Mchl

I did not mean that. What I meant is that you should check for any way someone else could get access to your account. Moving to another hosting will not help if you have spyware that steals your ftp passwords on your PC.

In other words: change your passwords, do not store passwords in your ftp program, check your PC for malware, check for vulnerabilities on other pages on this account.

I was referring more to the idea of cramming as much functionality as possible into a single class (that's how I understood OP's wishes)

If you really wish to go in this direction, you can use call_user_func_array This undoubtly an interesting approach and I'm sure you've got a lot of fun developing it. Just be aware that it's breaking many of well established rules of OOP like: http://en.wikipedia.org/wiki/Single_responsibility_principle http://en.wikipedia.org/wiki/Interface_segregation_principle http://en.wikipedia.org/wiki/Don%27t_repeat_yourself

The code you posted is exactly that.

In other words: change your passwords, do not store passwords in your ftp program, check your PC for malware, check for vulnerabilities on other pages on this account.

In general you should, because 4.x versions are no longer supported. In particular, this should not be the cause of this error. What does var_dump($xmlData); show? Do you have error_reporting enabled?

XSS attacks are only possible with dynamic pages. Static HTML can only be modified by someone acquiring access to your hosting account.

Use JS datepicker like this one: http://www.frequency-decoder.com/demo/date-picker-v2/ there are many more available

Check what is the setting of allow_url_fopen in php.ini

You already have some code in place See: if (file_exists($html_path.$file)) include $html_path.$file; Now change it to: if (file_exists($html_path.$file)) { include($html_path.$file); } else { include('404.html'); //or whatever - just make sure the file IS actually there. } If you still see blank page, there might be something wring with your paths. You might want to use require instead of include(), which will tell you if it can find the file or not

Yes. Or maybe no. I'm not sure. I didn't see your code

file_exists

The question is: how do you recognise a bad request? What does your page variable stand for?

I assume, that on your application you check if $_GET['page'] variable is something meaningful (e.g. there's some content related to it in database), or it's just garbage. If it's garbage, use header() to redirect. Example with MySQL: <?php $page = mysql_real_escape_string($_GET['page']); //make sure nothing harmful get's injected into query $sql = "SELECT ... FROM pages WHERE page = '$page'"; $result = mysql_query($sql); if(mysql_num_rows($result) == 0) { //check if any rows got returned //redirect to 404 } else { //display data }