Stryves

Members
Posts: 79
Joined
Last visited
Everything posted by Stryves

  1. Are you sure there isn't more code than that? A lot of upload scripts check file extensions to determine if it's a valid image or not.
  2. So then in my above code where I am inserting data into the database, I could be safe using trim and strip tags?
  3. Thank you, I'm not normally this slow, I swear. I looked up trim to understand it better again, and it appears it only removes the excess before and after the actual string, so that would be safe for a comment. Security paranoia is a bad thing.
  4. As always, I really appreciate everyone's help. My code is:

        <?php
        $subject=$_POST['subject'];
        $comment=$_POST['comment'];
        $postcomment="UPDATE comments SET subject='$subject', comment='$comment' where ID='$userID'";
        mysql_query($postcomment) or die("Failed");
        ?>

     Would it be this with the protection:

        <?php
        // one helper, applied to each posted field before it goes into the query
        function protect($value){
            return mysql_real_escape_string(trim(strip_tags($value)));
        }
        $subject=protect($_POST['subject']);
        $comment=protect($_POST['comment']);
        $postcomment="UPDATE comments SET subject='$subject', comment='$comment' where ID='$userID'";
        mysql_query($postcomment) or die("Failed");
        ?>

     Oh and ignore the UPDATE, I know it should be INSERT when adding a comment, I just was writing some code to understand how to use function in this case.
  5. Ok, honestly, my head hurts. I've been reviewing all of the different types of sql injection protection, and I can't seem to really find a comparison on what's the best to use. I've heard MySQL real escape string is dated, and really isn't as useful anymore. The reason I need it, is I allow users to add comments to pages, or add a bio of themselves, and I just want to ensure that they can't mess up my database. Any suggestions on what should be used to protect when using PHP?
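     Posts 4 and 5 above ask how to keep a user's comment from breaking the query. The usual answer today is a prepared statement: the SQL and the values travel separately, so no escaping function has to guess the database's quoting rules. The following is an added example, not code from this thread or from phpfreaks; it uses PDO with an in-memory SQLite database so it runs stand-alone, keeps the `comments` table and the subject/comment/userID names from the poster's snippet, and assumes the rest of the schema.

```php
<?php
// Added example (not code from the thread): storing a user comment with a
// prepared statement instead of escaping values into the SQL text. It uses an
// in-memory SQLite database through PDO so it runs stand-alone; the `comments`
// table and the subject/comment/userID names follow the poster's snippet, the
// schema itself is assumed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (ID INTEGER PRIMARY KEY, userID INTEGER, subject TEXT, comment TEXT)');

// Constructed sample input standing in for $_POST: an apostrophe and some
// markup, both of which a real user may legitimately type.
$input = [
    'subject' => "O'Brien's review",
    'comment' => "  Rated 5/5 <b>great</b>  ",
];
$userID = 42;

// trim() is harmless normalisation; it touches only leading/trailing whitespace.
$subject = trim($input['subject']);
$comment = trim($input['comment']);

// What the thread's snippet builds: the values are spliced into the SQL text,
// so the apostrophe in the subject ends the string literal early and the
// statement is no longer the one the programmer wrote. Built only for display.
$unsafeSql = "INSERT INTO comments (userID, subject, comment) VALUES ('$userID', '$subject', '$comment')";

// Prepared statement: the SQL with placeholders is sent first, the values are
// bound separately, and the database never parses user text as SQL. No
// escaping function is needed, and strip_tags() is not needed either, since
// HTML in a comment is a display concern, not a database concern.
$stmt = $db->prepare('INSERT INTO comments (userID, subject, comment) VALUES (:uid, :subject, :comment)');
$stmt->bindValue(':uid', $userID, PDO::PARAM_INT);
$stmt->bindValue(':subject', $subject, PDO::PARAM_STR);
$stmt->bindValue(':comment', $comment, PDO::PARAM_STR);
$stmt->execute();

// Read it back: the stored text is exactly what the user typed.
$row = $db->query('SELECT subject, comment FROM comments WHERE userID = 42')->fetch(PDO::FETCH_ASSOC);
if ($row['subject'] !== $subject || $row['comment'] !== $comment) {
    throw new RuntimeException('stored text differs from input');
}

// Escape for the HTML context at output time, so <b> and quotes render as
// text rather than being interpreted by the browser.
foreach ($row as $field => $value) {
    echo $field, ': ', htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
echo "\nSQL the interpolating version would have sent:\n", $unsafeSql, "\n";
```

     Run it with `php example.php`. The design point is that each kind of output gets its own escaping at the boundary where it is used: the database driver handles SQL through the bound parameters, and htmlspecialchars() handles the HTML page. Stripping tags at input time would lose what the user wrote without protecting the query.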
  6.    $var1=1;
        if($var1==1 || $var1==2) {
            // echo the url, www.mydomain.com/page.php?var1=$var1
        }

     Like this?
  7. 1. It's checking forum_topics table for the topic with the ID. If it does exist 2. It checks to see who has admin access to the forum_sub_cats table, as you can assign multiple moderators. I think.
  8. echo "<td class=\"td_id\"><a href=\"mailto:$variable5\"></a></td>\n"; Why is there no "> to the end of the a href? Try the above.
  9. What Slip is asking for is the HTML Source you see when the page is displayed, and you look at the source code from the browser. Something is missing when it's being shown through the web most likely. If that is the HTML Source from IE / Firefox, I'm just scanning the functions now.
  10. The blue area beside help? That's part of the navigation CSS, and if you change that it'll affect the areas to the left of it.
  11. Can't really force it, it depends on the browser's configuration on how to handle the PDF file extension.
  12. Looks good to me, if anything I'd change the color of the font now. What difficulties?
  13. Without the code, not sure, but I'd have it so that it spits out http://www.phpfreaks.com/forums at PHP Help Forum
  14. If you upload it to the root directory (better here than on tinypic), then you would want this in the CSS for the header:

        #header{
            height:110px;
            width:758px;
            margin:0 1px 1px 1px;
            background:#467aa7;
            background-image: url(../image.gif);
            color:#ffffff;
        }

  15. I looked at the CSS, for the header entry just add the: background-image: url(image.gif); below background:#467aa7;

        #header{
            height:110px;
            width:758px;
            margin:0 1px 1px 1px;
            background:#467aa7;
            color:#ffffff;
        }
  16. God I should look at the sites first. Look in the style.css for "header". You can add the following, but change the image.gif to whatever the picture is. background-image: url(image.gif);
  17. Thank you so much! Makes a lot more sense to me now.
  18. As always, I thank everyone's input! So then what I am doing overall cleans all input, but what is it doing that is needless operations then? I was just thinking if I am cleaning a form, why have the real escape string written every time if a catch-all can do the job?
  19. hmm I see. But if all POST data should be checked, why wouldn't you check it? I have a lot of data in forms being passed through a select/option list, and is this what you would not check?
  20. I agree all post variables should be run through 'mysql_real_escape_string'. Is this above script running the command on all post variables, or should you specify it each time? For example, on my site.

        <?php
        $username=$_POST['username'];
        $password=$_POST['password'];
        ?>

     Would you add the 'mysql_real_escape_string' again to this post, or does having those lines in the DB connect take the post material automatically and check it?
  21. Hello, I use the following PHP file to connect to the database. I'm curious if by using this, will it take all GET/POST data and automatically run mysql_real_escape_string on all data submitted? I found this from a snippet I downloaded, and was curious if this was better than adding the 'mysql_real_escape_string' on all POST variables.

        <?php
        $db = mysql_connect("*****", "*****", "*****") or die("Dear Sweet Jebus!");
        if(!$db) die("no db");
        if(!mysql_select_db("*****",$db)) die("No database selected.");
        if(!get_magic_quotes_gpc()) {
            $_GET = array_map('mysql_real_escape_string', $_GET);
            $_POST = array_map('mysql_real_escape_string', $_POST);
            $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
        } else {
            $_GET = array_map('stripslashes', $_GET);
            $_POST = array_map('stripslashes', $_POST);
            $_COOKIE = array_map('stripslashes', $_COOKIE);
            $_GET = array_map('mysql_real_escape_string', $_GET);
            $_POST = array_map('mysql_real_escape_string', $_POST);
            $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
        }
        ?>
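     Posts 18 to 21 above ask whether the connect-time snippet that runs an escaper over every value in $_GET, $_POST and $_COOKIE makes per-query escaping unnecessary. The following is an added example, not code from this thread or the downloaded snippet, showing two things such a catch-all cannot do: it only helps inside a quoted string literal, and it corrupts the value for every non-SQL use. It runs without a MySQL server: addslashes() stands in for mysql_real_escape_string() (assumption: both backslash-escape quotes, which is all this demonstration relies on; the real function is also charset-aware), and an in-memory SQLite database through PDO stands in for the forum_topics table, whose columns here are assumed.

```php
<?php
// Added example, not the thread's code: what a connect-time catch-all that
// escapes every request value does and does not protect. addslashes() stands
// in for mysql_real_escape_string() (assumption: same quote escaping for this
// purpose) and an in-memory SQLite table for the MySQL one.

function catchAllEscape(array $input): array {
    return array_map('addslashes', $input);
}

// Constructed sample request standing in for $_POST after the catch-all ran.
$post = catchAllEscape(['username' => "O'Brien", 'topicID' => '7 OR 1=1']);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_topics (ID INTEGER PRIMARY KEY, title TEXT)');
foreach ([[7, 'Escaping'], [8, 'Prepared statements'], [9, 'CSS headers']] as [$id, $title]) {
    $db->prepare('INSERT INTO forum_topics VALUES (?, ?)')->execute([$id, $title]);
}

// Gap 1: escaping only matters inside a quoted string literal. When a numeric
// column is compared without quotes, the escaper leaves the value untouched
// and the WHERE clause no longer means what the programmer wrote.
$unquoted = "SELECT ID FROM forum_topics WHERE ID={$post['topicID']}";
$rowsUnquoted = $db->query($unquoted)->fetchAll(PDO::FETCH_COLUMN);   // all three IDs

// Fix: give the value a type and bind it per query. (int) "7 OR 1=1" is 7.
$stmt = $db->prepare('SELECT ID FROM forum_topics WHERE ID = :id');
$stmt->bindValue(':id', (int) $post['topicID'], PDO::PARAM_INT);
$stmt->execute();
$rowsBound = $stmt->fetchAll(PDO::FETCH_COLUMN);                     // [7] only

// Gap 2: the escaped text is wrong for every non-SQL use. Echoing the
// username back into a form shows the backslash, and escaping it again when
// the query is built (as posts 18 to 20 discuss) stores a backslash for good:
// the SQL parser removes only one level of escaping, which stripslashes()
// models here.
$shownInForm = $post['username'];                                   // O\'Brien
$storedAfterSecondEscape = stripslashes(addslashes($post['username'])); // O\'Brien kept in the DB

printf("unquoted WHERE returned %d rows: %s\n", count($rowsUnquoted), implode(',', $rowsUnquoted));
printf("bound WHERE returned %d row(s): %s\n", count($rowsBound), implode(',', $rowsBound));
printf("username echoed back to the form: %s\n", $shownInForm);
printf("username stored after a second escape: %s\n", $storedAfterSecondEscape);
```

     The takeaway for the question in post 20 is that the catch-all does not make the per-query step redundant; it replaces a targeted, typed decision at the query with a blanket transformation at request start that is both too little (unquoted contexts) and too much (data that never reaches SQL). Binding each value where the query is built, as shown, removes the need for either escaping pass.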
  22. alt='' is used to display text when the mouse hovers over the image, it's also used for Blind users who use programs that read the text on the page.
  23. If you download the files (CSS most likely) and theme.php, and search for the text "width", you'll find it. What website?
  24. Call GoDaddy if you absolutely must have it.