Everything posted by CroNiX
-
Where's session_start()?
-
You should really be using mysql_real_escape_string() instead of addslashes().
-
That's a lot of unneeded stuff... using a session variable you could do that in like 10 lines of code.
-
It will work for that specific example...generally not the best way to go.
-
I suppose an easy way would be to use sessions. You can have a counter on your page that gets stored in a session variable. Check the variable at the top of the script and if it's greater than 1, don't insert.
-
How to have msql connect just in some preset time intervals?
CroNiX replied to madmaxy's topic in MySQL Help
It should also be placed at the top of the page where you are processing the form data. -
How to have msql connect just in some preset time intervals?
CroNiX replied to madmaxy's topic in MySQL Help
Something like this at the very top of your page with the form. I didn't spend a lot of time on it, but I believe it will do basically what you want...

<?php
//these are set to the current server time...if your server is in
//a different time zone, these need to be adjusted accordingly
$weekday_times = array("open_time"=>1100, "close_time"=>1830); //set in 24 hour format
$weekend_times = array("open_time"=>830, "close_time"=>1130);
$closed_message = "We are currently closed.";

$cur_day = date("N"); //current day of week: 1=mon, 7=sun
$cur_time = date("G") . date("i"); //current hour/minute in 24 hour format

if($cur_day < 6){
    //check weekdays
    if($cur_time < $weekday_times['open_time'] || $cur_time > $weekday_times['close_time'])
        die($closed_message);
} else {
    //check weekends
    if($cur_time < $weekend_times['open_time'] || $cur_time > $weekend_times['close_time'])
        die($closed_message);
}
-
css: .center { margin:0 auto; }
-
Basically it generates a random series of numbers/letters using either premade images or created on the fly using the gd library or imagemagick. It asks you to input the letters/numbers that you see into a textbox and submit. If you type in what it has stored, it lets you in. There's millions of them out there that are free, just be creative with your search terms. 'php create captcha'. http://www.google.com/search?q=php+create+captcha
-
google for 'captcha'. You will find a lot.
-
You don't need those to do this. You just need an onchange event for the text boxes and an onclick event for the checkbox. These should call a function that will recalculate the total based on if the checkbox is checked.
-
Nope, that's not it. I scrolled through the font sizes and it held its own, the tabs even got bigger. Nice job on that.
-
Hmm... I'm running in 1920x1600 resolution, I might have my fonts bigger than yours.
-
How to have msql connect just in some preset time intervals?
CroNiX replied to madmaxy's topic in MySQL Help
couldn't you: 1) get current date/time 2) check if it is within your valid time range 3) if yes, display page, if not don't? -
When you click on 'Show Archives' the last tab doesn't change from 'Prediction Tracker' to 'JGS Prediction Tracker' ?
-
In FF3 (didn't try in others), when you click on the tabs, the last tab sometimes gets an extra word in it and wraps to the next line. If you are on the default 'welcome' tab and click on 'bio', the last 'Prediction Tracker' tab wraps. If you then click on 'Show archives', the last tab gets an extra word and becomes 'JGS prediction tracker' and wraps to the next line.
-
'$t2agent%' this says get everything that STARTS with $t2agent. Is that what you want? Most searches search for the phrase anywhere within a word. like if you were searching for 'to' it would return 'tomato', 'atom' etc. The way yours is written would only return 'tomato' because it starts with 'to'. Is that what you want? If not, you need to add % to the beginning of the phrase and not just the end.
-
How to have msql connect just in some preset time intervals?
CroNiX replied to madmaxy's topic in MySQL Help
Are these pages static or dynamically created? -
Removing slashes from mysql_real_escape_string
CroNiX replied to Canman2005's topic in PHP Coding Help
It should remove it by itself when retrieving. Are you using addslashes() as well? Are you sure you are checking to see if get_magic_quotes_gpc() and then running stripslashes() ? Your data is being escaped more than once or you wouldn't have "David\\\'s" -
I wouldn't advise that unless you know for sure that the server is compromised. If he has remote inclusion turned off the hack attempt he is talking about is useless and is only showing up in logs...
-
Removing slashes from mysql_real_escape_string
CroNiX replied to Canman2005's topic in PHP Coding Help
It won't fix it for values already in your database, but it should fix it for newly inserted ones. Did you try it with new data? -
By the initial posting, it appears to be XSS. The hacker is seeing if you do something like: if(isset($_GET['cfgProgDir'])) include($_GET['cfgProgDir']); which would load and execute the file located at http://rdxihx.angelfire.com/php
-
Anytime I use $_GET variables, I always check them against a whitelist contained in an array. If it's not in the array, it just outputs 'Page Error'. Example: www.mysite.com/index.php?action=help

In my code, I have:

$action = isset($_GET['action']) ? $_GET['action'] : "";
//....
$allowable_actions = array('help', 'delete');
if(!in_array($action, $allowable_actions)) die('Page Error');
// ... rest of code...

So if action does not = 'help' or 'delete' it kills the application and prevents any tampering. There is more to do, like run $_GET superglobal through a sanitizer, but this little whitelist goes a long way.
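
An added example (not part of CroNiX's post or the original thread) that applies the whitelist idea to the include() case discussed above: the request value is used only as a lookup key into a fixed map, so it never reaches include(). The action names, file paths and sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical map of allowed actions to fixed script paths (assumed names).
const ALLOWED_ACTIONS = [
    'help'   => __DIR__ . '/pages/help.php',
    'delete' => __DIR__ . '/pages/delete.php',
];

/**
 * Return the script path for a request, or null when the action is not allowed.
 * The request value is only ever a lookup key, never part of a path.
 */
function resolve_action(array $query): ?string
{
    $action = $query['action'] ?? '';
    // ?action[]=help arrives as an array; reject anything that is not a string.
    if (!is_string($action)) {
        return null;
    }
    // Exact key match only: no partial matches, no path building from input.
    return array_key_exists($action, ALLOWED_ACTIONS) ? ALLOWED_ACTIONS[$action] : null;
}

// Constructed sample requests, standing in for $_GET.
$samples = [
    ['action' => 'help'],
    ['action' => 'http://example.invalid/php'],
    ['action' => '../pages/help.php'],
    ['action' => ['help']],
    [],
];

foreach ($samples as $query) {
    $path = resolve_action($query);
    echo json_encode($query), ' => ',
        $path === null ? 'Page Error' : basename($path), PHP_EOL;
}

// Defence in depth: remote inclusion should also be off in php.ini.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    echo 'warning: allow_url_include is enabled', PHP_EOL;
}

// In a real page (assumed usage):
//   $path = resolve_action($_GET);
//   if ($path === null) die('Page Error');
//   require $path;
```

Only the first sample resolves to a script; the URL, the relative path, the array value and the missing parameter all fall through to 'Page Error'.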
-
1 word: firebug
-
Need suggestions on how to speed up load time
CroNiX replied to zkoneffko's topic in PHP Coding Help
Personally I would use a database and ajax. The user clicks on a menu item and it only retrieves the info for that page and inserts it in the current view without reloading the page. It would be very fast compared to what you are doing.