CroNiX

Its because you are using the functions for mysql when you need to use the mysqli functions/methods. http://uk.php.net/mysqli instead of: $db = mysql_connect(localhost,"username","password"); you need: $db = mysqli_connect(localhost,"username","password");

LOL, we've all done it

I didn't try with a url, but <?php $setup['1'] = 'index.php'; include($setup['1']); ?> worked

What if you <?php include($setup['1']); ?> ?

One of the servers I run I pay $79/month for. Its a real server, not vps. Dual Xeon 64bit 3.2GHz, 2G ram, 250G Mirrored HD (not SCSI tho). 3Mbit connection up/down.

<?php while($qty = mysql_fetch_array($result)){ echo "<tr><td><input type=\"text\" value=\"" . $qty[0] . "\" /></td></tr>\n"; } or something close to that

You should just google for vps servers. You can get them for under $20/month for a very simple one...

Good luck with that. Most ISP's run port scans to see if you are running a server. Maybe your landlord won't be so happy with you when he gets in trouble...hope you have a backup housing plan

Yep...SVN

How do you then, to use your words, if the file is locked and not checking some sort of timestamp?

If you created the scripts for him, they're his scripts unless you have a contract stating otherwise. I usually get asked to show samples of work BEFORE a job, not after...bit strange there...

Why not have your php file which detects your criteria just included at the top of every page on your site? Have it redirect to google or something...

I'd call that more of a 'page' than a site.

Try changing your short tags "<?" with real php tags "<?php" Never a good idea to use short tags. Possibly your template parser is ignoring the short tags.

mysql_real_escape_string doesn't touch html, it escapes single and double quotes so the database doesn't take them literally. Also, setup mysql so that the user account you are using to access mysql via your application doesn't have DROP privileges, unless you actually use DROP in your code. Most people don't DROP tables in their code so I always advise this. Also, whoever did this could have also placed malicious code in your code...so you better check it. One of the main places to check is wherever you are creating new accounts. One thing some hackers like to do is insert code so that when a new account is created it emails the user/pass to some address so they can use it.

Most likely they hacked in through the url via variables being passed through $_GET/$_POST. One thing to do is whenever you are doing something with the database in your code and it uses something from $_GET/$_POST to access data in your db you need to sanitize that variable. Like if you have some SQL that is similar to this: SELECT * FROM tableName WHERE username = '$_POST['username']'; Before you run a query like that you need to properly escape it. $username = mysql_real_escape_string($_POST['username']); then you can SELECT * FROM tableName WHERE tableName.username = '$username'; The problem when you are using a form or something that gets data from the user (or even just from the url variables, the user can type in SQL into that form and do just about anything they want...like DROP tableName; If you sanitize anything retrieved via $_POST/$_GET you can eliminate most of this.

Best to post the code you have.

The page looks the same in FF3 and IE7 to me? Clear your cache maybe?

If you are using PHP 5.2+ you can just use json_encode() and json_decode() to transmit your data in a much more usable form.

What do you mean by index...what do you want to do?

maybe add your own 'X-PHP-Script' header and try to override it. I googled X-PHP-Script and its actually built into php5, before that you had to patch php to get it. I think it is for security so you can easily find scripts that are sending mail out (like spam) to help identify the culprit. If your script is written securely, why does it matter if your users know the location? They couldn't do anything with it...

cool, glad it worked

Haven't tried this, but might work... in the upload form have a hidden field with the current timestamp so when you submit (maybe use javascript for the onsubmit to enter the time so it will be more accurate), it sends that time to the server and after your move_uploaded_file() take another timestamp and compare.

what about <?= ?

It does look nice, however I find dark backgrounds with light text are very hard to read after a while, especially in a forum situation.