cringe
  1. Like someone else said, compare the file extension to a whitelist (assuming they uploaded a file via PHP).

         $ext_whitelist = array('gif', 'jpeg', 'png');
         $path = '/path/to/myScript.php';
         $file_ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
         if (! in_array($file_ext, $ext_whitelist)) {
             // invalid
         }

     And when you move the file from the uploaded folder to a permanent folder, it's a good idea to rename the file slightly: add some random characters onto the end of the name, before the file extension. Hackers can't run the file easily if they don't know where you put it and what you renamed it to. CR
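The check and the random rename that post 1 describes, as an added example in working PHP. This is not cringe's code and not any phpfreaks project's code; it also goes one step past the post by checking the file's actual content type with finfo, since the extension is chosen by the uploader. The form field name "avatar", the directory /var/www/uploads and the added "jpg" entry are assumptions.

```php
<?php
// Added example (not cringe's code): extension whitelist plus random rename,
// with a content-type check on top. Paths and field names are assumptions.

// The post's list, plus "jpg" (assumption) since most cameras write that.
const EXT_WHITELIST = ['gif', 'jpeg', 'jpg', 'png'];
const MIME_WHITELIST = ['image/gif', 'image/jpeg', 'image/png'];

/** Returns the lower-cased extension if it is on the whitelist, otherwise null. */
function whitelisted_extension(string $original_name): ?string
{
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    return in_array($ext, EXT_WHITELIST, true) ? $ext : null;
}

/**
 * Builds the stored name: the original base name reduced to safe characters,
 * a random suffix, then the validated extension. The suffix is what keeps the
 * final location unguessable from the uploaded name.
 */
function randomized_name(string $original_name, string $ext): string
{
    $base = pathinfo($original_name, PATHINFO_FILENAME);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);
    $base = substr($base, 0, 40) ?: 'upload';
    $suffix = bin2hex(random_bytes(8));   // 16 hex chars, CSPRNG
    return $base . '_' . $suffix . '.' . $ext;
}

/**
 * Validates one $_FILES entry and moves it into $dest_dir (assumed to be
 * outside the web root, or served with script execution disabled).
 * Returns the stored path; throws if the upload is rejected.
 */
function store_upload(array $file, string $dest_dir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    $ext = whitelisted_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Name says image: check the bytes agree before trusting it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!in_array($mime, MIME_WHITELIST, true)) {
        throw new RuntimeException('content does not match an allowed image type');
    }
    $target = rtrim($dest_dir, '/') . '/' . randomized_name($file['name'], $ext);
    // move_uploaded_file() refuses anything that was not a real upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $target;
}

// Usage (assumed field name and directory):
// $stored = store_upload($_FILES['avatar'], '/var/www/uploads');
```

The third argument `true` to in_array() forces a strict comparison, so a loosely-equal value cannot slip past the whitelist, and the random suffix is drawn from random_bytes() rather than rand() so it is not predictable.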
  2. What in the world does that mean? A host should not store your password in plain text, they should store a hash of it. Or were you phish bait or clickjacked? Was your password 'password'? Clue us in here. This is incredulous. I googled "godaddy password compromised" for the past 7 days and didn't get a good hit. CR
  3. So, I went to this http://nuotoll.com that was injected via that javascript and got this message from my anti-virus software: Reported Attack Site! This web site at nuotoll.com has been reported as an attack site and has been blocked based on your security preferences. CR
  4. Why use the <meta name="keywords">? I don't think search engines even use those anymore. As for the javascript in there, I don't have a clue how it got there. (is interesting though!) CR
  5. At the very least, you need to use htmlentities($yourInputText, ENT_QUOTES); This will render <script> and other tags harmless to the browser. Also, look at strip_tags http://us3.php.net/manual/en/function.strip-tags.php CR
  6. HTTP headers must be sent BEFORE any HTML (body of the response). And a cookie is a header. I moved your setcookie up in the code. You can also use ob_start output buffering to get around this restriction. http://us3.php.net/manual/en/function.ob-start.php. And you could instead store the value in $_SESSION and it would be available in login2.php. CR
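The ordering post 6 describes, as an added example (not cringe's code and not the code from the thread it answers): session and cookie headers first, the HTML body after, with ob_start() shown as the alternative the post mentions and a headers_sent() check for diagnosing the usual error. The file name login2.php comes from the post; the form field and cookie options are assumptions.

```php
<?php
// Added example, not cringe's or the thread's code: headers first, body after.
// Nothing may be output before this line: no blank line, no BOM, no space
// before "<?php", or every header call below fails.

// Alternative the post mentions: with output buffering on, echoed HTML is held
// in memory until the script ends, so a setcookie() placed after an echo would
// still work. Uncomment to rely on that instead of strict ordering.
// ob_start();

session_start();                        // this sends a Set-Cookie header itself

$username = trim($_POST['username'] ?? '');

if ($username !== '') {
    if (headers_sent($file, $line)) {
        // This is the "headers already sent" situation: something at
        // $file:$line wrote output before we got here.
        throw new RuntimeException("output already started at $file:$line");
    }
    // Cookie header goes out before any HTML ...
    setcookie('username', $username, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,             // HTTPS only (assumption: site is HTTPS)
        'httponly' => true,             // not readable from page JavaScript
        'samesite' => 'Lax',
    ]);
    // ... and the same value is kept server side, where the browser cannot
    // change it. login2.php reads $_SESSION['username'] after session_start().
    $_SESSION['username'] = $username;
}

// Only now does the response body start.
echo "<!DOCTYPE html>\n<html><body>\n";
echo '<p>Continue to <a href="login2.php">the next step</a>.</p>', "\n";
echo "</body></html>\n";
```

Of the two storage options, $_SESSION is the one to prefer for anything the application later trusts: a cookie value comes back from the browser and can be edited there, while the session copy never leaves the server.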
  7. I'm free-handing this so the syntax might be wrong but...

         $safe_name = '';
         if (isset($_COOKIE['username'])) {
             $safe_name = htmlentities($_COOKIE['username'], ENT_QUOTES);
         }
         echo '<input type="text" name="username" value="', $safe_name, '" />';

     CR
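Posts 5 and 7 above make the same point: escape with htmlentities() and ENT_QUOTES before echoing a value into HTML, and use strip_tags() where tags should be removed altogether. The following is an added example, not cringe's code; the helper name h(), the username_input() wrapper and the hostile sample cookie value are constructed for illustration.

```php
<?php
// Added example (not cringe's code): output escaping from posts 5 and 7,
// with a constructed hostile input to show what the escaping does.

/** Escape a string for placement inside an HTML attribute or element body. */
function h(string $text): string
{
    // ENT_QUOTES covers both ' and ", so the result is safe inside single- or
    // double-quoted attributes. Naming the charset keeps multibyte text intact.
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Pre-fill the username field from the cookie array, escaped (post 7). */
function username_input(array $cookie): string
{
    $safe_name = isset($cookie['username']) ? h($cookie['username']) : '';
    return '<input type="text" name="username" value="' . $safe_name . '" />';
}

/** Plain-text variant (post 8): tags are removed rather than escaped. */
function plain_text(string $text): string
{
    // strip_tags() is for cleaning text you intend to keep as text; the
    // result still has to go through h() when it is echoed into HTML.
    return strip_tags($text);
}

// Constructed sample: a cookie value that tries to close the attribute and
// start a script element. Anyone can set their own cookies, so this is the
// input the field must survive.
$sample = ['username' => '"><script>alert(1)</script>'];
echo username_input($sample), "\n";
echo h(plain_text('<b>bold</b> text')), "\n";
```

With ENT_QUOTES the sample's double quote is emitted as &quot; and the angle brackets as &lt; and &gt;, so the browser keeps the whole value inside the attribute instead of seeing a new element. The two functions are different tools: strip_tags() changes the data (the sample loses its <b> tags), htmlentities() changes only how it is displayed, and only the latter is an output-escaping step.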
  8. Use strip_tags too. http://us.php.net/manual/en/function.strip-tags.php
  9. Can phpfreaks add NEXT and PREVIOUS page links to pages? The page numbers are so small to click on. Just a thought. Thanks.
  10. Why not use SSL? You seem to be reinventing the wheel.
  11. It's a great idea to always initialize all of your variables at the top of your script. If someone were to turn register globals on, you're more protected from "variable" injections.
  12. Little Guy, You should consider making your class variables private or protected with public setters/getters. If class variables are public, a consumer can use them directly which breaks encapsulation and causes future problems if you decide to rework your class code.
  13. Yes, I use ctype. It's faster than the corresponding regex, like ctype_digit instead of \d , for testing a form field for all digits.
  14. Just so you know, from Wikipedia, "DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small." So in reality, don't use DES. Use something like AES. And I use mcrypt() for symmetric encryption.
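Symmetric encryption with AES as post 14 recommends, as an added example that is not cringe's code. It uses PHP's OpenSSL extension in place of the mcrypt() call the post mentions, because the mcrypt extension was removed from PHP core in 7.2, and it picks an authenticated mode (GCM) so that a modified ciphertext is rejected rather than decrypted into garbage. The key handling and the sample message are constructed; the format iv || tag || ciphertext is this example's own choice.

```php
<?php
// Added example (not cringe's code): AES-256-GCM via ext/openssl, swapped in
// for the mcrypt() the post uses. Key and message below are constructed.

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

/** Encrypts $plaintext under a 32-byte key; returns base64(iv || tag || ciphertext). */
function encrypt_message(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes for AES-256');
    }
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));  // fresh nonce per message
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $tag . $ciphertext);
}

/** Reverse of encrypt_message(); returns null when the tag does not verify. */
function decrypt_message(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    $iv_len = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $iv_len + TAG_LEN) {
        return null;                                  // truncated or not base64
    }
    $iv = substr($raw, 0, $iv_len);
    $tag = substr($raw, $iv_len, TAG_LEN);
    $ciphertext = substr($raw, $iv_len + TAG_LEN);
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plaintext === false ? null : $plaintext;  // false means tag mismatch
}

// Constructed key for the demo. In a real deployment the key is loaded from
// outside the code (environment, secrets store, root-only file), never hard-coded.
$key = random_bytes(32);

$token = encrypt_message('account=42;role=user', $key);
var_dump(decrypt_message($token, $key) === 'account=42;role=user');

// Flip one bit of the last ciphertext byte: GCM's tag check fails and
// decrypt_message() returns null instead of a silently altered plaintext.
$tampered = base64_decode($token);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(decrypt_message(base64_encode($tampered), $key) === null);
```

The two var_dump() calls are the point of the example: the first shows a round trip, the second shows that any change to the stored data is detected. A plain CBC or ECB call, which is what older mcrypt-based snippets usually did, gives no such guarantee, and ECB in particular leaks repeated blocks.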