cringe

Everything posted by cringe

  1. Like someone else said, compare the file extension to a whitelist. (assuming they uploaded a file via PHP). $ext_whitelist = array('gif', 'jpeg', 'png'); $path = '/path/to/myScript.php' ; $file_ext = strtolower(pathinfo($path, PATHINFO_EXTENSION)); if (! in_array($file_ext, $ext_whitelist)) { // invalid } And when you move the file from the uploaded folder to a permanent folder, it's a good idea to rename the file slightly, prepend some random characters onto the end before the file extension. Hackers can't run the file easily if they don't know where you put it and what you renamed it to. CR
  2. What in the world does that mean? A host should not store your password in plain text, they should store a hash of it. Or were you phish bait or clickjacked? Was your password 'password'? Clue us in here. This is incredulous. I googled "godaddy password compromised" for the past 7 days and didn't get a good hit. CR
  3. So, I went to this http://nuotoll.com that was injected via that javascript and got this message from my anti-virus software: Reported Attack Site! This web site at nuotoll.com has been reported as an attack site and has been blocked based on your security preferences. CR
  4. Why use the <meta name="keywords">? I don't think search engines even use those anymore. As for the javascript in there, I don't have a clue how it got there. (is interesting though!) CR
  5. At the very least, you need to use htmlentities($yourInputText, ENT_QUOTES); This will render <script> and other tags harmless to the browser. Also, look at strip_tags http://us3.php.net/manual/en/function.strip-tags.php CR
  6. HTTP headers must be sent BEFORE any HTML (body of the response). And a cookie is a header. I moved your setcookie up in the code. You can also use ob_start output buffering to get around this restriction. http://us3.php.net/manual/en/function.ob-start.php . And you could instead store the value in $_SESSION and it would be available in login2.php. CR
  7. I'm free-handing this so the syntax might be wrong but... $safe_name = '' ; if ( isset($_COOKIE['username']) ) $safe_name = htmlentities($_COOKIE['username'], ENT_QUOTES) ; echo '<input type="text" name="username" value="', $safe_name, '" />'; CR
  8. Use strip_tags too. http://us.php.net/manual/en/function.strip-tags.php .
  9. Can phpfreaks add NEXT and PREVIOUS page links to pages? The page numbers are so small to click on. Just a thought. Thanks.
  10. Why not use SSL? You seem to be reinventing the wheel.
  11. It's a great idea to always initialize all of your variables at the top of your script. If someone were to turn register globals on, you're more protected from "variable" injections.
  12. Little Guy, You should consider making your class variables private or protected with public setters/getters. If class variables are public, a consumer can use them directly which breaks encapsulation and causes future problems if you decide to rework your class code.
  13. Yes, I use ctype. It's faster than the corresponding regex, like ctype_digit instead of \d , for testing a form field for all digits.
  14. Just so you know, from Wikipedia, "DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small." So in reality, don't use DES. Use something like AES. And I use mcrypt() for symmetric encryption.
  15. Headers are case insensitive. You could use LoCaTiOn: if you really wanted. But yes, I'd use Location: cause it just looks better.
  16. It is?? I thought the XHTML syntax was "<br />" .
  17. yes, so Hello<br /><br />World becomes HelloWorld. It should be Hello<br />World. Therefore, the preg_replace should have a replacement value of '<br />', not ''. Correct?
  18. Doesn't this replace 2 or more <br/> with nothing? The requirement is to replace 2 or more with 1. So the '' needs to be '<br />' I would think.
  19. You really only need to regenerate the session ID when a change in authority occurs, such as when the user signs on. And regenerate it every "x" requests from the client via a counter in the $_SESSION. And include a unique token in every response sent back, via output_add_rewrite_var(). If the next request does not include that token in $_GET (URL) or $_POST (form) or it's not in the $_SESSION, politely make the user sign in again. And you can have that token "time-out" via another value in the $_SESSION. Set it to time() + 60*10 (10 minutes or whatever) in the $_SESSION when the next response is generated. The next request must be received back with a valid token before time() is greater than that $_SESSION value, or again, ask the user to sign in again or take some other appropriate action.
  20. If you don't want the session ID in the URL, then set session.use_only_cookies = 1 . ini_set( 'session.use_only_cookies', 1) And if you want to tack the session id onto links and in forms as a hidden input field and even images (any query string key/value pairs), use output_add_rewrite_var.
  21. Not hex. I see letters a-z in mine. Hex would be just letters a-f. (and 0-9 of course). Example: sess_k823ri2425tjlhn0741uj3frs5 Thanks.
  22. Not tested... $string = '<b>1</b> - <b>10</b> of about <b>72</b>' ; $stringArray = explode('<b>',$string) ; $lastInt = intval(end($stringArray), 10) ;
  23. Check the value of $ok. if($ok && move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
  24. Try adding this to your options array: CURLOPT_FOLLOWLOCATION => TRUE, // follow redirects CURLOPT_MAXREDIRS => 10, // stop after 10 redirects
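Added example, not code from any of the posts above: an upload handler that puts posts 1 and 23 together. It whitelists the extension, sniffs the real content type from the bytes instead of trusting the client's $_FILES['...']['type'], discards the original filename in favour of a random one, and only calls move_uploaded_file once every check has passed. The upload directory, the 2 MiB limit, the "uploaded" field name and the addition of 'jpg' to the whitelist are assumptions made for this example.

```php
<?php
// Added example (not from the original posts): hardened upload handling
// in the spirit of posts 1 and 23. Paths, limits and field name are assumed.

declare(strict_types=1);

const UPLOAD_DIR     = '/var/www/uploads';           // assumed: outside the web root
const MAX_BYTES      = 2 * 1024 * 1024;              // assumed limit: 2 MiB
const EXT_WHITELIST  = ['gif', 'jpeg', 'jpg', 'png'];
// The extension alone is not enough: check what the bytes actually are too.
const MIME_WHITELIST = ['image/gif', 'image/jpeg', 'image/png'];

/**
 * Validate one entry of $_FILES and return the sanitized extension,
 * or throw with a reason. Never trusts the client-supplied name or type.
 */
function validateUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a PHP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, EXT_WHITELIST, true)) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // Sniff the real content type from the bytes, not from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, MIME_WHITELIST, true)) {
        throw new RuntimeException("content type '$mime' not allowed");
    }
    return $ext === 'jpeg' ? 'jpg' : $ext;
}

/**
 * The random destination name post 1 recommends. The original name is
 * discarded entirely, so an attacker cannot guess the final path.
 */
function randomName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Validate, then move into place with no execute bit. Returns the final path. */
function storeUpload(array $file): string
{
    $ext    = validateUpload($file);
    $target = UPLOAD_DIR . '/' . randomName($ext);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($target, 0640);   // not executable, not world-readable
    return $target;
}

// Usage (assumes a form field named "uploaded", as in post 23):
try {
    $stored = storeUpload($_FILES['uploaded'] ?? []);
    echo 'Stored as ', htmlentities(basename($stored), ENT_QUOTES), "\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ', htmlentities($e->getMessage(), ENT_QUOTES), "\n";
}
```

Keeping UPLOAD_DIR outside the web root means that even a file that slips past both checks is never served by the web server as a script; the application has to hand it out itself.

Added example for posts 19 and 20, again not the posters' own code: a session layer that regenerates the ID on login and every N requests via a counter in $_SESSION, keeps the ID out of URLs with session.use_only_cookies, and issues a per-response token through output_add_rewrite_var() that expires after ten minutes. The regeneration interval of 20 requests, the login.php redirect target, the cookie flags and session.use_strict_mode are assumptions added for the example.

```php
<?php
// Added example (not from the original posts): session ID regeneration on
// login and every N requests, plus a per-response token with a 10-minute
// timeout, as described in posts 19 and 20. Interval and paths are assumed.

declare(strict_types=1);

const REGEN_EVERY = 20;        // assumed: regenerate the ID every 20 requests
const TOKEN_TTL   = 60 * 10;   // 10 minutes, as in post 19

// Post 20: keep the session ID out of URLs. strict_mode (assumed here) rejects
// IDs the server never issued; HttpOnly/Secure keep the cookie off the wire in clear.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
session_start();

/** Mint a fresh token for this response and remember it with its deadline. */
function issueToken(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['token']         = $token;
    $_SESSION['token_expires'] = time() + TOKEN_TTL;
    // Appends token=... to every link and form PHP emits in this response.
    output_add_rewrite_var('token', $token);
    return $token;
}

/** Call right after a successful credential check (a change of authority). */
function onLogin(string $username): void
{
    session_regenerate_id(true);           // drop the pre-login ID
    $_SESSION['user']     = $username;
    $_SESSION['requests'] = 0;
    issueToken();                          // the login response carries the first token
}

/** Post 19: rotate the ID every REGEN_EVERY requests via a counter. */
function maybeRegenerate(): void
{
    $_SESSION['requests'] = ($_SESSION['requests'] ?? 0) + 1;
    if ($_SESSION['requests'] % REGEN_EVERY === 0) {
        session_regenerate_id(true);
    }
}

/**
 * Check the token the client sent back (URL or form). Returns false when it
 * is missing, wrong or expired; the caller then forces a fresh sign-in.
 */
function tokenIsValid(): bool
{
    $sent = $_POST['token'] ?? $_GET['token'] ?? null;
    $want = $_SESSION['token'] ?? null;
    $exp  = $_SESSION['token_expires'] ?? 0;
    if (!is_string($sent) || !is_string($want)) {
        return false;
    }
    if (time() > $exp) {
        return false;                      // post 19's time-out
    }
    return hash_equals($want, $sent);      // constant-time comparison
}

function forceRelogin(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');         // assumed login page
    exit;
}

// Per-request flow for an authenticated page:
if (!isset($_SESSION['user']) || !tokenIsValid()) {
    forceRelogin();
}
maybeRegenerate();
issueToken();
echo '<a href="page2.php">next</a>';       // emitted as page2.php?token=...
```

Because a new token is issued on every response, opening two tabs invalidates the older one; that is the trade-off post 19 accepts in exchange for making a stolen session cookie useless without the current token.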