oni-kun

I told you, look at your logic: if($_POST["username"] && $_POST["password"]) { if(!isset($_POST['username'])) { die('Please enter a name.'); } If username and password HAS to be defined, How can username EVER be not set? Your die() will never run. And as mentioned before.... : if(!isset($_POST['username']) || !trim($_POST['username'])) die('Please enter a name.'); How can !trim equate to a true or false answer? It can't! It's like saying if (substr($message)) { echo "message is correct"; } What is substr doing (or in your case trim), Nothing! it will always equate to one thing.

In your source, you should make each checkbox's 'name' attribute. name="foobar[]" And from in PHP, you can access it via $_POST['foobar'] Try var_dump'ing it to see what the layout looks like.

<?php $con = mysql_connect("blocked","Blocked","blocked"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("blocked", $con); if($_POST["username"] && $_POST["password"]) { if(!isset($_POST['username'])) { die('Please enter a name.'); } $fname = mysql_real_escape_string(trim($_POST["username"])); $ppassword = mysql_real_escape_string(trim( $_POST["password"])); $sql = mysql_query("SELECT * FROM players WHERE Name = '$fname' AND Password = '$ppassword' LIMIT 1"); if(mysql_num_rows($sql)>0) { echo("You are logged in!"); } } else { echo "Password does not match"; return false; } ?> (May be syntax errrors). But you can see the obvious problems with your old code.

!trim($_POST['username'])) This does not return true or false. It only returns the trimmed name (without leading or trailing spaces, blank characters or null) and will never be 'true' , like you wanted to compare the password. As well, and very importantly: $fname = $_POST["username"]; $ppassword = $_POST["password"]; You're not sanitizing the data being inputted to the database! This will lead to such easy injections and data retrieval. Use mysql_real_escape_string $fname = mysql_real_escape_string($_POST["username"]); $ppassword = mysql_real_escape_string($_POST["password"]);

I'm there right now (haven't for awhile), Just removes the longetivity of programming, because, I forget how long I['ve been doing it!

Your code is riddled with errors, look at these lines for example: !strlen($_POST[$username] >= 13)) !strlen($_POST[$userchar]) >= 13) You're forgetting to close brackets for one. $_POST[$username] <-- As mentioned $username has to be passed the the function. $username is NULL if it is not passed or defined wtihin. function validate($username, $userchar, $userpass, $userpass2, $termsofservice) { ...

The $_REQUEST variable is a combination of key and values of $_POST, $_GET and $_COOKIE variables. This is a 'superglobal', or automatic global, variable. This means that you do not know where the value is coming from, can be changed in $_GET itself, can be set in cookie, allow hijacking sessions and data retrieval. Why not just turn register globals on as well and call it a day? <?php if (!isset($_POST['form']['offerings'])) { die('Offerings form not set'); } else { echo '&food_types= ' . $_POST['frmSearch']['food_types'][0] . $_POST['frmSearch']['offerings'][0]; } ?> But what are you trying to do? And please, stop shoving code onto one line.

Do not use $_REQUEST. Only POST/GET, You're setting yourself up for injection. EDIT: You're using shorthand as well? Where did you learn your PHP from? If you used longhand (as preferred, and more efficient) you will obviously see the very simple solution. I'm against sloppy coding, As you can see it just brings problems.

Works well until the user list (or are you still making it?) 1264216753 xxxxxxx. - Offline - 0 xxxxxxx - Offline - 0 xxxxxxx - Offline - 0 (me) - Online - 1 xxxxxxx - Offline - 0 xxxxxxx - Online - 1 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in xxxxxxxx/sc33591-LWQU/picks_web/new_kp/core/includes/functions.php on line 411 GUESTS: When I pressed user list a few times, it said "SET OFFLINE FOR ..), Something to check user session lengths?

Session_start() will create a cookie, so it'd be advisable. -- Now why is ob_start there in the first place? I see no headers being called.

ini_set('display_errors',1); error_reporting(E_ALL|E_STRICT); Why not var_dump your SQL query results and tell us what is wrong? As well as sql_error()

<?php function checkEmail($email){ if(filter_var($email, FILTER_VALIDATE_EMAIL)){ return true; }else{ return false; } } ?> And what do you think filter_var does? For all we know it could be running many times heavier calculations backend. Strpos is faster, but I meant the sheer uses of some of it is slower than preg_match. What I'm getting at is they're (users who are bias to str* functions) try to 'emulate' the function of the patterns, it makes no sense, and is indeed slower in most standard cases that could use preg_match and succeed in less lines and function calls. Two wrongs don't make a right! But three rights makes a left?

Was gonna point that out. Good job. Boolean operators are annoying sometimes.

Sorta. The -f parameter is just a weird concatinating glob. Are you sending your e-mails from admin@yoursite.com? Make the parameter -fadmin@site.com for example.

A referrer is what the client sends when pressing a link (usually with most browsers). If a user clicks on your website from a link in google (on google search), The referrer will be google.com/search?q=widgets for example. If they searched 'widgets' in google, and clicked on your site, you know what they searched to get to your site (from the referrer)

Nothing in your code, or JS relating to the image gallery (which is CoolIris, a well known and developed program) contains any problematic code that relates to a trojan. What specific page? What file are they complaining about and where? I don't think they know what they're talking about if they're saying specifically that front page of the domain. Odd (and obviously defective) Heuristic scans on malware/virus scanners are known for false positives. Nearly 20% of all viruses found are false, and actually something harmless that matched similar code to one.

Yes, IIS is not exactly the best to work with for mod_rewrite. EDIT: btw, your sig, I give you ++

Looks like you need to set permissions (via FTP) on those folders. uploads/1024x768/uploads/temp/ and recurse folders should be CHMODD'ed to 755. And also your undefined variables, you should add them beforehand. "$prefix = null;"

You can use analytics such as Google Analytics (Free) or simply log the referrers from $_SERVER['HTTP_REFERRER'] The referrer may be: www.google.com/search?q=yoursite+foobar&hl=en .. Extract "q=yoursite+foobar" to get the keywords they entered in search to get to your site. If that's what you wanted.

Is their password on the site database? $_GET['pass'] = md5($_POST['pass']); For example, send the md5 hash and compare it on the actual website. 'if $dbpass = md5($_GET['pass']) ...'

<form action="page.php" method = post/get> <input type="foobar" id="baz"/> </form> Would you prefer to get the variable 'baz' from $_POST['baz'] or $_GET['baz']? In otherwords, you're wrong.

Quoted for readability. Now what on earth are you talking about? It looks like your talking to yourself, or maybe it's me, it is 6am. EDIT2: Isn't it obvious? You have HTML within the PHP (if that is what you were running.) Although PHP wouldn't show that. What WAS your actual code?

Then they were using a proposed exploit scanner, and succedded on one level. I added the site to MALZILLA/safebrowsing repo for update, sooner or later it will go through, But you should really fix the code or atleast show us the request that performed the malicious behaviour, Your site is obviously not secure. Mhmm.. POST is not any more secure than GET.

What do you get if you place this after your opening <?php tag? ini_set('display_errors',1); error_reporting(E_STRICT); This should display unmentioned errors.

OP: Yes, what errors are you getting? [ot]PFMaBiSmAd, You like that icon don't you!!! [/ot]