fortnox007

did you try to do this with a database instead of a text file? if you never tried it, have a look here: http://w3schools.com/php/php_mysql_intro.asp It's a nice tutorial, that same site also has nice examples on how to do it with a text file.

how do you know it's that little snippet? isn't it some sort of weird loop in your script?

i assume you have <table> before this php code and </table> after it?

i would first of all recommend you use <?php as starting tag instead of <? And concerning your question, if you open up a php file locally without having a server with php installed you will ofcourse see all the code. install xampp for instance and run it again.

would make indeed more sense, but still $tutor_id is empty

your $tutor_id doesn't get a value same is for $_GET['tutor_id'] if i look at the script above. so the whole script that starts with if (!empty($tutor_id)......etc will not be executed. Also the echo is outside the if statement, so it's not a confirmation of succes it's just an echo. Don't you have some more code besides the above?

wicked that little explanation already gave me a headstart. Thanks alot! I'll certainly will sanitize everything, but i find things easier to remember ones i understand it. And because most explanation have that little 'xss here' snippet i never really understood what the fuzz was all about. Those sneaky people just send victims a link to a trusted site. Thanks guys for helping me understand this.

Thanks for your quick reply,porl I am happy to do that, but it still leaves me mind goggling what someone could do to others besides himself. I am not willing to hack r anything, but I just have difficulty understandig this. Because the data doesn't get send to a database or anything it's just the action of the page. and if the page is not correct the action fails. -edit oh wait i see you linked some extra info, i am going to read that right away thank you. -edit 2 lol i read the first one and i think i am just not made for this, lol i think i am going to buy a book on this, because this is total abracadabra for me.

hi all i just read an article at http://www.phpro.org/tutorials/PHP-Security.html about not trusting server variables like $_SERVER['PHP_SELF'] so they explain, it can't be trusted and so on, but when it comes to a real life example i have difficulty understandig what someone could do with it since i assume it only has effect at client side. they use a form and say that <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> ... </form> They give as example that someone could do the following: add <script>alert("XSS HERE");</script> But i don't see how that would have effect to anyone except for the one that inserts that. Could someone maybe explain this a little to me.

you might want to look in the regex forum the right regex can be found there with thanks to Crayon Violent http://www.phpfreaks.com/forums/php-regex/feeling-a-little-stupid/

hehe i am glad i have soft walls

hehe your awesome! I already thought that would be the name of it (because you mentioned it sneaky in the post above this one), just landed on this page:http://www.regular-expressions.info/lookaround.html Never heard of it, but it sure look nice. Thanks a lot for the help Crayon, and thanks for showing the array filter way. never seen that either. Bookkmarked it Cheers!

hehe i just did the following with using the weird stuff in the bracktes and it seems to work. '~^(?=.*[^a-zA-Z])(?=.*[a-z])(?=.*[A-Z]).{5,20}$~' anyone know how i may interpret ?=.* kinda hard to google for it

thanks alot Crayon Violent, hehe i made this for someone else, wasn't my idea to be that user unfriendly oh I didn't forget that someone could have ie. Aa!aAb1 that's why i got here, because i wasn't able to figure out how to match also that. but the function you madecould you maybe review my comment? because i hoped it was easy to do with a single pattern. function validatePassword($password) { preg_match_all('~([a-z])|([A-Z])|([^a-zA-Z])~',$password,$matches); if ( (count(array_filter($matches[1]))>1) && //if part 1 has more than 1 occurences: part is the stuff between () (count(array_filter($matches[2]))>1) && //if part 2 has more than 1 occurences (count(array_filter($matches[3]))>1) //if part 3 has more than 1 occurences ) return true; return false; } // end validatePassword -edit: oh i just looked in a regex library and i saw someone using this (?=.*[a-z]) where i am particularry interested in ?=.* i have a feeling this could help with the above in some way. look this is wwhat someone made ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$

Hi all, i just helped someone in the php part with a form to check if a password contains some stuff (2 Uppercase 2 lowercase 2 special character or number). so i reccomended to use regex and came up with the following, but it seems it requires that exact same order so not perfect. preg_match('~[A-Z]{2,}[a-z]{2,}[^a-zA-Z]{2,}~',$password) I thought when leaving out the ^ at the start and $ at the end the order wouldn't matter, but it seems it does. any ideas?

there is a slight error in my regex because it reuires that exact order but i hope you get the idea.

maybe try this out i used regular expresions for it. <body> <?php if (isset($_POST['submit'])&& !empty($_POST['password'])){ // simple check if pressed submit and value of password is not empty $password = $_POST['password']; //assign value of form value to php variable if(preg_match('~[A-Z]{2,}[a-z]{2,}[^a-zA-Z]{2,}~',$password)){ //atleast 2 uppercase 2 lowercase 2 special character or number echo 'nice password'; }else{ echo 'password must contain bla bla bla'; } }else{ echo 'enter a password'; //default message } ?> <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post"> <input type="text" name="password" value="" /> <input type="submit" name="submit" value="submit" /> </form> </body> the nice thing about regular expression is is that you can also use them exactly the same in javascript to give some extra cool realtime validation (but that's just as an extra, never rely on client side validation)

maybe also have a look in regex (regular expressions, whole section in the forum dedicated to it) it's a bit more advanced but i am pretty sure i needs less coding and might even be faster.

I tried to connect to a remote database earlier, and it seemed the host didn't allow external database connection. Maybe look if that is even allowed.

hehe i would love to see that lock when it's done although it's not very secure

banning people by computer is impossible at least i hope, because if not it would also be an extreme privacy breach. Did you try anything like a captcha or stuff? What maybe also is a solution is to verify accounts. if an account is verified there posts become visible and otherwise they need moderation. I pretty much assume, that ones the bad guys see their post are not shown at all, they will find another victim. besides that normal users can have a verified sign on there account which might even make them happy. This last solution might seem pretty intensive, but it wont give spammers the opportunity to get free marketing.

welcome little brother

Thanks a lot Nightslayer! That sure helped me understand it more, I had a feeling about that last part. glad you confirmed it. I must have overlooked the regexpression, i normally see that. good I learned a new thing \b. Cheers!

Hi all, i am using a little snippet to mimic the hover effect to other elements than A for IE 6 and lower. But since i am a complete noob in javascript i thought i ask some guru's what is happening here. The code is part of the suckerfish menu script. I made some comments in the script of what i think that happends. but i am not sure. its a wild uneducated guess. sfHover = function() { //declare function var sfEls = document.getElementById(“nav”).getElementsByTagName(“LI”); //assign variable sfEls with the //value of <LI> element in a menu with id #nav for (var i=0; i sfEls[i].onmouseover=function() { this.className+=" sfhover"; // looks like a classname is assigned on mouseover to the LI inside #nav? } sfEls[i].onmouseout=function() { this.className=this.className.replace(new RegExp(" sfhover\b"), ""); // no idea what \b means } } } if (window.attachEvent) window.attachEvent("onload", sfHover); // no idea either Any explanation would be great, since i rather not implement snippets i don't fully understand.

Just to make sure, even if you use pdo or mysqli_real_escape_string. Keep in mind that garbage in means garbage out. So make sure you also sanitize on output. And i am not sure if i am correct but mysqli_real_escape_string only makes 1 call to the database, where pdo, make 2 calls. Which is a bit much for a simple non returning select query. This is what the friends of google give: http://stackoverflow.com/questions/3101307/mysqli-prepared-statements-and-mysqli-real-escape-string