ttocskcaj

Yea, I had a closer look at the logs, and removed the bad stuff. I believe it was XSS. I'm just more curious what those two strings do?

Our admin panel for a gaming community was recently hit by a successful MySQL injection attack. Here are the parameters they entered into forms to gain access. ${99319+100354} <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "http://testphp.vulnweb.com/dot.gif"> ]> <xxx>&acunetixent;</xxx> Not sure which one worked, or how they even managed to POST to that page. But how do these two strings work? What do they do?

Yup I did realise that haha. But that doesn't matter since ini_set() is called every time a page is loaded anyway. I think we're going to move to PDO anyways.

Yup. It's a forum CMS. So it supports different styles (the name of the style is a constant already ) There's a language class, that stores all the language strings in an array. Including, eventually, error messages etc. If that's what you're meaning. Having different language strings in constants might not work, because there may be hundreds, even thousands of them. That's lots of constants to define and keep track of..

Refer to this sticky: http://www.phpfreaks.com/forums/index.php?topic=126354.0 It's about the Call to undefined function mysql_connect() error.

My queries are mostly like this: SELECT * FROM `" . DB_PRE . "messages`... where DB_PRE is the prefix for table names defined in the config file. So I shouldn't have any need to table name constants. But I see your point. I've discovered that if I run mysql_connect() at the start of execution, the connection stays available in objects and stuff anyway, so I really only need to do mysql_connect() once. Correct?

In MVC type architecture, is it safe to do this ini_set("mysql.default_host"$mysql_host); ini_set("mysql.default_user",$mysql_user); ini_set("mysql.default_password",$mysql_pass); in my index.php file. Then, every time time I do a query in a model, mysql_connect(); // MySQL connects using the default values from the ini_sets we did. mysql_query($query); mysql_close(); The reason behind this, would be to avoid passing database variables to objects/models etc or defining constants. Maybe there's a better way? I'm looking into database abstraction.

Is there no such thing as a company that provides just database hosting without having to buy a whole hosting package (http, php, domain etc)? I've tried searching and found nothing