
iSOS
Everything posted by iSOS
-
One thing I see wrong is no sanitizing of the "$_POST['notepad']", other than that it's okay.
-
That's how I would have done it, but then I couldn't pull the "I haven't changed anything" line xD @SHAD The query would be secure because you're not using any data that could be corrupted; if you're using variables with un-validated data then that would be insecure and you'd need to 'secure' them using the correct functions. People tend to use sprintf() as a preference; yes, it formats and does not secure, as so many people here think, but it can come in handy.
-
mysql_query("UPDATE users SET testing=testing-10 WHERE userid=$userid",$c); That's how I'd secure it without using sprintf(), wait I haven't changed anything! "sprintf()" doesn't secure a query!
-
Try this.

<?php
mysql_connect("localhost", "******", "***********");
mysql_select_db("*************_udata");

// If registering, check fields.
if (isset($_POST['user'], $_POST['pass'], $_POST['email'], $_POST['vpass'])) {
    if (empty($_POST['user']) || empty($_POST['pass']) || empty($_POST['email']) || empty($_POST['vpass'])) {
        echo 'You must fill out all fields.';
        exit;
    }

    // Escape every posted value before it is placed inside a query string.
    $user  = mysql_real_escape_string($_POST['user']);
    $email = mysql_real_escape_string($_POST['email']);
    $pass  = mysql_real_escape_string($_POST['pass']); // stored as posted; hash before storing in production

    // Check if the username already exists in the database.
    $sqlmembers  = mysql_query("SELECT user FROM udata WHERE user = '$user'");
    $name_checkk = mysql_num_rows($sqlmembers);
    if ($name_checkk != 0) {
        die('Sorry, the username: <b>' . htmlspecialchars($_POST['user']) . '</b> is already taken, please pick another one.');
    }

    // Check that the passwords match.
    if ($_POST['pass'] != $_POST['vpass']) {
        print "The passwords do not match.";
        exit;
    }

    // Insert the new user.
    mysql_query("INSERT INTO udata (user, pass, email) VALUES ('$user', '$pass', '$email')") or die(mysql_error());
    print "You are now registered.";
}
?>
<form action="" method="post" name="form2" id="form2">
<table>
<tr><td>Username:</td><td><input type=text name=user></td></tr>
<tr><td>Email:</td><td><input type=text name=email></td></tr>
<tr><td>Pass:</td><td><input type=password name=pass></td></tr>
<tr><td>Verify Pass:</td><td><input type=password name=vpass></td></tr>
<tr><td colspan=2 align=center><input name="Submit" type="submit" class="submit" value="Register!" /></td></tr>
</table>
</form>
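The registration code above and the sprintf() discussion two posts up both come down to the same point: a query is only safe when untrusted values are passed as parameters rather than pasted into the SQL text. As an added example (not iSOS's code or mccodes code), here is the same registration logic written with PDO prepared statements. It uses an in-memory SQLite database so it runs offline; the DSN, table name and the `register()` helper are assumptions for this example.

```php
<?php
// Added example: registration checks with PDO prepared statements. Assumed setup:
// an in-memory SQLite table named udata (swap the DSN for MySQL in practice).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE udata (user TEXT PRIMARY KEY, pass TEXT NOT NULL, email TEXT NOT NULL)');

/**
 * Register a user from a $_POST-shaped array.
 * Returns an error message, or null when the user was created.
 */
function register(PDO $db, array $post): ?string
{
    foreach (['user', 'pass', 'email', 'vpass'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return 'You must fill out all fields.';
        }
    }
    if ($post['pass'] !== $post['vpass']) {
        return 'The passwords do not match.';
    }

    // Username check: the value is bound as a parameter, never concatenated,
    // so quotes or SQL keywords inside it are treated as plain data.
    $stmt = $db->prepare('SELECT COUNT(*) FROM udata WHERE user = ?');
    $stmt->execute([$post['user']]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'Sorry, that username is already taken, please pick another one.';
    }

    // Insert with named parameters; store a password hash, not the password.
    $stmt = $db->prepare('INSERT INTO udata (user, pass, email) VALUES (:user, :pass, :email)');
    $stmt->execute([
        ':user'  => $post['user'],
        ':pass'  => password_hash($post['pass'], PASSWORD_DEFAULT),
        ':email' => $post['email'],
    ]);
    return null;
}

// Constructed sample input: an apostrophe in the username would break a
// string-built query, but is stored verbatim when bound as a parameter.
$sample = ['user' => "O'Brien", 'pass' => 'hunter2', 'email' => 'ob@example.com', 'vpass' => 'hunter2'];
echo register($db, $sample) ?? 'You are now registered.', PHP_EOL;
echo register($db, $sample) ?? 'You are now registered.', PHP_EOL; // second attempt: name taken
echo $db->query('SELECT user FROM udata')->fetchColumn(), PHP_EOL;  // stored exactly as entered
```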
-
if (isset($_POST['user']) && isset($_POST['pass']) && isset($_POST['email']) && isset($_POST['vpass'])) {
    if ((empty($_POST['user'])) || (empty($_POST['pass'])) || (empty($_POST['email'])) || (empty($_POST['vpass']))) {
        echo ('You must fill out all fields.');
        exit;
    }
-
All links are on 1 line for me :S
-
wow, you don't need to pay to get someone to install this. Just create a file called country.php & paste the code into the file. 0.o
-
$_SERVER['PHP_SELF'] alternative/vulnerability
iSOS replied to Zero-Affect's topic in Security Tutorials
I thought this was pretty common knowledge. xD It's a good post though and it will highlight the issue for other developers, good job! -
Looks good so far, keep us updated on further improvements. :P
-
The new episodes are immense. I'm in the UK, but I watch as soon as they're out in the US on a different website.
-
Wouldn't the 'coder' do that instead of you paying for it... 8|
-
<?php //This was made by Jordan-Pudda //I made this myself, anyone who uses this must of went on to my computer and got it. echo 'Yayyyyy Meeeeee'; ?> I'm posting your code, make my life hell lol
-
You have a team and a lawyer, yet you can't afford an $8 domain. Yeah, I smell bull****. I've looked at the site; I can see it's mccodes, the default authenticate exists, all the original JS is there. Go and take your bs somewhere else.
-
if(time() - $ir['laston'] < 259200) { Blah } That should probably work.
-
Haha, well I know now :whistling: Lol, cheers. It wasn't meant to be there; I just copied the query you posted and added, and obviously forgot to do that :L
-
Something like this should work for ya... mysql_query("SELECT GREATEST(`VALUE1`,`VALUE2`,`VALUE3`,`VALUE4`) AS `max` FROM `test`");
-
paranormal activity
iSOS replied to corruptcity || skalman's topic in Media Entertainment (FKA Tv Shows)
Ah, I've watched this as there was a lot of 'hype' surrounding the scariness of it. Well, I was disappointed lol, that's all I gotta say; Paranormal Entity was better. -
Is there an error? I've had some people say it works, and some not, so I don't know what's going on...
-
exif_imagetype() for example, also 'image_type_to_mime_type' I believe, as you can associate that with exact image types.
-
Just linking to scripts in general. It doesn't have to be an MC script; it could be a script that redirects you to another website, anything I guess.
-
I don't think he's actually talking about session hijacking in this instance, I believe it's more of a case of people linking to images, that aren't images. For instance using .htaccess to change .php into .gif, or linking straight to a URL, maybe changing yourself to an admin.
-
getimagesize() is a decent prevention method, but it only checks the first few bytes of the image, so anything after the first bytes is not validated & anyone with know-how can insert code into their images. Another method could be to just allow linking to *trusted* image hosts, imageshack etc. Or allow uploading of images. (IMO a lot better than linking to them as it allows more control over what's on your site.)
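The post above makes two points: a header check such as getimagesize() or exif_imagetype() only proves the first bytes look like an image, and accepting uploads gives you more control than hot-linking. As an added example (not iSOS's code or the forum's), here is an upload handler that uses the header check only as a first filter and then re-encodes the decoded pixels, so anything appended after the image data never reaches the stored file. It assumes the GD and exif extensions; `storeUploadedImage()` and the constructed demo file are this example's own.

```php
<?php
// Added example: validate an uploaded image, then re-encode it so only pixel data is kept.
// Assumes the GD and exif PHP extensions.

/**
 * Validate the file at $tmpPath as an image and write a clean PNG copy into $destDir.
 * Returns the server-chosen file name, or null if the upload is rejected.
 */
function storeUploadedImage(string $tmpPath, string $destDir): ?string
{
    // Step 1: magic-byte check. Like getimagesize(), this only inspects the header,
    // so it is a cheap filter, not the final decision.
    $type = @exif_imagetype($tmpPath);
    if ($type === false || !in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }

    // Step 2: decode the whole file. Anything GD cannot parse as an image is rejected.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // Step 3: write a fresh PNG under a random name with a fixed extension. The output
    // is generated from pixels, so bytes appended after the original image data are dropped.
    $name = bin2hex(random_bytes(16)) . '.png';
    $ok   = imagepng($img, rtrim($destDir, '/') . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Constructed demo input: a 2x2 PNG with extra text appended after the image data.
// In a real handler $tmpPath would be $_FILES['avatar']['tmp_name'] after is_uploaded_file().
$tmp = tempnam(sys_get_temp_dir(), 'up');
$src = imagecreatetruecolor(2, 2);
imagepng($src, $tmp);
imagedestroy($src);
file_put_contents($tmp, 'TRAILING-DATA-NOT-PART-OF-THE-IMAGE', FILE_APPEND);

$dest  = sys_get_temp_dir();
$saved = storeUploadedImage($tmp, $dest);
$clean = $saved !== null && strpos(file_get_contents("$dest/$saved"), 'TRAILING-DATA') === false;
echo $clean ? "stored $saved without the appended bytes" : 'rejected', PHP_EOL;
unlink($tmp);
```

Serve the destination directory as static files with script execution disabled; the re-encoding removes appended content, but the web server configuration is what stops a stored file from ever being run.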
-
ugh, I'm pretty sure that's the code that many people have problems with; I believe you get the 'warning' on a lot of pages you're not meant to. Also 'eregi' is deprecated, so you may need to change that to 'preg_replace'. But if you want to have the feeling of your site being 'un-hackable', go ahead lol.
-
The original post has been updated to include the link in the actual file, of course only to admins. =) Thanks. =)