Everything posted by Equinox
-
I'm just saying, I don't quite understand why sprintf() has been listed when it formats a string. The person may go and read that, not fully understand it and think just by sprintf()'ing a string that it's secure.
-
$var = +27836; echo 'Var = '.$var; // 27836
$var = +27836; echo sprintf('Var = %d', $var); // 27836

My results when tested. Well, actually, this is what I used.

<?php
$var = +445566;
echo 'Var = '.$var;
echo ' '.sprintf('Var = %d', $var);
-
No problem
-
You need to declare the database variable within the function.

function Test() {
    $db->query("SELECT blah FROM blah");
}

becomes

function Test() {
    global $db;
    $db->query("SELECT blah FROM blah");
}

EDIT: You posted before me, so here:

function cmarket_index() {
    global $ir, $c, $userid, $h, $db;
    print "
    Viewing all listings...
    <table width=100% border=6>
    <tr style='background:black'>
    <th>Seller</th>
    <th>Car</th>
    <th>Acceleration Level</th>
    <th>Handling Level</th>
    <th>Speed Level</th>
    <th>Shield Level</th>
    <th>Price</th>
    <th>Links</th>
    </tr>";
    $q = $db->query("SELECT cm.*, u.*, ct.* FROM carmarket cm LEFT JOIN users u ON u.userid=cm.cmADDER LEFT JOIN cars_types ct ON ct.carID=cm.cmCAR ORDER BY cmPRICE ASC", $c);
    while ($r = $db->fetch_rows($q)) {
        if ($r['cmADDER'] == $userid) {
            $link = "[url='carmarket.php?action=remove&ID={$r[']Remove[/url]";
        } else {
            $link = "[url='carmarket.php?action=buy&ID={$r[']Buy[/url]";
        }
        print "\n<tr>
        <td><a href='viewuser.php?u={$r['userid']}'>{$r['username']}</a> [{$r['userid']}]</td>
        <td>{$r['carNAME']}</td>
        <td>{$r['cmACC']}</td>
        <td>{$r['cmHAN']}</td>
        <td>{$r['cmSPD']}</td>
        <td>{$r['cmSHD']}</td>
        <td>\$".number_format($r['cmPRICE'])."</td>
        <td>[$link]</td>
        </tr>";
    }
    print "</table>";
}
-
Yes it formats a string? But it's still useful to use when securing... I don't see why you have even bothered to post? Not once did I say use htmlentities on everything... The topic creator did not specify what they actually wanted to do so I provided a small list of some PHP security functions they could explore. Anyhow, back to the topic. I forgot to include the security tut link: http://makewebgames.io/board881-security-tutorials/ I'd also recommend reading this tutorial first: An introduction to security

It was an example, you've listed htmlentities() as one of the functions to learn, and you just know that someone will read that, refer to their code and WHAM, they are back here asking for help because nothing works, as they've used it on absolutely everything. And how is sprintf() useful when securing? I have nothing against using it, but please explain your theory.
-
I didn't, no. Y'all are welcome to it if I can dig it up.
-
Provide more details, please
-
"Licensing This chat script can be used for free under GPL-style license for non-commercial purposes. For commercial purposes, please purchase a license." And yes, I have done this already, I edited the script heavily. I think Danny was the person who watched me develop with it and help me test it.
-
Why sprintf() - all it does is format a string. You can't just give a list of what to learn, different code would require a different way of being escaped. Just like, I wouldn't use htmlentities() on everything, I want people to be able to provide links, and basic HTML, but still leaving it un-escaped leaves my script vulnerable, your list doesn't help me with this ;(
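The sprintf() question argued back and forth in this thread, worked through as an added example (not code from any of the posts above). It assumes PDO with an in-memory SQLite database so it runs offline; the users table, its rows and the hostile input string are constructed sample data. The point it shows: %d is useful only because it casts the argument to an integer, %s formats and escapes nothing, and a bound parameter avoids the whole issue.

```php
<?php
// Added example: what sprintf('%d') does and does not buy you when building SQL.
// Assumes the pdo_sqlite extension; everything below is constructed sample data.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, money INTEGER)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 100), (2, 'bob', 200), (3, 'carol', 300)");

// Constructed input as it might arrive in $_GET['id']: a number with SQL appended.
$hostile = '2 OR 1=1';

// 1. Plain concatenation: the appended clause becomes part of the query.
function byConcat(PDO $pdo, string $id): array
{
    $sql = 'SELECT userid FROM users WHERE userid=' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. sprintf with %d: the argument is converted to int first, so only the
//    leading digits survive ('2 OR 1=1' becomes 2, '+27836' becomes 27836).
function byIntFormat(PDO $pdo, string $id): array
{
    $sql = sprintf('SELECT userid FROM users WHERE userid=%d', $id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. sprintf with %s: pure string formatting, no escaping at all. This is
//    exactly as exposed as case 1, which is why "use sprintf()" on its own
//    is not security advice.
function byStringFormat(PDO $pdo, string $id): array
{
    $sql = sprintf('SELECT userid FROM users WHERE userid=%s', $id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Prepared statement with a typed bound value: the input never becomes
//    part of the SQL text, for integers and strings alike.
function byPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT userid FROM users WHERE userid=:id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

printf("concat:       %s\n", implode(',', byConcat($pdo, $hostile)));
printf("sprintf %%d:   %s\n", implode(',', byIntFormat($pdo, $hostile)));
printf("sprintf %%s:   %s\n", implode(',', byStringFormat($pdo, $hostile)));
printf("prepared:     %s\n", implode(',', byPrepared($pdo, $hostile)));

// The caveat with %d: it silently truncates rather than rejecting bad input.
// Validate first if '12abc' or 'abc' should be an error instead of 12 or 0.
foreach (['+27836', '12abc', 'abc'] as $raw) {
    printf("%%d of %-8s => %s\n", var_export($raw, true), sprintf('%d', $raw));
}
```

Run it with `php example.php`. Cases 1 and 3 return every userid because the `OR 1=1` survives into the query; case 2 returns only user 2 because the int conversion drops everything after the digits; case 4 also returns only user 2 and works the same way for string columns, where %d is no help.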
-
It's not going to be MC at all. :)
-
Thanks for the great review, just one thing, it's Peter & Equinox :p
-
Well, if you do..... I own a hosting site alongside Peter who's on MWG, I wouldn't mind some feedback as you do good, in-depth reviews ;) Link
-
Shame you only do portfolio and game site reviews.
-
I would prefer to use cases here.
-
Overusing isset() and using it wrongly. Has no one else noticed (isset($_GET['id'] != "")) ?
-
lol. I really laughed out loud. So....you're not being serious?
-
I'm never sure if you're being serious or not, but anyway.

function userLogin() {
    global $db;
-
Why do they have to use sprintf() and mysql_real_escape_string() to be considered a 'good coder'? Most people on this forum hate sprintf()......They are convinced it'll slow your site down so much it'll just stop.
-
Don't jump to conclusions
-
It's already been established that the 'fix all holes in mccodes' header code is the reason this doesn't work. /thread
-
I have a few ideas for names you could have that match your personality, but then reading this topic has made me see kids view the forums. Best not mention the names.
-
You don't need to cry about it.

if ($ir['events'] > 0) {
    echo '<b>Events ('.$ir['events'].')</b>';
} else {
    echo 'Events (0)';
}

Or

echo ($ir['events'] > 0) ? '<b>Events ('.$ir['events'].')</b>' : 'Events (0)';

Edited for the people who prefer ternary methods. I'm not sure if $ir['events'] is correct however.
-
Obviously it's a browser, I'm not stupid. I'm just saying I don't like it and don't consider it a 'real' browser. Not something I would choose, yet you're correct, the problem still needs to be fixed. Otherwise the 10 people that do use it may not be attracted to MWG. (Yes, I know it doesn't really have 10 users)