The session ID is definitely vulnerable, if that's what they were referring to. Did they also mean session data is vulnerable to network threats? (Note that even with HTTPS, session data is potentially vulnerable to local threats.) If so, I'm very much interested in what the exploit is. That...
It's rather hard to figure out what's going wrong with something sight-unseen. What's the XML source for the gallery? What's your site layout? You should also give the URL for one of the pages in question, rather than for the site at large.
The two most common reasons for images not loading...
Just a heads-up: the old mysql driver is quite outdated and has been supplanted twice over. Especially if you're creating a new site, switch to the newer PDO driver. Among its advantages is support for prepared statements, which do away with most SQL injection vulnerabilities. If you want a...
There is an error in my original ensure_password_requirements. The line:
$authInfo['password'] = hash($authInfo['hash'], $authInfo['salt'] . $pw);
should be:
$authInfo['password'] = hash($authInfo['hasher'], $authInfo['salt'] . $pw);
Note the key 'hash' should be 'hasher'.
Other than that...
Try open source clients, such as mpop and libEtPan. You may also wish to read "Best Practices for Implementing an IMAP Client". Web searches will turn up many more. Just make sure your anti-spam software isn't tied to any one implementation. You should be able to get it to work with Python, for...
That's because
Add a login-successful notice to see that it's working. Here's a minor rewrite with support for salt (you'll also need to alter the database), though many of the tasks (authorization, db↔user mapping, password security requirements) should be refactored into separate classes...
Nope. IE once used extensions to determine content type (newer versions should be correcting this), and other browsers might as a fallback in case there is no Content-type header, but other than that file extensions don't matter. The only thing that should affect caching are HTTP headers.
That's what everyone wants to know, and there isn't an answer, as far as I can tell. Others have removed magic quotes with no ill effect, though it's possible that some plugins (or even the core) rely on magic quotes to sanitize data. Only a code audit could tell for certain. You could run an...
The topic has been covered many times before. The short version: you can't disable magic quotes on the free hosts (if that's where your site is), you can only undo them (which should have minimal impact on response times).
<?php // normal_quotes.php. Include this once in any script that needs...
Note that if using PHP, you can only check the image size after the upload, which may work fine for your purposes. If you need to check before uploading, you'll need something special client side, such as a Flash uploader.
Note that the block is only on the free hosts (due to abuse by phishers and other ne'er-do-wells). If the site is commercial, consider paid hosting, which allows outgoing connections to port 80, as well as being more performant.
As for closing the thread, an admin will have to do it. (it should...
The test authentication page generates no content on successful login, which is why you see none. The error messages show up in the source view because the page is re-retrieved with a GET. Use your browser's DOM inspector to view the live page structure rather than view source.
In short, the...
They're also (as stated before) outdated, inaccurate and incomplete, and that's not just my opinion.
Note the particular post you replied to is 4 1/2 years old. I very much doubt Randomize is still looking for resources to learn PHP.
GET makes session fixation and the like easier (as an attacker can create a link that includes GET data, whereas POSTed data requires a form), but that's about the only difference when it comes to security. The real difference is semantic: GET should be a safe method (in this context, "safe"...
There's no way to do this securely, as the hidden inputs require that you store credentials in plaintext somewhere. Even if it's only on a user's own computer, it isn't safe. Other techniques where you take responsibility for automatic login (e.g. store credentials in a database, log in from...
Please use [php], [html] or [code] tags (as appropriate) to separate and format code.
Take a look at the manual. Assuming the sample code is representative, left and right double quotes aren't valid quote characters. You can only use neutral single and double quotes, along with heredoc and...
The self-unsuspend went through (sometimes, these things just take a little time). As for the cause, WP is a resource hog, even without plugins. If it continues to be a problem, you might want to try a different blogging package.