birbal
Members
Posts: 2,543

Everything posted by birbal

  1. birbal

    session start

    It is done by setting another cookie using setcookie(), where you can set the lifespan of your cookie. That cookie will hold a hashed key of mixed data like username, the time it was set, partial password etc., but the hash should have a different value from the hashed password. In the database you will have two columns, one for that remember-me token and one for the timestamp of when it was set. In your login script you will check if the user is logged in or not. If not, then you will look for the existence of the cookie; if it does exist, query the value in the database and pull the timestamp of the token. You will then compare the timestamp with the current timestamp; if it is within a certain amount of time, make your user authenticated. When the user logs out make sure to delete the tokens in the database and also the cookies. The link you just read has information about the risks of using a persistent cookie for authentication. It is just like a password, still it is risky against cookie theft. Our browser has by default a feature called "remember me" which serves the purpose well with better security. http://php.net/setcookie
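    The flow the post describes (issue a token cookie, store the token with a timestamp, check the age on the next visit, delete everything on logout), written out as an added example; this is not birbal's code or anything from the thread. It assumes PHP 7.3 or later, an existing PDO connection in $pdo, and a hypothetical table remember_tokens(user_id, token_hash, created_at). One deliberate difference from the post: the cookie carries a random token rather than a hash built from the username and partial password, and only the SHA-256 of that token is stored, so a copy of the table gives an attacker nothing to replay.

```php
<?php
// Added example (not birbal's code): "remember me" cookie with a server-side
// token table. Assumed (hypothetical) schema:
//   remember_tokens(user_id INT, token_hash CHAR(64), created_at INT)
// $pdo is assumed to be an open PDO connection.

const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 30 * 24 * 3600; // 30 days, in seconds

// Called after a successful password login when the user ticked "remember me".
function issue_remember_token(PDO $pdo, int $userId): void
{
    // A random token instead of a hash of username/partial password: it tells
    // nothing about the credentials if the table or the cookie leaks.
    $token = bin2hex(random_bytes(32));
    // Only the hash is stored, so reading the database is not enough to forge the cookie.
    $hash = hash('sha256', $token);

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, created_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, $hash, time()]);

    // user id in the cookie makes the lookup a primary-key read;
    // HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP.
    setcookie(REMEMBER_COOKIE, $userId . ':' . $token, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called on each request when $_SESSION holds no logged-in user.
// Returns the user id to authenticate, or null when the cookie is absent/invalid/expired.
function user_from_remember_cookie(PDO $pdo): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie: treat as not logged in
    }
    [$userId, $token] = $parts;

    $stmt = $pdo->prepare(
        'SELECT token_hash, created_at FROM remember_tokens WHERE user_id = ?'
    );
    $stmt->execute([(int) $userId]);
    $presented = hash('sha256', $token);

    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // hash_equals() compares in constant time.
        if (hash_equals($row['token_hash'], $presented)) {
            // The timestamp check from the post: still inside the allowed window?
            if (time() - (int) $row['created_at'] <= REMEMBER_LIFETIME) {
                return (int) $userId;
            }
            forget_remember_token($pdo, (int) $userId); // expired: clean up both sides
            return null;
        }
    }
    return null;
}

// Called on logout: remove the database tokens and the cookie, as the post says.
function forget_remember_token(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

    Call issue_remember_token() right after the password check succeeds, user_from_remember_cookie() at the top of the login check when the session is empty, and forget_remember_token() from the logout handler; a token that validates but is older than the lifetime is deleted rather than silently ignored.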
  2. Is the password encrypted in the same way at the time of registration as you are doing at login? Both have to be encrypted in the same way.
  3. birbal

    session start

    No, it does not include tabs. A session works with each process the browser starts. Closing a tab does not close the process; closing the browser does.
  4. Use braces to group the condition:

      SELECT * FROM members WHERE (nick='$username' OR email='$username') AND password='$password'

    When in doubt, basic database debug techniques apply, like printing the query, using mysql_error() like niche said, and mysql_num_rows() to get the returned rows. If the query is successful that does not always mean it is returning rows.
  5. birbal

    I'm befuddled

    Third-party domain data can't be fetched using ajax (the JavaScript example you have posted) because of the 'same domain policy'. If you have the XML file in your own domain you can do an ajax request to get it and format it using JS. Otherwise the only option you have left is using a server-side language like PHP.
  6. Validation is the first and basic security step regardless of SQL injection. preg_replace() replaces a string by regular expression; you should use preg_match() http://php.net/preg_match for validation. preg_replace() is usually used in filtering. In such a simple case like an integer check it is better to use ctype_*() http://php.net/ctype_digit. Regular expressions are resource costly and should be avoided where possible in simple cases, until you need the power of regex. Particularly for protecting from SQL injection we have posted the information and methods and links http://w3schools.invisionzone.com/index.php?showtopic=44735&view=findpost&p=248938 http://w3schools.invisionzone.com/index.php?showtopic=44735&view=findpost&p=248931 to resources.
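    The difference the post draws between validating with ctype_digit()/preg_match() and filtering with preg_replace(), run over the same inputs. This is an added example, not code from the post; the username rule it enforces (3 to 20 characters, letters/digits/underscore, starting with a letter) is an assumption made for the example, not a policy from the thread.

```php
<?php
// Added example (not from the post): validating versus filtering the raw
// strings that arrive in $_GET / $_POST. Nothing here touches a database.

// Integer id as it arrives from a form: always a string, never cast first,
// because ctype_digit() on an int treats it as an ASCII code instead.
function is_valid_id(string $raw): bool
{
    // ctype_digit() is true only for a non-empty string of ASCII digits,
    // so " 12", "-1", "1e3" and "" are all rejected. Leading zeros and
    // absurd lengths are rejected here too.
    return ctype_digit($raw) && $raw[0] !== '0' && strlen($raw) <= 10;
}

// Username rule (assumption for this example): 3-20 chars, [a-z0-9_],
// first char a letter.
function is_valid_username(string $raw): bool
{
    // preg_match() gives a yes/no answer. \A and \z anchor to the real
    // start and end; with $ alone a trailing newline would be accepted.
    return preg_match('/\A[a-z][a-z0-9_]{2,19}\z/i', $raw) === 1;
}

// The filtering approach the post warns against for validation, kept for
// contrast: it silently turns "12abc" into "12" and " 1 2 " into "12", so the
// caller never learns that the input was bad.
function strip_to_digits(string $raw): string
{
    return preg_replace('/\D+/', '', $raw);
}

// Constructed sample inputs.
$ids = ['42', '007', ' 12', '-1', '1e3', '', '12abc'];
foreach ($ids as $s) {
    printf("%-9s valid:%-6s stripped:%s\n",
        var_export($s, true),
        is_valid_id($s) ? 'yes' : 'no',
        var_export(strip_to_digits($s), true));
}

$names = ['alice', 'bob_99', '9lives', 'ab', "alice\n", 'a-b'];
foreach ($names as $n) {
    printf("%-10s username valid:%s\n", var_export($n, true),
        is_valid_username($n) ? 'yes' : 'no');
}
```

    Only '42' passes is_valid_id(); '007' fails on the leading zero while strip_to_digits() happily returns '12' for both ' 12' and '12abc'. Rejecting bad input outright, then using prepared statements for the query, is the combination the thread recommends.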
  7. Heredoc works like double quotes. As everything inside double quotes is treated as a string you can't use any expression or code block there, but it can resolve variable names. {} curly braces are called interpolation when used inside string context with a variable. To resolve an array element they have to be inside curly braces. More about them here: http://php.net/language.type.string To test whether it is set or not you have to do it outside the heredoc.
  8. Take the form definition outside of the loop. Generate the item list with radio buttons with the items' data inside the while loop, so people can use one form for any arbitrary number of list items. You can also set a button to loop through each radio button and mark them selected using JS DOM operations, which will act like a "select all" button.
  9. Prior to PHP 5.4 E_ALL does not include E_STRICT, so passing E_ALL is sufficient to suppress strict errors, and after PHP 5.4 E_ALL^E_STRICT will suppress strict errors. 'display errors' is for displaying errors; it will still generate errors depending on the error reporting level but it won't show them in the browser, and at the same time if the error log is enabled they will be logged into that file. People disable display errors on production servers to stop showing errors publicly; instead of that they log every level of error in a file.
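    The two setups the post contrasts (errors shown in the browser for development, errors logged but hidden for production) as an added example, not code from the post. The log paths and the APP_ENV environment variable are placeholders chosen for the example.

```php
<?php
// Added example (not from the post): error reporting bootstrap. Put this at
// the top of the application's front controller, or use the equivalent
// php.ini directives. Paths and APP_ENV are placeholders.

function configure_errors(bool $production): void
{
    // Report every level in both modes; what changes is where errors go.
    // (Before PHP 5.4, E_ALL did not include E_STRICT, as the post notes.)
    error_reporting(E_ALL);

    if ($production) {
        // The weak setting would be display_errors=1: file paths, SQL fragments
        // and stack traces would be sent in the HTML to every visitor.
        ini_set('display_errors', '0');
        ini_set('log_errors', '1');
        ini_set('error_log', '/var/log/php/app-errors.log'); // placeholder path
    } else {
        ini_set('display_errors', '1');
        ini_set('log_errors', '1');
        ini_set('error_log', '/tmp/php-dev-errors.log'); // placeholder path
    }
}

configure_errors(getenv('APP_ENV') === 'production');

// Still generated and logged in production; only the browser output differs.
trigger_error('example notice', E_USER_NOTICE);
```

    With APP_ENV=production the notice appears only in the log file; without it, the same notice is printed to the page as well, which is the behaviour the post describes.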
  10. You can also do that in the mysql console or use a friendly, convenient application like phpMyAdmin. Creating tables and databases is usually done outside the PHP script.
  11. birbal

    PHP version support

    Sorry, made a typo there. Here is the one: http://owasp.org Another one from the PHP official site: http://in3.php.net/manual/en/security.php
  12. The mysql API is obsolete; it is for the previous MySQL engine. mysqli (i for improved) is for newer engines.
  13. Don't trust user inputs $_GET, $_POST, $_COOKIE. Filter/sanitize user inputs. Use mysqli_real_escape_string() or, better, prepared statements. More info: http://in3.php.net/m...ty.database.php http://in3.php.net/m...l-injection.php http://in3.php.net/m...y.variables.php
  14. You are adding the event listener inside the callback itself. Put it outside of the callback cordinate(). Inside cordinate() just use the behaviour of the event. Add the event listener to the wrapper div and delegate events rather than appending an event on each child div. If you want to add more divs on mouseover just create and append them in cordinate(); they will be delegated to the mouseover event automatically as the parent wrapper div is bound to the mouseover event. The second example in post 8 is an example of "event delegation"; you can google more on the topic to get more information.
  15. You don't need to open the same topic in different forums. Posting it in the relevant forum is enough to get it answered.
  16. It seems like you are using the CODE constant (the right word is constant, not fixed variable) in string context. Showing the code will be helpful.
  17. ++y is pre-increment, meaning it will increment first and then assign. In this case x=++y means it will first add 1 to y and then assign the value to x, so y and x will both be 6. The opposite is y++, where the assignment will be first and the increment later (post-increment). So with x=y++, y will be assigned first, which is 5, so x is 5, and after that y will increment by 1 so it will be 6.
  18. You can use http://php.net/empty for that. You may also want to look into these: http://php.net/isset http://php.net/strlen
  19. In JS lines are terminated automatically on a new line, so it is not a must to terminate expressions explicitly. But it is best practice to terminate expressions and you should do it.
  20. Like this:

      newNode = div.appendChild(newAddition);
      newNode.addEventListener("mouseover", function(evt){ cordinate(evt); }, false);

      echo '<div id="wrapper" style="float:left;width:600px;margin:0px">';
      echo '<div onmouseover="coordinates(event)" id="div1" style="float:left;height:200px;width:500px;margin:0px 0px 10px 0px;background:aqua;"></div>';
      echo '<div onmouseover="coordinates(event)" id="div2" style="float:left;height:200px;width:500px;margin:0px 0px 10px 0px;background:aqua;"></div>';
      echo '<div onmouseover="coordinates(event)" id="div3" style="float:left;height:200px;width:500px;margin:0px 0px 10px 0px;background:aqua;"></div>';
      echo '<div onmouseover="coordinates(event)" id="div4" style="float:left;height:200px;width:500px;margin:0px 0px 10px 0px;background:aqua;"></div>';
      echo '</div>';

    As all elements inside the wrapper div are triggering the same event it is better to delegate the event. You can bind an event listener to the wrapper div itself and then test the childNodes; if one matches, execute some function.

      newNode = document.getElementById("wrapper");
      newNode.addEventListener("mouseover", function(evt){
          // tagName is reported in upper case for HTML elements, so compare case-insensitively
          if (evt.target.tagName.toLowerCase() == 'div') cordinate(evt);
      }, false);
  21. birbal

    PHP version support

    Yes, it is ok. But testing locally would be better, especially if your site is a running site. mysql_real_escape_string() is good but prepared statements are the most secure option to prevent SQL injection. SQL injection is not the only way; there are many other exploits, you can read about them here http://owsap.org
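    The login query from post 4, with the parentheses it recommends, rewritten as the mysqli prepared statement that posts 13 and 21 recommend over escaping. This is an added example, not birbal's code or anything from the thread. It assumes a members table with columns id, nick, email and password_hash (a password_hash() result), a mysqli build with mysqlnd so that get_result() is available, and the placeholder connection details shown; it also goes one step beyond the thread by checking the password in PHP with password_verify() instead of comparing it inside the SQL.

```php
<?php
// Added example (not birbal's code): login lookup as a prepared statement.
// Assumed (hypothetical) schema: members(id, nick, email, password_hash).
// Connection parameters are placeholders.

$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'app_db');
if ($db->connect_errno) {
    error_log('DB connect failed: ' . $db->connect_error); // log, never echo
    exit('Service unavailable');
}
$db->set_charset('utf8mb4');

// The thread's string-built query, kept only for contrast (do not use):
//   "SELECT * FROM members WHERE (nick='$username' OR email='$username')
//    AND password='$password'"
// A quote character inside $username becomes part of the SQL text there;
// with a bound parameter the value never reaches the parser as SQL.

function find_member(mysqli $db, string $username, string $password): ?array
{
    // Parentheses keep the OR inside the name check so AND applies to it as a whole.
    $sql = 'SELECT id, nick, password_hash FROM members
            WHERE (nick = ? OR email = ?) LIMIT 1';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error); // the mysqli_error() check from post 4
        return null;
    }
    $stmt->bind_param('ss', $username, $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matched
    $stmt->close();

    // A query that ran without error is not the same as a matching row (post 4).
    if ($row === null) {
        return null;
    }
    // Password verified against the stored hash in PHP, not compared in SQL.
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

$member = find_member($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($member === null) {
    exit('Invalid login'); // same message for unknown user and wrong password
}
echo 'Welcome, ', htmlspecialchars($member['nick'], ENT_QUOTES, 'UTF-8');
```

    The same username value is bound twice because the WHERE clause has two placeholders; mysqli does not support named parameters. Returning one generic failure message for both "no such user" and "wrong password" avoids telling a caller which accounts exist.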
  22. here you go http://w3schools.com/js
  23. The first line is calling the method getElementById() of the document object, which returns a node, which is stored in demoP. innerHTML is an attribute of demoP. Attributes are accessed by the dot operator.