php and security


jagguy
07-01-2007, 03:09 AM
Hi,

I am developing a website with login and password, session vars etc. The site allows uploads and downloads of small (<3mb) files and allows messages to be uploaded. Now I use mysql as well for all this storage.

q)What are some of the security concerns I haven't addressed?

q) what about this (I asked this before with no response) but it looks critical to my needs.

In the PHP manual it says:
Note: If you are not experienced with session programming it is not recommended that you use sessions on a website that requires high security, as there are security holes that take some advanced techniques to plug.

jagguy
07-01-2007, 06:29 AM
I found this article and I don't use cookies for now.

http://phpsec.org/projects/guide/4.html


As for security there are things here that baffle me like from this article above

I don't get why they ask for the password again. Is this on every page that uses sessions?

session_start();

if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        /* Prompt for password */
        exit;
    }
}
else
{
    $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}


my code is like
--
session_start();
// check before reading $_SESSION['uid'], otherwise an "Undefined index" notice is raised when nobody is logged in
if (!isset($_SESSION['uid']))
{
    header( "Location: http://localhost/school/test/login.php" );
    exit;
}
echo $_SESSION['uid'];

bluestars
07-01-2007, 08:26 PM
That code looks like it's checking to make sure the browser is of the same User Agent as last time, which just seems like a good common-sense check.
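An added example (not code from the phpsec.org guide or from jagguy's site) that puts the two snippets above together into one guard you would include at the top of every protected page: it redirects to the login page when no user is in the session, and it compares a hash of the browser's User-Agent with the hash stored when the session began. The "prompt for password" step in the guide is the reaction to a session id that now arrives from a different browser than the one that logged in, which is the usual sign of a stolen id. The `uid` key and the login URL are taken from the thread; PHP 7 or later is assumed.

```php
<?php
// Added example: session guard to require_once() at the top of protected pages.
// Assumes PHP 7+, a 'uid' session key set by login.php, and the URL from the thread.

function require_login(string $login_url = 'http://localhost/school/test/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Not logged in at all: send to the login page. Test with isset() *before*
    // reading $_SESSION['uid'], otherwise PHP emits an "Undefined index" notice.
    if (!isset($_SESSION['uid'])) {
        header('Location: ' . $login_url);
        exit;
    }

    // Fingerprint of the browser that is presenting this session id.
    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['ua_hash'])) {
        // First protected page after login: remember the fingerprint.
        $_SESSION['ua_hash'] = $ua_hash;
    } elseif (!hash_equals($_SESSION['ua_hash'], $ua_hash)) {
        // Same session id, different browser: treat the id as hijacked.
        // Discard the session and make the visitor log in again; this is the
        // "prompt for password" branch of the guide's snippet.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url);
        exit;
    }
}

// Usage at the top of a protected page:
require_login();
echo 'Logged in as user ' . (int) $_SESSION['uid'];
```

The check is done on every page, not only at login, because the id can be stolen at any time during the session. It is a cheap sanity check rather than a strong defence (the User-Agent is attacker-chosen), so it belongs alongside `session_regenerate_id(true)` at login and cookie-only session ids, not instead of them.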

jagguy
07-02-2007, 03:15 AM
> Cross Site Scripting. To stop that just do this around strings before putting them into your database.

Hi,

I did this but my script failed to run with no output. It works if I take them out.

Why does this crash my script

// the return value has to be assigned, otherwise the escaped string is discarded
$comment = trim(mysql_real_escape_string(strip_tags($comment)));

$title = trim(mysql_real_escape_string(strip_tags($title)));

MrCoder
07-02-2007, 03:22 AM
No valid mysql connection?
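An added example (not code posted in the thread) showing what MrCoder's one-line answer means and how to structure the insert so the problem cannot recur. `mysql_real_escape_string()` asks the server for the connection's character set, so it needs an open connection before it is called; without one it emits a warning, returns `false`, and with `display_errors` off the page shows nothing useful. Connecting first fixes that; a prepared statement with the `mysqli` extension removes the need to escape at all. Connection credentials and the table name are placeholders.

```php
<?php
// Added example: connect *before* escaping, and prefer a prepared statement.
// Credentials, database and table names are placeholders, not from the thread.

session_start();

// 1. Open the connection first. Without it the escape function has no server
//    to ask for the character set: warning, return value false, empty insert.
$db = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'school');
if ($db === false) {
    // Log the detail for yourself; show the visitor only a generic message,
    // because the error text contains host and user names.
    error_log('DB connect failed: ' . mysqli_connect_error());
    exit('Service unavailable');
}
mysqli_set_charset($db, 'utf8mb4');

// 2. Normalise the input. strip_tags() is a rough filter, not an HTML escape.
$title   = trim(strip_tags($_POST['title']   ?? ''));
$comment = trim(strip_tags($_POST['comment'] ?? ''));
$uid     = (int) ($_SESSION['uid'] ?? 0);

// 3. A prepared statement sends the values separately from the SQL text, so
//    a quote or backslash in the message can never change the query.
$stmt = mysqli_prepare($db, 'INSERT INTO messages (uid, title, body) VALUES (?, ?, ?)');
mysqli_stmt_bind_param($stmt, 'iss', $uid, $title, $comment);
if (!mysqli_stmt_execute($stmt)) {
    error_log('insert failed: ' . mysqli_stmt_error($stmt));
    exit('Could not save message');
}

// 4. SQL escaping says nothing about HTML. When the message is displayed,
//    escape it for the output context, otherwise the stored text is still XSS.
echo '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
echo '<p>' . nl2br(htmlspecialchars($comment, ENT_QUOTES, 'UTF-8')) . '</p>';
```

Note the separation of concerns: the database layer protects itself with parameters, and the page protects itself with `htmlspecialchars()` at output time. Escaping for MySQL on the way in does not make a string safe to print, and stripping tags on the way in does not make it safe for SQL.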

jagguy
07-02-2007, 07:54 PM
How do i fix this as I have no idea?

jagguy
07-02-2007, 10:12 PM
q) How to fix "No valid mysql connection?"

q) I have files stored in a dir that can be accessed by a URL (e.g. .txt, .doc files). How do I stop people from accessing these unless they have the required login?
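An added example (not code from the thread) for the second question. As long as the files sit under the document root, the web server hands them to anyone who knows the URL and PHP never runs. The fix is to move the upload directory outside the document root and serve each file through a script that performs the login check first and then streams the file. The directory paths and the login URL are assumptions.

```php
<?php
// Added example: download.php, a gatekeeper for uploaded files.
// Assumes the files live in /var/www/uploads (outside the document root) and
// that login.php sets $_SESSION['uid']. Both paths are assumptions.

session_start();
if (!isset($_SESSION['uid'])) {
    header('Location: http://localhost/school/test/login.php');
    exit;
}

$store = '/var/www/uploads';

// Never build a filesystem path from raw user input. Keep only the last path
// component, then allow a conservative character set and no leading dot.
$name = basename($_GET['f'] ?? '');
if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]{1,100}$/', $name)) {
    http_response_code(400);
    exit('Bad file name');
}

// realpath() resolves symlinks and "..": the result must still be inside $store.
$path = realpath($store . '/' . $name);
if ($path === false || strpos($path, $store . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// If files belong to individual users, this is where a lookup of
// (file, $_SESSION['uid']) in the database decides whether *this* user may
// have it; being logged in alone is not always enough.

// Serve as an attachment with a generic type, so an uploaded .html or .svg
// is downloaded rather than rendered inside this site's origin.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Links on the site then point at `download.php?f=report.doc` instead of at the file itself. Because the upload directory has no URL at all, there is nothing left for the web server to serve by accident, which is safer than relying on an `.htaccess` deny rule that a configuration change can switch off.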