The Contributor
Several Questions - Security and Performance
I have been working for the last several months on a PHP 5 CMS with friendly URLs, built-in forums, user management, etc. As it's nearly complete now, I had a few questions regarding several topics (security, performance, etc.).
I have been using XAJAX to handle my Ajax. It's a library that generates the JavaScript needed for a specific action and uses PHP functions to process the information. I like this because, as I do not know JavaScript or securing JavaScript, I felt I had extra control over security and over processing the data that will be called.
As far as the script goes, on any action that requires logged-in membership, I have been passing the user id or name to the method that is called by Xajax, as well as using the constructor to set a user variable containing all the user's info (uses stdClass to set session info to the user var). As far as this goes, I wasn't quite sure if anyone could write up some new JavaScript and call my function, processing data and passing a fake user to the function? Since it is PHP, I didn't think this could be possible, but could I be wrong?
I'm not too worried, because I do check that the user matches and exists by the user class var I've set (their username passed to the method should be the same as $this->user->username ).
Also, the navigation is loosely based on $_GET. The first URL parameter is a $_GET var; everything after it is exploded from that single point (unless of course there is no $_GET, in which case the front page loads). I guess this basically acts the same as $_GET, so the same precautions have to be taken when gathering parameters. For this, I first check whether ../ exists in the URL and exit if so, leaving a nice message for the user trying to pass that in the URL. I also used strip_tags and htmlspecialchars, since from time to time I would be outputting that param value. Is there any other cleaning I should do on this? The param is used in queries, and I wasn't sure about, or even what to call, values like x07 or what they can do, but I've heard of people getting by addslashes with these characters. I do use mysql_real_escape_string on EVERYTHING used in queries via a method in my database abstraction class, so I'm not too worried about that.
Another concern I have is my caching method. Due to the setup, and to squeeze every bit of performance I could from the app, I have used .php extension cache files only so I could set certain code within them which will print the page title, meta info, etc. The content itself is HTML, but the first few lines contain PHP code. Is there any danger to this? I do use define('Something') to restrict files from being opened without inclusion, and the information for the most part is already run through strip_tags and htmlspecialchars.
I only did this so I didn't need to query for the page's meta info, title, etc., and actually got by without needing to query at all for that (only once every 10 minutes or so to repopulate the cache).
Sorry, but this is my last concern. As for the built in forums, the posting, inline profile field editing, etc use Xajax once again. What would be a good way to go about ...
1. Disabling an account after X amount of login attempts, as vBulletin does? I thought initially of keeping a count in the database and flushing it once a successful login happens.
2. File uploading, I am not experienced with this at all and I've heard people can upload images with different headers and code that can cause big problems, but do not know how to work with GD or any other image library with PHP. Do you have a good tutorial for this and what really can happen if they upload an image that contains other code? I've never understood that.
Thanks guys, hope I can find some help. If I can later, I will try to get a demo uploaded (it's kind of a good mix between Joomla and WordPress, what I've always been looking for) without the weight and strain of Joomla (also, if I can be sure it's secure enough, then I am releasing it as Open Source).
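On question 2 (image uploads), the usual defence is to ignore the client-supplied name and MIME type, let GD decode the file, and write a freshly encoded copy so only pixel data reaches disk. The following is an added example, not code from the post or its CMS; it assumes PHP 5.2+ with the GD extension and a hypothetical `$uploadDir` outside the web root.

```php
<?php
// Added example (not from the post): accept an upload only if GD can decode it as an
// image, then re-encode it so nothing but pixel data is written to disk.
// Assumes PHP 5.2+ with the GD extension; $uploadDir is a hypothetical directory
// outside the web root (serve files from it through a script, not directly).
function store_uploaded_image(array $file, $uploadDir, $maxBytes = 2097152)
{
    // Only handle files that really arrived through this request's upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    if ($file['size'] > $maxBytes) {
        return false;
    }

    // Ignore the client-supplied name and MIME type; inspect the bytes instead.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return false;
    }

    // Decoder and encoder per accepted type; anything else is rejected.
    $codecs = array(
        IMAGETYPE_JPEG => array('imagecreatefromjpeg', 'imagejpeg'),
        IMAGETYPE_PNG  => array('imagecreatefrompng',  'imagepng'),
        IMAGETYPE_GIF  => array('imagecreatefromgif',  'imagegif'),
    );
    if (!isset($codecs[$info[2]])) {
        return false;
    }
    list($decode, $encode) = $codecs[$info[2]];

    $img = @$decode($file['tmp_name']);
    if ($img === false) {
        return false; // header looked like an image, but GD could not decode it
    }

    // Server-generated file name; the extension follows the detected type, not the
    // original name, so a double extension in the upload name has no effect.
    $name = sha1(uniqid(mt_rand(), true)) . image_type_to_extension($info[2]);
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // Re-encoding writes only the decoded pixels: comment segments, trailing bytes
    // or embedded script text from the original file do not survive into $dest.
    $ok = $encode($img, $dest);
    imagedestroy($img);

    return $ok ? $name : false;
}
```

Call it as `$saved = store_uploaded_image($_FILES['avatar'], '/var/cms/uploads');` and store `$saved` in the database. Re-encoding drops GIF animation and flattens PNG transparency unless you call imagealphablending/imagesavealpha first, which is normally fine for avatars.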