Leaderboard

As you are sorting on "name", which is the first element of the sub-arrays, you can just use an ordinay sort() or rsort() call. (By default it will sort on the values oof the first element) EG $tadminlist["pvp"] = [ [ 'name' => 'mapname1', 'type' => 'pvp', 'beta' => 'y', 'final' => 'n', 'modded' => '', 'classification' => 'land', 'sf' => 'n', 'tod' => 'dawn', 'weather' => 'fog', 'es2' => 'y' ], [ 'name' => 'mapname3', 'type' => 'pvp', 'beta' => 'yy', 'final' => 'n', 'modded' => 'y', 'classification' => 'air', 'sf' => 'y', 'tod' => 'day', 'weather' => 'rain', 'es2' => 'n' ], [ 'name' => 'mapname2', 'type' => 'pvp', 'beta' => 'n', 'final' => 'y', 'modded' => 'n', 'classification' => 'sea', 'sf' => 'n', 'tod' => 'night', 'weather' => 'clear', 'es2' => 'n' ], ]; echo "line = " . join(', ', array_keys($tadminlist["pvp"][0])) . '<br><br>'; listData($tadminlist["pvp"]); echo "<br>SORTED ASC<br>"; sort($tadminlist["pvp"]); listData($tadminlist["pvp"]); echo "<br>SORTED DESC<br>"; rsort($tadminlist["pvp"]); listData($tadminlist["pvp"]); function listData($arr) { foreach ($arr as $tlist) echo join(', ', $tlist) . '<br>'; } OUTPUTS line = name, type, beta, final, modded, classification, sf, tod, weather, es2 mapname1, pvp, y, n, , land, n, dawn, fog, y mapname3, pvp, yy, n, y, air, y, day, rain, n mapname2, pvp, n, y, n, sea, n, night, clear, n SORTED ASC mapname1, pvp, y, n, , land, n, dawn, fog, y mapname2, pvp, n, y, n, sea, n, night, clear, n mapname3, pvp, yy, n, y, air, y, day, rain, n SORTED DESC mapname3, pvp, yy, n, y, air, y, day, rain, n mapname2, pvp, n, y, n, sea, n, night, clear, n mapname1, pvp, y, n, , land, n, dawn, fog, y To sort by any other element would require usort, eg to sort by classification usort($tadminlist["pvp"], function($a, $b) { return $a['classification'] <=> $b['classification']; } );

A salt has 2 purposes. In both cases, they assume that an attacker got access to your data, but not your code. As already explained, this happens all too often due to SQL injections and coding errors. If your server is fully compromised it doesn't really matter what you did to encrypt your data, which seems to be a concept you are stuck on. When used with a hash, a salt is added so that a Rainbow table would not be effective. Keep in mind that you can not decrypt a hash. All you can do is provide input, hash the input, and see what hash is produced. For passwords, you compare the computed hash to the stored hash, and grant access when they match for a specific user name. So one way to try and reverse engineer a hash, is to create a database of inputs and hash values. This can be very effective because so many people use poor passwords (names, common words, simple phrases). A salt adds some noise to the raw input that changes it sufficiently to defeat a rainbow table. A best practice is to provide a different salt for each hash, which then makes Rainbow generation, even with salts, a very tiresome activity. If they know a global salt, they can generate a Rainbow table with that salt. If however, you have a salt for each row/hash, they have to create Rainbow tables for any/all rows, and that is going to be time consuming. Some values are not appropriate for hashing because the application requires the ability to access the original value. Your AES_ENCRYPT example is one such scenario. You typically see this used with privacy values like social security numbers, pins that you have to disclose to a customer service rep, or credit card numbers. In the case of AES_ENCRYPT, that is not a "salt" per se, but rather, a passphrase or key. You can hash a value without using a salt, but you can't encrypt a value without a key. That is how they differ. I will say that when people use the mysql AES_DECRYPT() function call, it is often with a single key/salt value purely for pragmatic reasons, as an individual key used on a per row basis would mean that you could never do a query against the entire column ie. SELECT * FROM TABLE WHERE AES_DECRYPT(SSN, $key). Hope this helps you understand these concepts a bit better.

Besides switching to PDO simply because it is easy and better, why not examine why you have this 'query' function. Functions are great for tasks that may be repetitive or complex and you will benefit by writing a block of code that does the work for you and can be relied on at multiple times. In your case you have a function that executes ONE LINE OF CODE! What is the point of that? How do the 6 lines of code in your function (including the call line itself) help you when you could have simply written that query call line in place of it all? If your function actually accomplished some real work it would be great. You could have validated that the query call actually runs or that it actually ran before blindly returning, but you don't. So why the extra overhead here?

Ignore them. It doesn't matter if they add anything because you're not using it. Go back to what ginerjm said a few hours ago. You have to identify what information is being submitted through the form for you to be able to whitelist it.

Perhaps, in your php, you could put those two values into hidden fields. Then, in your javascript, pick up the values from there. var myVal1 = $("#myvar1").val()

It's case of "If you want to go there, I wouldn't start from here". If the second visit were a separate task (so the first two as task #1 and second two are task #2, then life would be easier. It's then simple (pseudocode) SELECT MAX(created) - MIN(created) GROUP BY task_id. You can then aggregate by each engineer for the day

In addition to @ginerjm's advice Separate your php from your html as much as possible, avaiding your spaghetti-like code structure. Do your php processing first, followed by the html output Don't use "select star", specify the fields you want. Don't put user privided data directly into your query strings, use prepared statements I have rewritten your page to illustrate these points <?php $tdata = ''; $where = []; $whereclause = ''; $params = []; $class = $_GET['class'] ?? ''; $sex = $_GET['sex'] ?? ''; if (isset($_GET['todo']) && $_GET['todo']=='search') { if ($class) { $where[] = "class = ?"; $params[] = $class; } if ($sex) { $where[] = "sex = ?"; $params[] = $sex; } if ($where) { $whereclause = " WHERE " . join(' AND ', $where); } } $stmt = $dbo->prepare("SELECT name , class , session_based , mark , sex , phone , date FROM student $whereclause"); $stmt->execute($params); foreach ($stmt as $row) { $tdata .= "<tr><td>" . join('</td><td>', $row) . "</td></tr>\n"; } function classOptions($dbo, $current='') { $opts = ''; $res = $dbo->query("SELECT DISTINCT class FROM student"); foreach ($res as $r) { $sel = $r['class']==$current ? 'selected' : ''; $opts .= "<option $sel value='{$r['class']}'>{$r['class']}</option>\n"; } return $opts; } function sexOptions($dbo, $current='') { $opts = ''; $res = $dbo->query("SELECT DISTINCT sex FROM student"); foreach ($res as $r) { $sel = $r['sex']==$current ? 'selected' : ''; $opts .= "<option $sel value='{$r['sex']}'>{$r['sex']}</option>\n"; } return $opts; } ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="generator" content="PhpED 18.0 (Build 18044, 64bit)"> <title>Example</title> <meta name="author" content="Barand"> <meta name="creation-date" content="09/23/2018"> </head> <body> <form method='get' action=''> <input type="hidden" name="todo" value="search"> Class <select class="form-control" name="class"> <option value=''>Any Class</option> <?=classOptions($dbo, $class)?> </select> <br> Sex <select class="form-control" name="sex"> <option value=''>All</option> <?=sexOptions($dbo, $sex)?> </select> <br> <input type="submit" value="Search"> <input type="reset" value="Reset"> </form> <br><br> <div class="container"> <table class="table table-bordered table-hover table-striped"> <thead> <tr> <th class="col-md-1">Name</th> <th class="col-md-1">Class</th> <th class="col-md-1">Session Based</th> <th class="col-md-1">Mark</th> <th class="col-md-2">Sex</th> <th class="col-md-2">Phone</th> <th class="col-md-2">Date</th> </tr> </thead> <tbody> <?=$tdata?> </tbody> </table> </div> </body> </html>

Your html code is terribly flawed. Awful!!! Attributes must be enclosed in quotes. Here is one example of a corrected line of html. You wrote: "<form method=post action=''>" Should be: "<form method='post' action=''>" You have lots of learning to do apparently.

In order to process the $_POST items as arrays, their names need to be of the form "txtname[X]". Your javascript is giving them the form "txtnameX"

On reflection, I concur with Gizmola on the url and double quotes issue (There is a possibilty that a url could contain an apostrophe). In which case echo "<p><a href=\"$url\">Link here</a></p>"; It still avoids concatenation, which as you have demonstrated, can be error prone.