Everything posted by Zephni

  1. Yep, and it should always be the first thing at the top of the page. This is because you are trying to change the $_SESSION values, which won't be associated with any particular session if you don't session_start(); first. Then on the next page it will be like the session was never set. So just try adding:

         session_start();

     Underneath your opening <?php tag
  2. Just checking before looking into it further. But are you running session_start(); at the top of that page? I know it's on the "protected pages" but you can't manipulate the session variables if you haven't started it which you are trying to do on the login page by the looks of things.
  3. Did you see the second part of my message?
  4. You are binding the delete statement twice. First you are binding the parameter ":boxingid" to $PostIdThing and then executing it with a forced ID of 1 in the next line. Then you are executing within the if statement without any parameters. You would be better off deleting this line:

         $Startoff->execute(array(':boxingid' => 1));

     Then the bindTo line would sort out the parameter binding and the execute statement can still be tested by the if statement. Also you don't want to be putting ' quotes inside the statement when using parameter bindings, remove them in this line:

         $delete = "DELETE FROM BoxingResults WHERE id = :boxingid LIMIT 1";

     Hope this helps
  5. I have been working on a framework type thing (http://zephni.com/phpzevelop/howto and GitHub https://github.com/Zephni/PHPZevelop). It needs to check for files (pages) before producing them; if the page does not exist and the page isn't set to receive parameters through the URL then it needs to set the default 404 page instead of the page that does exist. It's hard to explain but I have changed the way it works now so it uses try catch statements to check if the files exist instead of using file_exists methods.
  6. In my situation I need to check that a PHP file exists, but I do not want to run any code in that script yet. I have tried the PHP is_file: http://php.net/manual/en/function.is-file.php and the file_exists function: http://php.net/manual/en/function.file-exists.php but both actually run the file. I can tell because of using sessions to test it in the file itself. Is there any way around this? Thanks in advance.
  7. The reason is because I need to tell whether the array was defined with keys and values by the programmer, rather than a single dimensional array. It will be hard to explain exactly why, but it is necessary because what I'm building needs to be able to tell the difference between an array that looks like this:

         array("item1", "item2");

     And this:

         array("0" => "item1", "1" => "item2");

     Because if the key is defined by the user (programmer) the foreach loop needs to perform an extra task. The more I look into this, I should probably do what I'm doing a completely different way.. but I guess the answer is clear... PHP does whatever it wants with types and we have no control over it
  8. This sounds simple in the title, but let me explain... If I did the below:

         $array = array("1" => "value");
         foreach($array as $key => $value)
             if(is_string($key))
                 echo "true";
             else
                 echo "false";

     The result would be false, even though the "1" passed as a key is a string prior to the foreach loop. Is there a way to check the ACTUAL type of the $key in this situation without just determining whether it "can" be an int or "can" be a string? If I did:

         $array = array("1" => "value");
         foreach($array as $key => $value)
             echo gettype($key);

     The result would be "integer", so it looks to be that if the foreach loop determines if the string "can" be an integer then it regards it as such. Is there any way around this? Thanks in advance for any help. (Please note I tried to change the title of this post because I realized it wasn't quite specific enough regarding arrays but it won't let me change the title)
  9. Thanks for your reply Ch0cu3r! Ok, but what if someone else set up an AJAX script to post data to my PHP file and make changes to the database that I don't want them to?
  10. This may sound like a weird one. I'm in the process of making an HTML5 game where I need to make contact with a MySQL database. I planned on doing this using PHP scripts that the game sends AJAX requests to with post data. Is there a way of securing these scripts so no one on the outside can access (or just run) them, but the game can? The game will be run on the same server as the scripts. Does this sound ridiculous or is it possible? Or am I going about this the entirely wrong way? Thanks for any answers in advance!!
  11. Thanks for your reply. So it's really a case of, yes it can be cracked, but make it as slow as possible
  12. I may get flamed for this but would just like to see how easy someone would find it to crack this hashed string. I don't mind someone saying the actual answer because it's not a password or anything. The method is sha1 (this is not recommended any more apparently). The salt is 970631345a48485769c14d2e40a51706. The hashed string is 212405ffb01342e5eaefe2243fc14084082c2182. You don't need to recommend me to use PHPass, just testing
  13. Edit: Oops... I didn't see your <!-- login functions bit at the top -->
  14. This is unfinished, but does this look safe enough to upload images?

          <?php
          class file_upload{
              public $err = array();
              public $msg;

              function image($field_title, $base_dir = "../images/", $force_title = false){
                  //Set file path and filename
                  if($force_title){
                      $img = $force_title;
                  }else{
                      $img = basename($_FILES[$field_title]['name']);
                  }
                  $target_path = $base_dir.$img;

                  $f_info = getimagesize($_FILES[$field_title]['tmp_name']);
                  $mime = $f_info['mime'];

                  if($mime == "image/jpg" || $mime == "image/png"){
                      //Remove image if it already exists
                      if(file_exists($target_path)){
                          unlink($target_path);
                      }else{
                          $return = false;
                          $this->err[] = "Error unlinking existing image (ER100)";
                      }

                      //Upload
                      if(move_uploaded_file($_FILES[$field_title]['tmp_name'], $target_path)){
                          $this->msg .= "Image uploaded";
                          $return = $img;
                      }else{
                          $this->err[] = "Error uploading image (ER101)";
                          $return = false;
                      }
                  }else{
                      $this->err[] = "Cannot upload file of this type (ER102)";
                      $return = false;
                  }

                  $this->compile_errors();
                  return $return;
              }

              function compile_errors(){
                  $this->err = implode(", ", $this->err);
              }
          }
          ?>
  15. Good answer, thanks. Sounds like I will check the mime type AND disallow execution of scripts with .htaccess to be safe. Tbh I think you've answered my question in one fell swoop.
  16. I am rebuilding an area of one of our websites that needs to allow a user to upload images. The only way I have done this in the past is allowing 777 perms on the folder. Could I have some suggestions on the most efficient yet safe way of doing this? I already check whether the file extension is a .jpg or .png but considering the file perms are open I'm guessing that's nowhere near good enough. What do the perms allow to outside users exactly, could they upload files to that folder from somewhere else and run PHP scripts to remove files from below that 777 folder? Thanks for any help
  17. Not quite sure what you're looking to do here, but the first thing I noticed in the code was that there was only one '=' sign, meaning the if statement is always true. Also why did you set the variable of the post value and then use the post variable in the if statement?
  18. Ok thanks Xyph, I think I will stick with it as I feel more comfortable with it and the named selectors are a definite plus for me, cheers for your comments
  19. I guess you are right, tbh it was only the stmt variable hanging around that I didn't like the idea of, it felt better to have it as a property of the database object. The only thing that put me off of mysqli is that I couldn't find a way of having named selectors. It seemed to just use sequential variables. I just didn't like the syntax and 'hackiness' of it. I'm most probably wrong..
  20. I'm trying to get my head around the PDO way of doing things as we have recently had major SQL attacks and it seems this is the safest way. I am in the process of building a class as I don't like the idea of leaving $db and $stmt variables out there (like a lot of tutorials I have seen) and keeping all my queries in one place. Have I made this class well enough to continue with or should I try a different approach, also, is how this is done safe? Without going as far as making an interface as an abstraction layer for the database as we will only be using MySQL

          <?php
          /* Query class */
          class dbo{
              private $db;
              public $stmt;

              function __construct($db_info, $user, $pass){
                  $this->db = new PDO($db_info, $user, $pass);
              }

              function __destruct(){
                  $this->close();
              }

              function execute(){
                  $this->stmt->execute();
              }

              function fetch(){
                  return $this->stmt->fetch(PDO::FETCH_ASSOC);
              }

              function close(){
                  $this->db = NULL;
                  $this->stmt = NULL;
              }

              //example of prepared statements added to this class
              function get_article($id){
                  $this->stmt = $this->db->prepare("SELECT id, title FROM articles WHERE id>=:id");
                  $this->stmt->bindParam(":id", $id, PDO::PARAM_INT);
              }
          }

          /* Connect to database and create dbo instance */
          $dbo = new dbo("mysql:host=localhost;dbname=xxx", "xxx", "xxx");

          /* Query */
          $dbo->get_article($_GET['id']);
          $dbo->execute();

          /* Display */
          while($result = $dbo->fetch()){
              echo $result['id'].": ".$result['title']."<br />";
          }
          ?>

      Thanks for any ideas
  21. Could you show me how you are calling that function
  22. You should call class properties without the $

          <?php $this->ATT; ?>

      In your function
  23. If each one inserted to the database you could find out. If you passed through each address you could see if anyone opened it more than once and also get unique "opens" as well
  24. I used to put a 1x1 image that was invisible that called a PHP script that would update the database with the id of the email sent. This does mean that the person receiving the email has to allow images in their emails. But I used to have a full reporting system that said how many people marked it as spam, and the percentage of people that opened it and all sorts.