HDFilmMaker2112
Everything posted by HDFilmMaker2112
-
Perfect. Thanks.
-
That's unfortunately returning the same thing:

```
TEstABcDE12345678910
TEstABcDE12345678910TeshgaGDasf#1345
```

```php
<?php
error_reporting(E_ALL);
$words = array('TEstABcDE12345678910', 'TeshgaGDasf#1345');
$ascii = '';
foreach($words as $word) {
    $index = 0;
    while($index < strlen($word)) {
        $ascii .= "&#".ord($word[$index]).";";
        $index++;
    }
    echo $ascii . '<br />';
}
?>
```

As far as using htmlentities; I still plan to. This is just to go a step further and remove words that could be used in an attack.
-
I'm looking for a way to convert a string into ASCII number codes. I have the list of conversion words in an array; the problem lies in that each iteration through the array is starting from the beginning of the array, and appending the next element in the array onto the end. i.e., the below is producing this:

```
TEstABcDE12345678910
TEstABcDE12345678910TeshgaGDasf#1345
```

```php
$string=array("TEstABcDE12345678910", "TeshgaGDasf#1345");
$asciiString="";
foreach($string as $string2){
    for($i = 0; $i != strlen($string2); $i++) {
        $asciiString .= "&#".ord($string2[$i]).";";
    }
    $asciiCode = str_replace("&", "&", $asciiString);
    echo $asciiString."<br />";
}
```

How would I make it so that it only converts each array element individually? I also need to somehow add a preg_match to this as well. The idea would be to have the array contain a list of "forbidden words" (javascript, alert, style, among others), and then to convert those forbidden words into their ASCII code equivalents. This is an attempt to go above and beyond htmlentities for XSS prevention.
-
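As an added example (not part of the original posts), one way to encode each array element on its own is to build the string inside a function, so nothing carries over between words. A browser decodes numeric character references before it uses an attribute value, so the block pairs the word encoder with htmlspecialchars() output encoding and an http/https allow-list for link targets. It assumes PHP 7 or later; the function names and the sample word list are hypothetical.

```php
<?php
// Added example, not code from the original posts. Function names are hypothetical.

// Encode one word as decimal character references. The accumulator is local
// to the call, so every word starts from an empty string.
function to_numeric_entities(string $word): string
{
    $out = '';
    for ($i = 0, $n = strlen($word); $i < $n; $i++) {
        $out .= '&#' . ord($word[$i]) . ';';
    }
    return $out;
}

// Replace every forbidden word (case-insensitive) with its encoded form.
function encode_forbidden(string $text, array $forbidden): string
{
    if (!$forbidden) {
        return $text;
    }
    $alternatives = array_map(function ($w) { return preg_quote($w, '/'); }, $forbidden);
    return preg_replace_callback('/' . implode('|', $alternatives) . '/i', function ($m) {
        return to_numeric_entities($m[0]);
    }, $text);
}

// Output encoding for HTML text and quoted attribute values.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow-list for link targets: anything that is not http(s) becomes "#".
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? html_text($url) : '#';
}

$forbidden = ['javascript', 'alert', 'style'];            // constructed sample list
foreach (['TEstABcDE12345678910', 'TeshgaGDasf#1345'] as $word) {
    echo to_numeric_entities($word), "<br />\n";          // one word per line
}
echo encode_forbidden('Please alert me', $forbidden), "\n";
echo html_text('<b onclick="x">name</b>'), "\n";          // markup shown as text
echo safe_href('https://example.com/?a=1&b=2'), "\n";
echo safe_href('JavaScript:void(0)'), "\n";               // scheme not on the allow-list
```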
Having trouble pulling data from MySql db using PHP table.
HDFilmMaker2112 replied to FoxRocks's topic in PHP Coding Help
Look into the while loop. http://us2.php.net/manual/en/control-structures.while.php

You can look at the examples on this page to see its use with a DB query. http://us2.php.net/manual/en/function.mysql-fetch-assoc.php
-
Did you call session_start(); before session_unset and session_destroy? If not, it doesn't know what the values are that it should be unsetting and destroying. session_start should essentially be read as, check to see if there's already a session started, if so continue it; if not, start a new one.
-
This is the first I've tried using cookies for a website. The below isn't setting a cookie. I have my log-in form on the home page. Which submits to this script "login.php", if the credentials match the database, then it redirects to index.php?home. On ?home I'm trying to echo out the cookies and they're coming up blank. I also checked the cookies set in my browser, and the only one set for this domain name is the PHPSESSID. The $login_stay_logged_in variable is set and it does = yes.

```php
if($login_stay_logged_in=="yes"){
    $hased_value = kam3(md5(generatepassword()));
    $hashed_username = md5s($rows["email_address"]);
    $time = time();
    setcookie("emtco_hash", $hased_value, time()+(86400*180), "/", "beta.area51entertainment.com");
    setcookie("emtco_username", $hased_username, time()+(86400*180), "/", "beta.area51entertainment.com");
    setcookie("emtco_visited", $time, time()+(86400*180), "/", "beta.area51entertainment.com");
}

if(isset($_GET['home'])){
$content.='
<div class="left"></div>
<div class="center">'.$_SESSION['username'].'<br />
'.$_SESSION['password'].'<br />
'.$_SESSION['login_stay_logged_in'].'
<br />'.$_COOKIE["emtco_hash"].'
<br />'.$_COOKIE["emtco_username"].'
<br />'.$_COOKIE["emtco_visited"].'</div>
<div class="right"></div>
';
}
```
-
This:

```php
<a href="Size_Menu.html">Click here to choose</a> </td>
```

Should be this:

```php
<a href=\"Size_Menu.html\">Click here to choose</a> </td>
```

Or use single quotes around everything:

```php
$display_block .='
<tr>
<td width="1%" valign="top">'.$Verse_id.'<br/></td>
<td width="55%" valign="top">'.$Verse_text.'<br/></td>
<td width="35%" valign="top">'.$Mood_info.'<br/></td>
<td width="9%" valign="top"><a href="Size_Menu.html">Click here to choose</a></td>
</tr>';
```
-
Unknown MySQL server host 'p:localhost'
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
MySQLi Persistent connections weren't included in PHP until 5.3. My web server is currently running 5.2... That's the current problem. -
Unknown MySQL server host 'p:localhost'
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
Believe I figured it out. My web host is still on PHP 5.2... -
I'm trying to connect to MySQLi via a persistent connection and I'm getting an error stating:

```
Warning: mysqli::mysqli() [mysqli.mysqli]: (HY000/2005): Unknown MySQL server host 'p:localhost' (1)
```

```php
function MysqliPersist($dbname){
    $DBconnect = new mysqli_errordisplay('p:localhost', "user", "pass", $dbname);
    return $DBconnect;
}
```

In the manual it says to prepend a "p:" to the host name for a persistent connection.
-
MySQL query not returning expected result
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
I'm not looking to return an email address. I'm looking to return the number of rows that has that email address in it. To see if it's equal to 0 or to 1 or more. I've always counted the amount of rows to check for a value. Okay, if I don't count; what do I compare the result to? Basically I need to check if the user entered email address is in the database, if not continue with registration; if it is, prevent registration, and send them back to the form with an error message.
-
MySQL query not returning expected result
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
I thought it would literally return a number either 0 or the number of rows that has that email address. Guess I thought wrong. So what should I be doing here? Maybe I'm after $number_rows[0]? To get the first value entry in the array? -
The below code is always placing a value of "1" into the $error array. I echoed out the $sanitized_email variable and displays the inputted email address fine. I checked the database via PHPMyAdmin and the email address is not in the DB.

```php
$check_email_DB = mysqliCOE('db_name');
$sanitized_email=mysqli_sanitize($check_email_DB, $register_email);
$result = $check_email_DB->query("SELECT COUNT(email_address) FROM user WHERE email_address='$sanitized_email'");
$number_rows = $result->fetch_assoc();
if($number_rows>=0){
    $error[18]=1;
}
else{
    $error[18]=0;
}
$check_email_DB->close();
```

I even ran the query manually in PHPMyAdmin and it returned zero results.
-
The following code is giving an error:

```php
$check_email_DB = mysqliCOE('zyquo_emotico');
$sanitized_email=mysqli_sanitize($check_email_DB, $register_email);
$result = $check_email_DB->query("SELECT COUNT(email) FROM user WHERE email='$sanitized_email'");
$number_rows = $result->fetch_assoc();
if($number_rows!=1){
    $error[18]=1;
}
else{
    $error[18]=0;
}
```

This is producing a non-object error:

```
Fatal error: Call to a member function fetch_assoc() on a non-object.
```

What's wrong with the above? I pretty much copied it right off the manual on php.net. Is there a better way to get the results from a COUNT query in MySQLi?
-
mysqli_real_escape_string function
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
Perfect. Thanks. Thought I had to base it as a string and somehow generate a new variable to be used on the real_escape_string function; much simpler than I thought.
-
mysqli_real_escape_string function
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
```php
class mysqli_errordisplay extends mysqli {
    public function __construct($host, $user, $pass, $db) {
        parent::__construct($host, $user, $pass, $db);
        if (mysqli_connect_error()) {
            die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
        }
    }
}

function MysqliCOE($dbname){
    $DBconnect = new mysqli_errordisplay('localhost', "user", "pass", $dbname);
    return $DBconnect;
}
```
-
mysqli_real_escape_string function
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
If I try passing the connection variable as $connection in the function I get this:

```
Catchable fatal error: Object of class mysqli_errordisplay could not be converted to string in /home/zyquo/public_html/beta/test.php on line 5
```

```php
function mysqli_sanitize($conn,$formValue){
    if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $formValue = stripslashes($formValue);
    }
    $formValue = $conn->real_escape_string($formValue);
    return $formValue;
}

$connection = mysqliCOE('db_name');
$sanitized_email=mysqli_sanitize("$connection", "T'es'ts3e");
echo $sanitized_email;
```

Line 5 is this:

```php
$sanitized_email=mysqli_sanitize("$connection", "T'es'ts3e");
```
-
I have the following function, that I'm using to quote/escape on user submitted data I'm running a MySQLi query on:

```php
function mysqli_sanitize($conn,$formValue){
    $conn='$'.$conn;
    if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $formValue = stripslashes($formValue);
    }
    $formValue = $conn->real_escape_string($formValue);
    return $formValue;
}
```

Now in order to use MySQLi_real_escape_string I have to provide the connection variable, or I get a non-object error. How would I pass the connection variable name into the function? I tried the following, but I'm getting the non-object error.

```php
$connection = mysqliCOE('db_name');
$sanitized_email=mysqli_sanitize("connection", "T'es'ts3e");
echo $sanitized_email;
```
-
PHP PDO quote() returning error
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
......... -
PHP PDO quote() returning error
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
```
Query Error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '10:22:47)' at line 2
```

Looks like it's the join_date time. It's wrapped in parenthesis, and I'm not quoting that. So that could be the entire issue.

EDIT: That would indeed have been it. Now working. Thanks for the help.
-
PHP PDO quote() returning error
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
Tried adding the quotes, no luck. And just to note, I have echoed out those variables, and they do have values in them. -
PHP PDO quote() returning error
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
Got the birthday working. It had the months as words, not to be converted to Unix time stamp with strtotime() and then into the proper format with date(). Still not understanding the first query though. -
PHP PDO quote() returning error
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
100% right. Literally just caught that 5 seconds before you posted. Now it did submit some of the data to the database, but it only did so with the second query. It didn't insert the birthday, and also missed the user_id (but that of course because the first query wasn't run). Shouldn't the rollback control have fired seeing as how nothing was submitted to the first query?

```php
$register_name ="$register_fname $register_lname";
$register_birthday ="$register_year - $register_month - $register_day";
$register_date=date('Y-m-d H:i:s');
$DB = SafePDOCOE('zyquo_emotico');
$quoted_account_type = $DB->quote($register_account_type);
$quoted_email = $DB->quote($register_email);
$quoted_fname = $DB->quote($register_fname);
$quoted_lname = $DB->quote($register_lname);
$quoted_name = $DB->quote($register_name);
$encoded_password = kam3($register_password);
$quoted_gender = $DB->quote($register_gender);
$quoted_birthday = $DB->quote($register_birthday);
$quoted_membership_type = $DB->quote($register_membership_type);
try{
    $DB->beginTransaction();
    $DB->query("INSERT INTO user (email_address, password, user_level, name, membership_type, join_date) VALUES ($quoted_email, $encoded_password, '1', $quoted_name, $quoted_membership_type, $register_date)");
    $userid = $DB->lastInsertId();
    $DB->query("INSERT INTO user_profile (user_id, birthday, gender, first_name, last_name) VALUES ($userid, $quoted_birthday, $quoted_gender, $quoted_fname, $quoted_lname)");
    $DB->commit();
    echo "Data Entered.";
}
catch(PDOException $e){
    $DB->rollBack();
    echo "Query Error: ". $e->getMessage();
}
```
-
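An added example, not code from the original posts, covering the duplicate-email check and the two-insert registration discussed in these threads, with bound parameters in place of quote() or real_escape_string(). It assumes PHP 7.1 or later with the pdo_sqlite extension and an in-memory SQLite database so it runs without a server; password_hash() stands in for the poster's kam3(), the table layout is trimmed, and the function names are hypothetical.

```php
<?php
// Added example, not code from the original posts. In-memory SQLite is an
// assumption so the script runs offline. Function names are hypothetical.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Make every failed statement throw, so the catch block in register() is reached.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, email_address TEXT UNIQUE NOT NULL, password TEXT NOT NULL, join_date TEXT NOT NULL)');
    $db->exec('CREATE TABLE user_profile (user_id INTEGER NOT NULL, birthday TEXT NOT NULL, gender TEXT NOT NULL)');
    return $db;
}

// COUNT(*) always yields exactly one row; the number is that row's first column.
function email_exists(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE email_address = ?');
    $stmt->execute([$email]);
    return (int) $stmt->fetchColumn() > 0;
}

// Both inserts are committed together or not at all. Values are bound, never concatenated.
function register(PDO $db, string $email, string $password, ?string $birthday, string $gender): bool
{
    if (email_exists($db, $email)) {
        return false;
    }
    try {
        $db->beginTransaction();
        $db->prepare('INSERT INTO user (email_address, password, join_date) VALUES (?, ?, ?)')
           ->execute([$email, password_hash($password, PASSWORD_DEFAULT), date('Y-m-d H:i:s')]);
        $userId = $db->lastInsertId();
        $db->prepare('INSERT INTO user_profile (user_id, birthday, gender) VALUES (?, ?, ?)')
           ->execute([$userId, $birthday, $gender]);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        $db->rollBack();
        error_log('registration failed: ' . $e->getMessage());
        return false;
    }
}

$db = open_db();
var_dump(register($db, "o'brien@example.com", 'constructed-pass', '1990-01-31', 'm')); // constructed input
var_dump(register($db, "o'brien@example.com", 'constructed-pass', '1990-01-31', 'm')); // same address again
var_dump(register($db, 'new@example.com', 'constructed-pass', null, 'f')); // NULL birthday breaks the second insert
var_dump(email_exists($db, 'new@example.com')); // checks whether the first insert was undone
```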
PHP PDO quote() returning error
HDFilmMaker2112 replied to HDFilmMaker2112's topic in PHP Coding Help
I know, but it actually requires dealing directly with MySQL to control the transactions (as far as I know), PDO has them on the PHP side of things. Easier to use in my opinion. I know there's commit and rollback controls, but how do you start a transaction? Is it simply just running the first query?

Alright; well here's the class/functions I'm using.

```php
class SafePDO extends PDO {
    public static function exception_handler($exception) {
        // Output the exception details
        die('Uncaught exception: '. $exception->getMessage());
    }

    public function __construct($dsn, $username='', $password='', $driver_options=array()) {
        // Temporarily change the PHP exception handler while we . . .
        set_exception_handler(array(__CLASS__, 'exception_handler'));
        // . . . create a PDO object
        parent::__construct($dsn, $username, $password, $driver_options);
        // Change the exception handler back to whatever it was before
        restore_exception_handler();
    }
}

class SafePDO_errordisplay extends SafePDO {
    public function connect_db($dsn, $username='', $password='', $driver_options=array()){
        parent::__construct($dsn, $username, $password, $driver_options);
        try {
            $DB = new SafePDO($dsn, $user, $password, $driver_options);
        }
        catch (PDOException $e) {
            echo 'Connection failed: ' . $e->getMessage();
        }
    }
}

// Connect to the database
function SafePDOPersist($dbname){
    $DB = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass", array(PDO::ATTR_PERSISTENT => true));
    return $DB;
}

function SafePDOCOE($dbname){
    $DB = new SafePDO_errordisplay("mysql:host=localhost;dbname=$dbname", "user", "pass");
    return $DB;
}
```

Then on my page, it's called simply as:

```php
SafePDOCOE(db_name);
```