WebStyles

$_SERVER['PHP_SELF'] is not safe, and allows malicious users to include all sorts of XSS code

verification should go away after a couple more posts. $_POST is to retrieve values sent through a form using method="post". CURL has nothing to do with this. in your case, the resulting response can be grabbed with $response = curl_exec($ch); (instead of your last line)

try putting session_start(); before you output the headers in control.php

if(!isset($_POST) || empty($_POST){echo '<br>Nothing was posted from form.<br>';} is just a code to check if anything has been posted or not, for example, if you try to access sysdocupdate.php directly instead of posting the form, this code would tell you nothing had been posted. you can put it before the foreach() statement.

all files need to have session_start(); at the beginning to be able to access the session variables. maybe it's missing in the last one?

it's easier than you think in PHP. you basically use the name tag of your element as the php variable name inside a special array that holds all posted items called $_POST. (I know, sounds confusing like that) for this: <input type="hidden" autocomplete="off" id="post_form_id" name="post_form_id" value="8eb5c8e454f1497750f930e0a0803115" /> you would grab the value with: $_POST['post_form_id']; so to store the value in another variable, just use: $var = $_POST['post_form_id']; hope this helps

better to have a look in the ajax forum, but basically you want to use javascript to create an http_request, and then write the result to the hidden form field. There are many examples. try google for a quick fix.

you can do it with AJAX, but what is the point? since you're going to submit the form anyway, why do you need the segment in a hidden field before hand?

HTTP_POST_VARS is DEPRICATED, change to $_POST so code looks like this on line 3 of sysdocupdate.php: foreach($_POST as $varname => $value) do the same for the other file. you also might want to add a line before that to check if the form was submitted just for debugging purposes: if(!isset($_POST) || empty($_POST){ echo '<br>Nothing was posted from form.<br>'; }

My guess is ferlicia wants to add a row of data, for 2 reasons: 1. Because ferlicia said "i can create the column but do not know how to insert the user input. " 2. because letting users freely add columns do tables is such a bad idea that I'd rather think option 1 is the correct one. So what you need ferlicia, (as said before by irkevin) is something like: mysql_query("INSERT INTO `tableName` (`field1`,`field2`,`filed3`) values ('$value1','$value2','$value3')"); and make sure you have the correct table name: $field = trim($_POST['columnname']); $addname = trim($_POST['addname']); $query = "INSERT INTO `CHANGE_THIS_TO_YOUR_TABLE_NAME` ($field) VALUES ('$addname')"; $status = mysqli_query($link,$query) or die(mysqli_error($link));

The whole script is wrong, think about what it's doing for a second: 1. connects to database (ok so far) 2. grabs username and password, from database where username and password match the ones you already have (oppss... in next step you'll see why this is not what you want ) 3. check if any rows were returned (if not assume username was wrong. WHY? it could also be a wrong password, you have no way of knowing this) 4. mysql_fetch_array($Res); (where does $Res come from???) 5. header() will only work if you have not outputted anything to the page yet. 6. if($PassWord != $PassWordMatch['PassWord']) // this will NEVER work because you specifically said: grab user,pass where pass is equal to my pass 7. you use $UserName in you query then $Username ( lowercase N) in the last message. One of them is incorrect. Think simple, try something like this: 1. connect to database. 2. grab only password from database where username = '$username' (no need to grab the username because you already have it) 3. if there are no results, then username does not exist 4. if there is a result, compare password with the one returned from database 5. redirect accordingly. hope this helps

Why do you have 2 ORDER BY statements in the same query? Try this: 1. grab the filter: if(isset($_GET['filter']) && $_GET['filter'] != ''){ $filter = $_GET['filter']."%"; }else{ // set A as default $filter = "a%"; } (Notice I took the opportunity to add the wildcard % after the letter when grabbing the filter variable from the url string, and also defined a default value for when $_GET['filter'] does not exist or is empty - you can change this if it's not what you want) 2. use filter in your query: $getusers = mysql_query("SELECT * FROM `users` WHERE `username` LIKE '$filter' ORDER BY `username`") or die(mysql_error());

have you tried fgetcsv() ?

if I had to guess, without seeing your code, i'd say that the second file is missing session_start() at the top, so it does not find the session variable.

'a%' was an example, if you're grabbing the letter from a GET var, then you need to replace that.

things to consider when allowing random users to upload files: - SIZE : limiting file size - NAME: changing filename to something unique, so they don't get overwritten - STORING: placing all in same folder, or a folder for each category, or a folder per user (depending on the amount of files you expect) - TYPE: limiting allowed file types to avoid malicious files - BANDWIDTH: limiting number of uploads/downloads per user / per day (avoid bandwidth problems) - VIRUS: Implementing and anti-virus system on server to scan files hope this helps

google "PHP file upload" and I'm sure you'll find many examples. just keep filenames in a database associated to each user, so that you only present them when logged in. (just out of curiosity, if you don't have a clue how to upload a file, how on earth are you building an entire social network?)

totally agree with PFMaBiSmAd. also you may want to check if your database has proper indexes to speed up searches.

also not sure what you mean, but at a quick glance, you've got a database handle that you're not using... instead of mysql_query($SQL); try mysql_query($SQL,$db_handle); (in both places) also, you should consider creating a new mysql user instead of using root. hope this helps

I know this isn't much of an explanation, but without reading your specific CDN manual, i have to say: that will depend on the service you get. Such questions should be answered in your CDN manual. I have used CDN's in the past, that allowed me to upload singe images, or entire folders, if images where uploaded in a folder, then I would reference them with <CDN URL>/<FOLDER NAME>/<IMAGE NAME>, if I had just dumped them freely into the root, I would just use <CDN URL>/<IMAGE NAME>.

you can join both conditions so that you only have 1 IF statement die() will completely stop your script. maybe you just need to echo the error, or redirect back to another page? if(isset($_POST['username']) && $_POST['username'] != ''){ // ok to proceed } else { echo "You must enter a username"; } hope this helps

Ah the joy of helping strangers. Glad our efforts and time are appreciated in such an intense manner. Hope to see you again soon xc0n.

try something like: $getusers = mysql_query("SELECT * FROM `users` WHERE `username` like 'a%' ORDER BY `username`");

if you want the value of "q" to be present in the query string, your form should use method="get" instead of method="post". change the form line from this <form method="post" action="/search-results/?q="> to this <form method="get" action="/search-results/"> and try again. ?q= will be automatically added to the url, so I removed it from the action="" parameter.

@teynon: there are some days when things just get to me, normally I'm a much more patient guy, but sometimes, having to say the same thing 3 times just makes me question why I even bother trying to help. At the end of the day though, many people are grateful and I feel good being able to help a few, but sometimes it's just hard. I do tend to just post some copy/paste(able) code as many times it's just faster and easier than trying to explain every little detail and from what I've seen around here, around 70% of people posting questions don't really seem interested in how or why it works, they just want a quick fix. It's the other 30% that makes everything worth it. cheers to you and PFMaBiSmAd for understanding my little outbreak (for which I apologize)