Everything posted by kicken

  1. Better to use one query rather than one in a loop like you did.

       $ids = array_keys($contents);
       // Cast the ids to integers so only numbers end up inside the IN () list.
       $sql = 'SELECT id, SUM(weight) AS weight FROM store WHERE id IN ('.implode(',', array_map('intval', $ids)).') GROUP BY id';
       $res = mysql_query($sql);
       $weights = array();
       while ($row = mysql_fetch_assoc($res)){
           $weights[$row['id']] = $row['weight'];
       }
       $totalweight = 0;
       foreach ($contents as $id => $qty){
           $totalweight += $weights[$id] * $qty;
       }
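     The same single-query idea carried through with PDO bound parameters, as an added example that is not kicken's code: the ids travel as query parameters instead of being concatenated into the SQL text (a swap from the mysql_query() approach in the post). It assumes an in-memory SQLite table named store in place of the MySQL one, and that $contents maps product id to quantity as in the thread.

```php
<?php
// Added example, not from the post above: total cart weight with one IN-list query,
// using PDO and bound parameters rather than mysql_query() and string concatenation.
// Assumptions: an in-memory SQLite 'store' table stands in for the MySQL table, and
// $contents maps product id => quantity as in the thread.

function cartWeight(PDO $db, array $contents): float
{
    if ($contents === []) {
        return 0.0;
    }
    // Coerce keys to integers before they go anywhere near the query.
    $ids = array_map('intval', array_keys($contents));

    // One placeholder per id; the values are sent as parameters, never as SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, SUM(weight) AS weight FROM store WHERE id IN ($placeholders) GROUP BY id"
    );
    $stmt->execute($ids);

    $weights = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $weights[(int)$row['id']] = (float)$row['weight'];
    }

    $total = 0.0;
    foreach ($contents as $id => $qty) {
        // Unknown ids contribute nothing instead of raising an undefined-index notice.
        $total += ($weights[(int)$id] ?? 0.0) * (int)$qty;
    }
    return $total;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE store (id INTEGER, weight REAL)');
$db->exec('INSERT INTO store VALUES (1, 2.5), (1, 0.5), (2, 10.0), (3, 1.25)');

// Cart: two of item 1, one of item 3, and an id that does not exist in the table.
$contents = [1 => 2, 3 => 1, 99 => 4];
printf("%.2f\n", cartWeight($db, $contents));
```

     Building the placeholder list from count($ids) keeps the number of parameters and the number of ids in step, which is the part people usually get wrong when binding an IN list.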
  2. Paste it where? $_SERVER['REQUEST_URI'] shouldn't contain the full URL anyway, though I guess it might be possible. Now maybe, what about a year from now? Things change.

     Yes, you're checking the basename, not the variable directly. I mean code like:

       if ($_SERVER['REQUEST_URI'] == '/' || $_SERVER['REQUEST_URI'] == '/index.php'){

     Not really. What I am talking about is on your index.php page, you would have code such as:

       <?php
       define('CURRENT_PAGE', 'home');
       //...

     Then in the file where you need to test if you're on the home page or not, use:

       <?php
       if (defined('CURRENT_PAGE') && CURRENT_PAGE == 'home'){
           // on home page
       } else {
           // not on home page
       }
  3. You could try:

       putenv('DISPLAY=:0');
       exec('oowriter');

     Also, the server may be using a PATH which does not include where oowriter is at. Try using an absolute path to the file.
  4. You should fclose() before your file_get_contents. Before the fclose, it's possible the server would save the content in a buffer and not write it out to the file. In that event your file_get_contents is not accurate. An alternative to file_get_contents would be to test the return value of fputs() to see if it wrote all the data. If the return does not equal the strlen() of what you tried to write, you have a problem.
  5. Not any generic solution. Any fatal error is going to kill the script before you can do anything about it. You shouldn't get random fatal errors though. If you're getting a fatal error, you have a problem in your code somewhere you need to fix.

     Any other errors, like can't connect to a DB or site for instance, could be handled in a few ways, such as:

     - Encase the code in a loop which will cause it to be re-run in the event of an error:

       do {
           $success = true;
           //... main code ...
           //... set $success = false if an error ...
       } while (!$success);

     - In the event of an error, output a page asking the user to reload, maybe output a small JS block to auto-reload the page.
  6. '/' should never come up, since it represents a directory. All you would need to check for would be '' or 'index.php', but that isn't necessarily going to tell you whether you're on the home page or not. If you have any sub directories with an index.php file, it would return true for those as well.

     You can just check if $_SERVER['REQUEST_URI'] equals either '/' or '/index.php', or any other URL which would represent your home page. You could also define() a constant that tells you which page you're on and check for that.

     Why do you need to know what page you're on?
  7. Make sure you're loading the HTML file through the server as well; that way when your form posts it will post to the server. I.e., if your form was say insert.html, you load http://localhost/insert.html and you'd set your form's action as action="insert_ac.php".

     When you're working with PHP you have to make sure it is always run through a server. So if you have a separate HTML file, don't just double-click it to open it in a browser. Open your browser and then go to the URL for that file.
  8. Sounds to me like you don't need your two while loops, just one loop and a conditional.

       while (true){
           if (/* 9:30am - 4pm, monday through thursday */){
               bodyOfLoop1();
           } else {
               bodyOfLoop2();
           }
       }

     What is the goal of this code? There might be a better alternative.
  9. See the (7) there? That means the string is 7 characters in length. It must be padded with spaces or newlines or some other character. Try using trim and see if that helps.
  10. if (in_array($_FILES['userfile']['error'], array(1, 2, 3, 6, 7))){

      However, 1) You should use the constant names for readability 2) You'd be better off just checking for success rather than all the error types:

        if ($_FILES['userfile']['error'] != UPLOAD_ERR_OK && $_FILES['userfile']['error'] != UPLOAD_ERR_NO_FILE){
            //..
        }
  11. Child element is just an element that is inside of another element. E.g., your <vid> elements which are inside your parent <playlist> element. Attribute node is the combination of an attribute name and value, e.g. the desc="5" attribute. Attribute value is the value of any attribute.

      Quick XML generation with DOM example:

        <?php
        $doc = new DOMDocument();
        $root = $doc->createElement('playlist');
        $root->setAttribute('id', 'Adobe'); // Shortcut to create attributes.
        $vid = $doc->createElement('vid');
        //** Longer way of creating an attribute
        $attr = $doc->createAttribute('desc');
        $attr->nodeValue = '5';
        $vid->appendChild($attr);
        //**
        $root->appendChild($vid);
        $doc->appendChild($root);
        echo $doc->saveXML();

      Unless you have a particular need for using the DOM API, if all you want to do is generate and output some XML it is usually easier to just generate an XML string.
  12. Just put the link around the image. Super simple basic HTML.

        <a href="index.php?option=com_grouppurchase&view=todaysdeal&id=<?php echo $offer['cid']; ?>"><img class="image_frame1" src="images/groupproductimages/<?php echo $offer['cimage']; ?>" /></a>
  13. It's not that you do not use htmlentities, you just use it at a different time. As I said before, it all depends on where you're going to be using your data. For example, with the forum posts:

      Adding a new post:
      - mysql_real_escape_string before the data is put into a SQL query

        //Adding
        $postContent = mysql_real_escape_string($_POST['content']);
        $sql = 'INSERT INTO posts VALUES (\''.$postContent.'\')';

      Modifying a post:
      - htmlentities before the data is put into the HTML for viewing.
      - mysql_real_escape_string when you put the data into the query to update the database

        //Modifying
        if (isset($_POST['save'])){
            $postContent = mysql_real_escape_string($_POST['content']);
            $postId = intval($_POST['id']);
            $sql = 'UPDATE posts SET content=\''.$postContent.'\' WHERE postid='.$postId;
        } else {
            $postId = intval($_GET['id']);
            $sql = 'SELECT content FROM posts WHERE postid='.$postId;
            $res = mysql_query($sql);
            $row = mysql_fetch_array($res);
            $content = htmlentities($row['content']);
            echo '<textarea name="content" rows="10" cols="10">'.$content.'</textarea>';
        }

      Viewing a post:
      - htmlentities before the data is put into the HTML for viewing

        //Viewing
        $postId = intval($_GET['id']);
        $sql = 'SELECT content FROM posts WHERE postid='.$postId;
        $res = mysql_query($sql);
        $row = mysql_fetch_array($res);
        $content = htmlentities($row['content']);
        echo $content;

      What you do not want to do is run the content through htmlentities prior to inserting it into the database (either when adding or when editing). The reason for this is that when you want to edit the post you would have to undo this escaping or else you will end up with multiple layers of it, like demonstrated above. Also if you ever wanted to use the data elsewhere (say, in a PDF version of the topic) you would have to undo this escaping because it is not necessary when putting the data into a PDF. You always want to do whatever sanitation/escaping you need only just before you actually need it, not before.

      You want to try and preserve the original data as much as possible. As for this standard practice you seem to be desiring, as has been stated there is no one-size-fits-all or always-do-this method that will protect you from everything. It all depends on how the data is being used and processed. For each individual use there are generalizations that can be made, but that is the extent of it. By that I mean, for example, when outputting data to HTML you generally want to run htmlentities. It is not always necessary (and sometimes not desired) but in general it is what you want. It's up to you to recognize when you do or do not want/need it. Same for when you use data in a SQL query. Generally you want to run it through mysql_real_escape_string, though it is not always necessary. Using it when not necessary will not hurt anything. In my examples above, I did not use it for the post id because I ran it through intval() instead, which guarantees it is going to be an integer.
  14. PHP does not parse POST data unless its content type is either multipart/form-data or application/x-www-form-urlencoded. Sending a content type of application/json doesn't seem to make any sense anyway; your POST data is not a JSON string. Why were you sending that header?
  15. Your while loop will not end until mysql_fetch_array returns false. When it does that, the false value is going to be assigned to $subject making it false. You would have to store all the return values in another array which you can reference later if you wanted to use them outside of the while loop. This may be somewhat more advanced than your current level of knowledge, but judging by your code structure, it's likely that you could accomplish what you want by using a single query with a JOIN statement. If you want to post your table structures, we could give you an example. As a general rule, if you find yourself doing another query while inside the loop processing a previous query (as you are) then chances are good a JOIN could be used to combine the two queries into a single query, resulting in faster processing.
  16. Try having a read through this thread, as well as the manual link above for some more information / examples about the methods: Understanding get, set and property overloading
  17. The error would seem to indicate that your variable, $subject['id'], has no value. Perhaps this value is NULL in the DB, or perhaps you're using the wrong key name. Use var_dump($subject) before your query to output the structure of the $subject variable.

      Also, when you're debugging queries it is a good idea to store the query in a variable (say, $sql) so that you can print out your query in case of an error. That will let you check it for syntax errors or run it in MySQL directly to see if it works as expected.

        var_dump($subject); //debug subject var
        $sql = "SELECT * FROM pages WHERE subject_id = {$subject["id"]}";
        $page_set = mysql_query($sql);
        if (!$page_set) {
            die("Database query failed: " . mysql_error() . "<br>Query was: " . $sql);
        }
  18. You have your form submit an array of all the checkboxes that they have checked. Then on the PHP side you do two things:
      1) Delete all the current entries for that user, e.g. DELETE FROM checkboxTable WHERE ID=$userId
      2) Loop over the array of checkboxes submitted and then generate and execute an INSERT statement for each one.
  19. A person's initial goal isn't always the correct way to do something. Had you mentioned before that work had already been done on the templates in that syntax, I would have been more likely to solve the initial problem. As it was, your post read to me as if you were just starting, and not much work had yet been invested into this, so I suggested an alternative that would save you time and be more flexible in the future before you went down the road too far.

      As for your problem, I would suggest using a string scanning method. To answer your question about how to retrieve the if condition, take this example:

        $str = '[iF USER_STATUS_ADMIN]{SHOW_ADMIN_LINK}[ELSEIF USER_STATUS_WRITER]{SHOW_WRITER_LINK}[ELSEIF USER_STATUS_TESTER]{SHOW_TESTER_LINK}[ELSE]{SHOW_ALL_LINK}[/iF]';
        $pos = strpos($str, '[iF ');
        if ($pos !== false){
            //found an if, now find the ] that closes the if
            $pos += 4; //Move ahead four chars, '[iF ' = 4 chars
            $end = strpos($str, ']', $pos); //third parameter starts the search at the given offset, in this case just after the '[iF '
            if ($end !== false){
                //found the end of the if
                //get the middle content
                $content = substr($str, $pos, ($end-$pos));
            }
        }

      $content would contain your 'USER_STATUS_ADMIN' text. To process the whole thing, just use code similar to the above in a loop, and keep track of your progress in the string as you move through it.
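      The scanning approach from this post carried through the whole block, as an added example that is not kicken's code: the same strpos() offset walking, but in a loop that handles every [iF]/[ELSEIF]/[ELSE] branch and the {VAR} placeholders. It assumes the exact tag spelling shown in the thread ('[iF ', '[ELSEIF ', '[ELSE]', '[/iF]'), that blocks are not nested, and that the values in $vars are trusted markup, since they are inserted verbatim.

```php
<?php
// Added example, not from the post above: a scanner for the template format in the
// thread. Assumptions: tags use the spelling '[iF ', '[ELSEIF ', '[ELSE]', '[/iF]',
// blocks are not nested, and the values in $vars are trusted markup (they are
// inserted verbatim, so never put raw user input in them).

function substituteVars(string $text, array $vars): string
{
    // {NAME} becomes $vars['NAME']; unknown names are left in place so they stay visible.
    return preg_replace_callback('/\{([A-Z0-9_]+)\}/', function (array $m) use ($vars) {
        return array_key_exists($m[1], $vars) ? (string)$vars[$m[1]] : $m[0];
    }, $text);
}

function nextBranchOffset(string $block, int $from): int
{
    // Offset of the next [ELSEIF ...] or [ELSE] tag, or the end of the block.
    $found = [];
    foreach (['[ELSEIF ', '[ELSE]'] as $tag) {
        $p = strpos($block, $tag, $from);
        if ($p !== false) {
            $found[] = $p;
        }
    }
    return $found === [] ? strlen($block) : min($found);
}

function evalIfBlock(string $block, array $vars): string
{
    // $block starts at '[iF ' and stops just before '[/iF]'.
    $pos = 0;
    $len = strlen($block);
    while ($pos < $len) {
        $end = strpos($block, ']', $pos);
        if ($end === false) {
            throw new RuntimeException('Unterminated tag at offset '.$pos);
        }
        // 'iF COND', 'ELSEIF COND' or 'ELSE'; $cond is null for the ELSE branch.
        $tag = substr($block, $pos + 1, $end - $pos - 1);
        $cond = explode(' ', $tag, 2)[1] ?? null;

        $bodyStart = $end + 1;
        $next = nextBranchOffset($block, $bodyStart);
        $body = substr($block, $bodyStart, $next - $bodyStart);

        // The first branch whose condition variable is truthy wins; ELSE always wins.
        if ($cond === null || !empty($vars[$cond])) {
            return substituteVars($body, $vars);
        }
        $pos = $next;
    }
    return ''; // no branch matched and there was no [ELSE]
}

function renderTemplate(string $tpl, array $vars): string
{
    $out = '';
    $pos = 0;
    while (($open = strpos($tpl, '[iF ', $pos)) !== false) {
        // Plain text before the block only needs placeholder substitution.
        $out .= substituteVars(substr($tpl, $pos, $open - $pos), $vars);
        $close = strpos($tpl, '[/iF]', $open);
        if ($close === false) {
            throw new RuntimeException('Missing [/iF] for [iF at offset '.$open);
        }
        $out .= evalIfBlock(substr($tpl, $open, $close - $open), $vars);
        $pos = $close + strlen('[/iF]');
    }
    return $out.substituteVars(substr($tpl, $pos), $vars);
}

// The template from the thread, with some text outside the block.
$tpl = 'Menu: [iF USER_STATUS_ADMIN]{SHOW_ADMIN_LINK}[ELSEIF USER_STATUS_WRITER]{SHOW_WRITER_LINK}'
     .'[ELSEIF USER_STATUS_TESTER]{SHOW_TESTER_LINK}[ELSE]{SHOW_ALL_LINK}[/iF] ({SITE_NAME})';

// Constructed sample variables: a writer who is not an admin.
$vars = [
    'USER_STATUS_ADMIN'  => false,
    'USER_STATUS_WRITER' => true,
    'SHOW_ADMIN_LINK'    => '<a href="/admin">Admin</a>',
    'SHOW_WRITER_LINK'   => '<a href="/write">Write</a>',
    'SHOW_TESTER_LINK'   => '<a href="/test">Test</a>',
    'SHOW_ALL_LINK'      => '<a href="/">Home</a>',
    'SITE_NAME'          => 'Example',
];
echo renderTemplate($tpl, $vars), "\n";
```

      Each function tracks its position with an integer offset and hands the next offset on, which is the "keep track of your progress in the string" part of the post; the two RuntimeException cases are the malformed inputs the single-strpos snippet would silently mis-scan.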
  20. That depends on the query you're using. A SELECT query pulls data out of the database. An INSERT or UPDATE query puts data into the database. What query type you use is irrelevant though. Regardless of what type of query you use, if you are going to use a variable in the query text, you have to sanitize it to ensure it will not cause problems.

        //$name must be sanitized so it does not cause problems because it is being used in a query.
        $sql = 'SELECT blah FROM table WHERE Username='.$name;

      You don't sanitize 'the query', you sanitize the data. Data you pull out of a database via a SELECT, for instance, only needs sanitizing if you need to use it in a context that requires it, such as if you're going to output it in a web page.

      For example, take these forums. We can enter whatever we want in our post. Say I enter in this:

        <script type="text/javascript">alert('Hi'); </script>

      If you do not run that through a function such as mysql_real_escape_string before putting it into the insert query which saves the post to the database, it will cause the query to fail due to the quotes. If you do not run it through htmlentities() before outputting it to the web page, then that script block will be executed by the browser and visitors would get an alert saying 'Hi' shown to them. Imagine if it did more than just alert hi? Such as steal cookies or use XHR to submit spam posts using that user's account?
  21. Unchecked checkboxes are never reported, they are left out of the request entirely. PHP will only know about the ones that were checked, and their values will be whatever the value attribute is. There won't be any empty elements filling in for unchecked boxes.
  22. Don't; use one row for each tick box.

        ID | Tickbox ID |
        ---+------------+
         1 |          1 |
         1 |          2 |
         1 |          3 |
         2 |          4 |
         2 |          5 |
         2 |          6 |
        ....

      Trying to store them in one field separated by commas is only going to cause you major pains in the future if you need to do anything with those values, such as search on them or join them to another table.
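      The delete-then-insert procedure from post 18 applied to the one-row-per-tick-box table above, with the point from post 21 that unchecked boxes never arrive in the request, as an added example that is not kicken's code. It assumes an in-memory SQLite table user_tickbox (user_id, tickbox_id) in place of the MySQL table, that the form uses <input type="checkbox" name="tickbox[]" value="N">, and that the caller knows which tick-box ids are actually on the form; PDO bound parameters and a transaction replace the per-row mysql_query() calls.

```php
<?php
// Added example, not from the posts above: replace a user's tick-box rows atomically,
// one row per ticked box. Assumptions: an in-memory SQLite table 'user_tickbox'
// (user_id, tickbox_id) stands in for the MySQL table, $submitted is what arrives in
// $_POST['tickbox'] from <input type="checkbox" name="tickbox[]" value="N">, and
// $allowed is the list of ids the form really offers.

function saveTickboxes(PDO $db, int $userId, $submitted, array $allowed): array
{
    // Unchecked boxes are absent from the request, so a missing field means "none".
    $submitted = is_array($submitted) ? $submitted : [];

    // Keep only integer ids that are actually on the form; anything else is tampering.
    $clean = [];
    foreach ($submitted as $value) {
        if (is_string($value) || is_int($value)) {
            $id = filter_var($value, FILTER_VALIDATE_INT);
            if ($id !== false && in_array($id, $allowed, true)) {
                $clean[$id] = $id; // keyed by id, so duplicates collapse
            }
        }
    }
    $clean = array_values($clean);

    // Delete-then-insert inside one transaction, so a failure part way through cannot
    // leave the user with no rows at all.
    $db->beginTransaction();
    try {
        $del = $db->prepare('DELETE FROM user_tickbox WHERE user_id = ?');
        $del->execute([$userId]);

        $ins = $db->prepare('INSERT INTO user_tickbox (user_id, tickbox_id) VALUES (?, ?)');
        foreach ($clean as $id) {
            $ins->execute([$userId, $id]);
        }
        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
    return $clean;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user_tickbox (user_id INTEGER, tickbox_id INTEGER)');
$db->exec('INSERT INTO user_tickbox VALUES (1, 1), (1, 2), (1, 3)');

$allowed = [1, 2, 3, 4, 5, 6];
// Simulated $_POST['tickbox']: boxes 2 and 5 ticked, plus a forged id and junk.
$post = ['2', '5', '42', "5' OR 1=1"];
saveTickboxes($db, 1, $post, $allowed);

$rows = $db->query('SELECT tickbox_id FROM user_tickbox WHERE user_id = 1 ORDER BY tickbox_id')
           ->fetchAll(PDO::FETCH_COLUMN);
echo implode(',', $rows), "\n";
```

      Validating against $allowed matters more than the integer cast: without it a user can tick boxes the form never showed them simply by editing the request.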
  23. There's nothing in the string abcd that would cause any problems. You only need to escape characters that may cause problems, such as quotation marks. What characters will cause problems and how you escape them depend entirely on what you are doing with said data. Meaning:

      If you're putting data in a SQL query: Quotation marks will cause problems. How you escape them depends on the DB engine in use. MySQL escapes them using a backslash, SQL Server escapes them by doubling up.

      If you're putting data into HTML: <, >, &, and possibly quote characters will cause problems. You escape them by converting them to the entity values &lt; &gt; &amp; and &quot;

      If you're putting data into a CSV file: commas and quotes will cause problems. You escape commas by ensuring the field is encased in quotes and escape quotes using a backslash.

      and the list could go on....

      To properly sanitize something you just have to consider how your data is being used and ensure it is not mis-interpreted by escaping any problem characters/sequences. You may need multiple types of sanitation on data, but you may not need to apply them at the same time. For example if you let users type something into a form and save it into your database, then you have a page that displays that data, you need to do three different sanitation steps at different times.

      On input, when they submit to the database:
      1) Validate the data to ensure it meets all constraints (length, format, whatever you need)
      2) Escape the data before putting it in the SQL query to prevent injection (e.g. mysql_real_escape_string or equivalent)

      On output, when the data is displayed on a page:
      1) Run the data through htmlentities() to convert any special HTML characters (<, >, & ...) into their entity values so that they are not interpreted by the browser as HTML tags
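      The rule running through posts 13, 20 and 23 (store the raw data, escape only at the point of use, and escape for the context you are writing into) in one runnable piece, as an added example that is not kicken's code. The same attacker-style string goes through the SQL, HTML body, HTML form and CSV contexts. It assumes an in-memory SQLite posts table in place of the MySQL one, and uses PDO bound parameters for the SQL context instead of mysql_real_escape_string() and htmlspecialchars() instead of htmlentities() (both swaps from the posts' own calls).

```php
<?php
// Added example, not from the posts above: one stored value, several output contexts,
// each escaped only where the data is used. Storage keeps the raw text. Assumptions:
// an in-memory SQLite 'posts' table replaces the MySQL one, and PDO bound parameters
// replace mysql_real_escape_string() for the SQL context.

// Constructed attacker-style input, like the script block in post 20.
$raw = "<script type=\"text/javascript\">alert('Hi');</script>, a \"quoted\" word";

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (postid INTEGER PRIMARY KEY, content TEXT)');

// SQL context: bound parameters, so quotes in $content cannot end the string literal.
function savePost(PDO $db, string $content): int
{
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (?)');
    $stmt->execute([$content]);
    return (int)$db->lastInsertId();
}

function loadPost(PDO $db, int $postId): string
{
    $stmt = $db->prepare('SELECT content FROM posts WHERE postid = ?');
    $stmt->execute([$postId]);
    $content = $stmt->fetchColumn();
    return $content === false ? '' : $content;
}

// HTML body context: encode <, >, &, " and ' so the browser treats it as text.
function renderPost(string $content): string
{
    return '<p>'.htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8').'</p>';
}

// HTML form context: the same encoding works inside <textarea>; the browser decodes it
// back to the raw text on submit, so editing does not stack escaping layers.
function renderEditForm(int $postId, string $content): string
{
    return '<textarea name="content">'
         .htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         .'</textarea><input type="hidden" name="id" value="'.$postId.'">';
}

// CSV context: fputcsv() applies CSV quoting itself, so it receives the raw value.
function exportCsv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        fputcsv($fh, $row);
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

$id = savePost($db, $raw);
$stored = loadPost($db, $id);

// Round trip check: what comes out of the database is exactly what went in.
var_dump($stored === $raw);
echo renderPost($stored), "\n";
echo renderEditForm($id, $stored), "\n";
echo exportCsv([[$id, $stored]]);
```

      Because nothing is escaped on the way in, the PDF or CSV export in post 13 gets the original text, and the edit form shows it once-encoded rather than double-encoded.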
  24. So? It's not like they have to learn PHP 100%, just how to write an if statement/loop and how to echo a variable. I'm sure they could learn that just as easily as they could learn your own custom template syntax.

      Your code:

        [iF USER_STATUS_ADMIN]
        {SHOW_ADMIN_LINK}
        [ELSEIF USER_STATUS_WRITER]
        {SHOW_WRITER_LINK}
        [ELSEIF USER_STATUS_TESTER]
        {SHOW_TESTER_LINK}
        [ELSE]
        {SHOW_ALL_LINK}
        [/iF]

      PHP way:

        <?php if ($USER_STATUS_ADMIN): ?>
        <?=$SHOW_ADMIN_LINK?>
        <?php elseif ($USER_STATUS_WRITER): ?>
        <?=$SHOW_WRITER_LINK?>
        <?php elseif ($USER_STATUS_TESTER): ?>
        <?=$SHOW_TESTER_LINK?>
        <?php else: ?>
        <?=$SHOW_ALL_LINK?>
        <?php endif; ?>

      Not that much different. You could always just write a simple filter to use something other than <?php/?> as the opening/closing tag, such as maybe {{/}}
  25. You're executing your insert query twice:

        mysql_query($i) or die(mysql_error()); // <-- First here
        if (!mysql_query($i)) { //<-- Then again here

      That is why you're getting a double insert.