Everything posted by bob_the _builder

  1. Hi, The following code should get files from a url and prompt a download. file.php:
     [code=php:0]$file = '/home/fusion/public_html/uploads/'.$_GET['files'].'';
     if(!file_exists($file)) die("I'm sorry, the file doesn't seem to exist.");
     $type = filetype($file);
     $today = date("F j, Y, g:i a");
     $time = time();
     header("Content-type: $type");
     header("Content-Disposition: attachment;filename=$filename");
     header('Pragma: no-cache');
     header('Expires: 0');
     readfile($file);[/code]
     If I send the url as: file.php?1.zip, which exists in the uploads folder, I get prompted to download a file called file.php. Any ideas what the issue may be? Cheers
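A hardened version of the download script in post 1, added here as an example and not the poster's code. It accepts only a bare filename that resolves inside the uploads directory, sets the `$filename` the post never assigns (an empty `filename=` is why the browser falls back to the script name), and uses `mime_content_type()` because `filetype()` only returns "file" or "dir".

```php
<?php
// Added example (not the poster's code): serve a file from the uploads
// directory only if the requested name resolves inside that directory,
// and send an explicit filename so the browser does not use "file.php".
$uploads_dir = '/home/fusion/public_html/uploads';   // path taken from the post

function resolve_upload(string $uploads_dir, string $requested): ?string
{
    // basename() drops any directory part of the user-supplied value.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($uploads_dir);
    $path = realpath($uploads_dir . '/' . $name);
    // realpath() is false for a missing file; the prefix check makes sure the
    // resolved path (symlinks included) is still under the uploads directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolve_upload($uploads_dir, $_GET['files'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit("I'm sorry, the file doesn't seem to exist.");
}

$filename = basename($path);
// mime_content_type() returns a MIME type; fall back to a generic binary type.
$type = mime_content_type($path) ?: 'application/octet-stream';

header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
// Quote the name and strip characters that would break or split the header.
$safe_name = str_replace(['"', "\r", "\n"], '', $filename);
header('Content-Disposition: attachment; filename="' . $safe_name . '"');
header('Pragma: no-cache');
header('Expires: 0');
readfile($path);
```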
  2. Hi, I have 3 tables:
     [code]CREATE TABLE product_headings (
       heading_id int(10) NOT NULL auto_increment,
       product varchar(100) NOT NULL default '',
       PRIMARY KEY (heading_id)
     ) TYPE=MyISAM;
     ###
     CREATE TABLE products (
       product_id int(10) NOT NULL auto_increment,
       filter int(10) NOT NULL default '0',
       product_name varchar(100) NOT NULL default '',
       description text NOT NULL,
       current int(10) NOT NULL default '0',
       PRIMARY KEY (product_id)
     ) TYPE=MyISAM;
     ###
     CREATE TABLE product_images (
       photo_id int(10) NOT NULL auto_increment,
       product_id int(10) NOT NULL default '0',
       photo_filename varchar(25) NOT NULL default '0',
       PRIMARY KEY (photo_id)
     ) TYPE=MyISAM;[/code]
     I'm not sure how to create a relationship between the tables and images. If someone chooses to delete a "product_heading", have it also delete the related "products" from the product table and also unlink the images related to the products, which is where I am stuck. The following code is what I am using to delete a product from the "products" table and unlink all the images related to that product:
     [code=php:0]if (array_key_exists("confirm",$_REQUEST)) {
       $sql = mysql_query("SELECT photo_filename FROM product_images WHERE product_id='".NumValidate($_GET['product_id'])."'");
       while ($row = @mysql_fetch_array($sql)) {
         @unlink($images_dir . '/' . $row[0]);
         @unlink($images_dir . '/tb_' . $row[0]);
       }
       @mysql_query("DELETE FROM product_images WHERE product_id = '".NumValidate($_GET['product_id'])."'");
       @mysql_query("DELETE FROM products WHERE product_id = '".NumValidate($_GET['product_id'])."'");
       echo '<br /><center><b>Record was successfully deleted</b></center>';
     }else{
       echo '<br /><center><b>Do you really want to delete this record?</b></center>';
       // cast the id before echoing it back into the link
       echo '<br /><br /><center><a href="../index.php?action=del_products&product_id='.(int)$_GET['product_id'].'&del_all&confirm=y">Yes</a> - <a href="#" onClick="history.go(-1)">No</a></center>';
     }[/code]
     Thanks.
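One way to do the cascading delete asked about in post 2, added as an example and not the poster's code. It assumes the three tables above, that `products.filter` holds the `heading_id` (an assumption from the column name), a PDO connection `$pdo`, and the `$images_dir` used in the post; the rollback only has effect on a transactional engine such as InnoDB, not on the MyISAM tables shown.

```php
<?php
// Added example (not the poster's code): delete a heading, its products and
// their image rows in one transaction, then remove the image files.
function delete_heading(PDO $pdo, int $heading_id, string $images_dir): int
{
    $files = [];
    $product_ids = [];
    $pdo->beginTransaction();
    try {
        // Assumption: products.filter references product_headings.heading_id.
        $stmt = $pdo->prepare('SELECT product_id FROM products WHERE filter = ?');
        $stmt->execute([$heading_id]);
        $product_ids = $stmt->fetchAll(PDO::FETCH_COLUMN);

        if ($product_ids) {
            // One placeholder per product id for the IN (...) lists.
            $in = implode(',', array_fill(0, count($product_ids), '?'));
            $stmt = $pdo->prepare("SELECT photo_filename FROM product_images WHERE product_id IN ($in)");
            $stmt->execute($product_ids);
            $files = $stmt->fetchAll(PDO::FETCH_COLUMN);

            $pdo->prepare("DELETE FROM product_images WHERE product_id IN ($in)")->execute($product_ids);
            $pdo->prepare('DELETE FROM products WHERE filter = ?')->execute([$heading_id]);
        }
        $pdo->prepare('DELETE FROM product_headings WHERE heading_id = ?')->execute([$heading_id]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();   // nothing unlinked yet, so the files stay consistent with the rows
        throw $e;
    }

    // Unlink only after the rows are gone, and only bare filenames, so a bad
    // photo_filename value cannot point outside $images_dir.
    foreach ($files as $f) {
        $name = basename($f);
        foreach ([$images_dir . '/' . $name, $images_dir . '/tb_' . $name] as $p) {
            if (is_file($p)) {
                unlink($p);
            }
        }
    }
    return count($product_ids);   // number of products removed with the heading
}
```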
  3. Hi, Just for some ideas to help maybe make your address book a little more user friendly: [url=http://www.fusiondesignz.co.nz/address_book/]Address Book[/url] I made it yonks ago as a first project while learning php/mysql.
  4. Hi, Probably not the answer you're after, but I alter the date in my query when I call it from the database to display on the page:
     [code=php:0]DATE_FORMAT(ADDDATE(date, INTERVAL 3 HOUR), '%d %b %Y %r') AS date[/code]
     hth
  5. Hi, You will need to edit this to suit; this is what I use along with gd code:
     [code=php:0]$number_of_fields = 4;
     $counter = 1;
     echo '<form enctype="multipart/form-data" action="index.php?action=upload" method="post" name="upload_form">';
     while($counter <= $number_of_fields){
       echo '<input name="photo_filename[]" type="file" class="input-box"><br />';
       echo '<textarea name="photo_caption[]" cols="26" rows="3" class="input-box"></textarea><br /><br />';
       $counter++;
     }
     echo '<input type="submit" name="submit" value="Upload Photos" class="submit-button">';
     echo '</form>';
     echo '</center>';[/code]
     and to process:
     [code=php:0]$counter = 0;
     $known_photo_types = array('image/pjpeg' => 'jpg', 'image/jpeg' => 'jpg', 'image/gif' => 'gif');
     $gd_function_suffix = array('image/pjpeg' => 'JPEG', 'image/jpeg' => 'JPEG', 'image/gif' => 'gif');
     $photos_uploaded = $_FILES['photo_filename'];
     $photo_caption = $_POST['photo_caption'];
     // one entry per file input; $_FILES groups the fields by name/type/tmp_name/size
     while($counter < count($photos_uploaded['name'])) {
       if($photos_uploaded['size'][$counter] > 0) {
         if(!array_key_exists($photos_uploaded['type'][$counter], $known_photo_types)) {
           echo 'File '.($counter+1).' is not a photo!<br />';
         }else{
           $filename = basename($photos_uploaded['name'][$counter]);
           mysql_query("INSERT INTO gallery_images(photo_filename, photo_caption) VALUES('".mysql_real_escape_string($filename)."', '".mysql_real_escape_string($photo_caption[$counter])."')");
           copy($photos_uploaded['tmp_name'][$counter], $images_dir."/".$filename);
         }
       }
       $counter++;
     }[/code]
     hth
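The processing half of post 5 with the type decided from the file contents rather than the browser-supplied `$_FILES['type']`, added as an example and not the poster's code. `$images_dir` and the PNG entry are assumptions; the function only stores files and returns what happened, leaving the database insert to the caller.

```php
<?php
// Added example (not the poster's code): accept the multi-file form from
// post 5, detect the type with finfo, and store under a server-chosen name.
$images_dir = '/home/fusion/public_html/uploads';   // assumed; adjust to suit
$known_photo_types = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];

function store_photos(array $files, array $captions, string $images_dir, array $known): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $stored = [];
    foreach ($files['tmp_name'] as $i => $tmp) {
        if ($files['error'][$i] !== UPLOAD_ERR_OK || $files['size'][$i] <= 0) {
            continue;                                   // empty slot or failed upload
        }
        // is_uploaded_file() rejects a forged tmp_name; finfo reads the magic bytes.
        $mime = is_uploaded_file($tmp) ? $finfo->file($tmp) : false;
        if ($mime === false || !isset($known[$mime]) || getimagesize($tmp) === false) {
            $stored[] = ['slot' => $i + 1, 'ok' => false, 'reason' => 'is not a photo!'];
            continue;
        }
        // Random name with the extension taken from the detected type: the
        // user's original filename never reaches the filesystem.
        $name = bin2hex(random_bytes(8)) . '.' . $known[$mime];
        if (!move_uploaded_file($tmp, $images_dir . '/' . $name)) {
            $stored[] = ['slot' => $i + 1, 'ok' => false, 'reason' => 'could not be saved'];
            continue;
        }
        $stored[] = ['slot' => $i + 1, 'ok' => true, 'file' => $name,
                     'caption' => trim((string)($captions[$i] ?? ''))];
    }
    return $stored;   // caller inserts file and caption with a prepared statement
}

if (isset($_FILES['photo_filename'])) {
    $results = store_photos($_FILES['photo_filename'], $_POST['photo_caption'] ?? [],
                            $images_dir, $known_photo_types);
    foreach ($results as $r) {
        echo 'File ' . $r['slot'] . ' ' . ($r['ok'] ? 'stored as ' . $r['file'] : $r['reason']) . "<br />\n";
    }
}
```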
  6. You need to use a limit clause; basically look into pagination with a limit of 1 record: [url=http://www.phpfreaks.com/tutorials/43/0.php]http://www.phpfreaks.com/tutorials/43/0.php[/url] hth
  7. Hi, Personally to lower sql injection risk I would introduce bbcode and then striptags, trim just helps to keep everything tidy. Bob
  8. Hi, Save yourself some repetitive typing and use a function:
     [code=php:0]function ValidateInput($value) {
       if (!get_magic_quotes_gpc()) {
         $value = mysql_real_escape_string($value);
       }
       $value = trim(strip_tags($value));
       return $value;
     }
     $firstname = ValidateInput($_POST['firstname']);
     $lastname = ValidateInput($_POST['lastname']);[/code]
     Bob
  9. Hi, Is there a way to place an sql query between: echo 'some html here'; without breaking the echo and starting it again? It's to populate a list/menu from the db which is within the echo. Thanks
  10. Hi, Ok I got it. Prior to this I just had it as a variable, so just place the variable into the function rather than echo the html out within the function. Thanks
  11. Hi, "function call inside an echo command" sums it up. Basically I have html stored in a function
      [code=php:0]function smileys() {
        echo 'html here';
      }[/code]
      When I call it into my table it messes up the structure; if I store the same code in a variable and call the variable into the table it places it perfectly.
      [code=php:0]echo '<td colspan="2" align="center" valign="middle">'.buttons().'</td>';[/code]
      messes up the table. I guess a function would be better than a variable? Thanks
  12. Hi, Is it possible to place a function holding html in between an echo: function smileys () {} echo 'some stuff here smileys()'; I have tried a few ideas but no go. Or should it just be held as a variable and place that in the echo instead? Thanks
  13. Hi, I got:
      [code=php:0]// the slashes in http:// must be escaped inside a /-delimited pattern
      $value = preg_replace("/\[url=http:\/\/(.*)\](.*)\[\/url\]/","<a href='http://\\1'>\\2</a>",$value);[/code]
      and wrap the url with: [nobbc][url=http://www.phpfreaks.com/forums/index.php?action=post;topic=109508.0;num_replies=1]phpfreaks[/url][/nobbc] Does the trick, thanks
  14. Hi, When converting [url] tags, what's the correct format:
      [code=php:0]"[url]" => "<a href='",
      "[/url]" => "'></a>",[/code]
      How can you allow words between '> </a>, and is there a security risk? Should the url somehow be cleaned before inserting into the database? So far user input is being cleaned via:
      [code=php:0]function ValidateInput($value) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
        return $value;
      }[/code]
      Thanks
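A safe way to turn both `[url=...]label[/url]` (post 13) and `[url]...[/url]` (post 14) into links, added as an example and not the poster's code. The whole string is HTML-escaped first so only the `<a>` built here is markup, and only http/https targets become links; `bbcode_url_to_html` is a name chosen for this example.

```php
<?php
// Added example (not the poster's code): convert [url] bbcode to links
// without letting stored text inject HTML or non-http link targets.
function bbcode_url_to_html(string $text): string
{
    // Escape everything first; the tags themselves contain no HTML characters.
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    $link = function (string $url, string $label): string {
        // Only http(s) targets become links; any other scheme (e.g. javascript:)
        // is left as plain text. Quotes were already escaped above.
        if (!preg_match('~^https?://[^\s"\'<>]+$~i', $url)) {
            return $label;
        }
        return '<a href="' . $url . '" rel="nofollow">' . $label . '</a>';
    };

    // [url=http://example.org]label[/url]; non-greedy so several tags per post work
    $text = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m) use ($link): string { return $link($m[1], $m[2]); },
        $text
    );
    // [url]http://example.org[/url]; the address doubles as the label
    $text = preg_replace_callback(
        '~\[url\]([^\[]+?)\[/url\]~i',
        function (array $m) use ($link): string { return $link($m[1], $m[1]); },
        $text
    );
    return $text;
}

// Constructed sample input: the second tag is not http(s) and becomes plain text.
echo bbcode_url_to_html('see [url=http://www.phpfreaks.com/]phpfreaks[/url] '
    . 'and [url=javascript:void(0)]click[/url]'), "\n";
```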
  15. I did in the first post; I guess that I assumed id to always be a number. Trying to figure out what you need for general site security in the sense of cleaning user input and stopping sql injections. Thanks
  16. Ok, getting a bit lost now. I am using:
      [code=php:0]function ValidateInput($value) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
        return $value;
      }[/code]
      to clean user input, and I understand that you should check post and get data contains the correct data for the query it is to perform. I thought ValidateInput would clean user data enough to insert into the db, and I'm looking for a basic function to check post and get data. Basically some general user security. Thanks
  17. Not having much luck with the error message. If I use:
      [code=php:0]if ($_GET['edit'] == 'edit') {
        $sql = mysql_query("SELECT description FROM news WHERE news_id = ".SafeNumber($_GET['news_id'])."");
        while ($row = mysql_fetch_array($sql)) {
          $description = stripslashes($row['description']);
        }
      }[/code]
      if news_id isn't a number it processes the request anyway, with a blank text area as there was no match with a db record. Thanks
  18. So you're saying if I use: SafeNumber($_POST['variable']); it will be safe from injection, but give no error message if the url is altered? Thanks
  19. [quote]+0123.45e6[/quote] Wouldn't the 'e' get filtered as not numeric within that string anyway? All I'm really looking for is to stop any sql injection via the get or post of the numeric id. Also using:
      [code=php:0]if(isset($_POST['submit'])) {
        if($_POST['edit'] == 'edit') {
          $sql = mysql_query("UPDATE news SET description='".ValidateInput($_POST['description'])."', filter='".ValidateInput($_POST['filter'])."' WHERE news_id = '".$_POST['news_id']."'");
          if (!$sql) {
            echo 'Failed, please contact the web administrator';
          }else{
            echo 'Successfully edited';
          }
          return;
        }else{
          $sql = mysql_query("INSERT INTO news (description, filter, posted) VALUES('".ValidateInput($_POST['description'])."', '".ValidateInput($_POST['filter'])."', now())");
          if (!$sql) {
            echo 'Failed, please contact the web administrator';
          }else{
            echo 'Successfully added';
          }
          return;
        }
      }[/code]
      Is that pretty safe from being altered in general, also making sure the id is numeric and making sure edit is equal to edit? Thanks
  20. Hi, I have:
      [code=php:0]if(isset($_POST['news_id'])) {
        if(!is_numeric($_POST['news_id'])) {
          echo 'Please dont edit the url!';
          return;
        }
      }
      if(isset($_GET['news_id'])) {
        if(!is_numeric($_GET['news_id'])) {
          echo 'Please dont edit the url! GET';
          return;
        }
      }[/code]
      at the very top of my page. It seems to work, but I thought there might be a cleaner way to check both in a single query. Basically the id is sent across the url, then grabbed as a hidden field in a form, then submitted to a sql query. Is the above code enough to make sure it goes through as numeric only? Thanks
  21. Hi, I was thinking of some universal way where I could add a snippet at the top of my page which has a few insert, update, delete queries. Basically all in one: check post and get id's, and if not numeric then echo an error message and halt the script, rather than checking each query individually and having the same piece of code several times on the page etc. Also what's the advantage to adding: )? return true: return false; to the function? Thanks
  22. Hi, I have a function:
      [code=php:0]function ValidateNumric($value) {
        $value = is_numeric($value);
        return $value;
      }[/code]
      Been trying to implement an easy way to validate any $_POST or $_GET id's using the above function and show an error message about altering the url. Anyone got any nifty ways to check any id parsed, keeping code to a minimum using the above function? Thanks
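One helper that covers what posts 15 to 22 ask for, added as an example and not the poster's code: it takes an id from `$_POST` or `$_GET`, accepts only a plain positive integer (so the "+0123.45e6" case from post 19, which `is_numeric()` accepts, is rejected), and still passes the value through a prepared statement instead of string concatenation. It assumes a PDO connection `$pdo`; the names `require_id` and `save_news` are chosen for this example.

```php
<?php
// Added example (not the poster's code): validate ids in one place and run
// the news UPDATE/INSERT from post 19 with PDO prepared statements.
function require_id(string $key): int
{
    $raw = $_POST[$key] ?? $_GET[$key] ?? null;
    // FILTER_VALIDATE_INT accepts only an optionally signed decimal integer:
    // "+0123.45e6", "1.0" and "0x1A" all fail; min_range keeps 0 and negatives out.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($raw === null || $id === false) {
        http_response_code(400);
        exit('Please dont edit the url!');
    }
    return $id;
}

// Even with an int id, the query uses placeholders; the driver quotes the
// description and filter text, so no escaping function is needed here.
function save_news(PDO $pdo, string $description, string $filter, ?int $news_id): bool
{
    if ($news_id !== null) {
        $stmt = $pdo->prepare('UPDATE news SET description = ?, filter = ? WHERE news_id = ?');
        return $stmt->execute([$description, $filter, $news_id]);
    }
    $stmt = $pdo->prepare('INSERT INTO news (description, filter, posted) VALUES (?, ?, NOW())');
    return $stmt->execute([$description, $filter]);
}

// Page snippet: the id check from post 20, done once, before any query runs.
if (isset($_POST['submit'])) {
    $news_id = (($_POST['edit'] ?? '') === 'edit') ? require_id('news_id') : null;
    $ok = save_news($pdo, trim($_POST['description'] ?? ''), trim($_POST['filter'] ?? ''), $news_id);
    echo $ok ? 'Successfully ' . ($news_id !== null ? 'edited' : 'added')
             : 'Failed, please contact the web administrator';
}
```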
  23. Hi, This seems to work in FF:
      [code=php:0]<script type='text/javascript'>
      <!--
      function bbcode(open, end){
        var tArea = document.form.description;
        var isIE = (document.all)? true : false;
        var open = (open)? open : "";
        var end = (end)? end : "";
        if(isIE){
          tArea.focus();
          var curSelect = document.selection.createRange();
          if(arguments[2]){
            curSelect.text = open + arguments[2] + "]" + curSelect.text + end;
          }else{
            curSelect.text = open + curSelect.text + end;
          }
        }else if(!isIE && typeof tArea.selectionStart != "undefined"){
          var selStart = tArea.value.substr(0, tArea.selectionStart);
          var selEnd = tArea.value.substr(tArea.selectionEnd, tArea.value.length);
          var curSelection = tArea.value.replace(selStart, '').replace(selEnd, '');
          if(arguments[2]){
            tArea.value = selStart + open + arguments[2] + "]" + curSelection + end + selEnd;
          }else{
            tArea.value = selStart + open + curSelection + end + selEnd;
          }
        }else{
          tArea.value += (arguments[2])? open + arguments[2] + "]" + end : open + end;
        }
      }
      //-->
      </script>
      <img onClick="bbcode(':D')" src='../images/smileys/biggrin.gif' border="0" />
      <img onClick="bbcode(':blink:')" src='../images/smileys/blink.gif' border="0" />
      <img onClick="bbcode('B)')" src='../images/smileys/cool.gif' border="0" />
      <img onClick="bbcode(':huh:')" src='../images/smileys/huh.gif' border="0" />
      <img onClick="bbcode(':lol:')" src='../images/smileys/laugh.gif' border="0" />
      <img onClick="bbcode(':angry:')" src='../images/smileys/mad.gif' border="0" />
      <img onClick="bbcode(':mellow:')" src='../images/smileys/mellow.gif' border="0" />
      <br />
      <img onClick="bbcode(':o')" src='../images/smileys/ohmy.gif' border="0" />
      <img onClick="bbcode(':rolleyes:')" src='../images/smileys/rolleyes.gif' border="0" />
      <img onClick="bbcode(':(')" src='../images/smileys/sad.gif' border="0" />
      <img onClick="bbcode(':)')" src='../images/smileys/smile.gif' border="0" />
      <img onClick="bbcode(':P')" src='../images/smileys/tongue.gif' border="0" />
      <img onClick="bbcode(':unsure:')" src='../images/smileys/unsure.gif' border="0" />
      <img onClick="bbcode(';)')" src='../images/smileys/wink.gif' border="0" />
      <br /><br />
      <input type="button" value="Bold" onclick="bbcode('[b]', '[/b]')" />
      <input type="button" value="Italic" onclick="bbcode('[i]', '[/i]')" />
      <input type="button" value="Underline" onclick="bbcode('[u]', '[/u]')" />
      <form name="form" action="../page.php" method="post">
        <textarea name="description" cols="25" rows="5"></textarea><br />
        <input name="submit" type="submit" value="submit">
      </form>[/code]
      Does that seem like plausible code? Thanks
  24. The following does smileys as well. Could probably be cleaned up into nicer code?
      [code]<script type="text/javascript">
      <!--
      function formatText (tag) {
        var selectedText = document.selection.createRange().text;
        if (selectedText != "") {
          var newText = "[" + tag + "]" + selectedText + "[/" + tag + "]";
          document.selection.createRange().text = newText;
        }
      }
      function smiley(tag) {
        var selectedSmiley = document.form.description.value;
        this.tag = tag;
        document.form.description.value = selectedSmiley + "" + tag + "";
        document.form.description.focus();
      }
      //-->
      </script>[/code]
      Thanks