Everything posted by trg86

  1. Another quick question. I do eventually plan on having the data sent to a database as well, but also still e-mailing as well. I know I need to clean the data before it is sent to the database and I have it cleaning the data for the email as well. Below is a snippet of code from one of the fields; I wanted to make sure I can do it the way that I am in this line, i.e. 'mysql_real_escape_string' and 'htmlentities' on the same line like this. Let me know if it is incorrect.

         $name = mysql_real_escape_string, htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');
  2. I do have it programmed as an HTML email. Would I make the htmlentities the same encoding as the PHP file itself or the same encoding as the HTML email that is being created?

         $name = htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

     That is now how I have it set, to clean the input data. UTF-8 is the encoding of the document itself.
  3. It appears as if I am misinformed about the use of stripslashes, thank you for the feedback. What would you recommend to clean the inputs of any malicious data? I only have it sending in an email, no database or anything.
  4. Okay, I would like your opinion. I am in the process of rewriting my web form processor and I wanted to ask if this line of code is sufficient for making sure the input is clean (i.e. cutting any malicious attempt from a user filling out the form). Please keep in mind that the form data is only sent in an email, no MySQL database involved. This is an example of code of just one of the inputs from the form, so you have a reference of what I programmed and am asking about. Thanks!

         $name = stripslashes(trim($_POST['name']));
  5. Thanks. I have tried all of that and the problem is persistent in all browsers for any computer that tries to use the form. It is quite literally a sudden problem.
  6. Okay, the form processor that I wrote a while ago and have been using since has all of a sudden just stopped working. After clicking the submit button on the form now, all it is returning is a "The connection to the server was reset while the page was loading" page. This has never happened before and it has just started happening all of a sudden, any idea what it may be? Thanks!!
  7. Psycho, thank you very much for the reply. I looked at your example code for debugging and wrote it into mine, for testing purposes. I am beginning to think it is not being executed for some reason, as I am still receiving the data in its e-mail form and being re-directed to the success page; basically, I am not getting any different result than I was before. Would it be helpful if I post more of my code? Is there anything specific you want to see? Ugh, this is one of those annoying glitches, mainly because nothing was changed besides the database info for the new server...it's really odd to me how it could just stop working after working flawlessly on a different server...mind boggling I tell you!!
  8. Thanks for the reply David. Yes, I am positive that the username and password are correct; after all, I still log in to phpMyAdmin successfully, which is the same username and password. My account has full privileges, that is definitely not the issue. I am using echo mysql_error() but I am not getting any error messages. Additionally, I also have error_reporting(E_ALL); ini_set("display_errors", 1); in use.
  9. Thanks for your reply. As I said in my original post, everything was working fine for the entire development process so far, until I moved it to the new server. All I changed within my programming, after the server move, was the connection info to the new database, none of my other programming was changed/moved. There are no errors on the page, it still sends the $_POST data to my e-mail inbox and still loads the success page after submission, it just doesn't want to post to the new database for some reason...I can't seem to figure this out.
  10. Okay, I know some of you the past month or so know of the project I am working on right now. I have been pulling my hair out trying to figure out what is causing this issue today. I just got done moving my database from one server (most development) to another server (where it needs to be when it's done). Now, the only thing I had to change after the move within my programming was the MySQL login/database info (i.e. username, password, database name, host). But...this is the problem. It no longer wants to insert the data from the form into the database, it's pretty much like it is not firing, even though it works fine on the other server. Does anybody have any suggestions on what could be causing this issue? Thanks ahead of time!!
  11. Thanks for your reply Jessica. By any chance, would you be able to give me code examples? I am not really sure how to go about doing it, thanks!
  12. Hi there guys. I yet again have something I am wanting to do with my project, but I have never really practiced or used before. What would be the easiest way for me to display a list of the currently logged in users (by their username) logged into my system? I can post snippets of my code if you are needing to see something specific. I know doing something like this will involve the user's session. Thanks in advance!
  13. Good evening guys! I am in need of a little bit of help again. I am trying to figure out how to make an item that is already in a database and seen by all registered users, have the option to be seen by only one user and become that user's unique content, making it invisible to other users. Just so you have a better handle on what I am talking about. I have already developed a PHP/MySQL form/database system. A user goes to the website and fills out the form, which is then stored in the database I have programmed. Now, authorized personnel, via a login page, can access and view the stored form data in a beautiful user interface I have designed for this. Currently, by default, all of the form entries are located on one page for viewing, as well as some options I have already added, such as editing/updating the data, 'archiving' the data, which moves it to an archive page, and being able to delete the data completely. The part I am trying to figure out, is how a user can go to the default page that holds all of the entries and be able to grab one of them and make it belong to them, i.e. a telemarketer claiming a lead, which would move it to their default main page that they see after they log in, now leaving it only viewable by them, instead of every registered user in the system. Thanks for your help ahead of time! Thanks!
  14. Thank you for the suggestion David, I successfully got what I needed working using the NOW() in the MySQL insert. Is there any way to format it to display in 12-hour format? I'm not a big fan of the 24-hour format with the time. Thanks!
  15. Okay, I have been experimenting with this and am not quite getting the results I need. I have posted snippets below for reference to their explanations. This is the code within the form script to establish the time variable:

          <input type="hidden" name="time" value="<?php $time = date("F j, Y, g:i a"); echo $time; ?></input>

      This is how that time variable is processed within my form processor:

          $time = ($_POST['time']); //Time message was submitted

      Also within that same form processor, the $time variable is included in the MySQL INSERT query, along with the other form fields/data. Now, the problem I am having is the display of this data on the user interface. I display all the form field data via PHP echos, which all works just fine. I am doing this with that $time variable as well, but it is returning a result of 0000-00-00 00:00:00, what could be causing this issue? Can you help me find my mistake? Thanks ahead of time!
  16. Hi there! I currently have a form that posts the data to a MySQL database. How would I go about having it automatically add a timestamp (to the form entry) in the database as well, every time the form is submitted by a different user, this way I always know the original date/time of reception? Additionally, I also have a user-interface that displays the submitted form data, how would I go about pulling that timestamp from the database so that each entry also displays the timestamp? Thanks for your help.
  17. Hey there guys, I am trying to figure this out and thought I would post here for a little help/advice. I have been working on the project for several weeks now and I am now needing to add a new feature to my existing system, but I am not quite sure the angle I should take. The system I have already displays the same data for every user, which all comes from a form after it is submitted on the main website. My system also involves being able to edit/update the original data, as well as move it to a different page of the system, i.e. 'the archive'. Working much like a user being able to move it to the archive page (which all users can see), I am needing a user to be able to move an entry from the main page to a page only they will be able to see, not any other user. What would be the best way to go about this? Thanks in advance!
  18. Christian, thank you for your comments again, it is appreciated. As you can see, this is a better example of how clean my code normally is...this project has some sloppy points, but all will be cleaned up. As for:

          //*************************
          //HTML Injection Protection
          //*************************
          $name = stripslashes($name);
          $email = stripslashes($email);
          $age = stripslashes($age);
          $gender = stripslashes($gender);
          $location = stripslashes($location);
          $homephone = stripslashes($homephone);
          $referrer = stripslashes($referrer);

      you say it is pretty much incorrect, and I am definitely trying to get this 100% protected, what would you recommend for this? Additionally, referencing:

          //*****************************************
          //Gathered Data From The Users Form Entries
          //*****************************************
          $name = htmlentities $_POST['name'];
          $email = htmlentities $_POST['email'];
          $age = htmlentities $_POST['age'];
          $gender = htmlentities $_POST['gender'];
          $location = htmlentities $_POST['location'];
          $homephone = htmlentities $_POST['homephone'];
          $referrer = htmlentities $_POST['referrer'];

      is this technically incorrect as well?
  19. Yeah, I was actually just doing some research on this, it looks like a Sha1/Salt setup is the way to go.
  20. The data is displayed on my main_interface.php page. I've updated my code, feel free to review and comment on any better ways for me to do something, thanks!

          <?php
          //***************************************
          //Database Login Information & Connection
          //***************************************
          $username="REMOVED_FOR_THIS_POST"; //Database username
          $password="REMOVED_FOR_THIS_POST"; //Database password
          $database="REMOVED_FOR_THIS_POST"; //Database name
          mysql_connect("REMOVED_FOR_THIS_POST",$username,$password); //Connection to Database
          @mysql_select_db($database) or die( "Error, the requested database was not found!"); //Database Selection

          //*****************************************
          //Gathered Data From The Users Form Entries
          //*****************************************
          $name = htmlentities $_POST['name'];
          $email = htmlentities $_POST['email'];
          $age = htmlentities $_POST['age'];
          $gender = htmlentities $_POST['gender'];
          $location = htmlentities $_POST['location'];
          $homephone = htmlentities $_POST['homephone'];
          $referrer = htmlentities $_POST['referrer'];

          //*************************
          //HTML Injection Protection
          //*************************
          $name = stripslashes($name);
          $email = stripslashes($email);
          $age = stripslashes($age);
          $gender = stripslashes($gender);
          $location = stripslashes($location);
          $homephone = stripslashes($homephone);
          $referrer = stripslashes($referrer);

          //************************
          //SQL Injection Protection
          //************************
          $name = mysql_real_escape_string($name);
          $email = mysql_real_escape_string($email);
          $age = mysql_real_escape_string($age);
          $gender = mysql_real_escape_string($gender);
          $location = mysql_real_escape_string($location);
          $homephone = mysql_real_escape_string($homephone);
          $referrer = mysql_real_escape_string($referrer);

          //*******************************
          //Insertion Of Data Into Database
          //*******************************
          $query = "INSERT INTO `leads` VALUES ('', '$name','$email','$age','$gender','$location','$homephone','$referrer','0','')";
          mysql_query($query);
          echo mysql_error();
          ?>
  21. Does this look a little better?

          $query = "INSERT INTO `leads` (`name`,`email`,`age`,`gender`,`location`,`homephone`,`referrer`) VALUES ('', '$name','$email','$age','$gender','$location','$homephone','$referrer','0','')"; //Insert Form Values To Database
  22. Also, I made some changes, referencing Christian's advice. Does this look a little better as far as security/injection protection, compared to my original code, which can be seen in this thread?

          //
          //Gathered Data From The Users Form Entries
          //
          $name = ($_POST['name']);
          $email = ($_POST['email']);
          $age = ($_POST['age']);
          $gender = ($_POST['gender']);
          $location = ($_POST['location']);
          $homephone = ($_POST['homephone']);
          $referrer = ($_POST['referrer']);

          //
          //HTML XSS Injection Protection
          //
          $name = stripslashes($name);
          $email = stripslashes($email);
          $age = stripslashes($age);
          $gender = stripslashes($gender);
          $location = stripslashes($location);
          $homephone = stripslashes($homephone);
          $referrer = stripslashes($referrer);

          //
          //SQL Injection Protection
          //
          $name = mysql_real_escape_string($name);
          $email = mysql_real_escape_string($email);
          $age = mysql_real_escape_string($age);
          $gender = mysql_real_escape_string($gender);
          $location = mysql_real_escape_string($location);
          $homephone = mysql_real_escape_string($homephone);
          $referrer = mysql_real_escape_string($referrer);
  23. Okay, I can definitely understand that. Which again will limit the problem I had last night, by having a column in the database table that wasn't in use...it threw off the whole thing...
  24. Good afternoon all, I am currently using md5 on my password field for my login processor, but I know I can secure this better. I was given advice the other day to use a hash, but I am not quite sure how to do it. Here is a relevant snippet from my code, I am open to all suggestions! Thanks!

          //
          //User Login
          //
          session_start();
          $username = $_POST['username']; //Username
          $password = md5($_POST['password']); //Password
          $query = "SELECT * FROM users WHERE username='" . mysql_real_escape_string($username) . "' AND password='$password'";
          $result = mysql_query($query);
          if (mysql_num_rows($result) != 1) {
              $error = "Invalid login, Please check your credentials and try again";
              include "login.html";
          } else {
              $_SESSION['username'] = $username;
              include "main_interface.php";
          }
          ?>
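
The login snippet in the last post above stores and compares an unsalted md5 digest. The following is an added example, not part of trg86's posts or of any reply in the thread, showing the same login check with PHP's built-in password hashing API and a bound query parameter. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL server so that it runs offline; the `users` table and its `username`/`password` columns follow the post, while the function names and the sample account are constructed for illustration.

```php
<?php
// Added example: salted password hashing with PHP's built-in password API,
// replacing md5() in the login check. Assumptions: PDO with an in-memory
// SQLite database stands in for MySQL; register_user() and check_login()
// are hypothetical helper names.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    // The hash is fetched by username and compared in PHP, not in SQL.
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample account, for demonstration only.
register_user($pdo, 'demo_user', 'correct horse battery staple');

var_dump(check_login($pdo, 'demo_user', 'correct horse battery staple'));
var_dump(check_login($pdo, 'demo_user', 'wrong password'));
var_dump(check_login($pdo, 'nobody', 'anything'));
```

On MySQL the `password` column should be wide enough for future algorithms; the PHP manual recommends 255 characters. After a successful check in a web request, call `session_regenerate_id(true)` before setting `$_SESSION['username']`.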