
SigglesMFC


  1. As mentioned, ideally you are based in the UK. I'm after a sole partner, rather than a big business with multiple employees.
  2. I need some help developing a web based application using PHP and MySQL (and HTML, Javascript, etc) for the company I work for, who currently use a very old system that needs updating. The current system is built using FileMaker (version 5!) and I think it would port quite well to a web based application. Having the old system means the blueprint, ideas, workings, needs, etc are already there, it just needs updating. If successful it could then be rolled out to other similar type businesses (of which there are hundreds). Ideally I need someone I can work with who can share knowledge, help design and build the application and hopefully reap any rewards if it is successful. Maybe a graduate or someone looking for a sideline. It will take many months to build. Ideally you will be based in the UK. Please contact me for more info.
  3. Hi, Been using this script for a while - http://angry-frog.com/downloads-page/ - seems pretty good and it attempts to be secure. It uses prepared statements using PDO and other checks are made on user submitted data. The passwords are hashed and salted, etc. But would appreciate your opinion on it. I think where it goes slightly wrong is that I'm not quite sure if it is object orientated or procedural, sort of half and half. Would like to be sure it is secure now I have it on my site and if necessary make some changes to make it more secure. Thanks
  4. It's not user submitted data. It gets called by admin functions carried out on the website. The $field parameter that is passed is always hard coded somewhere else in the script. For example...

     $database->updateUserField($subusertoedit, "userlevel", $subuserlevel);
     $database->updateUserField($this->username, "email", $subemail);

     But you have sort of answered my own question. As there is no user input for that parameter I don't need to worry about SQL injection.
  5. Okay thanks. I can get it to work by doing...

     function updateUserField($username, $field, $value) {
         $query = "UPDATE ".TBL_USERS." SET ".$field." = :value WHERE username = :username";
         $stmt = $this->connection->prepare($query);
         return $stmt->execute(array(':username' => $username, ':value' => $value));
     }

     but by doing this I am not checking the $field variable for injection. Any ideas?
  6. Hi, you are right, the function might be used elsewhere in the script like so:

     $database->updateUserField($subuser, "password", $newpass);

     What actually causes the problem? If I echo the query it looks like this:

     UPDATE users SET :field = :value WHERE username = :username
  7. Hi, I have a few INSERT and SELECT statements using a similar format that all work but I cannot get this UPDATE statement to work:

     function updateUserField($username, $field, $value) {
         $query = "UPDATE ".TBL_USERS." SET :field = :value WHERE username = :username";
         $stmt = $this->connection->prepare($query);
         return $stmt->execute(array(':username' => $username, ':field' => $field, ':value' => $value));
     }

     The error is: Any ideas where I am going wrong?
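The thread above runs into a real limitation of prepared statements: a PDO placeholder can only stand in for a value, never for a column or table name, which is why `SET :field = :value` fails and why the working version has to splice `$field` straight into the SQL text. The usual defensive answer is to check `$field` against a fixed allowlist of column names before building the query, so the function stays safe even if a future caller passes something that is not hard coded. The following is an added example and not code from the angry-frog script; the `Database` class, the `TBL_USERS` value of `users`, the column list and the in-memory SQLite database used to run it are all assumptions made for the demonstration.

```php
<?php
// Added example: allowlist the column name before it is interpolated into
// an UPDATE statement. Identifiers cannot be bound as PDO parameters, so this
// check is the only thing that protects the SQL text from the $field argument.
declare(strict_types=1);

define('TBL_USERS', 'users'); // assumed table name, matching the query echoed in the thread

final class Database
{
    // The only columns updateUserField() is allowed to touch. Extend this list
    // deliberately rather than letting callers name arbitrary columns.
    private const UPDATABLE_FIELDS = ['userlevel', 'email', 'password'];

    public function __construct(private PDO $connection)
    {
    }

    public function updateUserField(string $username, string $field, string|int $value): bool
    {
        // Strict comparison against the allowlist; anything else is refused
        // before a single byte of SQL is assembled.
        if (!in_array($field, self::UPDATABLE_FIELDS, true)) {
            throw new InvalidArgumentException("Refusing to update unknown column: {$field}");
        }

        // $field is now known to be one of our own literal column names, so it is
        // safe to splice in. Backticks keep a reserved-word column name working.
        $query = 'UPDATE `' . TBL_USERS . '` SET `' . $field . '` = :value WHERE username = :username';
        $stmt = $this->connection->prepare($query);

        // $username and $value are still bound as parameters, exactly as before.
        return $stmt->execute([':username' => $username, ':value' => $value]);
    }
}

// Constructed in-memory SQLite database so the example runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, userlevel INTEGER, email TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 1, 'alice@example.com', 'hashed-placeholder')");

$database = new Database($pdo);

// Allowed column: the update goes through with both values bound.
$database->updateUserField('alice', 'email', 'alice@example.org');
echo $pdo->query("SELECT email FROM users WHERE username = 'alice'")->fetchColumn(), PHP_EOL;

// Column not on the allowlist: rejected before any SQL is built.
try {
    $database->updateUserField('alice', 'is_admin', 1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`; it requires PHP 8.0 or later (constructor promotion and union types) with the `pdo_sqlite` extension. The design point is that the allowlist, not escaping, is what makes the identifier safe: `PDO::quote()` and similar helpers are for string values and would not help with a column name.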