davidolson

Is this right way to make success message? if (empty($errors)) { $query1 = "UPDATE table SET `value` = `value` - :somevalue WHERE `username` = :username"; $update = $dbh->prepare($query1); $update->bindParam(':somevalue', $_POST['somevalue']); $update->bindParam(':username', $_POST['username']); $success = $update->execute(); if ($success) { print "Success message!"; } } And if i need to execute more than 1 query? if (empty($errors)) { $query1 = "UPDATE table SET `value` = `value` - :somevalue WHERE `username` = :username"; $update = $dbh->prepare($query1); $update->bindParam(':somevalue', $_POST['somevalue']); $update->bindParam(':username', $_POST['username']); $success = $update->execute(); $query2 = "INSERT INTO table1 (`1`, `2`, `3`, `4`, `5`) VALUES (:1, :2, :3, :4, :5)"; $insert = $dbh->prepare($query2); $insert->bindParam(':1', $_POST['1']); $insert->bindParam(':2', $_POST['2']); $insert->bindParam(':3', $_POST['3']); $insert->bindParam(':4', $_POST['4']); $insert->bindParam(':5', $_POST['5']); $success = $insert->execute(); if ($success) { print "Success message!"; } }

Now everything works function clean_var(&$varname) { return isset($varname) ? htmlspecialchars($varname, ENT_QUOTES, 'UTF-8') : ''; } $errors = array(); if (!empty($_POST['submit'])) { $to = $_POST['to']; if (empty($to)) { $errors[] = "Please enter the username of who you wish to send this message to!"; } } if (!empty($_POST['submit']) && empty($errors)) { // UPDATE DATABASE THING // } print " <td style='width:65%'><input type='text' name='to' maxlength='50' style='width:200px' value='".clean_var($to)."' /></td>";

how to use html tag inside Php code <?php echo isset($to) ? htmlspecialchars($to, ENT_QUOTES) : ''; ?> <td style='width:65%'><input type='text' name='do' maxlength='50' style='width:200px' value='<?php echo isset($to) ? htmlspecialchars($to, ENT_QUOTES) : ''; ?>' /></td>

Undefined variable: to in C:\xampp\htdoc..............

Undefined variable if i put this code before line 146 then its ok echo isset($to) ? htmlspecialchars($to, ENT_QUOTES) : ''; This also works <td><input type="text" name="to" maxlength="255" style="width:200px" value="<?php echo isset($to) ? htmlspecialchars($to, ENT_QUOTES) : ''; ?>" /></td> But how to make it work with this form? i tried this way but it didn'nt work ".isset($to) ? htmlspecialchars($to, ENT_QUOTES) : ''." print " <td style=\"width:70%\"><input type=\"text\" name=\"to\" maxlength=\"50\" style=\"width:200px\" value=\"...............................\" /></td>";

my full code $errors = array(); if (isset($_GET['action']) && $_GET['action'] == 'send') { if (!empty($_POST['submit'])) { $to = isset($_POST['to']) ? htmlspecialchars($_POST['to'], ENT_QUOTES) : ''; $subject = isset($_POST['subject']) ? htmlspecialchars($_POST['subject'], ENT_QUOTES) : ''; $message = $_POST['message']; $date = time(); $query_1 = "SELECT * FROM users WHERE `username` = :to"; $check_user_stmt = $dbh->prepare($query_1); $check_user_stmt->bindParam(':to', $to); $check_user_stmt->execute(); $check_user_number_of_rows = $check_user_stmt->rowCount(); if (empty($to)) { $errors[] = "Please enter the username of who you wish to send this message to!"; } elseif (!$check_user_number_of_rows) { $errors[] = "The user '{$to}' could not be found!"; } if ($to == $userinfo['username']) { $errors[] = "You can not send a message to yourself!"; } if (empty($subject)) { $errors[] = "Please enter the subject!"; } if (empty($message)) { $errors[] = "Please enter the message!"; } } if (!empty($_POST['submit']) && empty($errors)) { $query_123 = "INSERT INTO inbox (`subject`, `message`, `from`, `to`, `created`) VALUES (:subject, :message, :from, :to, :created)"; $insert_stmt_1 = $dbh->prepare($query_123); $insert_stmt_1->bindParam(':subject', $subject); $insert_stmt_1->bindParam(':message', $message); $insert_stmt_1->bindParam(':from', $userinfo['username']); $insert_stmt_1->bindParam(':to', $to); $insert_stmt_1->bindParam(':created', $date); $success = $insert_stmt_1->execute(); if ($success) { $success_msg = "The message has been sent!"; header("Refresh: 5;index.php?do=inbox&action=send"); } } if ($configs['ShowPageTitle']) { print " <div id=\"pagetitle\">Send Message</div>"; } if (isset($success_msg)){ print " <div id=\"success_msg\"><b>Success</b><br>".$success_msg."</div>"; } if ($errors) { foreach ($errors as $error) { print " <div id=\"small_error_msg\">".$error."</div>"; } } print " <form method=\"POST\"> <table style=\"width:100%\" class=\"\"> <tr> <td style=\"width:30%;font-weight:bold\">To</td> <td style=\"width:70%\"><input type=\"text\" name=\"to\" maxlength=\"50\" style=\"width:200px\" value=\"{$to}\" /></td> </tr> <tr> <td style=\"font-weight:bold\">Subject</td> <td><input type=\"text\" name=\"subject\" maxlength=\"255\" style=\"width:350px\" value=\"{$subject}\" /></td> </tr> <tr valign=\"top\"> <td style=\"font-weight:bold\">Message</td> <td><textarea name=\"message\" style=\"width:350px\" rows=\"8\"></textarea></td> </tr> <tr> <td colspan=\"2\" align=\"center\" style=\"padding:5px 0 5px\"><input type=\"submit\" name=\"submit\" class=\"button\" value=\"Submit\" /></td> </tr> </table> </form>"; }

Notice: Undefined variable: to in C:\xampp\htdocs\PDO\inbox.php on line 146 line 146 print" <td style=\"width:70%\"><input type=\"text\" name=\"to\" maxlength=\"50\" style=\"width:200px\" value=\"{$to}\" /></td>"; $errors = array(); if (!empty($_POST['submit'])) { $to = isset($_POST['to']) ? htmlspecialchars($_POST['to'], ENT_QUOTES) : ''; // OTHER SIMILAR THINGS // if (empty($to)) { $errors[] = "Please enter the username of who you wish to send this message to!"; } // OTHER ERRORS // } if (!empty($_POST['submit']) && empty($errors)) { // UPDATE DATABASE THING // }

Changed the ->fetch(PDO::FETCH_COLUMN); to ->rowCount(); and everything works

if i delete this code everything works $number_of_rows = $completed_offer_stmt->fetch(PDO::FETCH_COLUMN); if (!$number_of_rows){ print "No results"; } $query_1 = "SELECT * FROM offer_pending WHERE status = 1 ORDER BY date_modified DESC LIMIT 10"; $completed_offer_stmt = $dbh->prepare($query_1); $completed_offer_stmt->execute(); $number_of_rows = $completed_offer_stmt->fetch(PDO::FETCH_COLUMN); if (!$number_of_rows){ print "No results"; } while($completed_offer = $completed_offer_stmt->fetch(PDO::FETCH_ASSOC)){ $query_2 = "SELECT * FROM offers WHERE id= :completed_offer_id"; $offers_stmt = $dbh->prepare($query_2); $offers_stmt->bindParam(':completed_offer_id', $completed_offer['offer_id']); $offers_stmt->execute(); $offers = $offers_stmt->fetch(PDO::FETCH_ASSOC); print "{$offers['name']} {$offers['points']}"; }

<?php if ($_GET['do'] != "promocode") { header('Location: index.php?do=promocode'); exit(); } if (!isset($_SESSION['loggedin'])) { header('Location: index.php?do=login'); exit(); } $errors = array(); if (!empty($_POST['submit'])) { $promocode = $_POST['promocode']; $username = $userinfo['username']; $expire = time(); $query_1 = "SELECT * FROM promocodes_used WHERE username = :username AND promocode = :promocode"; $used_stmt = $dbh->prepare($query_1); $used_stmt->bindParam(':username', $username); $used_stmt->bindParam(':promocode', $promocode); $used_stmt->execute(); $used = $used_stmt->fetch(PDO::FETCH_COLUMN); $query_2 = "SELECT * FROM promocodes WHERE code = :promocode"; $notvalid_stmt = $dbh->prepare($query_2); $notvalid_stmt->bindParam(':promocode', $promocode); $notvalid_stmt->execute(); $notvalid = $notvalid_stmt->fetch(PDO::FETCH_COLUMN); $query_3 = "SELECT * FROM promocodes WHERE code = :promocode AND expire < :expire"; $expire_stmt = $dbh->prepare($query_3); $expire_stmt->bindParam(':promocode', $promocode); $expire_stmt->bindParam(':expire', $expire); $expire_stmt->execute(); $expire = $expire_stmt->fetch(PDO::FETCH_COLUMN); if (empty($promocode)) { $errors[] = "You did not enter a Promo Code!"; } elseif ($used) { $errors[] = "You have already used this Promo Code!"; } elseif (!$notvalid) { $errors[] = "The promo code entered is not valid!"; } elseif ($expire) { $errors[] = "Promo Code is expired!"; } } if (!empty($_POST['submit']) && empty($errors)) { $query_4 = "SELECT cash, points FROM promocodes WHERE code = :promocode"; $value_stmt = $dbh->prepare($query_4); $value_stmt->bindParam(':promocode', $promocode); $value_stmt->execute(); $value = $value_stmt->fetch(PDO::FETCH_ASSOC); $query_5 = "UPDATE users SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']} //is this line safe// WHERE username = :username"; $UPDATE_1_stmt = $dbh->prepare($query_5); $UPDATE_1_stmt->bindParam(':username', $username); $UPDATE_1_stmt->execute(); print "You have just received ${$value['cash']}"; } ?> <?php if ($configs['ShowPageTitle']): ?> <div id="pagetitle">Promo Code</div> <?php endif; ?> <?php if ($errors): ?> <?php foreach ($errors as $error): ?> <div id="small_error_msg"><?php echo $error; ?></div> <?php endforeach; ?> <br /> <?php endif; ?> <form method="POST"> <table cellpadding="4" cellspacing="0" style="width:100%" class=""> <tr> <td style="width:35%"><b>Promo Code</b></td> <td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td> // do this prevent XSS and Undefined variable // </tr> <tr> <td colspan="2" align="center" style="padding:5px 0 5px"><input type="submit" name="submit" value="Submit" /></td> </tr> </table> </form>

Maybe you are showing how to do it correct way.

If i hit Edit button i got these error before i click Submit <? if ($_GET['do'] == 'test2') { $id = ($_POST['id']); $username = cleanuserinput($_POST['username']); $password = cleanuserinput($_POST['password']); $rpassword = cleanuserinput($_POST['rpassword']); $pass = md5($_POST['password']); if(isset($_POST['delete'])){ mysql_query("delete from admin where id='".$id."'"); print '<center><font color=black>Admin has been deleted!</font><br>'; } if(isset($_POST['edit'])){ //Make sure username isn't blank if (!$username){ $error .= '<font color=red>Sorry, the username was empty.</font><br>'; } //Make sure password isn't blank if (!$password){ $error .= '<font color=red>Sorry, your password was empty.</font><br>'; } //Make sure both passwords match if ($password != $rpassword) { $error .= '<font color=red>Passwords Doesn\'t Match!</font><br>'; } //Check username length if (!ctype_alnum($username) || strlen($username) < 4 || strlen($username) > 15) { $error .= '<font color=red>Username must be between 4-15 characters!</font><br>'; } //Check password length if (!ctype_alnum($password) || strlen($password) < 4 || strlen($password) > 15) { $error .= '<font color=red>Password must be between 4-15 characters.</font><br>'; } if (!$error){ $sql_update = "UPDATE admin set username = '$username', password= '$pass' where id='".$id."'"; $result = mysql_query ($sql_update) or die(mysql_error()); print "<center><font color=black>User ". $_POST['username'] ." Has been edited.</font><br>"; } $get_admin = mysql_query("select * from admin where id='".$id."'"); $admin = mysql_fetch_array($get_admin); echo $error . "<form action='?do=test2' method='post'> <table> <tr><th colspan=20>Edit Admin</th></tr> <tr><td><b>Username<font color=red>*</font></b></td><td><div><small>[ 4-15 characters ]</small></div><input name='username' type='text' maxlength='50' size='25' tabindex='1' value='".$admin['username']."'></td></tr> <tr><td><b>Password<font color=red>*</font></b></td><td><div><small>[ 4-15 characters ]</small></div><input name='password' type='text' maxlength='50' size='25' tabindex='2' value=''></td></tr> <tr><td><b>Password 2<font color=red>*</font></b></td><td><input name='rpassword' type='text' maxlength='50' size='25' tabindex='3' value=''></td></tr> </table> <input type=hidden name=id value='".$admin['id']."'> <div align='center'><br><input type='submit' name='submit' tabindex='4' value='Submit'></div> </form>"; } else { print" <table width=90%> <tr><th colspan=20>Current Admin</th></tr> <td>Admin Name</td> <td>Added Date</td> <td align=center>Action</td>"; $get_admin = mysql_query("select * from admin "); while ($row = mysql_fetch_array($get_admin)){ print " <tr> <td>". $row['username'] ."</td> <td>". $row['date'] ."</td> <td align=center> <form method=POST> <input name=id type=hidden value='".$row['id']."'> <input type=submit name=edit value='Edit'> <input type=submit name=delete value='Delete'> </td> </form> </tr>"; } print "</table>"; } } else { admin_wrong_file(); } ?>