Everything posted by mac_gyver
-
safety is not in which functions you use, it is how you use them. you can write code that uses either the mysqli or pdo functions and it can still allow sql injection. the reason that PDO gets recommended over mysqli is that the mysqli library is not consistent and is a PITA to use with dynamically prepared queries.
-
your examples imply these 'parameters' are actually data values, that the function/method code will operate on as a set of same meaning data. in this case, you would pass them into the function as an array of data, so that the function can operate on any arbitrary amount of data without needing to ever alter the code definition or dynamically produce or dynamically call code, as the amount of data changes. your second example also implies that you are hard-coding these values into a verbose amount of repetitive code, rather than using array functions to have simple general-purpose code operate on the set of data by looping over the data. as an example of why you would NOT use individual parameters that represent same meaning data, just look at the php mysqli_stmt_bind_param() function and what it takes to use it with an arbitrary number of data values.
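As an added example for the two posts above (this is not mac_gyver's code and not from any project discussed in the thread), here is one general-purpose function that takes the same-meaning values as an array and binds every one of them through a placeholder, so the number of values never changes the code and no value is ever spliced into the SQL text. The `products` table, its rows and the function name are constructed for the demonstration; an in-memory SQLite database is used so it runs without a MySQL server.

```php
<?php
// Added example, not code from the original thread. Demonstrates passing a
// set of same-meaning values as one array and building exactly one '?' per
// value. The table, rows and ids below are constructed sample data.
declare(strict_types=1);

function fetchProductsByIds(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    // Only integers reach the database, whatever was submitted.
    $ids = array_values(array_map('intval', $ids));
    // The SQL text is built from a COUNT of values, never from the values.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, name FROM products WHERE id IN ($placeholders) ORDER BY id"
    );
    // Positional placeholders are 1-indexed; bind each value with its type.
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$seed = $pdo->prepare('INSERT INTO products (id, name) VALUES (?, ?)');
foreach ([[1, 'bolt'], [2, 'nut'], [3, 'washer']] as $row) {
    $seed->execute($row);   // constructed sample rows
}

// Two values or two hundred: the function body is identical.
print_r(fetchProductsByIds($pdo, [1, 3]));
// A non-numeric submission is reduced by intval() to its leading digits and
// bound as an integer; it cannot alter the statement.
print_r(fetchProductsByIds($pdo, ['3 OR 1=1']));
```

With mysqli the same idea needs a type string and argument unpacking, along the lines of `mysqli_stmt_bind_param($stmt, str_repeat('i', count($ids)), ...$ids);`, which is the awkwardness the post is pointing at.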
-
unless you have a database table named, literally, $user, with the $ as part of the table name, your query is failing due to an error. 1) you need to ALWAYS test if your queries have actually run without any errors before you try to use any of the data from your query. mysqli_query() will return a false value, that can be tested, when the query has failed due to an error. you can use mysqli_error($conp) to find out what the actual error with the sql query statement is. 2) if $user and $ticker are php variables, php variables are NOT parsed and replaced with their value when used inside of overall single-quoted strings. you would need to use double-quotes around the $sql = "..."; string to get php variables inside the string to be replaced with their value. 3) you should also use single-quotes around the '$ticker' variable, since double-quotes inside of an sql query statement can be configured to mean they indicate a column name, whereas single-quotes inside of a mysql query statement will always mean a literal string value. 4) you should have php's error_reporting set to E_ALL and display_errors set to ON to get php to help you. the mysqli_fetch_array() statement, along with the $row references, are throwing php errors to alert you to the fact that the query failed due to an error.
-
all external data - $_GET, $_POST, $_COOKIE, $_REQUEST (don't use $_REQUEST anyways), $_FILES, and some $_SERVER/$_ENV can be anything that anyone wants to submit to your script. if you are putting any external data values into a sql query statement, they must be treated appropriately to prevent sql injection. this means to escape string data and properly validate/cast numerical data OR use prepared queries. also, internal data that could ever contain any sql special characters must likewise be treated appropriately to prevent sql errors. i notice that you have variables for a table name and column name in your query. hopefully, you are not getting these from external, user submitted data, because using a database escape function on table/column names won't prevent sql injection and you cannot supply table/column names through placeholders using prepared queries. lastly, the mysql_ functions are OBSOLETE and should not be used when writing new code and if you have old code using them, now is the time to start converting your code to use either the PDO or mysqli_ database functions so that your code will continue to work when the mysql_ functions get removed from the php language.
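The post above makes the point that an escape function protects string literals, not table or column names, and that identifiers cannot be bound through placeholders. The usual defence is a fixed allow-list for the identifier and a placeholder for the value. Added example, not mac_gyver's code or anyone's from the thread: the `products` table, the `SORTABLE_COLUMNS` list and the sample rows are constructed, and in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// Added example, not from the original thread. A user-chosen ORDER BY column
// is checked against an allow-list (identifiers cannot be parameterised);
// the search text is bound as data. Table, rows and list are constructed.
declare(strict_types=1);

// The only identifiers this code will ever emit into SQL.
const SORTABLE_COLUMNS = ['name', 'price'];

function searchProducts(PDO $pdo, string $needle, string $sortBy): array
{
    // Allow-list, not escaping: anything not in the list is rejected outright.
    if (!in_array($sortBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("not a sortable column: $sortBy");
    }
    // Backtick-quoted identifier (accepted by MySQL and SQLite); value via '?'.
    $stmt = $pdo->prepare(
        "SELECT name, price FROM products WHERE name LIKE ? ORDER BY `$sortBy`"
    );
    // The wildcards are added to the bound value, never to the SQL text.
    $stmt->execute(['%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE products (name TEXT, price REAL)');
$seed = $pdo->prepare('INSERT INTO products (name, price) VALUES (?, ?)');
foreach ([["o'neil bolt", 1.5], ['hex nut', 0.2], ['flat washer', 0.1]] as $row) {
    $seed->execute($row);   // constructed sample rows
}

// A quote inside the search text is just data when it is bound.
print_r(searchProducts($pdo, "o'neil", 'price'));

// Any column name outside the list is refused before it reaches the SQL.
try {
    searchProducts($pdo, 'bolt', 'price; --');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

If the set of sortable columns ever needs to come from the database itself, read the list from a table into the same kind of array and keep the `in_array(..., true)` check; the important part is that the request supplies a key to look up, never the identifier text.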
-
it's not different sessions. per my reply, you are echoing it in the wrong place in your code -
-
the reason you cannot echo the $_SESSION variable when your form is being displayed, and get the correct value, is because the code generating the value in the $_SESSION variable and producing the image is a separate http request from the browser that occurs long (in terms of computer processing) after the php code for your form has ended. why do you want to echo it, on lines 17-19 of your code, which is outside of the form processing code? you can echo it inside your form processing code, which runs on the http request after the form and the image have been displayed.
-
the correct length is 32, which the second one has. the first one has some extra non-printing characters in it somewhere. what does the 'view source' in the browser of the var_dump() output show? what's the code that's responsible for setting the $token variable and if it is coming from a form, what is the code producing the form field it's being passed in?
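To make the check in the post above concrete, here is an added example (not mac_gyver's code) that shows every byte a token carries and then accepts it only if it is exactly 32 hex characters and equals the stored value. Both tokens are constructed; the "from form" one has a trailing CRLF, which is the kind of non-printing byte that makes two values look identical when echoed while differing in length.

```php
<?php
// Added example, not from the original thread. Shows hidden bytes in a
// token and validates length/charset before a constant-time comparison.
// Both token values below are constructed sample data.
declare(strict_types=1);

function describeBytes(string $value): string
{
    // strlen() gives the real byte count; bin2hex() exposes invisible bytes.
    return sprintf('len=%d hex=%s', strlen($value), bin2hex($value));
}

function tokenMatches(string $submitted, string $expected): bool
{
    // Exactly 32 lowercase hex characters, nothing before or after; a stray
    // newline fails here instead of producing a puzzling mismatch later.
    if (preg_match('/\A[0-9a-f]{32}\z/', $submitted) !== 1) {
        return false;
    }
    // Constant-time comparison so timing does not reveal how much matched.
    return hash_equals($expected, $submitted);
}

$stored   = '0123456789abcdef0123456789abcdef';   // constructed
$fromForm = $stored . "\r\n";                     // constructed: 34 bytes

echo describeBytes($stored), PHP_EOL;
echo describeBytes($fromForm), PHP_EOL;
var_dump(tokenMatches($fromForm, $stored));
var_dump(tokenMatches(trim($fromForm), $stored));
```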
-
in your last post, you need to show us what the print_r() output actually is, because it may hold a clue as to the problem. also, when you check only one or two boxes, not all three, is the result correct?
-
use var_dump() on both values to help see if they contain any white-space/non-printing characters.
-
Parsing Data from external page then searching for an entry
mac_gyver replied to KillerOz's topic in PHP Coding Help
we can only help when you post specific information, i.e. your code, a sample of the input data your code receives, the result you got from your code for that data, and the result you expected.
268,435,456 bytes (250+ MBytes) is a SIGNIFICANT amount of memory for any script to use and if when you change the memory limit, the amount of allowed memory listed in the error also went up to 512,xxx,xxx and then 1,024,xxx,xxx bytes, this indicates a script that will consume all available memory, no matter how much you make available to it. the script could either have a logic error that's consuming all memory (loading an array with the same data over and over in a loop for example) or a script that needs to process a large amount of data, but isn't managing memory usage very well or at all. in any case, you, or better yet, the program's authors, will need to debug what the code and data are doing to find what's causing the large memory usage. edit: i downloaded the script, and the api/pipe.php page specifically sets the memory limit to 256M in the code.
-
php code is normally only parsed when in a .php file, not a .js file.
-
exactly what does the 'view source' of the page show for the whole line where the php variable is at?
-
the php version you listed still has register_globals available. any chance that at some point in your testing you set a $_SESSION['user_rights'] or a $_COOKIE['user_rights'] variable with some values that could be now overwriting your $_POST data?
-
when the only thing that varies when an input value changes is an output value (i.e. you are mapping one value to another), you would not use hard-coded conditional logic to do this, as that would mean that you must find where in your code the values are hard-coded at and then alter the program logic every time you add, change, or remove a value. you would use a data-driven design, where the mapping is stored in a data structure, such as a database table or an array, depending on how much data there is, and the only thing the general-purpose code does is take the input value and make use of the mapping data structure to obtain the result. the code doesn't change just because the amount of data or the data values change. it's really beyond the scope of a post in a forum to feed you everything you would need to know to create a proper database driven content management system. you need to do some research and experimentation on your own and post specific questions you may have. here is an example of a data-driven design that took multiple sets of same program logic that only varied in the data values being operated on and changed it to use a mapping data structure, with one general purpose set of code that doesn't change just because the amount of data or the actual data values change - http://forums.phpfreaks.com/topic/291619-multiple-if-statement-not-working/?do=findComment&comment=1493538
-
based on what you are showing, you are planning on creating actual files - index.php, jobs.php, region.php, ..., but put (include) the same code in each file, that then needs to map the base filename to a search value. this is not the correct way to do this, as it results in a bunch of 'wrapper' files that must be maintained and managed every time you add, change, or remove a category/search type. the correct way of creating a content management system, would be to store the categories/search types in a database table, then you would have a single page that uses the contents of that database table to produce navigation links and to take the category/search type id/name from a submitted link to find the content to display on the page.
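The two posts above describe the same data-driven design: the mapping lives in a table (or array), one page builds the navigation from it and resolves whatever key arrives in the request against it. Added example, not mac_gyver's code and not the linked thread's code: the `categories` and `items` tables, their rows, and the simulated `?cat=` value are constructed; in-memory SQLite is used so it runs without a web server or MySQL.

```php
<?php
// Added example, not from the original thread. One page, one mapping table:
// navigation and content lookup both come from the same data, and the
// request only supplies a key that the mapping must recognise.
// Tables, rows and the request value are constructed sample data.
declare(strict_types=1);

function loadCategories(PDO $pdo): array
{
    // id => name, read once per request; two columns are required by KEY_PAIR.
    return $pdo->query('SELECT id, name FROM categories ORDER BY name')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

function navigationLinks(array $categories): string
{
    $html = '';
    foreach ($categories as $id => $name) {
        // The link carries the id only; the name is escaped for HTML output.
        $html .= sprintf(
            "<a href=\"?cat=%d\">%s</a>\n",
            $id,
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

function resolveCategory(array $categories, mixed $requested): ?int
{
    // Must be an integer AND a key the mapping knows; otherwise no category.
    $id = filter_var($requested, FILTER_VALIDATE_INT);
    return ($id !== false && isset($categories[$id])) ? $id : null;
}

function contentFor(PDO $pdo, int $categoryId): array
{
    $stmt = $pdo->prepare('SELECT title FROM items WHERE category_id = ? ORDER BY title');
    $stmt->execute([$categoryId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE items (category_id INTEGER, title TEXT)');
$pdo->exec("INSERT INTO categories VALUES (1, 'jobs'), (2, 'region'), (3, 'events')");
$pdo->exec("INSERT INTO items VALUES (1, 'welder'), (1, 'baker'), (2, 'north & east')");

$categories = loadCategories($pdo);
echo navigationLinks($categories);

// '1' stands in for the value a real link would put in $_GET['cat'].
$requested = $_GET['cat'] ?? '1';
$cat = resolveCategory($categories, $requested);
if ($cat === null) {
    echo "unknown category\n";
} else {
    echo "content for {$categories[$cat]}:\n";
    print_r(contentFor($pdo, $cat));
}
```

Adding a fourth category is one `INSERT`; neither the navigation code nor the lookup code changes, which is the whole point of the design.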
-
the reason $_SERVER['DOCUMENT_ROOT'] doesn't work for things the browser requests (images, and external css/javascript files) is because $_SERVER['DOCUMENT_ROOT'] contains file system path information on your server. it has no meaning to the browser. there are two different things going on - 1) include expects a file system path and a filename, because php is reading and including the file through the file system on your server. include can use a url, but this is not common, since it requires some settings to be enabled and including a .php file through a url doesn't include the actual php code, it includes the output from the .php file, the same as if you browsed to the file being included. 2) the <img > <script > and <link > tags you put on your web page contain URLs to the images, javascript, and css files. it's the browser that requests these and the browser needs to know the URL to use.
-
and assuming that the session_start() is actually working. do you have php's error_reporting set to E_ALL and display_errors set to ON so that php would be reporting and displaying all the errors it detects, such as session_start() errors?
-
the time check conditional statement is to send the email. after you get the $last_modified value, you will unconditionally call the error_log() statement to write the error information to the log file. if($time_elapsed > 1800) { // your email code would go here.... } the error_log() statement has a mode that accepts the filename as a parameter (though using it this way, you might as well use file_put_contents() with the append flag.) this would avoid the need to set any php.ini values. your code would have a variable holding the file name that gets used in both the filemtime() statement and the error_log() statement.
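Putting the post above together in one place: read the log file's modification time first, append the entry unconditionally with error_log()'s file mode, and only notify when more than 1800 seconds have passed since the previous write. Added example, not mac_gyver's code; the log file lives in the system temp directory, and mail() is replaced by a callable so the example runs without a mail server. `recordError` and `NOTIFY_INTERVAL` are names chosen here.

```php
<?php
// Added example, not from the original thread. Every error is appended to one
// file via error_log(mode 3); a notification goes out at most once per
// NOTIFY_INTERVAL, judged by the file's previous modification time.
declare(strict_types=1);

const NOTIFY_INTERVAL = 1800;   // seconds, the value used in the post

function recordError(string $logFile, string $message, callable $notify): bool
{
    // Read the timestamp of the last write BEFORE appending the new entry.
    clearstatcache(true, $logFile);
    $lastModified = is_file($logFile) ? filemtime($logFile) : 0;
    $timeElapsed  = time() - $lastModified;

    // Always written. Passing the file name here means no php.ini setting
    // is involved.
    error_log(date('c') . ' ' . $message . PHP_EOL, 3, $logFile);

    if ($timeElapsed > NOTIFY_INTERVAL) {
        $since = $lastModified ? date('c', $lastModified) : 'the log was created';
        $notify("First error since $since: $message");
        return true;    // notification sent
    }
    return false;       // suppressed: the log was written to recently
}

$logFile = sys_get_temp_dir() . '/app-errors.log';   // assumed location
@unlink($logFile);                                   // start clean for the demo

$sent = [];
$notify = function (string $text) use (&$sent): void {
    $sent[] = $text;    // stands in for mail()
};

var_dump(recordError($logFile, 'db connection failed', $notify));
var_dump(recordError($logFile, 'db connection failed', $notify));
echo count($sent), " notification(s), log follows:\n", file_get_contents($logFile);
```

The first call notifies because no log exists yet; the second is within the interval and is only logged. The `clearstatcache()` call matters when the same process writes and then stats the file again, since PHP caches stat results.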
-
your mysqli_query() statements are incorrect. they require the database connection link variable as a parameter. you need to have php's error_reporting set to E_ALL and display_errors set to ON so that php will help you. your usage of mysqli_query() would be throwing a php error. you also need to read the php.net documentation for the php functions you are using. converting your code from mysql_ to mysqli_ statements requires that you know the correct usage of those functions. also, for your mysqli_connect() error handling, you cannot use mysqli_error($link2) because there is no database connection in $link2 and the mysqli_error statement itself will throw a php error. you must use mysqli_connect_error() to get the connection error. there are examples of this in the php.net documentation for mysqli_connect().
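An added example serving this post and the earlier one about the `$user` / `$ticker` query (not mac_gyver's code and not the poster's): connection failures are reported with mysqli_connect_error() because no link exists yet, every later call receives the link and has its result tested, error reporting is turned on, and the values reach the SQL through placeholders, which also removes the single-quote-versus-double-quote question from the post above. Host, credentials, database name, the `holdings` table and its columns are placeholders, and a real MySQL server is needed to run it.

```php
<?php
// Added example, not from the original thread. Procedural mysqli with the
// link passed to every call, each result tested, and data bound through
// placeholders. Connection details and the table are placeholders.
declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '1');   // development only; log, don't display, in production

// Note: PHP 8.1+ reports mysqli errors as exceptions by default, so the
// === false checks below are reached only if that is turned off; they are
// harmless either way and match the behaviour the posts describe.
$link = mysqli_connect(
    'DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER'
);
if ($link === false) {
    // There is no link to ask, so mysqli_error($link) cannot be used here.
    die('Connect failed: ' . mysqli_connect_error());
}

function tickerRow(mysqli $link, string $user, string $ticker): ?array
{
    // Table and column names are fixed in the code; $user and $ticker are data,
    // so no quoting inside the SQL text is needed at all.
    $stmt = mysqli_prepare($link, 'SELECT * FROM holdings WHERE owner = ? AND ticker = ?');
    if ($stmt === false) {
        // Fails on SQL syntax errors or an unknown table/column: say which.
        die('Prepare failed: ' . mysqli_error($link));
    }
    mysqli_stmt_bind_param($stmt, 'ss', $user, $ticker);
    if (!mysqli_stmt_execute($stmt)) {
        die('Execute failed: ' . mysqli_stmt_error($stmt));
    }
    $result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
    if ($result === false) {
        die('Result failed: ' . mysqli_stmt_error($stmt));
    }
    $row = mysqli_fetch_assoc($result);        // null (8.1+) or false when no row
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

$row = tickerRow($link, 'alice', 'ACME');      // constructed sample values
var_dump($row);
mysqli_close($link);
```

If you prefer exceptions, `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` at the top makes every failure above throw a `mysqli_sql_exception`, which is the default on PHP 8.1 and later; the structure (link to every call, data through placeholders) stays the same.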
-
Does this Hostgator Technician Know What He's Talking About?
mac_gyver replied to Fluoresce's topic in MySQL Help
if you don't close the connection in your code, php closes it when php finishes processing the page. when php finishes running the code on a page, either normally (reached the end of the page or an exit/die/return statement) or abnormally (a fatal error occurs) it runs a 'clean up' routine that destroys all the resources used by the code on the page, which would close the database connection. inline html, that's outside of any php tags, is still actually php code. there's an inline html php token it gets converted to (T_INLINE_HTML), which simply outputs the inline html when that token is interpreted when the php code runs on the page.
it's a deprecated alias
-
Does this Hostgator Technician Know What He's Talking About?
mac_gyver replied to Fluoresce's topic in MySQL Help
you are correct, each database connection is only open for a fraction of a second. by the time the browser renders the page and someone actually starts playing a video, the instance of your script that output that page has long since ended, closing any database connection that was open on that page request. 25 concurrent connections is fairly low. large sites handle this problem by not using shared web hosting. your page could be partially at fault if it is opening more than one database connection per each invocation of your script or opening/closing a connection for each database operation on the page. you would need to look at the web server access log to see if there really are 25+ concurrent requests to your page and where they are coming from.
Need help with Contact form not sending in IE or Safari
mac_gyver replied to Graz73's topic in Third Party Scripts
you are going to need to debug what your code IS doing in order to find out what is causing the problem. some value(s) are either not being set (given the number of html errors on the page, this is a possibility, the browsers it works in may be more forgiving of the errors) or are being set to a value that the code isn't expecting (different browsers send different things in the same situation that code needs to take into account.) i did notice that the form is setting a hidden field, that hopefully is being tested in the php code to determine if the form has been submitted, so the php code should at least be able to detect that a form was submitted. unless there's an obvious problem or a specific error message that points to the problem, there isn't a single answer to 'Contact form not sending in IE or Safari'. you must track down what is happening to reduce the possibilities to just one or two that can be investigated further. if your site receives a lot of visitors, it would be best if you logged all the data values that get submitted when the contact form is submitted, along with the browser's user agent string. you can then look at the logged data and determine why the code isn't doing what you expect it to do.