Everything posted by mac_gyver
-
your thread is about protecting included files against direct url requests. included files are support files that are incorporated into and used by a web page. included files should be accessed through the file system, not a url. you shouldn't have any intentional url links to an included file. if this doesn't address your question, please post an actual example showing what you are trying to do.
-
using a cookie to keep track of a score is going to allow anyone to set their score to anything they want. if you just need to keep track of the information for the duration of a quiz, you would use session variables. if you need to remember the results for all users you would need to store that on the server somehow (storing it in a cookie won't help in this case because the only time you know what the values in cookies are is when the visitor makes a request for your web site.) you can store these in a flat-file database (i.e. text file), by each line in the file having more than one field - a username, the score, ...
-
the issue with register_globals is you can set any php variable by setting the same name $_GET, $_POST, $_COOKIE variable. if someone knows your code in the included file is testing $including, they can simply add ?including=1 in the url when they request your included file and the if (!$including) statement will allow access to the file. there are/were a lot of open-source scripts that used this method, since the variable name was known by examining the script, and a lot of sites were taken over. fortunately, register_globals has finally been removed in php5.4. a better way is to use a defined constant instead of a variable (register_globals cannot supply a value for a defined constant.) an even better way, since it completely eliminates any processing time for the files, is to put the included files into a folder that cannot be directly accessed via url requests.
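As an added example, not code from the reply above, here is the constant-based guard the reply recommends beside the variable check it replaces, plus the directory layout that keeps the include out of URL reach altogether. The paths and the IN_APP constant name are assumptions made for illustration.

```php
<?php
// Added example, not from the original reply. Guarding a support file against
// direct URL requests. The paths and the IN_APP constant name are assumptions.

// Preferred: keep includes outside the document root, so no URL reaches them.
//   /var/www/html/page.php      <- the only file a browser can request
//   /var/www/private/helper.php <- included through the file system only
// page.php:
//   define('IN_APP', true);
//   require '/var/www/private/helper.php';

// helper.php, when it has to stay under the document root: a constant check.
// Request data can populate variables (with register_globals, ?including=1
// would make "if (!$including)" pass), but nothing in a request can define
// a PHP constant, so a direct request always ends here.
if (!defined('IN_APP')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access is not permitted.');
}

// ... the rest of helper.php (functions, configuration) follows ...
function helper_example()
{
    return 'reached only through page.php';
}
```

The guard costs one function call per request, which is why the reply still prefers moving the file out of the document root: a file the web server cannot map to a URL needs no guard at all.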
-
Validate form errors before going to action page
mac_gyver replied to Last's topic in PHP Coding Help
php code is executed on the server when the page is requested. so, all the php code you have shown has long since run by the time the form code has been sent to and displayed in the browser. to use php code to validate the data, you would need to have your form submit to the .php page, then build the form that the payment gateway expects with the action set to the payment gateway.
-
since the only way to get an item in to an order would be for that item to exist, just a regular/inner JOIN would be all that you need. you can further reduce the code/logic if your 'extra' items and the 'product' items were all in one table. they are all things that you can select and add to a cart. putting them in separate tables only complicates what you must do at each step. once they are in one table, you can directly get all the details for an order using one JOIN query.
-
here are some programming/forum hints (yes one of them addresses getting only one result from a query) -
1) when posting code in a forum, surround it with the forum's bbcode tags (the edit form's <> button). this makes the code easier to distinguish from the rest of your post, highlights syntax problems, if any, in the code, and prevents the forum software from modifying the code so that someone could copy/paste it if needed and get the actual code.
2) if you only expect one row from a query, don't use a loop to fetch the results. this wastes processing time and confuses anyone reading the code since a loop implies there could be more than one row in the result set.
3) if you do expect more than one row from a query, use a loop to fetch the results. you must then either use the data from each row inside the loop or you must store that data in an array to be used later in the code.
4) your sql query statements are cluttered by unnecessarily repeating the (verbose) table name with each column reference. clutter in code generally makes it harder to pick out the actual meaning/logic.
5) your separate queries are related and should be JOIN'ed into just one (or two) query. this will also eliminate the need for the variables ending in numbers, which is a sign you are writing too much code to accomplish a task. at this point, no one here knows which of your queries you expect to return more than one row and that the data should be looped over, because you are looping to fetch the result from all the queries, but you are only storing the fetched data in scalar variables, so only the last result from each query will be available after the end of the loops.
-
during development, you should have your errors displayed, not logged.
-
nope, the code in the post does not produce that syntax error. some possibilities - 1) your actual code contains some smart/curly quotes or other non-ascii characters in the php code, and when you paste it into this forum, they are converted to straight quotes, 2) the actual file/line where the error is at is not the code you are looking at (perhaps you have multiple versions at different paths.) has this code ever worked? are you typing this code or are you copy/pasting this from some web site (code is often 'published' using characters/encoding that isn't valid code)?
-
the line of code you posted doesn't produce that error. the problem is on a line leading up to that one, usually a missing ; look at 2-3 lines before that one.
-
i need help auto creat and submit google sitemap
mac_gyver replied to usr's topic in PHP Coding Help
there are three things wrong with your post -
a) the wrong forum section, moving thread to the php help forum section for you...
b) no forum's bbcode tags around the posted code.
c) no specific question, error, or statement of what you need help with.
-
i'm going to bump this thread, based on your additional thread/problem (it's probably caused by the same problem as in this code), by mentioning that the error in this thread is/was due to line 77, in post #15. did you by any chance alter line 77 of the code too, to try and fix an error that was occurring at it? if so, what was the original code and what was the error? the current code is fetching an array into $balance, not the value that the query returned. i'm also pretty sure you didn't ever check and show us the php version, that has been mentioned more than once as a possible problem with the code.
-
Bitcoin Faucet Script - Dispenses occurring twice
mac_gyver replied to ElectricWizard's topic in Third Party Scripts
i just reviewed your code in that previous thread, post #15, where you showed the context leading up to the line with the error, and the problem in that code starts at line 77. you are fetching a row into $balance, so $balance is an array, which is supported by the var_dump() output. the comparisons using $balance in that code are not doing what you think and are not working based on the value in $balance. i recommend going back to that thread and fixing line 77 so that it is putting the proper value into $balance, which will also cause the comparisons to work, and will also eliminate the original error you were getting.
-
or if you want code that would work for any php5 version/mysql driver -

```php
// dynamically produce function to return mysqli result/data, as quickly as possible, that can be iterated over using a foreach(){} loop
// if php5.4.0 or above, mysqli_result object is traversable and can be used directly
// if php5.3.0 or above w/mysqlnd driver mysqli_fetch_all() exists
// else return array of fetched data
// run this code once to dynamically define the appropriate function code, the resulting function name is in $get_mysqli_result
// (note: create_function() is deprecated in php7.2 and removed in php8.0; this is php5-era code)
if (version_compare(PHP_VERSION, '5.4.0') >= 0) {
    // result object is already traversable, just return it
    $get_mysqli_result = create_function('$a', 'return $a;');
} elseif (function_exists('mysqli_fetch_all')) {
    // fetch_all function exists, return array with all data in it
    $get_mysqli_result = create_function('$a', 'return $a->fetch_all(MYSQLI_ASSOC);');
} else {
    // none of the above, 'manually' fetch the data and return it as an array
    $get_mysqli_result = create_function('$a', '$b = array(); while($r=$a->fetch_assoc()){$b[] = $r;} return $b;');
}

$mysqli = new mysqli( .... );
$query = 'select id from users'; // some query
$result = $mysqli->query($query); // run query
// loop over result
foreach ($get_mysqli_result($result) as $row) {
    echo "{$row['id']}<br>";
}
```
-
Decryption function doing something weird with encoding
mac_gyver replied to Speedysnail6's topic in PHP Coding Help
see item C) in the following post - http://forums.phpfreaks.com/topic/281753-mysqli-error/?hl=%2Bdecrypt&do=findComment&comment=1447791
-
from the mysqli documentation - you can only iterate over the result set like that in php5.4 or higher. it's best not to use the latest php features for a while. just use a traditional while(){} loop with a mysqli_fetch_xxxxxx() statement.

edit: your code when running under php5.3 is looping over the 5 properties of a mysqli_result object -

```
object(mysqli_result)#2 (5) {
  ["current_field"]=>
  int(0)
  ["field_count"]=>
  int(1)
  ["lengths"]=>
  NULL
  ["num_rows"]=>
  int(5)
  ["type"]=>
  int(0)
}
```
-
Will I See the MySQL Error or the PHP Error?
mac_gyver replied to Fluoresce's topic in PHP Coding Help
1. the web server's error log is where php will be logging errors and it is different from the web server's access log.
2. only if the php settings are set to log errors. the point about trigger_error() is it makes use of php's error_reporting/display_errors/log_errors settings. you can configure where it will send the output just by changing the php settings, one set for development to immediately display the system level information, a different set for a live server to log the system level information. all of this is covered in the documentation. the trigger_error() link above doesn't directly go to the manual's page, try this one - http://us1.php.net/trigger_error
3. using die() will stop script execution. if your intent is to allow your script to continue running, don't use die/exit. the choice is up to the programmer and how he wants to handle a condition in his code.
4. as to code that demonstrates this, here's an example -

```php
// some statement or block of code that you want to detect and handle any errors for...
if ( ! statement_that_can_fail() ) { // note: the ! (not) before the statement
    // something failed, handle that here...
    $user_message = "Sorry, whatever it was that you tried didn't work, try at a later time.";
    $system_message = "things you know about the error, such as the error message the database returned";
    echo $user_message; // display inline here or the code later on the page could display this where appropriate.
    trigger_error($system_message); // display or log this based on php's settings.
} else {
    // something worked, use the result from that something here...
}
// continue with the remainder of the code on the page here...
```
-
Will I See the MySQL Error or the PHP Error?
mac_gyver replied to Fluoresce's topic in PHP Coding Help
there are conditions outside your control that can cause something to fail. for things like a database connection, even if you have successfully created a connection at one point in your code, that connection can break before or while you are trying to access the data. by having error checking conditional logic (or a try/catch exception block) around any statement(s) that can fail, your code will take an expected execution path and can deal with an error in a defined way. when a step fails, you need to ensure that the code takes an execution path that makes sense (so that you don't produce errors in the following code that is trying to use the result from that step) and displays/logs useful information. you would want to display a 'user message' to let the visitor know the page isn't going to do anything and what he might, if anything, do about it, and display (during development) or log (when live) system level information about the problem. jcbones's suggestion above to use trigger_error() is the best way of controlling the display/logging of the system level error information. however, i disagree about using "or trigger_error()" on the end of a statement as that doesn't address the execution path the code takes when there is an error, unless you use E_USER_ERROR, in which case you might as well use a die() statement.
-
your second query is missing a back-tick, producing a sql syntax error. however, you should never run a select query inside of a loop, and your two queries are related. just run one JOIN'ed, prepared query and be done with it.
-
POST in PHP misbehaving - head and wall damaged :)
mac_gyver replied to tork's topic in PHP Coding Help
it's likely your URL is changing between not having and then having the www. (host-name/sub-domain name) in it and the session id cookie isn't set up to match all variations of your domain name, only the exact variation where it was first set at. then once you redirected to the variation with the www. in it and logged in, the session id cookie matches the current variation of the URL of the pages. you need to set the session id cookie domain to be .your_domain.com (with the leading dot) so that it matches all variations of your domain name. this needs to be set before every session_start() statement. ref: http://us2.php.net/manual/en/function.session-set-cookie-params.php it's also possible your code is outputting something before the session_start() statement and the session variables aren't actually working in some situations. do you have php's error_reporting set to E_ALL and display_errors set to ON in your php.ini so that all the php detected errors will be reported and displayed? -
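The cookie setup the reply above describes, as an added example rather than code from the reply: the session cookie domain is given a leading dot before session_start(), and error reporting is switched on so that output sent before session_start() is reported instead of silently breaking the session. The domain value is the placeholder from the reply.

```php
<?php
// Added example, not from the original reply. Make the session cookie valid
// for every host-name variation of the site. The domain is a placeholder.

// During development: report everything, so "headers already sent" (output
// before session_start()) is visible instead of silently breaking sessions.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Must run before session_start() on every page (put it in a common include).
session_set_cookie_params(
    0,                          // lifetime: 0 = until the browser closes
    '/',                        // path: the whole site
    '.your_domain.com',         // leading dot: your_domain.com and www.your_domain.com share the cookie
    !empty($_SERVER['HTTPS']),  // secure: only send the cookie over https when the site uses it
    true                        // httponly: cookie not readable by JavaScript
);
session_start();

// Any output before this point, even a blank line before the opening <?php
// tag, would have prevented the Set-Cookie header from being sent.
```

The five-argument form of session_set_cookie_params() is the one available on the php5 versions discussed in the thread; the secure and httponly flags are included because a session id cookie should carry both wherever the site runs over https.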
encapsulation refers to enclosing, putting a shell around, isolating the code so that the only interaction with an instance of the class is through its public methods/properties. once you have written and tested the code for a class, you should not need to remember (or document) anything about the actual internal implementation, just that it has methods/properties, what those methods accept as inputs, and what values are returned by the methods/properties. in short, you should be able to search through the main code in a program and find all the interaction with any class just by searching for the variable holding the instance of the class. by using the global keyword to bring a variable into the class, this isolation, general purpose nature, is broken. you must now remember that any one class needs you to set up an external variable and what the names are of all the global variables for all the different classes that are using global variables. you have also tied the class to using a specific external variable name, so it's not possible for you to use that variable name for anything else in the main code or for you to make additional instances of a class that needs a different value in a global variable.

an example. your class is apparently a user class. what happens when you need two (or more) instances of your user class (you are writing a user administration page where one instance is the admin, another instance is the user he is editing), each with a different database or requiring a different database connection? using the global keyword creates a bunch more work to accomplish this. however, if the code is written without using the global keyword, all you need to do is create another instance of your database class for the different database/connection, i.e. $db2, then create another instance of your user class, where you pass the database connection into the user class either in the constructor or through a specific setter method.
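The admin-page scenario from the reply above, as an added example that is not code from the reply or the poster: the same user class written once with the global keyword and once with the database connection passed into the constructor. The Database class and all method names are stand-ins constructed for this example.

```php
<?php
// Added example, not from the original reply. The user class written both
// ways; the Database class is a stand-in constructed for this example.

class Database
{
    private $dsn;
    public function __construct($dsn) { $this->dsn = $dsn; }
    public function findUser($id) { return array('id' => $id, 'from' => $this->dsn); }
}

// Broken encapsulation: the class reaches out for a variable named $db.
// Every caller must remember to create $db, the name is now reserved, and a
// second instance cannot use a different connection.
class UserWithGlobal
{
    public function load($id)
    {
        global $db;              // hidden dependency on the main code
        return $db->findUser($id);
    }
}

// Encapsulated: the connection is passed in, nothing outside is assumed.
class User
{
    private $db;

    public function __construct(Database $db)
    {
        $this->db = $db;
    }

    public function load($id)
    {
        return $this->db->findUser($id);
    }
}

// The admin page scenario from the reply: two users, two connections.
$db1 = new Database('mysql:host=db1;dbname=app');
$db2 = new Database('mysql:host=db2;dbname=app');
$admin  = new User($db1);
$edited = new User($db2);
$a = $admin->load(1);
$e = $edited->load(2);
echo $a['from'], ' / ', $e['from'], "\n";   // each instance used its own connection
```

Searching the main code for $admin and $edited now finds every interaction with the class, which is the test for encapsulation the reply gives; the UserWithGlobal version fails it because its real dependency, $db, never appears in a call to the class.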
-
i suggest you read post #7 in the existing thread you have for this problem.
-
POST in PHP misbehaving - head and wall damaged :)
mac_gyver replied to tork's topic in PHP Coding Help
so, i tried your actual code and your code IS doing what i stated in reply #2 and #4. upon a successful login, it is redirecting to header("Location: $url");, where $url is $url = BASE_URL; and BASE_URL is define ('BASE_URL', 'http://www.site_name.com/');. This will cause the browser to request your default index.php document. if your expected result was to see the messages you are echoing in the nm_login.php code, you won't because you are specifically and deliberately using output buffering in your actual script. this buffers any output you (or php) try to send to the browser and the buffered output is a) discarded upon the header() statement and b) you are specifically calling ob_end_clean(), which is cleaning/discarding the content in the buffer. two recommendations -
1) remove all of the output buffering statements from your code and if output_buffering is turned on in your php.ini, turn it OFF. the net effect of using these is to hide what is really happening in your code. you would only want to use output buffering when you want to buffer and/or capture the output.
2) remove any @ error suppressors in your code. again, the net effect of them is to hide what is really happening in your code.
-
it depends on what your code is doing/detecting. when validating/using user supplied input, just about every conditional test could have an else statement to do something with the value(s) that failed the test.
-
the information you are logging should be as specific as possible. exactly why the login is failing, along with what the inputs are, the ip address, date/time... while you need to give the user helpful information (is the login failing due to the values they entered, which if they re-enter correctly would work or due to a system error they cannot do anything about), you don't want to make it easy for someone to brute force/automate guessing usernames and passwords. unless you have bad-attempt counting and lockout, you would not want to tell the user if it is the username or the password that is causing the login to fail, just that it failed due to the values they entered ... try again.
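The split the reply above describes, as an added example rather than code from the reply: the log line records the exact failure reason, the username, the ip address and the time, while the visitor sees one message for both a wrong username and a wrong password, and a different message when the failure is a system error they cannot act on. Function and field names are assumptions, and the stored account is constructed for the example.

```php
<?php
// Added example, not from the original reply. One vague message for the
// visitor, full detail in the server log. Function and field names are
// assumptions; the sample user row below is constructed for the example.

// $row is the result of looking the username up:
//   array -> user exists;  null -> no such user;  false -> the lookup failed
function attempt_login($username, $password, $row)
{
    $ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    $when = date('c');

    if ($row === false) {
        // System error: the visitor can't fix this, say so, log the specifics.
        error_log("login error: user lookup failed; user=$username; ip=$ip; time=$when");
        return 'Login is not available right now. Please try again later.';
    }

    $reason = null;
    if ($row === null) {
        $reason = 'unknown username';
    } elseif (!password_verify($password, $row['hash'])) { // password_verify: php5.5+
        $reason = 'wrong password';
    }

    if ($reason !== null) {
        // The log gets the exact reason and the inputs (never the password).
        error_log("login failed: $reason; user=$username; ip=$ip; time=$when");
        // The visitor gets the same message either way, so the response does
        // not confirm which usernames exist.
        return 'Login failed: the username or password you entered is not correct. Try again.';
    }
    return null; // success
}

// Constructed sample: the only account is "alice".
$stored = array('alice' => array('hash' => password_hash('correct horse', PASSWORD_DEFAULT)));

$u = 'bob';
var_dump(attempt_login($u, 'anything', isset($stored[$u]) ? $stored[$u] : null));
$u = 'alice';
var_dump(attempt_login($u, 'wrong', isset($stored[$u]) ? $stored[$u] : null));
var_dump(attempt_login($u, 'correct horse', $stored[$u]));
```

error_log() writes to wherever php's log_errors/error_log settings point, so the same code logs to the web server's error log on a live site and, with display settings turned on during development, the detail can be shown instead. The per-ip and per-username fields in the log line are what a bad-attempt counter or lockout would be built on.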
-
this thread is exactly the same issue at the start of your previous thread. which means you are not getting the gist of what is actually being returned/stored in the variables in the code. you are getting an instance of a mysqli result object back from a method/function call, User::find_all(); in this case, and assigning that to a php variable $find_all. in the previous thread, you were directly calling your database class's ->query() method and storing the result object in a php variable $result. so, you have an instance of a result object in a variable. to access any properties/methods of that result object, you would use $variable_holding_object->some_property or $variable_holding_object->some_method();