cyberRobot

It looks like they're using two different hashing methods. The web builder uses md5 $crypt_pass = md5($_POST['password']); While the forum uses sha1 password = '" . sha1($_POST['password']) . "'";

If you use Barand's suggestion, you'll need to use $_POST in your query instead of $_GET. Note that you probably don't need a form for the Look buttons. You could get away with using a simple link and an image for the buttons. Also, you'll want to make sure the ID is valid before running the query. Assuming the ID is a number, you could run it through the ctype_digit() function: http://php.net/manual/en/function.ctype-digit.php

Is loadPage() a PHP function? If so, you need to switch to a client-side language like JavaScript. Sorry, I just reread the original post. What does your current code look like?

I'm still unsure what you mean by the div tag...are you talking about an HTML <div> tag? Or are you just referring to the PHP variable called "div"? The code provided should work as long as the POST variable actually comes from somewhere like an HTML form. And that the query is being executed: http://php.net/manual/en/function.mysql-query.php Note that you don't need the curly brackets in this case. <?php $sql = "INSERT INTO divs (contents) VALUES ('$div')"; ?> .

In some cases, you may want to consider removing the quotes altogether. $database_info = array("db_table_name" => tbl_detentions, "db_field_names" => array("rel_student_uid", "detention_date"), "form_fields" => array($rel_student_uid, $detention_date));

Have you tried array_count_values()? http://php.net/manual/en/function.array-count-values.php

What do you have so far?

Note that since the form is using the POST method, the information isn't going to be visible in the URL. It's passed behind the scenes. Are you getting any errors? Did you look at the source code (in your browser) for the form to see if the values have been populated? Did you check to see if the information was passed to cart.php? To do that you can use something like var_dump() to display the POST variables.

There are many tutorials online: https://www.google.com/search?q=how+to+create+an+online+quiz+with+php

Could you provide a little more information about what you're trying to do?

The if construct should do what you're looking for: http://php.net/manual/en/control-structures.if.php

There are a few alternatives mentioned in the comments section of XSS article (http://seancoates.com/blogs/xss-woes). My preferred method is to hard code the page name. So, if you're page is called "myform.php", the <form> tag might look like the following: <form class="form_id" class="appnitro" action="myform.php" method="post"> Others perfer to leave the action attribute blank: <form class="form_id" class="appnitro" action="" method="post">

Hmm...part of my message after the code tag was cut off. I would recommend reviewing what's available regarding XSS attacks. Using PHP_SELF as the action for your form makes you susceptible to these attacks. More information can be found here: http://seancoates.com/blogs/xss-woes

I personally find this a little easier to follow: <?php //...snip } else { ?> <div class="content-container1"> <div class="content-container2"> <div class="section-navigation"> </div> <div class="content"> <div class="submitinfocell"> <div class="updateerrorcell"> <?php if($success["success"]) print '<div class="valid">' . $success['success'] . '</div>'; ?> </div> </div> <div class="submiteventarea"> <div class="submiteventbox"> <form class="form_id" class="appnitro" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post"> <ul> <?php if($success["success"]) print '<div class="valid">' . $success['success'] . '</div>'; //...snip ?>

I'm not entirely sure I follow. Does the form collect both the first and last name at the same time? If so, you should be able to modify the query to something like: mysqli_query($con,"INSERT INTO SmallBook (FirstName, LastName) VALUES ('$FirstName', '$LastName')");

You're missing a few dollar signs in the if/elseif lines if(accesslv1=="admin"){

You could loop through the $_POST array: http://forums.phpfreaks.com/topic/208279-loop-through-the-post-array/ Note: if you haven't done so already, you might want to review what's available regarding e-mail injection attacks. https://www.google.com/search?q=php+email+injection

For the date/body issue, have you tried switching the variables in the bind statement to match the column order in the prepare statement? <?php //... $stmt = $mysql->prepare('SELECT id, title, date, author, category, LEFT(body, 600) AS excerpt, body from posts ') or die('Problem preparing the query'); $stmt->execute(); $stmt->bind_result($id, $title, $body, $author, $category, $excerpt, $date); //... ?>

You've passed the value in some links (see code at the end). As gristoi mentioned, you just need to do the same for your page links. Side note: data being passed through GET variables needs to be validated / sanitized. As far as I can tell, I don't see that happening in the script. Since the information isn't being cleaned, the potential for someone to inject code into your SQL query(ies)...or tamper with your page since the variables are being displayed back to the screen. echo '<p><a href="blogPost.php?board=' . $_GET['board'] . '"><font color="green">New Article</a></font></p>';

Did you post your real database credentials? If so, you should change your connection script(s) immediately.

I just re-read your post and it sounds like you actually have a two-step process. The first process uses the ID number to grab the user's information from the database...which is likely to be fine. In the next step, however, they fill out a form to supply information to be included in the e-mail. What does the following mean? Is the e-mail address stored in a hidden field, disabled field, or something else? It might be helpful to see the code for the form. Note that any information being passed through a form (even the disabled/hidden ones) can be modified. Also, it sounds like the form allows visitors to type in an address in the form...and it sounds like this address is being used in the headers argument. Are you using PHP's mail() function. If so, the "additional_headers" argument allows addresses to be added as Cc and Bcc. So the potential for someone to use the form for spam might be there.

As monkeypaw201 suggested, you'll want to sanitize the GET variable (id) before running the query. Since you're dealing with a number, you can make sure it's a number using ctype_digit(): http://php.net/manual/en/function.ctype-digit.php If you don't sanitize the information, there's a potential for someone to tamper with your database.

What do you mean by "save this for button click event"? Are you looking to process the query using PHP...or with a client side language like JavaScript? In other words, is it okay for the page to reload or are you trying to get the update to happen without the page going anywhere?

Note that multiple headers should be separated with "\r\n". For more information, see: http://php.net/manual/en/function.mail.php Also, for validating e-mail addresses, have you considered the filter_var() function? http://www.php.net/manual/en/function.filter-var.php

If you haven't done so already, you'll also want to look into e-mail injections: https://www.google.com/search?q=php+email+injection