
maxxd (Gurus) - Posts: 1,658 - Days Won: 51

Everything posted by maxxd

  1. Hey y'all. Hopefully quick question on something I've not come across before. I am doing a quick and dirty update on an existing site that is using the mysql_* functions to use PDO, and I'm wondering how much of a corollary there is between the mysql_real_escape_string() function and the PDO::quote() method. We had a sanitization method that returned the submitted string after running mysql_real_escape_string() on it, and I've updated it to return the string after passing it through quote(). What I'm noticing in phpMyAdmin, though, is that new records inserted using the quote() sanitize don't encode quotes or add slashes or evidence any of the things that apparently mysql_real_escape_string() used to do (I always used a different scrub method in the past, so I'm really not familiar with how it works under the hood). Is using quote() going to offer an equivalent level of protection against injection? Hopefully I'll get the go-ahead to take the time and revamp all the queries to use prepared statements, but right now that's not in the cards. At least the old site did abstract database interaction, so I'm not chasing mysql_* functions all over the site... Any opinions and thoughts are very much welcome, and thanks in advance!
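An added example (not part of the post above, and not the original site's code) showing what PDO::quote() actually produces, why the stored value carries no slashes either way, and what a prepared statement does differently. It runs against an in-memory SQLite database so it works offline; the table, column names and the `sort`/`limit` query parameters are assumed for illustration. With the mysql driver, quote() escapes with backslashes (`'O\'Brien'`) instead of SQLite's doubled quote (`'O''Brien'`), but the point is the same.

```php
<?php
// Added example: PDO::quote() versus a prepared statement.
// In-memory SQLite so it runs stand-alone; the mysql driver behaves the same
// except for the escaping style noted below.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");

$name = "O'Brien";   // constructed input containing the character that matters

// 1. quote() returns the value WITH surrounding quotes and driver-specific
//    escaping: 'O''Brien' on SQLite, 'O\'Brien' on MySQL. The escaping only
//    tells the SQL parser where the literal ends; what gets stored is the
//    original string, so phpMyAdmin will never show backslashes for it.
$literal = $pdo->quote($name);
$pdo->exec("INSERT INTO users (name) VALUES ($literal)");   // no extra quotes around $literal!

// 2. The same insert as a prepared statement. The value never becomes part of
//    the SQL text at all, so no escaping rules or charset assumptions apply.
$stmt = $pdo->prepare("INSERT INTO users (name) VALUES (:name)");
$stmt->execute([':name' => $name]);

// Both rows hold the plain string O'Brien.
foreach ($pdo->query("SELECT id, name FROM users ORDER BY id") as $row) {
    printf("%d: %s\n", $row['id'], $row['name']);
}

// 3. Where quote() is NOT a drop-in for a placeholder: anything that is not a
//    string literal. A column name in ORDER BY cannot be quoted as a string,
//    and a LIMIT value must be an integer, so allow-list and cast those instead.
$allowedColumns = ['id', 'name'];                 // assumed allow-list
$orderBy = $_GET['sort'] ?? 'id';
if (!in_array($orderBy, $allowedColumns, true)) {
    $orderBy = 'id';
}
$limit = (int) ($_GET['limit'] ?? 10);

$stmt = $pdo->prepare("SELECT id, name FROM users ORDER BY $orderBy LIMIT :limit");
$stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt as $row) {
    printf("%d: %s\n", $row['id'], $row['name']);
}
```

Two practical caveats when the driver is MySQL: quote() escapes according to the connection's character set, so set it in the DSN (`mysql:host=...;dbname=...;charset=utf8mb4`) rather than with a later `SET NAMES`, and never wrap the output of quote() in another pair of quotes in the SQL string, since it already carries them.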
  2. ignace is right - if class second extends class first, it's already got access to any public and protected methods and properties of the first class. So in your code, you would instantiate the second class, then call methods from either the first or second class. The only things you wouldn't have access to are private properties or methods, as you would expect. Inheritance is useful and easy to use, but also pretty heavily coupled. If you're trying to learn OOP in php, I'd recommend the book PHP Objects, Patterns, and Practice by Matt Zandstra. Personally, I found it an informative and fun read. Of course, I'm kind of a nerd, so fun is subjective, but hey.
  3. You're also going to want to edit your post to remove the database credentials. Won't help your problem (listening to Barand will do that), but it will certainly increase your db security.
  4. If you're going to load all the options at page load, you can output a select with <optgroup> tags. If you want to dynamically fill the drop-downs as your user makes selections (for instance, select 'Ontario' from the 'province' drop-down, then the separate 'cities' drop-down populates with the cities in Ontario - I've always called it cascading selection, but not sure if a Google search on that will result in anything as I may be the only person to refer to this setup that way...) you'll want to look at AJAX. Which may actually be easier as you don't have to store each individual selection between page loads because the page is only going to load once. So you just need to read the values of the form once the user fills out and submits the entire form.
  5. Hunh - it is valid. Never seen it in the wild, myself, but thanks for the info!
  6. Unless it's a variation on the syntax with which I'm not familiar, your insert statement is malformed. It looks like you're using UPDATE syntax. The syntax in your first post "INSERT INTO [table] ([columns]) VALUES ([values])" is correct. The [column]=[value] syntax is used for updating.
  7. You can do this using javascript, not php. <a href='#' onclick='alert("You clicked it!");'>click me</a>
  8. "WHERE MONTH(date) = MONTH(CURRENT_DATE) AND YEAR(date) = YEAR(CURRENT_DATE)" should do it.
  9. Couple things to add to mac_gyver's answer. First, ID in a table is typically (not always, so I'm making an assumption) an auto-increment field, which means you won't insert a value into that field at all. Drop it from the column and values lists. It also looks like you're missing the closing parenthesis in the values list of your query. Finally, strings need to be quoted, so $coment would be '$coment', etc. Turn on error reporting - it'll help.
  10. Yeah, 32 characters for the hashed password value is not enough. I'd up that to 64 or 128, then - as mac_gyver suggests - go back to the beginning and revisit your logic. Also, make sure you've got error reporting enabled.
  11. So what exactly is the purpose of the form? If it doesn't really do anything, why is it there? What is the not much that it does? For instance, a contact form may not insert any data into the database, but a malicious user could inject to: and from: headers into the comment section and use your contact form as a spam launcher to send mail to users. If the actual body of the spam mail contains malicious code, then yes. This could be a problem. I think what Jacques1 is saying is that any and all data needs to be carefully considered before anything is done with it, regardless of its eventual purpose - whether it's stored in the database, displayed to the current user, or e-mailed anywhere. I don't know that you need to validate the contents of the specific form element because I don't know the purpose of your form, but you should definitely handle all the other data - which I'm sure you're considering, given the fact that you've asked this question. Jacques1, please correct me if I'm wrong regarding my understanding of your post.
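An added example, not from any post in this thread, of the contact-form case described above: a handler that refuses mail header injection. The field names (`name`, `email`, `message`), the sender address and the recipient are assumed; the two submissions at the bottom are constructed inputs.

```php
<?php
// Added example: keeping user input out of mail headers.
// Field names, addresses and inputs below are assumed/constructed.

/**
 * A header-bound value must not contain CR or LF: a line break is the only way
 * to smuggle an extra "Bcc:", "Cc:" or "To:" header into a mail() call.
 */
function isSingleLine(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

/**
 * Builds the pieces for mail(). Returns null when the submission must be
 * rejected. The recipient is fixed by the site, never taken from the form.
 */
function buildContactMail(array $post, string $recipient): ?array
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = $post['message'] ?? '';

    // Anything that ends up in a header line must be a single line,
    // and the address must actually parse as an address.
    if (!isSingleLine($name) || !isSingleLine($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // From: is a fixed site address; the visitor's address goes in Reply-To only.
    $headers = [
        'From: contact-form@example.com',        // assumed site address
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];

    // The body may legitimately contain newlines. mail() sends headers and body
    // separately, so line breaks here cannot turn into headers.
    $body = "$name <$email> wrote:\n\n" . $message;

    return [
        'to'      => $recipient,
        'subject' => 'Contact form submission',
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Constructed inputs: one honest submission, one attempt to add Bcc recipients.
$good = [
    'name'    => 'Alice',
    'email'   => 'alice@example.org',
    'message' => "Hello,\nquick question about the site.",
];
$evil = [
    'name'    => 'Bob',
    'email'   => "bob@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    'message' => 'spam',
];

var_dump(buildContactMail($good, 'owner@example.com') !== null);   // accepted
var_dump(buildContactMail($evil, 'owner@example.com') === null);   // rejected

// In production:
// $m = buildContactMail($_POST, 'owner@example.com');
// if ($m !== null) { mail($m['to'], $m['subject'], $m['body'], $m['headers']); }
```

The rejection is deliberately blunt: rather than stripping the line breaks and sending anyway, the handler drops the submission, since a CR/LF in an address field has no legitimate origin.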
  12. Possibly a dumb question, but what are your MySQL column settings for both salt and password? Make sure they're able to hold the complete strings of both values and aren't truncating upon insert. The code looks fine to me (admittedly, I haven't had my second cup of coffee yet), so I'd start there.
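An added example covering the column-width point raised in posts 10 and 12 above (it is not code from either post). It shows how long a modern password hash actually is, and what happens to verification when the stored value is silently cut to 32 characters. The truncation is simulated in PHP with substr() so the example runs without a database; the column widths are assumed.

```php
<?php
// Added example: hash length versus column width.
// Column widths are assumed; truncation is simulated rather than done by MySQL.

// password_hash() picks the algorithm and generates the salt itself.
// A bcrypt hash ("$2y$...") is 60 characters; Argon2 hashes are longer,
// which is why VARCHAR(255) is the usual recommendation.
$password = 'correct horse battery staple';
$hash = password_hash($password, PASSWORD_DEFAULT);
printf("hash length: %d\n", strlen($hash));

/**
 * Simulates a CHAR(n)/VARCHAR(n) column that silently truncates on insert
 * (MySQL does this when sql_mode is not strict; strict mode raises an error).
 */
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

$storedWide      = storeInColumn($hash, 255);   // fits
$storedTruncated = storeInColumn($hash, 32);    // loses the second half of the hash

var_dump(password_verify($password, $storedWide));        // verifies
var_dump(password_verify($password, $storedTruncated));   // fails: hash is incomplete

// The separate salt + hashed-password layout from the thread has the same
// problem in both columns: a 64-hex-character SHA-256 digest does not fit
// CHAR(32). Compare stored digests with hash_equals(), not ==.
$salt   = bin2hex(random_bytes(16));            // 32 hex characters
$digest = hash('sha256', $salt . $password);    // 64 hex characters
var_dump(hash_equals(storeInColumn($digest, 64), $digest));   // intact
var_dump(hash_equals(storeInColumn($digest, 32), $digest));   // truncated, never matches
```

If logins started failing only after the column was resized, that is the symptom to look for: every hash written while the column was too narrow is unrecoverable and those users need a reset.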
  13. Try assigning the return value of the function to a variable, then dump that. $thumb = get_field('thumbnail'); print("<pre>".print_r($thumb,true)."</pre>"); die(); That should show you what you're dealing with, assuming get_field() is returning anything.
  14. You need to reconsider your approach. By trying to 'make things as simple as possible', you're twisting things way out of control. Consider using comboboxes for your filters. <select name='type'> <option value='newcars'>New Cars</option> <option value='new'>New Whatever</option> <option value='newmake'>New Make</option> </select> <select name='year'> <option>2014</option> <option>2013</option> <option>2012</option> </select> <select name='color'> <option value='blue'>Blue</option> <option value='red'>Red</option> <option value='rusted'>Rusted Out</option> </select> Then you build it in php: $link = "http://ebay.com/{$_GET['type']}/{$_GET['year']}/{$_GET['color']}/"; I've honestly never used ebay, so I don't know if that link makes any sense at all to it, but I think it's close to what you're trying to do?
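An added example (not from the post above) of building that link while treating $_GET as untrusted. A <select> only limits what a browser sends through the form; anyone can request ?type=../something or a value with quotes directly, so the server re-checks each parameter against the same option list before it goes into the URL or the page. The option values are taken from the post; the base URL and function name are assumed.

```php
<?php
// Added example: allow-list the select values server-side before building the link.
// The option lists mirror the <select> elements in the post; the rest is assumed.

const FILTER_OPTIONS = [
    'type'  => ['newcars', 'new', 'newmake'],
    'year'  => ['2014', '2013', '2012'],
    'color' => ['blue', 'red', 'rusted'],
];

/**
 * Returns the search link, or null if any parameter is missing or is not one
 * of the values the form actually offers.
 */
function buildSearchLink(array $params, string $base = 'http://ebay.com'): ?string
{
    $segments = [];
    foreach (FILTER_OPTIONS as $name => $allowed) {
        $value = $params[$name] ?? null;
        // Strict comparison: "0", arrays and near-misses are all rejected.
        if (!is_string($value) || !in_array($value, $allowed, true)) {
            return null;
        }
        // Already allow-listed, but encoding costs nothing and protects the
        // URL if the list later gains values with reserved characters.
        $segments[] = rawurlencode($value);
    }
    return $base . '/' . implode('/', $segments) . '/';
}

// Constructed inputs: a normal form submission and a hand-crafted request.
$ok  = buildSearchLink(['type' => 'newcars', 'year' => '2013', 'color' => 'red']);
$bad = buildSearchLink(['type' => '../admin', 'year' => '2013', 'color' => 'red']);
var_dump($ok);    // the eBay URL
var_dump($bad);   // NULL: rejected

// Real request: $link = buildSearchLink($_GET);
// When the link is written into HTML, escape it for that context too.
if ($ok !== null) {
    echo '<a href="' . htmlspecialchars($ok, ENT_QUOTES, 'UTF-8') . '">search</a>', "\n";
}
```

Keeping the option lists in one constant means the <select> markup can be generated from the same array, so the form and the validation cannot drift apart.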
  15. A couple options in addition to cyberRobot's suggestion come to mind. You could use a checkbox group and a pre-determined list of options, which is probably the safest and most controllable method. Or you can explode the $_POST['brand'] value on a comma (or other character). This, however, leaves you at the mercy of your users and whether or not they're going to read and follow the instructions.
  16. Actually, that's not what's going on. The only value returned on line 7 is the last_login_date - student_id is pulled from _POST on line 16. The problem is this assumes that the submitting form (the log in form) already knows the student_id. Which it quite literally can't. The solution to this specific problem is to add student_id to the list of fields returned from the query on line 7, then assign that value to $_SESSION['student_id']. The security issues and outdated mysql_ functions are other matters entirely.
  17. If running the query in phpMyAdmin only returns 1 row when you're expecting 3, you need to re-evaluate your query. Only 1 row is matching the criteria, so something is amiss. Work on the query in phpMyAdmin until you're actually getting back all the results you know you should have, then worry about getting those results from and into php.
  18. I didn't even think about array_map() - much better for readability.
  19. '&&' is a logical operator - it doesn't work the way you're trying to use it. Check http://us3.php.net/manual/en/language.operators.logical.php for more details. In the meantime, try foreach($fields_to_cap as $field){ $cap_fields[] = strtoupper(str_replace(' ','',rgpost($field))); } I'm assuming rgpost() is a custom function that should be called on the raw data?
  20. There could be any number of reasons this isn't returning what you expect - a little more detail would help. If you run the query in phpMyAdmin or MySQLWorkbench, is it returning 1 row or 3? Is there some php display code - obviously, if there is display code we'd need to see that as well.
  21. That's how I would handle it, yes. Something along the lines of the following: $query = mysql_query("SELECT id ,location ,description ,name FROM `images` ORDER BY `id` DESC LIMIT 4"); while($row = mysql_fetch_assoc($query)) { echo "<img src='{$row['location']}' alt='{$row['description']}' name='image_{$row['id']}' id='image_{$row['id']}' title='{$row['name']}' />\n"; } Of course, I'd also recommend you use either the PDO or MySQLi libraries instead of mysql_* functions, as those are well and truly deprecated and slated to be removed from the language soon.
  22. Remove the width attribute in your table opening tag.
  23. You're overwriting $imageData on each loop through the 4 returned rows from the database and only outputting the results after the loop. Are you actually storing the image in the database, or a path to the file on the server? I'm not sure how the browser's going to respond to trying to write the image header for each of the images, but you'd need to put the lines header("content-type: image/jpeg"); echo $imageData; before the closing curly brace of your while() loop. Also, if you're trying to display 4 images, why do you care if $_GET['id'] is set? If you're only trying to display the selected image (the image corresponding to 'id' in $_GET['id']), then use Ch0cu3r's code.
  24. OK - it's actually not a bad start at all for a beginner. Couple things (please keep in mind that this is how I code and there are a million other opinions and ways of working).

      First, your constructor method actually was doing what it was supposed to do; it just wasn't storing the result anywhere or returning anything, so it looked like it wasn't doing anything. Notice in the code below that there are two property declarations before the constructor - these set up object-scope variables (also called properties). The scoping here means that the methods in the Greeting class can access the values in the properties, but, because they're declared private, an external class will *not* be able to access them directly. The same visibility caveat applies to the functions (called methods) in the class itself - an external class won't be able to call setGreetingPhrase() without an error.

      Now, I have a tendency to break my functionality into the smallest units I can think of when I create my methods. Some would say they're too small, but I like to know exactly what I'm looking at when I have to debug a method. So, in this example, your constructor explicitly calls setTime() to set the hour of the day in the local property, then explicitly calls setGreetingPhrase(), which uses the value in hour_of_day to set the string value you eventually want to return. Finally, you've got the getGreetingPhrase() method, which acts as the public access point in order to return the string built by the constructor.

      Obviously, there's a ton of different things you can do here - it's just a quick and dirty example. For instance, make setGreetingPhrase() and setTime() public and other objects can modify the eventual output, you can do value checking, etc.

      class Greeting{
          /**
           * The hour
           * @var int
           */
          private $hour_of_day = 0;

          /**
           * The actual greeting phrase
           * @var string
           */
          private $greeting_phrase;

          /**
           * Class constructor.
           * @param string $dateString Date string
           */
          public function __construct($dateString=null){
              if(!is_null($dateString)){
                  $this->setTime($dateString);
                  $this->setGreetingPhrase();
              }
          }

          /**
           * Sets the time of day.
           * @param string $value Valid date string to parse and store
           * @return void Prints the error code and message and exits on a DateTime exception
           */
          private function setTime($value){
              try{
                  $dt = new DateTime($value);
              }catch(Exception $e){
                  print("<p>Error: {$e->getCode()} :: {$e->getMessage()}</p>");
                  die();
              }
              // format('G') returns the hour as a string; cast it to match the @var int declaration
              $this->hour_of_day = (int)$dt->format('G');
          }

          /**
           * Sets the actual phrase to return as a greeting.
           * @return void
           */
          private function setGreetingPhrase(){
              if($this->hour_of_day < 12){
                  $this->greeting_phrase = 'Good morning!';
              }elseif($this->hour_of_day >= 12 && $this->hour_of_day < 18){
                  $this->greeting_phrase = 'Good afternoon!';
              }else{
                  $this->greeting_phrase = 'Good evening!';
              }
          }

          /**
           * Returns the greeting phrase if set up.
           * @return string|null
           */
          public function getGreetingPhrase(){
              if(!empty($this->greeting_phrase)){
                  return $this->greeting_phrase;
              }
              return null;
          }
      }

      $greeting = new Greeting('2014-06-19 12:45:00');
      //$greeting = new Greeting('12:45pm today');
      echo $greeting->getGreetingPhrase();

      So, that's my two cents - hope it helps!
  25. I've always considered legacy code to be existing code in a project - class code written for version 1.0 and not updated for 1.2 is legacy code. And, honestly, version 1.2 code is legacy as soon as development on 1.3 starts. Legacy code can be ugly or pretty, as can code under test, code in development, or deployed code. Ugly is ugly regardless of state or stage. That's the way I've always thought about it, anyway.