JonnoTheDev

Get the members number (x) $result = mysql_query("SELECT x FROM members WHERE id='".$memberId."'"); $row = mysql_fetch_assoc($result); // use the number to lookup the required records $result = mysql_query("SELECT * FROM phonelog where x='".$row['x']."'"); // display records while($row = mysql_fetch_assoc($result)) { }

When I land on the index page there is absolutely nothing telling me what this site is about. I haven't got a clue what you do, what services you offer and how it will help me. There is no close of sale i.e telephone number, contact link, etc. I am distracted by the massive header graphic which also means nothing. I would click away instantly.

Syntax error if(luhn_check($luhn)) $errorluhn = true; or if(luhn_check($luhn)) { $errorluhn = true; }

$_FILES['userfile']['tmp_name'] The temporary filename of the file in which the uploaded file was stored on the server. This is only temporary. Your file should be moved and re-named using move_uploaded_file(). Read http://us3.php.net/manual/en/features.file-upload.post-method.php If you have all the security mentioned above then I fail to see how anyone will gain root access to your server! Please enlighten me.

Yes, I wish people understood and viewed other posts!

Next to the record have a link to the edit page while ($row= mysql_fetch_array($result)) { echo $count.") <a href='edit.php?id=".$row['id']."'>".$row["Contact"]."</a><br />"; $count++ ; }

Cant believe ive only just seen this thread! Neil, 28 years old, Liverpool United Kingdom. Big Everton FC fan (soccer for the Americans) & love golf, have a 14 handicap. Started web development back in 1997 and been a developer for a company in Manchester, England for the last 5 years using php, mysql, perl and the rest of the usual stuff. MCP & Novell certified. Trained in UNIX, and have a load of other programming qualifications. Hi everyone!

They sound like golf drivers!

wow

I have just given you the code. I have not passed any field names to the constructor, only the name of the table. They are stored in the $dbFields variable within the object.

Go through php/mysql tutorials. To select a record you need its id i.e SELECT name, email FROM users WHERE id='123' The id may be passed through the url to display the edit form (i.e ?id=123). Display the data within a form. When you click the submit button, perform an update query using the inputted data. UPDATE users SET name='xyz', email='abc@abc.com' WHERE id='123' Get a PHP beginners book.

Makes no sense. Where is your concern?

You dont use global variables within a class! I have used a similar database wrapper class. Ammend as needed <?php class foo { private $db; private $tableName; public $dbFields = array(); public function __construct($tableName) { $this->db = new dbSql(); $this->tableName = $tableName; $this->fieldNames(); } private function fieldNames() { $this->db->query("SHOW COLUMNS FROM ".$this->tableName); $array = array(); while($row = $this->db->nrecord()) { $array[] = $row; } for($x = 0; $x < count($array); $x++) { $this->dbFields[] = $array[$x][0]; } } } // usage $x = new foo("myTable"); print_r($x->dbFields); ?>

Use an SSL certificate on your domain and make sure your forms are requested via https: If your server is setup properly, decent firewall etc nobody should gain root access. Do not store user uploaded files in the website document root if you do already. Change your server root password regularly and use a wheel user as opposed to root login i.e Deny root login over SSH.

Data can remain persistent throughout HTTP via GET & POST i.e. Url Parameters, hidden form fields. Access to a secure area of a website will require a session to maintain your login. Some use cookies to maintain a persistent login (you return after your session is lost). You would never pass customer sensitive data through GET or POST requests.

rename the file to .htaccess

That is the entire file! Open notepad. Add the lines I posted. Save as .htaccess (make sure its not .htaccess.txt or anything similar). Upload to your document root i.e. The root directory where your web files sit.

Have you copied the code I pasted rather than just ammending yours? You are using php shorthand echo tags within a variable container (invalid) and also enclosing varaibles in singles quotes '. When used in a string this prints the syntax rather than the parsed code. What I have posted is valid.

I suggest you have a decent uploader as if you use a standard form the user will be sat there for a long time waiting for 30mb to be transferred over HTTP. The web server will probably time out!

Just upload a htaccess file in the document root containing the following, its not hard: php_value upload_max_filesize 30M php_value post_max_size 30M

Use a conditional statement. i.e if($userGroup == 'admin') { // display file upload }

No. There is simply no condition to state that if the directory already exists then do not create. Here: <?php $newDir = "/home/html/mynewdir"; // if the directory does not exist then create it if(!is_dir($newDir)) { mkdir($newDir); } ?>

What? It's plain & simple syntax errors: <?php $browse .= "<tr class=\"contentfont ".$background."\">\n <td><img src=\"img/".(($item_details["sticky"] == 1) ? "img1.gif" : "img2.gif")."\"><a href=\"".$nte_link."\">".$item_details['name']."</a>".item_pics($item_details)."</td>\n </tr>"; ?>

Why would you store this? Newlines should be maintained when text is inserted.

Data from a form post or url parameters is held in the $_POST or $_GET array (in the case of a form decided by the form method <form method="post>) You should clean this data prior to placing in any function or database query. Some simple functions: <?php // data from form is in post array $searchString = $_POST['searchterm']; // check that the value is not balnk if(strlen(trim($searchString))) { // remove any injected html $searchString = strip_tags(trim($searchString)); // perform search query and escape variable $result = mysql_query("SELECT * FROM tablename WHERE x LIKE '".mysql_real_escape_string($searchString)."%'"); print "Your search for: ".$searchString." returned ".mysql_num_rows($searchString)." results"; } else { print "Please enter a valid search term"; } ?>