Everything posted by Jacques1
-
Insecure code is insecure, regardless of where it runs. Of course you'll not get attacked as long as you only run this on an isolated PC and never make it accessible to the outside world. But isn't the whole point of learning PHP that you eventually publish your work? Security is a fundamental part of programming, so you should learn it right from the beginning.
-
For some strange reason, you regard a successful call of opendir() as an error:

    if ($dir_handle = opendir($image_path)) {
        trigger_error('error, path not found');
        return;
    }

If the function returns a resource (which it should), the condition is fulfilled, and you complain about the path not being found. Shouldn't it be the other way round? But what's much more important: You have a gigantic security hole in your code which allows arbitrary users to delete any file your webserver has write access to. All they have to do is manipulate the file path through the delete parameter. Never trust user input. Never insert raw user data into file paths, queries or whatever. People will exploit this. I'm surprised this hasn't happened before. Or maybe you just didn't notice.
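As an added example (not Jacques1's code and not the original poster's script), here is one way to confine the delete parameter to the gallery directory: accept only a plain image file name and then verify the resolved path still sits inside the directory. The function name and the images directory are assumptions.

```php
<?php
// Added example: delete a gallery image only when the request names a plain
// file that actually lives inside $image_path (assumed gallery directory).

function delete_image(string $image_path, string $requested): bool
{
    // Only a bare file name with an image extension is acceptable.
    // This rules out slashes, "..", NUL bytes and absolute paths outright.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(jpe?g|png|gif)\z/i', $requested)) {
        trigger_error('Invalid file name: ' . $requested, E_USER_WARNING);
        return false;
    }

    $base   = realpath($image_path);
    $target = realpath($image_path . DIRECTORY_SEPARATOR . $requested);

    // realpath() returns false for a missing file. The prefix check is defence
    // in depth: even through a symlink the resolved path must stay in $base.
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        trigger_error('No such image in the gallery', E_USER_WARNING);
        return false;
    }

    return unlink($target);
}

// The "delete" parameter from the thread, now validated before it touches the file system.
if (isset($_GET['delete'])) {
    delete_image(__DIR__ . '/images', (string) $_GET['delete']);
}
```

A deletion should also be tied to an authenticated user and a POST request with a CSRF token; this block only shows the path confinement.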
-
Note that your code is wide open to SQL injections, allowing any visitor to mess with your database and potentially compromise your entire server. The mysql_* functions you're using have also been obsolete for more than 10 years and will be removed in one of the next PHP releases. How to properly access a MySQL database with PHP.
-
baffeled on why only one javascript function is being called
Jacques1 replied to Q695's topic in Javascript Help
I think there are some general misconceptions. How do you expect the second function to be assigned to the onclick event? You're calling flippage exactly once, so it will assign exactly one of the two functions to the event (namely increase). If you want to switch the event handlers, you need to call flippage again. However, it makes much more sense to use a single event handler and let it decide if the element should be high or low:

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <title>Test</title>
        <script src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
        <style>
            #box {
                width: 100px;
                height: 100px;
                position: absolute;
                bottom: 0;
                background-color: green;
            }
            #box.high {
                background-color: red;
                bottom: 100px;
            }
        </style>
        <script>
            $(function () {
                $('#box').click(function () {
                    // If the box is high, make it low and vice versa
                    $(this).toggleClass('high');
                });
            });
        </script>
    </head>
    <body>
        <div id="box"></div>
    </body>
    </html>

You also confuse functions with function calls. If you want to bind the upward function to an event, you need to write “upward” without parentheses. Writing “upward()” means that you call this function.
-
Your query makes absolutely no sense to me. Are you saying you're pulling the rows from a single table? In that case, the wrong specs are a problem of your data. You've stored them like this in your database. No SELECT query will change that, you need to actually repair your data.
-
Yo Dawg ... No, you cannot have PHP sections within PHP strings within PHP code. Why do you even want that? You already are in a PHP context. Just terminate the string and concatenate it with any PHP value you want:

    ' ... <input type="radio" name="flag" ' . (isset($flag) && $flag == 'full' ? 'checked' : '') . ' value="full"> ... '

Or, which is probably more readable, terminate the PHP section before the giant HTML part and make small PHP sections within the HTML.
-
baffeled on why only one javascript function is being called
Jacques1 replied to Q695's topic in Javascript Help
Your question doesn't get better through repetition. I know it's hard to describe a problem. But please realize that none of us can read your mind. To you, it may be totally clear what this code is supposed to do and how it fails. But we see the code for the very first time and know absolutely nothing about the thought process behind it. That means you have to actually give us this information: What do you expect the code to do? What is the desired result? What do you get instead? Again, we know nothing about your goals, your project, your ideas or why you're unsatisfied with the code. You have to actually write it down.
-
The manual will help. You cannot have output before setting a cookie. Since you have plenty of output before you finally call setcookie(), you need to restructure your application. It's generally poor practice to heavily mix PHP and HTML (also known as “spaghetti code”). Put the application logic on top of the script and echo the output at the very end of the script. This will prevent problems like this in the future.
-
Access denied for user ''@'localhost' to database 'FltLogbook'
Jacques1 replied to HeedAV8's topic in PHP Coding Help
The database users have nothing to do with the application users. Those are two entirely different things. For example, this forum has thousands of users, but of course there isn't a separate MySQL user for each one of us. That would be insane. We all connect to the forum database through the same MySQL user. I think you should postpone the login stuff and concentrate on getting the database connection right. As Clarkey already said, you'll want a configuration script. This script simply contains all configuration data including the database credentials:

configuration.php

    <?php
    define('DATABASE_HOST', '...');
    define('DATABASE_USER', '...');
    define('DATABASE_PASSWORD', '...');
    define('DATABASE_NAME', '...');

Then you'll want a database script which establishes a database connection using those credentials. Of course you could write this code into every single script, but this is tedious and can lead to conflicting configurations. Better have one central script:

database.php

    <?php
    require_once __DIR__ . '/configuration.php';

    // turn on exceptions in MySQLi driver
    $database_driver = new mysqli_driver();
    $database_driver->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT;

    // connect to the database
    $GLOBALS['database'] = new mysqli(DATABASE_HOST, DATABASE_USER, DATABASE_PASSWORD, DATABASE_NAME);

    // set character encoding
    $GLOBALS['database']->set_charset('utf8');

And now you can simply include this database script in any file that needs a database connection. For example:

    <?php
    require_once __DIR__ . '/configuration.php';
    require_once __DIR__ . '/database.php';

    $test_query = $GLOBALS['database']->query('SELECT 1');
    $test_result = $test_query->fetch_assoc();
    var_dump($test_result);

When you've got this running, you can move on to the login system.
-
Get NEW row, show it on the place of the old one
Jacques1 replied to matthijs110's topic in Applications
I'm sorry, but your wording again is just weird. It always sounds like you literally have hundreds of hard-coded HTML files on your server which you overwrite as soon as new data comes in. Don't you generate the table dynamically from a query?
-
How can i obtain better performance with this?
Jacques1 replied to bores_escalovsk's topic in PHP Coding Help
What on earth is an “sql file”?
-
As mac_gyver already said, you need to post your query. You've obviously made a mistake when associating the two tables.
-
Access denied for user ''@'localhost' to database 'FltLogbook'
Jacques1 replied to HeedAV8's topic in PHP Coding Help
He just told you how to solve the problem: Hardcode the database credentials instead of waiting for the user to provide them (which makes absolutely no sense whatsoever; I wonder how you even got this idea). Or are you saying you want to keep this very bug that's causing the trouble, somehow create a half-assed workaround for your local machine and finally throw everything away to write the real code? That sounds rather silly, don't you think? Why not write correct code from the beginning? Besides that, I find it funny that so many programmers seem to view security as some kind of “bonus feature” which they can add at the very end (they never do). Programming doesn't work like this. Security is a fundamental part of writing code and shapes the structure of the program. You cannot “add it later”. If you write insecure code, you either end up with an insecure program, or you have to rewrite large parts of the code.
-
Hi, the GROUP BY clause has absolutely nothing to do with your case. I know that many people get confused by the word “group” and think this clause is for any kind of “grouping”, but it has a very specific meaning and may only be used in conjunction with aggregate functions (like COUNT(), AVG() etc.). It's probably best to forget it for now. You'll know when you actually need it. What you want is the DISTINCT keyword. This gives you all distinct rows from the result set:

    SELECT DISTINCT
        company,
        spec
    FROM
        whatever
    ;

This does not leave the “company” field empty if it occurs more than once (if that's what you wanted). MySQL is not Excel. It's only for fetching data, not printing pretty tables.
-
The values range from 0 to 1. If you want a scale from 0 to 255, you need to multiply the value by 255 and round the result.
-
I think you're just confused because of all the fancy JavaScript. You have four input elements, right? The first one holds the hexadecimal value of the color. That's also the one you've called “color”, so the “color” parameter will contain a string with 6 hexadecimal digits. Not exactly surprising. You want to use the other input fields? Well, then give those a name. Call them “r”, “g”, “b”. Or call them “color[0]”, “color[1]” and “color[2]” to make the “color” parameter an array.
-
Username from database to display in fieldset legend?
Jacques1 replied to Catana's topic in PHP Coding Help
Neither your code nor your comments have anything to do with the question. Did you even read the question? I have no idea why you think it's helpful to recycle random code snippets from the 90s. At best, this is an example of how not to do it.
-
Username from database to display in fieldset legend?
Jacques1 replied to Catana's topic in PHP Coding Help
That Azerex guy is a troll. He's posting the same garbage script into every thread, regardless of the question.
-
need help: list articles by multi categories and subcategories
Jacques1 replied to afaaro's topic in PHP Coding Help
What's your question? Do you want the tree of all categories and articles?
-
I strongly recommend that you forget about the code above and implement the profile yourself using up-to-date PHP. I mean, it's just silly: You came here with one problem (writing a profile script), now you've got two problems (writing a profile script and fixing bugs of other people). You should start by learning how to use PDO. This is basic knowledge for every modern PHP application.
-
... and I forgot: The code is wide open to SQL injections, because the name isn't quoted. Escaping without quoting does absolutely nothing. That makes no sense to me. You expect no errors after you've written the code? That's some statement. In reality, however, applications do fail for all kinds of reasons: bugs, server issues etc. It's better to acknowledge this and log those errors. And why would you want to go through your entire code to remove this die() stuff every time you put the application online? Wouldn't it make much more sense to skip this stupid routine and simply write sensible error handling from the beginning? Modern database interfaces (PDO and MySQLi) make this easy, because they already do it for you. If you absolutely must stick to the old MySQL extensions, use proper PHP errors:

    $user_query = mysql_query('this will fail');
    if ($user_query === false) {
        trigger_error(mysql_error(), E_USER_ERROR);
    }

Now the error is treated correctly according to the environment: During development, you'll want to see the message on the screen. In a live environment, you do not want to see it on the screen but write it to the error log.
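As an added example covering both the SQL injection posts and the error-handling post above (not Jacques1's code and not from any poster's script), here is the name lookup done with PDO: the name is a bound parameter, so the "quoting" question disappears, and failures are thrown as exceptions that PHP displays or logs according to the environment, with no die() anywhere. The DATABASE_* constants are the ones from the configuration script above; the users table and its columns are assumptions.

```php
<?php
// Added example: PDO connection plus a parameterised user lookup.
// DATABASE_* constants are assumed to be defined in configuration.php.

$pdo = new PDO(
    'mysql:host=' . DATABASE_HOST . ';dbname=' . DATABASE_NAME . ';charset=utf8mb4',
    DATABASE_USER,
    DATABASE_PASSWORD,
    [
        // Every failed call throws a PDOException instead of returning false,
        // so there is nothing to check with "=== false" and nothing to die() on.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements: values never enter the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/**
 * Look up a user by name. Returns the row or null when no such user exists.
 * Table and column names (users, user_id, username) are assumptions.
 */
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare(
        'SELECT user_id, username FROM users WHERE username = :name'
    );
    // The name is sent separately from the query, so quoting and escaping
    // are the driver's job; "' OR 1=1" is just an unusual user name here.
    $stmt->execute(['name' => $name]);

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Uncaught exceptions reach PHP's normal error handling: shown on screen when
// display_errors is on (development), written to the log when log_errors is on
// (production). Do not catch them only to echo getMessage(): a failed connection
// message can reveal host names or credentials to visitors.
$user = find_user($pdo, (string) ($_GET['name'] ?? ''));
```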