kelechi

  1. $sql="INSERT INTO mytable(BidFile,'".implode("','",$sqlArr['columns'])."',SignInSheet,TabSheet) VALUES('$bidFile',".implode(",",$sqlArr['values']).",'$signSheet','$tabSheet')
     and rest of the fields.

     //Then declaration:
     $bidFile = "'".ms_escape_string($_FILES['BidFile']['name'])."'";
     $sqlArr['values'][$i] = "'".ms_escape_string($_FILES['item']['name'][$i])."'";
     $sqlArr['columns'][$i] = "Addend".$i;
     $signSheet = "'".ms_escape_string($_FILES['SignInSheet']['name'])."'";
     $tabSheet = "'".ms_escape_string($_FILES['TabSheet']['name'])."'";

     UPDATE: I was able to separate the files and everything seems to be in sync. For instance, now, I have the following insert statement above. Now, the files being uploaded match up with files saved to the database.

     The *ONLY* thing left now is to get Addend to start at position 1 as opposed to 0. So, I know PHP, like most scripting languages, has arrays start at index 0, but how can I get Addend to start at 1 instead of 0? For instance, instead of Addend0, it starts at Addend1.

     Thanks
  2. $file_name = $_FILES['item']['name'][$i];
     $file_size = $_FILES['item']['size'][$i];
     $file_tmp = $_FILES['item']['tmp_name'][$i];
     $file_type = $_FILES['item']['type'][$i];
     $sqlArr['values'][$i] = "'".ms_escape_string($_FILES['item']['name'][$i])."'";
     $sqlArr['columns'][$i] = "Addend".$i;
     $sqlArr['columns'][] = "SignInSheet";
     $sqlArr['columns'][] = "TabSheet";
     $sqlArr['columns'][] = "BidFile";

     Ok, good to know this. Thanks very much. However, I still need help figuring out this last part. Please see the bolded lines:

     When I debug the INSERT statement, I see that the code is trying to insert Addend to the database incorrectly. For instance, here are the following file names on the database: BidFile, Addend has Addend1, Addend2, Addend3, Addend4, Addend5, Addend6, SignInSheet, and TabSheet. These are files that need to be uploaded to the server and their filenames saved to the database.

     When I debug the INSERT statement, it treats BidFile, which is the first one, as Addend0 and treats TabSheet, which is the last file to be uploaded, as Addend8. That's wrong and because of this nothing is getting inserted into the database. Can anyone please help?
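For the upload handler these posts revolve around, an added example (not the poster's code) of server-side checks that decide the stored name, the type and the target column instead of taking them from the request. The `item` field, the `Addend1` to `Addend6` columns and the 8 MB / PDF, GIF, JPEG limits are the ones the posts mention; `$target`, the function names and the constants are assumptions.

```php
<?php
// Added example. 'item' and Addend1..Addend6 come from the posts; the rest is assumed.
const ALLOWED_TYPES = ['application/pdf' => 'pdf', 'image/gif' => 'gif', 'image/jpeg' => 'jpg'];
const MAX_BYTES = 8 * 1024 * 1024;
const MAX_ADDENDA = 6;

// Returns the extension to store the file under, or null if the file is rejected.
function checked_extension(string $tmpPath, int $size, int $error): ?string
{
    if ($error !== UPLOAD_ERR_OK || $size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Detect the type from the file's bytes; $_FILES[...]['type'] is sent by the client.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return ($type !== false && isset(ALLOWED_TYPES[$type])) ? ALLOWED_TYPES[$type] : null;
}

// Maps a 0-based upload index to its column. The array keys of a file field are
// chosen by the client, so anything that is not an integer 0..5 is refused.
function addend_column($index): ?string
{
    if (!is_int($index) || $index < 0 || $index >= MAX_ADDENDA) {
        return null;
    }
    return 'Addend' . ($index + 1);   // index 0 -> Addend1
}

$target  = __DIR__ . '/uploads';      // assumption: a directory the web server does not execute from
$columns = [];
$values  = [];
foreach (($_FILES['item']['tmp_name'] ?? []) as $i => $tmpPath) {
    $column = addend_column($i);
    if ($column === null || !is_string($tmpPath)) {
        continue;
    }
    $ext = checked_extension($tmpPath, (int)$_FILES['item']['size'][$i], (int)$_FILES['item']['error'][$i]);
    if ($ext === null) {
        continue;                      // rejected: nothing is moved or recorded
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen file name
    if ((is_dir($target) || mkdir($target, 0755, true))
        && move_uploaded_file($tmpPath, "$target/$stored")) {
        $columns[] = $column;          // only names produced by addend_column()
        $values[]  = $stored;          // pass these to the INSERT as bound parameters
    }
}
```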
  3. <?php
     error_reporting(E_ERROR | E_WARNING | E_PARSE);
     include("../Connections/Connect.php");

     // this function is used to sanitize code against sql injection attack.
     function ms_escape_string($data) {
         if ( !isset($data) or empty($data) ) return '';
         if ( is_numeric($data) ) return $data;

         $non_displayables = array(
             '/%0[0-8bcef]/',   // url encoded 00-08, 11, 12, 14, 15
             '/%1[0-9a-f]/',    // url encoded 16-31
             '/[\x00-\x08]/',   // 00-08
             '/\x0b/',          // 11
             '/\x0c/',          // 12
             '/[\x0e-\x1f]/'    // 14-31
         );
         foreach ( $non_displayables as $regex )
             $data = preg_replace( $regex, '', $data );
         $data = str_replace("'", "''", $data );
         return $data;
     }

     // You may want to add document root
     $target = $_SERVER['DOCUMENT_ROOT']."/uploads";
     // I am filtering the files in case there are empty uploads
     // You need to have the proper file input name (item)
     $_FILES['item']['tmp_name'] = array_filter($_FILES['item']['tmp_name']);
     $_FILES['item']['name'] = array_filter($_FILES['item']['name']);
     $_FILES['item']['type'] = array_filter($_FILES['item']['type']);
     $_FILES['item']['size'] = array_filter($_FILES['item']['size']);

     foreach($_FILES['item']['name'] as $i => $value ) {
         $file_name = $_FILES['item']['name'][$i];
         $file_size = $_FILES['item']['size'][$i];
         $file_tmp = $_FILES['item']['tmp_name'][$i];
         $file_type = $_FILES['item']['type'][$i];

         $bidDate = ms_escape_string($_POST['txtBidDate']);
         $dueDate = ms_escape_string($_POST['txtDueDate']);
         $dueTime = ms_escape_string($_POST['txtDueTime']);
         $bidTitle = ms_escape_string($_POST['BidTitle']);
         $bidId = ms_escape_string($_POST['BidID']);
         $desc = ms_escape_string($_POST['Description']);
         $dept = ms_escape_string($_POST['Department']);
         $bidContact = ms_escape_string($_POST['BidContact']);
         $contactEmail = ms_escape_string($_POST['ContactEmail']);
         $contactPhone = ms_escape_string($_POST['ContactPhone']);
         $numBids = ms_escape_string($_POST['NumofBids']);
         $awardDate = ms_escape_string($_POST['txtAwardDate']);
         $awardrecip1 = ms_escape_string($_POST['AwardRecip']);
         $bidType = ms_escape_string($_POST['BidType']);
         $lastUpdate = ms_escape_string($_POST['txtLastUpdate']);
         $notes = ms_escape_string($_POST['Notes']);
         $status = ms_escape_string($_POST['Status']);

         $sqlArr['values'][$i] = "'".ms_escape_string($_FILES['item']['name'][$i])."'";
         $sqlArr['columns'][$i] = "Addend".$i;
         $sqlArr['columns'] = "SignInSheet";
         $sqlArr['columns'] = "TabSheet";
         $sqlArr['columns'] = "BidFile";

         // At this point you are only notifying user.
         // You have no code to prevent this limitation.
         if ($file_type!="application/pdf" || $file_type!="image/gif" || $file_type!="image/jpeg")
             $echo = 'You can only upload PDFs, JPEGs or GIF files.<br>';
         // So far, this is just for notification, you haven't
         // actually done anything about this limitation
         if($file_size > (8 * 1024 * 1024))
             $echo='File size must be less than 8 MB';
         // Makes the folder if not already made.
         if(!is_dir($target))
             mkdir($target,0755,true);
         //Writes the files to the server
         if(move_uploaded_file($_FILES['item']['tmp_name'][$i], $target."/".$file_name)) {
             //If all is ok
             echo "The file ". $file_name. " has been uploaded to the directory and records saved to the database";
         }
         else {
             //Gives an error if it's not
             echo "Sorry, there was a problem uploading your file.";
         }
     }

     if(isset($sqlArr['columns'])) {
         $sql="INSERT INTO bids (BidDate,DueDate,DueTime,BidTitle,BidID,Description,,'".implode("','",$sqlArr['columns'])."',Department,Xcontract,ContactEmail,ContactPhone,NumofBids,AwardDate,AwardRecip1,BidType,LastUpdate,Notes,BidStatus) VALUES ('$bidDate', '$dueDate','$dueTime',$bidTitle','$bidId','$desc',".implode(",",$sqlArr['values']).", '$dept','$bidContact','$contactEmail','$contactPhone','$numBids','$awardDate','$awardrecip1','$bidType','$lastUpdate','$notes',$status')" ;
         $objQuery = sqlsrv_query($conn, $sql);
         sqlsrv_close($conn);
     }
     ?>

     Hi again,

     The following code is supposed to upload at least one file or as many as 9 files to the upload folder called uploads and then save the rest of the data to the database. When I run the code, I get my custom message that file(s) successfully uploaded to the folder and records successfully saved to the database. When I check the db, no records. When I check the folder, no files. I have verified that the folder has proper permission and that the form has the POST method with enctype attributes.

     When I debugged the insert code, I saw one major problem. Addend should be Addend1 through Addend6. Then three others called SignInSheet, TabSheet and BidFile. Instead, the INSERT statement shows Addend0 as well as Addend8.

     I am a .NET guy and got in over my head, unfortunately, by accepting to do a PHP project, and this part is a bit over my head. Your kind help is greatly appreciated.
  4. $hash = password_hash($password, PASSWORD_BCRYPT);

     $strSQL = "INSERT INTO member (Username,Password,Name,Status) VALUES ('".$_POST["txtUsername"]."', '".$_POST["txtPassword"]."','".$_POST["txtName"]."','".$_POST["ddlStatus"]."')";
     $objQuery = sqlsrv_query($strSQL);

     $strSQL = "SELECT * FROM users WHERE username = '".ms_escape_string($_POST['txtusername'])."' and password = '".ms_escape_string($_POST['txtpassword'])."' ";

     Thanks very much. I really appreciate that advice. So, in the event that I am creating a user and saving the username and password in the db, how would I integrate the code from github to my register and login samples above? Sorry, it is not quite clear to me.
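One way the register and login samples in this post can use `password_hash()`, as an added example that is not part of the original post: the hash is stored, the row is looked up by username only, and `password_verify()` does the comparison in PHP. `$conn` is assumed to be an open sqlsrv connection, both functions are assumed to use the `member` table from the INSERT, and the function names are hypothetical.

```php
<?php
// Added example. Table and column names come from the post's INSERT statement;
// register_member() and check_login() are hypothetical helper names.

function register_member($conn, string $username, string $password, string $name, string $status): bool
{
    // Only the bcrypt hash is stored. It is 60 characters long, so the
    // Password column has to hold at least that many.
    $hash = password_hash($password, PASSWORD_BCRYPT);

    // Values are passed as parameters and never become part of the SQL text.
    $sql  = "INSERT INTO member (Username, Password, Name, Status) VALUES (?, ?, ?, ?)";
    $stmt = sqlsrv_query($conn, $sql, [$username, $hash, $name, $status]);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true));
        return false;
    }
    return true;
}

function check_login($conn, string $username, string $password): bool
{
    // The password is not part of the WHERE clause: a bcrypt hash is salted,
    // so it can only be checked with password_verify() after the row is read.
    $stmt = sqlsrv_query($conn, "SELECT Password FROM member WHERE Username = ?", [$username]);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true));
        return false;
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    if (!$row) {
        return false;                  // unknown user, or a fetch error
    }
    return password_verify($password, $row['Password']);
}

// register.php: register_member($conn, $_POST['txtUsername'], $_POST['txtPassword'],
//                               $_POST['txtName'], $_POST['ddlStatus']);
// login.php:    check_login($conn, $_POST['txtusername'], $_POST['txtpassword']);
```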
  5. Greetings mates, I found this awesome article on hashing BCrypt algorithm in SQL Server and using it with php. http://blog.tcs.de/using-the-bcript-hash-algorithm-in-ms-sql-server/ I have completed the install and setup in sql server management studio. I am a bit confused as to how to apply it in both my register.php user and login.php pages. Can someone please give me? Sigh!! The post is not allowing me to copy and paste and it is not allowing me to attach the file as .txt or .sql or .rar. Basically, I am trying to do an insert statement to insert user's username, password and type. Type means whether admin or regular user. Then I am doing a basic select username, password from mytable where username='varuser' and password='varpassw' I will read up on how to copy and paste and what is allowed as attachment. Thank you
  6. Great response! Thanks so much for the quick response. Works great. Ok, I lied. It is not populating the dropdown.
  7. <?php
     $tsql = "SELECT bids.BidType +'[' + CAST(COUNT(*) as varchar)+ ']' solicitationName FROM bids inner JOIN status ON bids.Bidstatus = status.statusid where status.status='Open' GROUP BY bids.BidType UNION SELECT status.status +'[' + CAST(COUNT(*) as varchar)+ ']' solicitationName FROM bids INNER JOIN status ON bids.Bidstatus = status.statusid where status.status='Open' GROUP BY status.status UNION SELECT status.status +'[' + CAST(COUNT(*) as varchar)+ ']' solicitationName FROM bids INNER JOIN status ON bids.Bidstatus = status.statusid GROUP BY status.status";
     $stmt = sqlsrv_query( $conn, $tsql);
     if( $stmt === false ) {
         echo "Error in executing query.</br>";
         die( print_r( sqlsrv_errors(), true));
     }
     while($row = sqlsrv_fetch_array($stmt,SQLSRV_FETCH_ASSOC)){
         echo '<option value="' . $row['solicitationName'] . '" name="' . $row['solicitationName']. '">' . $row['solicitationName']. '</option>';
     }
     ?>
     </select>

     Hello gurus, I am querying sql server database and trying to dynamically populate the values into a dropdown. So far, I don't even see a dropdown, let alone the values. Any ideas?
  8. Thanks very much for your reply. Trying to log was extremely frustrating with the new extremely sensitive captcha. Then I tried as hard as I could to just copy and paste the error and it would not paste. So, I included it as part of the code. I am surprised to see that it dropped off.

     Anyway, here is the error I am getting:

     Warning sqlsrv_num_rows() expects parameter 1 to be resource, Boolean given in ...

     And I had to type this error as I could not copy and paste. I am sure there is a method to the madness. I just need to figure it out.

     As for not using where clause. I did something similar with asp and I am not sure how that would be different with php. I tried echoing it but could not go beyond the error. It is clear that I am a newbie. Conversely, you have demonstrated your expertise so far. I am sure there is a better way to do this. Do you know of a link that I could perhaps use?
  9. $sbidDate = trim("".@$_POST["bidDate"]);
     $sdueDate = trim("".@$_POST["dueDate"]);
     $sprojectTitle = trim("".@$_POST["projectTitle"]);
     $sbidId = trim("".@$_POST["bidId"]);
     $sBidType = trim("".@$_POST["BidType"]);
     $sBidStatus = trim("".@$_POST["BidStatus"]);
     $sdepartment = trim("".@$_POST["department"]);

     if (@$_POST["SEARCH"] == "Search for Solicitation") {
         // yes...user pushed the SEARCH button in the <FORM>
         // Now build up the WHERE:
         $where = "";
         echo $where;
         if ($sbidDate != "") {
             $where = " AND b.BidDate = '".$sbidDate."' ";
         }
         if ($sdueDate != "") {
             $where = $where." AND b.DueDate = '".$sdueDate."' ";
         }
         if ($sprojectTitle != "") {
             $where = $where." AND b.ProjectTitle = '".$sprojectTitle."' ";
         }
         if ($sbidId != "") {
             $where = $where." AND b.BidID = '".$sbidId."' ";
         }
         if ($sBidType != "") {
             $where = $where." AND b.BidType = '".$sBidType."' ";
         }
         if ($sBidStatus != "") {
             $where = $where." AND b.BidStatus = '".$sBidStatus."' ";
         }
         if ($sdepartment != "") {
             $where = $where." AND b.Department = '".$sdepartment."' ";
         }

         //Now build the query. This query should allow users to search by one or more parameters
         $sql = "Select b.ID,convert(char(10),b.BidDate,101) BidDate,convert(char(10), b.DueDate,101) DueDate,b.BidTitle,b.DueTime,b.BidID, d.Department,b.BidType,CASE WHEN b.AwardDate ='01/01/1900' Then NULL ELSe convert(char(10),b.AwardDate,101)END AS AwardDate, convert(char(10),b.LastUpdate,101) LastUpdate,s.Status FROM bids b inner join dept d on b.Department=d.DeptID inner join Status s on b.BidStatus=s.StatusId WHERE ".$where;
         $params = array();
         $options = array( "Scrollable" => SQLSRV_CURSOR_KEYSET );
         $query = sqlsrv_query( $conn, $sql , $params, $options );
         $num_rows = sqlsrv_num_rows($query);
         echo $num_rows;

     Dear gurus, please forgive me if this is the wrong forum for this thread. We are trying to build a dynamic where clause where a user can search by one or more parameters to get results.

     So far, my attempts are producing the following error: Any ideas how to fix this? Thanks a lot in advance
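The dynamic search from this post built with `?` placeholders, as an added example that is not part of the original post: each filled-in field contributes one `column = ?` clause and one bound value, and joining the clauses with `AND` means the text after `WHERE` never starts with a stray `AND`. The form fields and columns are the ones in the post; the function name is hypothetical, the select list is shortened, and the sample input is constructed.

```php
<?php
// Added example. build_bid_search() is a hypothetical name; fields and columns
// are taken from the post, the SELECT list is shortened for space.

function build_bid_search(array $post): array
{
    // Form field => column. Only these fixed column names reach the SQL text.
    $filters = [
        'bidDate'      => 'b.BidDate',
        'dueDate'      => 'b.DueDate',
        'projectTitle' => 'b.ProjectTitle',
        'bidId'        => 'b.BidID',
        'BidType'      => 'b.BidType',
        'BidStatus'    => 'b.BidStatus',
        'department'   => 'b.Department',
    ];
    $clauses = [];
    $params  = [];
    foreach ($filters as $field => $column) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            continue;                  // field left empty: no clause for it
        }
        $clauses[] = "$column = ?";
        $params[]  = trim($value);     // sent to the server as data, not as SQL
    }
    $sql = "SELECT b.ID, b.BidTitle, b.BidID, d.Department, b.BidType, s.Status"
         . " FROM bids b"
         . " INNER JOIN dept d ON b.Department = d.DeptID"
         . " INNER JOIN Status s ON b.BidStatus = s.StatusId";
    if ($clauses) {
        $sql .= " WHERE " . implode(" AND ", $clauses);
    }
    return [$sql, $params];
}

// Constructed sample input standing in for $_POST.
[$sql, $params] = build_bid_search(['projectTitle' => "O'Neil Rd resurfacing", 'department' => '3', 'bidId' => ' ']);
echo $sql, PHP_EOL;
print_r($params);

// With a live connection ($conn is assumed), check the result before using it:
// $stmt = sqlsrv_query($conn, $sql, $params, ["Scrollable" => SQLSRV_CURSOR_KEYSET]);
// if ($stmt === false) { die(print_r(sqlsrv_errors(), true)); }
// echo sqlsrv_num_rows($stmt);
```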