NathanLedet (Members)

Posts: 102
Last visited: Never

Everything posted by NathanLedet

  1. I found this function and it works well:

     $dbh = mysql_connect("localhost", "user", "pass") or die(mysql_error());

     function escape_data($data) {
         global $dbh;
         if (ini_get('magic_quotes_gpc')) {
             $data = stripslashes($data);
         }
         return mysql_real_escape_string(trim($data), $dbh);
     }

     $firstname = escape_data($_POST['firstname']);

     Now... is it considered bad practice to put data into a database with \' or \"? I would say yes, because now I have to use stripslashes($firstname) whenever I'm pulling it out just so it looks right... but how do I put $firstname into the database and ensure its safety?
  2. I'm just trying to secure the form to prevent injection attacks. I thought it was supposed to add only 1 slash. Is it because of magic quotes?
  3. Very simple form to put data into a database...

     $firstname = mysql_real_escape_string($_POST['firstname']);

     If I put in firstname as something like tes't, it outputs tes\\\'t ???
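The tes\\\'t output in posts 1 to 3 is the result of escaping twice: with magic_quotes_gpc on, PHP had already turned the quote into \' before the script saw it, and mysql_real_escape_string() then escaped both that backslash and the quote. The block below is an added example, not code from this thread or its replies. It assumes PHP 7 or later with PDO and the pdo_sqlite driver, and uses an in-memory SQLite table in place of the MySQL one so it runs offline. It shows the arrangement that makes the question go away: remove the magic-quotes layer once at input (only where it exists), hand the value to the database as a bound parameter so nothing is escaped by hand and nothing needs stripslashes() on the way out, and encode for HTML only when the value is printed.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with PDO and the
// pdo_sqlite driver; an in-memory SQLite table stands in for the MySQL one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (firstname TEXT NOT NULL)');

// Undo magic quotes exactly once, at the input boundary, and only where the
// feature exists (it was removed in PHP 5.4; the function is gone in PHP 8).
function unquote_input(string $value): string
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Hand the value to the driver as a bound parameter. Nothing is escaped by
// hand, so the stored text is exactly what was typed and nothing has to be
// un-escaped when it is read back.
function store_firstname(PDO $pdo, string $firstname): void
{
    $stmt = $pdo->prepare('INSERT INTO users (firstname) VALUES (:fn)');
    $stmt->execute([':fn' => trim($firstname)]);
}

function load_firstnames(PDO $pdo): array
{
    return $pdo->query('SELECT firstname FROM users')->fetchAll(PDO::FETCH_COLUMN);
}

// Encoding for HTML is a separate step from SQL quoting and belongs at output,
// where you know the value is going into a page and not into an e-mail or a CSV.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed form input: the tes't case from the thread, plus some markup.
$_POST = ['firstname' => "  tes't <b>x</b>  "];
store_firstname($pdo, unquote_input($_POST['firstname']));

foreach (load_firstnames($pdo) as $name) {
    var_dump($name === "tes't <b>x</b>");   // stored text equals the trimmed input
    echo '<li>', render_name($name), "</li>\n";
}
```

The split into three functions is the point: input normalisation, storage and output encoding each happen once and in one place, so a value that is later sent to an e-mail or a CSV is not carrying HTML entities or SQL backslashes it picked up for a different destination.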
  4. if (isset($_SESSION["myusername"])) {
     }

     By glimpsing at your code though, it does appear that you're setting the session before validating that their username and password 1) exist and 2) are valid.
  5. Thanks. Also, I screwed up that code a bit... it should be $result, not $result4... I fixed it in my first post. Just for clarification beyond that, what I'm doing is comparing to make sure it doesn't already exist.

     $testVar = "test";
     $query = "SELECT * FROM table";
     $result = mysql_query($query) or die('Error selecting');
     while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
         // code here for each result
     }

     How would I check to see if "test" already exists inside the field? I couldn't say SELECT * FROM table WHERE field = "test", because what if it didn't exist?
  6. I'm using this simple script to pull multiple results from a database:

     $query = "SELECT * FROM table";
     $result = mysql_query($query) or die('Error selecting');
     while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
         // code here for each result
     }

     How would I modify that code to pull out only one result instead of an array with multiple results?
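Posts 5 and 6 ask two related questions: how to test whether a value already exists in a column, and how to fetch a single row instead of looping. The block below is an added example, not code from the thread; it assumes PHP 7 or later with PDO and pdo_sqlite, with an in-memory SQLite table (constructed rows) standing in for the MySQL table. The answer to the worry in post 5 is that a WHERE clause that matches nothing is not an error: it returns zero rows, and that zero is the answer.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with PDO and
// pdo_sqlite; an in-memory SQLite table stands in for the MySQL one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY AUTOINCREMENT, field TEXT NOT NULL UNIQUE)');
$pdo->exec("INSERT INTO items (field) VALUES ('test'), ('other')");   // constructed rows

// "Does it exist?" is just a count. A WHERE that matches nothing is not an
// error; it returns 0, and the value goes in as a parameter, never in the SQL.
function field_exists(PDO $pdo, string $value): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM items WHERE field = :v');
    $stmt->execute([':v' => $value]);
    return (int) $stmt->fetchColumn() > 0;
}

// One row instead of a loop: LIMIT 1 and a single fetch(). The caller gets
// null when nothing matched, so the no-row case cannot be forgotten.
function fetch_item(PDO $pdo, string $value): ?array
{
    $stmt = $pdo->prepare('SELECT id, field FROM items WHERE field = :v LIMIT 1');
    $stmt->execute([':v' => $value]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Check-then-insert from PHP has a race between two requests; the UNIQUE
// constraint makes the database the one deciding. SQLite spells the
// conflict clause INSERT OR IGNORE, MySQL spells it INSERT IGNORE.
function insert_if_absent(PDO $pdo, string $value): bool
{
    $stmt = $pdo->prepare('INSERT OR IGNORE INTO items (field) VALUES (:v)');
    $stmt->execute([':v' => $value]);
    return $stmt->rowCount() === 1;   // false when the row was already there
}

var_dump(field_exists($pdo, 'test'), field_exists($pdo, 'missing'));
var_dump(fetch_item($pdo, 'test'), fetch_item($pdo, 'missing'));
var_dump(insert_if_absent($pdo, 'test'), insert_if_absent($pdo, 'brand new'));
```

The UNIQUE constraint is what makes the "already exists" rule hold under concurrent requests; a SELECT followed by an INSERT from PHP can both pass the check before either insert lands.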
  7. I did that... and then it just snowballed into an almost completed script... it just kinda clicked. I think it's probably not secure. Any suggestions for me?

     if (isset($_POST['submit'])) {
         $currentpw = md5($_POST['currentpw']);
         $query = "SELECT password FROM users WHERE username = '" . $_SESSION['MM_Username'] . "'";
         $result = mysql_query($query);
         while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
             $dbpassword = $row['password'];
         }
         if ($currentpw == $dbpassword) {
             $newpassword = $_POST['newpassword'];
             $confirmnew = $_POST['confirmnew'];
             if ($newpassword == $confirmnew) {
                 $newpassword = md5($newpassword);
                 $query2 = "UPDATE users SET password = '$newpassword' WHERE username = '" . $_SESSION['MM_Username'] . "'";
                 $result2 = mysql_query($query2);
                 $message .= "Your password has been updated!";
             } else {
                 $message .= "Your new password does not match<br />";
                 $message .= "Please try again.";
             }
         } else {
             $message .= "The password you entered does not match the current password<br />";
             $message .= "Please try again.";
         }
     }
  8. Where do you see this... /> ? Is it displayed on a page? Or is this data going into an e-mail? I noticed the same thing whenever testing a script out with my e-mail address. It would display that /> and I know my code is right... it's just Yahoo mail being silly...
  9. I'm working on a little script within a bigger application to change a user's password. When they're logged in and they click "Change Password", they're brought to a page where they enter their current password as well as two "new password" fields (one for verification). For my first step, I need the "current password" to match up with an md5 password that's stored in a MySQL database. Can I get some tips on doing this? Thanks!
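Posts 7 and 9 describe the same change-password flow, and post 7's script is the one that asks "is this secure?". The block below is an added example, not the poster's script or anything from the replies. It assumes PHP 7 or later with PDO and pdo_sqlite, an in-memory SQLite table with constructed rows, and a plain array in place of $_SESSION (a real page calls session_start()). The changes from the thread's version: the current password is verified with hash_equals()/password_verify() rather than a loose == on md5 strings, new passwords are stored with password_hash() (salted, slow) while existing unsalted md5 rows are still accepted and upgraded on the next successful change, all values travel as bound parameters, and the case where no row comes back is handled instead of leaving $dbpassword undefined.

```php
<?php
// Added example, not the thread's script. Assumes PHP >= 7 with PDO and
// pdo_sqlite. $_SESSION is a plain array here; a real page calls session_start().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed rows: one legacy unsalted-md5 user (as stored in the thread's
// database) and one already on password_hash().
$seed = $pdo->prepare('INSERT INTO users VALUES (:u, :h)');
$seed->execute([':u' => 'legacy', ':h' => md5('oldpass')]);
$seed->execute([':u' => 'modern', ':h' => password_hash('oldpass', PASSWORD_DEFAULT)]);

// Accept either storage format during migration. md5 rows are recognised by
// shape (32 hex chars); hash_equals() compares in constant time.
function password_matches(string $plain, string $stored): bool
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        return hash_equals($stored, md5($plain));
    }
    return password_verify($plain, $stored);
}

// Returns the message for the page. Cheap checks first (no database), then
// the current password, then the write. A failed current password gets the
// same message whether or not the user row exists.
function change_password(PDO $pdo, string $username, string $current, string $new, string $confirm): string
{
    if ($new !== $confirm) {
        return 'Your new password does not match. Please try again.';
    }
    if (strlen($new) < 8) {   // assumed minimum length; pick your own policy
        return 'Please choose a password of at least 8 characters.';
    }
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_matches($current, $stored)) {
        return 'The password you entered does not match the current password. Please try again.';
    }
    $stmt = $pdo->prepare('UPDATE users SET password = :h WHERE username = :u');
    $stmt->execute([':h' => password_hash($new, PASSWORD_DEFAULT), ':u' => $username]);
    return 'Your password has been updated!';
}

// Constructed request from the logged-in user named in $_SESSION['MM_Username'].
$_SESSION = ['MM_Username' => 'legacy'];
$_POST = ['currentpw' => 'oldpass', 'newpassword' => 'longer-pass-1', 'confirmnew' => 'longer-pass-1'];
echo change_password($pdo, $_SESSION['MM_Username'], $_POST['currentpw'],
                     $_POST['newpassword'], $_POST['confirmnew']), "\n";

// After the change the legacy row holds a password_hash() value, not md5.
$check = $pdo->prepare('SELECT password FROM users WHERE username = :u');
$check->execute([':u' => 'legacy']);
$stored = $check->fetchColumn();
var_dump(password_matches('longer-pass-1', $stored), strlen($stored) !== 32);
```

The username used for the lookup and the update comes from the session, never from the form, so a user can only ever change their own password; the form supplies the passwords and nothing else.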
  10. Javascript:

      function validate() {
          if (document.form2.client.value == '') {
              alert('Fill in the Username before submitting');
              return false;
          } else {
              return true;
          }
          if (document.form2.project.value == '') {
              alert('Fill in the Password before submitting');
              return false;
          } else {
              return true;
          }
      }

      and the HTML form:

      <form ACTION="client_login_process.php" id="form2" name="form2" method="POST" onSubmit='return validate();'>
      <label></label>
      <table width="241" border="0" align="center">
        <tr>
          <td colspan="2"><h2 class="style4">Project Login</h2></td>
        </tr>
        <tr>
          <td width="79"><span class="style3"><strong> </strong> </span> <span class="style2"> </span>
            <div align="right" class="style3"><strong>Client:</strong></div>
          </td>
          <td width="152"><input name="client" type="text" id="client" tabindex="5" maxlength="20" /></td>
        </tr>
        <tr>
          <td><span class="style3"><strong> </strong> </span> <span class="style2"> </span>
            <div align="right" class="style3"><strong>Project:</strong></div>
          </td>
          <td><input name="project" type="text" id="project" tabindex="6" maxlength="20" /></td>
        </tr>
        <tr>
          <td> </td>
          <td><input name="submit1" type="submit" id="submit1" tabindex="8" value="Login" /></td>
        </tr>
      </table>
      </form>

      When I test this, only the 'client' will show the error message, but the 'project' never validates.
  11. Here's what I'm trying to accomplish... I have a site that has a list of files. When you check a box next to the file name and click 'Email', it goes to a new page which brings up an address book with a list of e-mail addresses. Instead of going to another page and adding addresses (thus losing the files I selected), I want a link that says "Add new address", which then pops up a window with the form to add an address to the address book (PHP, MySQL). When they click Submit, and the address is added successfully, I want the page that they're on to automatically update and display the entry we just added. Is this possible? I managed to find a similar topic on another forum, but it went unanswered... but it's still along the same lines as what I want, plus it has a screenshot for a better idea of what I'm after: http://www.webdeveloper.com/forum/showthread.php?t=184877
  12. Great tip! I appreciate it and will make a note of it
  13. Indeed that was it. Thanks! *solved*
  14. Silly me. That reminded me to unset the session! What's in bold is what I just added... I will test and ensure that was my issue, and will respond to let you know that was the issue. Thanks!

      if ((isset($_GET['doLogout'])) && ($_GET['doLogout'] == "true")) {
          // to fully log out a visitor we need to clear the session variables
          $_SESSION['MM_Username'] = NULL;
          $_SESSION['MM_UserGroup'] = NULL;
          $_SESSION['PrevUrl'] = NULL;
          $_SESSION['isAdmin'] = NULL;
          unset($_SESSION['MM_Username']);
          unset($_SESSION['MM_UserGroup']);
          unset($_SESSION['PrevUrl']);
          unset($_SESSION['isAdmin']);
          $logoutGoTo = "index.php";
          if ($logoutGoTo) {
              header("Location: $logoutGoTo");
              exit;
          }
      }
  15. I have a database with a column called isAdmin with a 1 or 0. 1 means they are an Admin and 0 means they are not. When they log in, I store a session, $_SESSION['isAdmin'], which returns a 1 or a 0. Now, when I go to a specific page, I have this script that's not working properly:

      session_start();
      if ($_SESSION['isAdmin'] == 1) {
          echo "isAdmin is 1<br />";
          // Admin options go here
      }

      When I'm logged out and I go to the page, it seems to ignore the check to see if the session is 1 and displays the "isAdmin is 1" string.
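Posts 4, 14 and 15 are three sides of one thing: when session values get written, how they get cleared, and how an authorisation flag is read back. The block below is an added example, not code from any of these posts. It assumes PHP 7 or later with PDO and pdo_sqlite, constructed user rows in an in-memory SQLite table, and a plain array passed by reference in place of $_SESSION so it runs from the command line; the comments mark what a real request does in addition. It shows the session being populated only after the password check passes, an admin test that uses isset() and a strict comparison so a logged-out visitor (no key at all) and an odd value in the session both fail, and a logout that empties the whole session at once.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with PDO and
// pdo_sqlite. The session is a plain array passed by reference so the script
// runs from the CLI; comments note what a real request does in addition.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, isAdmin INTEGER NOT NULL DEFAULT 0)');
$ins = $pdo->prepare('INSERT INTO users VALUES (:u, :h, :a)');   // constructed rows
$ins->execute([':u' => 'alice', ':h' => password_hash('alice-pass', PASSWORD_DEFAULT), ':a' => 1]);
$ins->execute([':u' => 'bob',   ':h' => password_hash('bob-pass',   PASSWORD_DEFAULT), ':a' => 0]);

// Verify first, then write. Nothing touches $session until the row exists
// and the password checks out.
function login(PDO $pdo, array &$session, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password, isAdmin FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Real request: session_regenerate_id(true) here, so the authenticated
    // session does not keep the id it had while anonymous.
    $session['MM_Username'] = $username;
    // Older PDO SQLite builds return every column as a string; the cast keeps
    // the session value an int so the strict check in is_admin() holds.
    $session['isAdmin'] = (int) $row['isAdmin'];
    return true;
}

// isset() covers the logged-out case (the key does not exist), and === 1
// means a stray string or array in the session never passes as admin.
function is_admin(array $session): bool
{
    return isset($session['isAdmin']) && $session['isAdmin'] === 1;
}

// Drop everything at once instead of nulling keys one by one. Real request:
// also session_destroy() and expire the cookie with
// setcookie(session_name(), '', time() - 3600, '/') so the old id is gone.
function logout(array &$session): void
{
    $session = [];
}

$session = [];
var_dump(is_admin($session));                                               // nobody logged in
var_dump(login($pdo, $session, 'alice', 'wrong'), isset($session['MM_Username']));
var_dump(login($pdo, $session, 'alice', 'alice-pass'), is_admin($session));
logout($session);
var_dump(is_admin($session));
var_dump(login($pdo, $session, 'bob', 'bob-pass'), is_admin($session));
```

The admin flag is copied from the database into the session at login, so a change to the isAdmin column only takes effect at the next login; re-reading the column on each admin page is the alternative when revocation has to be immediate.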
  16. Here's a few resources with some examples http://us2.php.net/stripslashes http://www.w3schools.com/php/func_string_stripslashes.asp
  17. I would like to restructure a project management site I've been working on. The way I currently have it is very difficult to follow and not very upgradable. For instance, for each action that I take, a new page has to be created. Example: if I'm on AddressBook.php and I want to add someone to my address book, I have addressbook_add.php, or if I want to delete someone, I have addressbook_delete.php. Each file queries the database and I have a lot of junk everywhere... it's complicated to follow. What I would rather do is use functions in a manner that I've seen used before, where it's something like admin.php?pg=main, and for my address book I would use something like admin.php?pg=addaddress, and deleting would be like admin.php?pg=deleteaddress&id=23 where 23 is the ID of the person being removed from the address book. So instead of having numerous pages, I have only admin.php which calls up an external functions file. That file contains all of my functions, which do whatever they need. Where can I start?
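One way to build the admin.php?pg=... front controller described in post 17, as an added example that is not the poster's project code. It assumes PHP 7 or later with PDO and pdo_sqlite, an in-memory SQLite address book with constructed rows, and a plain array in place of $_SESSION; the page names main, addaddress and deleteaddress are the ones from the post. The two things worth copying are the fixed map from page name to handler (the query string can select an entry of that map and nothing else, so it can never name a file or a function of its own choosing) and the ownership condition on the delete, so admin.php?pg=deleteaddress&id=23 only removes entry 23 if it belongs to the logged-in user.

```php
<?php
// Added example, not the poster's project. Assumes PHP >= 7 with PDO and
// pdo_sqlite; the address book is an in-memory SQLite table and the
// logged-in user comes from a plain array standing in for $_SESSION.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE addressbook (id INTEGER PRIMARY KEY AUTOINCREMENT, owner TEXT NOT NULL, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO addressbook (owner, email) VALUES ('nathan', 'a@example.com'), ('someone', 'b@example.com')");   // constructed

// The only thing ?pg= can select is a key of this map. Unknown names are
// rejected before any handler runs.
const PAGES = [
    'main'          => 'page_main',
    'addaddress'    => 'page_addaddress',
    'deleteaddress' => 'page_deleteaddress',
];

function dispatch(PDO $pdo, array $session, array $get): string
{
    $pg = $get['pg'] ?? 'main';
    if (!isset(PAGES[$pg])) {
        return 'Unknown page';
    }
    if (empty($session['MM_Username'])) {
        return 'Please log in';
    }
    $handler = PAGES[$pg];
    return $handler($pdo, $session, $get);
}

function page_main(PDO $pdo, array $session, array $get): string
{
    return 'Welcome, ' . htmlspecialchars($session['MM_Username'], ENT_QUOTES, 'UTF-8');
}

function page_addaddress(PDO $pdo, array $session, array $get): string
{
    $email = filter_var($get['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'Invalid e-mail address';
    }
    $stmt = $pdo->prepare('INSERT INTO addressbook (owner, email) VALUES (:o, :e)');
    $stmt->execute([':o' => $session['MM_Username'], ':e' => $email]);
    return 'Added';
}

// The id is validated as a positive integer and the DELETE is scoped to the
// current user's rows, so an id belonging to another user matches nothing.
function page_deleteaddress(PDO $pdo, array $session, array $get): string
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Invalid id';
    }
    $stmt = $pdo->prepare('DELETE FROM addressbook WHERE id = :id AND owner = :o');
    $stmt->execute([':id' => $id, ':o' => $session['MM_Username']]);
    return $stmt->rowCount() === 1 ? 'Deleted' : 'No such entry';
}

$session = ['MM_Username' => 'nathan'];
echo dispatch($pdo, $session, ['pg' => 'main']), "\n";
echo dispatch($pdo, $session, ['pg' => 'deleteaddress', 'id' => '2']), "\n";   // someone else's row
echo dispatch($pdo, $session, ['pg' => 'deleteaddress', 'id' => '1']), "\n";   // nathan's row
echo dispatch($pdo, $session, ['pg' => 'deleteaddress', 'id' => 'abc']), "\n";
echo dispatch($pdo, $session, ['pg' => 'nosuchpage']), "\n";
```

For the real site, actions that change data (add, delete) are better taken from a POST form carrying a per-session token than from a plain GET link, so that a link on another page cannot trigger them on the user's behalf; the dispatcher above is where that check would go, before calling the handler.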
  18. There seems to be a conflict between the Mac OSX operating system and any application I'm using, usually Flash and Dreamweaver, where if I push a keyboard shortcut meant for the application I'm in, OSX responds to the command. For instance, I push F8 inside Dreamweaver to pull up the Files window, but in OSX, that's the play/pause button and nothing happens. Also, Convert to Symbol in Flash is just F8, but nothing happens when I press it. Any advice? Thanks!
  19. I have code putting data into a MySQL database divided by commas. Here's the breakdown.

      Before being put into the database:

      // file names selected from previous page
      $files = $_POST['files'];
      // Array which separates each file name with a comma, and then creates a single string
      foreach ($files as $f => $value) {
          $str_files_db .= $f . ",";
      }
      // Put it in the database
      $query = "INSERT INTO downloads (files) VALUES (\"$str_files_db\")";
      mysql_query($query) or die(mysql_error());

      Now, the string gets put into the database like so:

      filename1,filename2,filename3,

      Note the additional comma at the end of filename3.

      On to another page where we get this data:

      // $dlcode is a random code in the browser bar
      $dlcode = $_GET['code'];
      // Just checking to make sure it works
      echo $dlcode;
      // Grab the data where the $dlcode matches up with randkey inside the database
      // (It's there, I just didn't put it in my query above, to make it a bit easier to read)
      $query = "SELECT files FROM downloads WHERE randkey = '$dlcode'";
      $result = mysql_query($query) or die(mysql_error());
      $row = mysql_fetch_array($result, MYSQL_ASSOC);
      // Everything there? Ok! display it!
      echo $row['files'] . "<br />";
      // Now just setting it up as a variable
      $files = $row["files"];
      // for each comma, split it up and make an array with each file name
      $strippedfiles = split(',', $files);
      // Display the Array
      print_r($strippedfiles);

      Now, when I see the array, it looks something like this:

      Array ( [0] => filename1 [1] => filename2 [2] => filename3 [3] => )

      Because there is an extra comma at the end of filename3, the array has created a 4th position which has no data in it. How can I run my initial foreach loop and delete the comma on the very end? Or am I doing this the hard way? Thanks for any assistance!
  20. duuuuuude that's it. edit: That's a perfect example of why, when I create a table, I name my rows according to the table's name, i.e. if my table name is downloads, I start ALL my column names with "dl_" or "d_" or something similar. That way I never run a risk of naming a column after a keyword. Plus it's easier for me to identify which variables go to which values. I suggest you do the same. I may just have to start taking up that practice. I appreciate your assistance.
  21. Sure thing [attachment deleted by admin]
  22. Can you make another suggestion? The application this goes into is so that people can select x amount of files and send links to those files in an e-mail. When the user goes to a link with the random code that you saw up above (crp8lg3jw5tyku), it pulls the selected songs out of the database. ha. Checked, double checked, triple checked spelling and capitalization. Everything is correct.
  23. Forgot to mention my PHP code for the query:

      $query = "INSERT INTO downloads (files, key) VALUES ('$files', '$key')";
      mysql_query($query) or die(mysql_error());
  24. I'm trying to input some data, but it's throwing an error that I'm unsure about. This field in the database will store a list of file names, like so:

      song 1_01.mp3,song 1.mp3

      but my query is wrong somehow:

      You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'key) VALUES ('song 1_01.mp3,song 1.mp3,', 'crp8lg3jw5tyku' at line 1

      So could it be the spaces? Or the commas between each song title?
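Posts 19, 23 and 24 are one feature seen from three sides: KEY is a reserved word in MySQL, which is what the syntax error "near 'key) VALUES" is pointing at; the trailing comma comes from appending a separator after every item instead of between items; and split() was removed in PHP 7, so explode() is the replacement. The block below is an added example, not the poster's code or the thread's fix. It assumes PHP 7 or later with PDO and pdo_sqlite, with an in-memory SQLite table standing in for the MySQL one (SQLite accepts MySQL-style backtick quoting, so the statements are the same ones you would send to MySQL). It also draws the link code from the CSPRNG, since that code is the only thing standing between a visitor and someone else's file list.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 7 with PDO and
// pdo_sqlite; SQLite accepts backtick-quoted identifiers like MySQL does.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// KEY is reserved in MySQL. Backticks make the column name unambiguous;
// renaming it (dl_key) is the other way out.
$pdo->exec('CREATE TABLE downloads (id INTEGER PRIMARY KEY AUTOINCREMENT, files TEXT NOT NULL, `key` TEXT NOT NULL UNIQUE)');

// A link code that cannot be guessed or enumerated: 16 hex chars from the CSPRNG.
function new_download_key(): string
{
    return bin2hex(random_bytes(8));
}

// implode() puts the separator *between* items, so there is no trailing comma
// to strip. The file names travel as a bound parameter, spaces and all.
function save_download(PDO $pdo, array $files, string $key): void
{
    $stmt = $pdo->prepare('INSERT INTO downloads (files, `key`) VALUES (:files, :key)');
    $stmt->execute([':files' => implode(',', $files), ':key' => $key]);
}

// explode() replaces the removed split(); array_filter() drops the empty piece
// that an older row with a trailing comma would still produce.
function load_download(PDO $pdo, string $key): ?array
{
    $stmt = $pdo->prepare('SELECT files FROM downloads WHERE `key` = :key');
    $stmt->execute([':key' => $key]);
    $files = $stmt->fetchColumn();
    if ($files === false) {
        return null;
    }
    return array_values(array_filter(explode(',', $files), 'strlen'));
}

// Constructed input: the check boxes from the previous page, keyed by file name.
$_POST = ['files' => ['song 1_01.mp3' => 'on', 'song 1.mp3' => 'on']];
$key = new_download_key();
save_download($pdo, array_keys($_POST['files']), $key);
print_r(load_download($pdo, $key));
var_dump(load_download($pdo, 'not-a-real-code'));
```

Two caveats for the real application: a file name containing a comma would break the join, so a second table with one row per file (download id, file name) is the tidier design; and the names still originate in the browser, so whatever serves the download later should match them against the files that user was actually offered rather than using them as paths.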