Phi11W
Members - Posts: 163 - Days Won: 12
Everything posted by Phi11W
-
Does your application know what to do with raw SQL passed as a QueryString argument? (If it does, then I'd suggest that's a pretty poor design.) If it doesn't, then I see no point in defending against this. Hackers can throw this (and lots of other stuff) at your application, but it won't get them anywhere if your code doesn't try to do anything with it. Of course, you should vigorously validate and clean any inputs you do receive and that you do intend to do things with. Regards, Phill W.
-
Almost always - Yes. The only exception is when you only ever access or retrieve the whole value, commas and all, as a single unit via some other identifier (perhaps to supply that value to some application code that expects it in that "shape"). But ... as soon as you decide you want to pick that value apart, to extract part of the value or, worse, to find rows by part of that value, then you must reconsider its storage and "re-shape" it into something that your database can better work with. Databases are generally:
- Really good at finding small pieces of "stuff" and bolting them together, but
- Really rubbish at taking big chunks of "stuff" and pulling them apart.
Why do you think string manipulation functions are so "under-developed" in most DBMSes, compared to most programming languages? It's just not what they're built to do. Regards, Phill W.
-
Nor should they! NEVER store passwords in plain text (i.e. as entered by the User). Put the entered password through a one-way hashing algorithm and store the output of that. When the user tries to log in, hash the entered password and compare that with what's in the database. That way, you have no character set issues (hashes are all plain ASCII characters) and no Reportable Data Breach if and when someone makes off with a copy [of a backup] of your database! Regards, Phill Ward.
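The register/login flow described in the reply above, as an added example (not code from the original post), using PHP's built-in password_hash()/password_verify(). The "users" table, the in-memory SQLite connection via PDO and the sample credentials are assumptions made for a self-contained demo:

```php
<?php
declare(strict_types=1);

// Added example: hashing passwords on the way in and verifying on the way back.
// The users table and the PDO SQLite connection are demo assumptions.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // Never store $password itself. The hash string embeds the algorithm, the
    // cost and a random salt, so two users with the same password get
    // different hashes and an attacker cannot precompute a lookup table.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $stored = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $stored) && $row !== false;

    // Transparently upgrade stored hashes when the default algorithm or cost
    // changes; this is only possible while we still hold the plain password.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok;
}

$db = connect();
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, 'mallory', 'anything'));
```

password_hash() produces a self-describing string (algorithm, cost, salt, digest), so nothing beyond that one column needs storing, and the hash is plain ASCII exactly as the reply notes.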
-
Taking a wild guess at your database structure, your query should look more like this:

    SELECT v.field_1
         . . .
         , v.field_n /* Don't use "select *" in Application code. */
         , b.BrandName
         , b.brandID as bid
         , l.LocationName
         , l.locID as lid
      from tblvehicles v
      join tblbrands b on v.VehiclesBrand = b.brandID
      join tbllocations l on v.Location = l.locID

Regards, Phill W.
-
BIG problem with this SQL. You want the total of total_value for each client, but which values of company_name, country, etc. should the query return? On any other DBMS (and even a properly-configured MySQL), this query would be thrown out with an error because the database cannot work out which one you would want and so gives up. Your [poorly-configured] MySQL is simply returning any old, arbitrary value for each field that happens to be lying around in its buffer as it reads the data. In your query, you've aliased that value as tval, so you would access it using:

    $valByClient = $row['tval'];

If you have a known "list" of client_id values before you execute the query, consider using the "in" clause to get the database to do the filtering (far more efficiently than your "looping" code ever will).

    SELECT c.id as clientid
         ...
      from client as c
      left join quote as q on c.id = q.client_id and 1 = q.open
     WHERE c.id in ( 1, 2, 3, 4 )
     group by c.id
     order by c.id

Regards, Phill W.
-
Can't be done ... unless your PHP code actually runs on the User's own machine, which it [almost certainly] doesn't. No part of the HTTP protocol shares that information from client to [web] server. I would suggest that this is also a Bad Idea. Never had your computer replaced or upgraded? New computer, new MAC address, User can't log in, complaints to the Service Desk and Application Bug Reports ensue. Lots of Grief that you really don't need. Not really. I assume that your company has some sort of Information Security policies or, at the very, very least, Terms and Conditions of Use, and one of the really, really basic ones should include "not sharing passwords". If they want to do something stupid like hand their passwords around, they've got far bigger problems. Regards, Phill W.
-
Taking a step back and looking not at how to do this but, rather, why you want to do it in the first place ... What do the icons represent? Are they the icons chosen by clients to represent themselves on your site or are they just a list of possible icons that someone could choose from? If you're going to have a grid of links to each client then it doesn't matter if they're duplicated - that's what they chose. If it's something (an avatar?) to pick from, then use a Reducing Set - create one array with the icons in it and another, initially of the same size, with the index of each one. Then, as you [randomly] pick each icon, remove its index from the second array so you can't choose that one again. Regards, Phill W.
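The "Reducing Set" from the reply above, as an added example (not code from the original post). The icon file names are constructed for the demo; random_int() is used rather than rand() so the selection is unbiased and unpredictable:

```php
<?php
declare(strict_types=1);

// Added example: pick N distinct icons by maintaining a shrinking pool of
// indexes. The icon list below is constructed sample data.

/**
 * Picks $count distinct entries from $icons in random order.
 * Each pick removes the chosen index from the pool, so it cannot recur.
 */
function pickDistinctIcons(array $icons, int $count): array
{
    if ($count > count($icons)) {
        throw new InvalidArgumentException('Cannot pick more icons than exist');
    }
    $pool   = array_keys($icons);   // the "second array" of indexes
    $picked = [];
    for ($i = 0; $i < $count; $i++) {
        // random_int() is a CSPRNG, so no bias towards low indexes and no
        // predictable sequence, unlike rand()/mt_rand() with a known seed.
        $slot    = random_int(0, count($pool) - 1);
        [$index] = array_splice($pool, $slot, 1);   // remove from the pool
        $picked[] = $icons[$index];
    }
    return $picked;
}

$icons = ['cat.png', 'dog.png', 'fox.png', 'owl.png', 'bee.png'];
print_r(pickDistinctIcons($icons, 3));
```

Because the pool shrinks by one on every iteration, the loop never has to retry after a collision, which is what makes this cheaper than "pick, check, repeat" for all but the tiniest sets.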
-
Potential Issue - Returning Too many results
Phi11W replied to CodeRed-Alpha's topic in PHP Coding Help
Fix the root cause of the problem (the duplicated data), not the symptom (the misbehaving application). As I have oft said elsewhere: Forget the Code and get into the Data. If you really do have duplicated [truck] data, then you'll likely have to do a lot of mucking about with the Application code to get something that looks right. Or you find and eliminate the duplicate Data and all the problems go away. A couple of things it might be:
- It might be genuinely duplicated data. If so, first sort out the duplication and then put database constraints in place (unique keys/indexes) to prevent it "creeping" back in.
- It might be that the queries getting the data are somehow bringing back multiple copies of the same thing. Some tables use multiple-column, Composite keys (despite MySQLAdmin's best efforts to not support them) and if a query is written that omits one of those key fields in its joins, you wind up with exactly this kind of duplication.
Regards, Phill W.
-
If you always, always, always retrieve and use that comma-separated text as a single unit and never, ever, ever query individual elements of it then (and only then) you can store it in a single field. Treat it like a BLOB and you can store it like a BLOB. As soon as you suspect that you might, one day, possibly, want to find those records that have one (or more) of these elements in them, then you absolutely must store the data "properly" and split it out into separate tables, as others have described. Failing to do so will give you major problems in finding the data, most of them relating to performance as you Table-Scan through millions of records, substring-ing into this field for each and every one of them. Remember, relational databases are really, really good at finding little bits of stuff and bolting them together. They are generally pretty rubbish at finding big chunks of stuff and pulling them apart. Regards, Phill W.
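The two replies above on comma-separated columns make the same point; here it is as an added example (not code from the original posts), run against in-memory SQLite through PDO. The tables "posts_csv", "posts" and "post_tags" and their rows are constructed for the demo:

```php
<?php
declare(strict_types=1);

// Added example: a comma-separated tag column beside its normalised
// replacement. All table names and rows are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Denormalised: tag ids stuffed into one string per row.
$db->exec('CREATE TABLE posts_csv (id INTEGER PRIMARY KEY, title TEXT, tag_ids TEXT)');
$db->exec("INSERT INTO posts_csv VALUES
    (1, 'first',  '1,2'),
    (2, 'second', '10,21'),
    (3, 'third',  '3')");

// Normalised: one row per (post, tag). The composite primary key also stops
// the same tag being attached to a post twice.
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE post_tags (
    post_id INTEGER NOT NULL REFERENCES posts(id),
    tag_id  INTEGER NOT NULL,
    PRIMARY KEY (post_id, tag_id)
)');
$db->exec("INSERT INTO posts VALUES (1, 'first'), (2, 'second'), (3, 'third')");
$db->exec('INSERT INTO post_tags VALUES (1, 1), (1, 2), (2, 10), (2, 21), (3, 3)');

// Naive substring search: looking for tag 1 also matches 10 and 21, and every
// row has to be read and scanned because no index can serve a LIKE '%...%'.
function postsWithTagCsvNaive(PDO $db, int $tagId): array
{
    $stmt = $db->prepare('SELECT title FROM posts_csv WHERE tag_ids LIKE ?');
    $stmt->execute(["%$tagId%"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Padding both sides with commas fixes the false matches but still table-scans.
function postsWithTagCsvPadded(PDO $db, int $tagId): array
{
    $stmt = $db->prepare("SELECT title FROM posts_csv WHERE ',' || tag_ids || ',' LIKE ?");
    $stmt->execute(["%,$tagId,%"]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Normalised: an equality join that an index on post_tags(tag_id) can serve.
function postsWithTag(PDO $db, int $tagId): array
{
    $stmt = $db->prepare(
        'SELECT p.title
           FROM posts p
           JOIN post_tags pt ON pt.post_id = p.id
          WHERE pt.tag_id = ?'
    );
    $stmt->execute([$tagId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(postsWithTagCsvNaive($db, 1));
print_r(postsWithTagCsvPadded($db, 1));
print_r(postsWithTag($db, 1));
```

The naive search returns the "second" post for tag 1 because "10" and "21" contain the digit; the padded version is correct but still a full scan; only the junction table lets the database find small pieces and bolt them together, as the replies put it.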
-
Your problem is this line: A private function is accessible only within the class in which it is defined (your class, "C"). A final function is one that is known to subclasses (of "C"), but those subclasses are not permitted to override that function. Since a private function is not known to subclasses, it cannot be meaningfully marked as final, hence the Warning. Either remove the final modifier or change the "private" modifier to "protected". Protected functions are known to subclasses and, by default, can be overridden by those subclasses. Neither private nor protected functions are available to any other class. See also Visibility in the Documentation. Regards, Phill W.
-
I would guess that you're building your SQL in a string variable, complete with values entered by the user, and then trying to execute that string against the database. If that's the case, you're falling foul of a classic SQL Injection Attack.

    $sql = "select * from table1 where username = '$uName'"

But here the User is entering something like O'Brien, so your SQL string looks like this ...

    $sql = "select * from table1 where username = 'O'Brien'"
                                                     ^ Boom!

... and blows up! Read up about prepared statements (a.k.a. Parameterised Queries). Obligatory XKCD Reference: Little Bobby Tables. Regards, Phill W.
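The string-built query from the reply above beside its prepared-statement replacement, as an added example (not code from the original post). It runs against in-memory SQLite through PDO; the "table1" rows are constructed sample data, and the O'Brien input is deliberately followed by a crafted value to show that the same bug is an injection, not just a crash:

```php
<?php
declare(strict_types=1);

// Added example: vulnerable string concatenation vs. a prepared statement.
// table1 and its rows are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (username TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO table1 VALUES ('obrien', 'user'), ('admin', 'admin')");

// VULNERABLE: user input is spliced into the SQL text itself.
function findUserUnsafe(PDO $db, string $uName): array
{
    $sql = "select * from table1 where username = '$uName'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value travels separately
// as a parameter, so quotes in the input are data, never syntax.
function findUserSafe(PDO $db, string $uName): array
{
    $stmt = $db->prepare('select * from table1 where username = ?');
    $stmt->execute([$uName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A stray apostrophe breaks the unsafe version ...
try {
    findUserUnsafe($db, "O'Brien");
} catch (PDOException $e) {
    echo "Unsafe query failed: {$e->getMessage()}\n";
}

// ... and a crafted value turns it into a different query entirely:
//   where username = '' OR '1'='1'   matches every row, admin included.
$leaked = findUserUnsafe($db, "' OR '1'='1");
printf("Unsafe query returned %d row(s)\n", count($leaked));

// The prepared version treats both inputs as literal usernames to look up.
printf("Safe query for O'Brien returned %d row(s)\n",
    count(findUserSafe($db, "O'Brien")));
printf("Safe query for the injection string returned %d row(s)\n",
    count(findUserSafe($db, "' OR '1'='1")));
```

Note that escaping the apostrophe would only have fixed the crash; binding the value is what removes the attacker's ability to change the query's shape.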
-
Fatal error: Uncaught ArgumentCountError: 3 arguments are required, 2 given in /var/www/html/cocoa/index.php:13 Stack trace: #0 /var/www/html/cocoa/index.php(13): printf('%s %s\n', '<a href='cocoa_...') #1 {main} thrown in /var/www/html/cocoa/index.php o
Phi11W replied to bertrc's topic in PHP Coding Help
Or even, delving a little deeper into the Documentation:

    printf( '<a href="cacau_type_chocolate.php?type_chocolate=%1$s">%1$s</a>', $row[ 'type_chocolate' ] );

Regards, Phill W.
-
<a href="cocoa_type_chocolate.php?type_chocolate='dark'">Dark</a>
Phi11W replied to bertrc's topic in PHP Coding Help
DO NOT use the root user for Applications. ALWAYS create a dedicated account for each Application and grant that account the correct privileges in the database. Why? You should always keep the biggest and best tools in the toolbox for yourself, because it will be you cleaning up the mess made by other people and processes. Regards, Phill W. -
Array Question: brackets within brackets syntax
Phi11W replied to ChenXiu's topic in PHP Coding Help
Think about how PHP works. The echo statement displays the result of an Expression. Expressions can be nested inside one another, so ...

    echo 1 + ( 2 + ( 3 * 4 ) );

... returns 15 (3 times 4, plus the 2, plus the 1). In your case, you have the same sort of nesting.

    echo $_SESSION[ $_GET["animal"] ];

First, PHP works out the value of $_GET["animal"], and then uses that to index into $_SESSION, and then echoes out the result of that. PHP expressions can be nested to almost any level, limited only by PHP's internal constraints and, more importantly, your own Sanity, when you come to try and read what you've created, even just a few days later! You probably want to do some validation on the QueryString value (of "animal") being submitted, because it could be absolutely anything! (Trust nothing that comes from the Client.) Regards, Phill W.
-
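Both the reply above and the earlier one about raw SQL in a QueryString end on the same advice: validate what the client sends before your code does anything with it. As an added example (not code from the original posts), here is an allow-list check for the "animal" parameter before it is used as an array key. The parameter name, the allowed values and the stand-in session contents are assumptions for the demo:

```php
<?php
declare(strict_types=1);

// Added example: allow-list validation of a query-string value before it is
// used to index $_SESSION. Allowed values and the session data are constructed.

const ALLOWED_ANIMALS = ['cat', 'dog', 'horse'];

/**
 * Returns the validated value, or null if it is missing or not on the list.
 * Checking is_string() rejects the array form (?animal[]=x) that PHP would
 * otherwise happily hand you.
 */
function animalFromQuery(array $query): ?string
{
    $value = $query['animal'] ?? null;
    if (!is_string($value)) {
        return null;
    }
    // Strict comparison: exact match only, no type juggling.
    return in_array($value, ALLOWED_ANIMALS, true) ? $value : null;
}

function lookupAnimal(array $session, array $query): string
{
    $animal = animalFromQuery($query);
    if ($animal === null) {
        // Fail closed, and do not echo the rejected value back into the page.
        return 'Unknown animal';
    }
    // Only now is the client-supplied string used to index our own data.
    return $session[$animal] ?? 'No entry';
}

// Constructed inputs standing in for $_SESSION and $_GET.
$session = ['cat' => 'Felix', 'dog' => 'Rex', 'horse' => 'Ed'];

echo lookupAnimal($session, ['animal' => 'dog']), "\n";
echo lookupAnimal($session, ['animal' => "1' OR '1'='1"]), "\n";
echo lookupAnimal($session, ['animal' => ['dog']]), "\n";
echo lookupAnimal($session, []), "\n";
```

An allow-list is preferable to trying to strip "bad" characters: the set of acceptable values is small and known, whereas the set of hostile ones is not.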
I would suggest taking another look (or two) at this query.

"select distinct" - This is a big Red Flag for me. I usually see this used as a "sticking plaster" over a bad query that is "somehow" getting "duplicate" records, but "distinct" makes them go away. It can be a hugely expensive operation for the database to go through all the values to be returned and prune out those "duplicates", which are most often caused by incorrect table joins.

"select a, b, c group by a" - Most DBMSs will simply throw an error at this. Exactly which value of b and c would you expect the query to return for each "grouped by" value of a? You haven't told the database how to work out those values (using Aggregate Functions, like max() & min()). MySQL will hand you any old value it happens to find and that could change every time you run the query. Other, more sensible, DBMSs can tell that they can't work this out for themselves and throw an error instead. You can (and, I would suggest, probably should) configure MySQL to work in the same, definitive fashion. I'd expect to see something more like:

    select participationid
         , group_concat( usernames ) unames
         , sum( totaldonated ) ttl
     group by participationid
     order by 3 desc ;

Regards, Phill W.
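This reply and the earlier one about totals per client describe the same GROUP BY ambiguity. As an added example (not code from the original posts), here is the ambiguous query beside the aggregate version, run on in-memory SQLite through PDO. The "donations" table and its rows are constructed; SQLite, like MySQL without ONLY_FULL_GROUP_BY, accepts the ambiguous form without complaint, which is exactly why its result cannot be trusted:

```php
<?php
declare(strict_types=1);

// Added example: "select a, b, c group by a" beside a definitive aggregate
// query. The donations table and rows are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE donations (participationid INTEGER, username TEXT, totaldonated INTEGER)');
$db->exec("INSERT INTO donations VALUES
    (1, 'alice', 50), (1, 'bob', 20),
    (2, 'carol', 70), (2, 'dave', 5), (2, 'erin', 25)");

// Ambiguous: username and totaldonated are neither grouped nor aggregated, so
// the engine returns whichever row it happened to see for each group.
// MySQL with sql_mode containing ONLY_FULL_GROUP_BY (the default since 5.7)
// rejects this statement outright instead of guessing.
$ambiguous = $db->query(
    'SELECT participationid, username, totaldonated
       FROM donations
      GROUP BY participationid'
)->fetchAll(PDO::FETCH_ASSOC);

// Definitive: every selected column is either in GROUP BY or an aggregate,
// so the result is the same on every run and on every DBMS.
function totalsByParticipation(PDO $db): array
{
    return $db->query(
        'SELECT participationid
              , group_concat(username) AS unames
              , sum(totaldonated)      AS ttl
           FROM donations
          GROUP BY participationid
          ORDER BY ttl DESC'
    )->fetchAll(PDO::FETCH_ASSOC);
}

echo "Ambiguous query (username/totaldonated are arbitrary per group):\n";
foreach ($ambiguous as $row) {
    printf("  %d %-6s %d\n", $row['participationid'], $row['username'], $row['totaldonated']);
}
echo "Aggregate query:\n";
foreach (totalsByParticipation($db) as $row) {
    printf("  %d %-16s %d\n", $row['participationid'], $row['unames'], $row['ttl']);
}
```

Turning the strict mode on in MySQL (SET sql_mode = 'ONLY_FULL_GROUP_BY', or leaving the 5.7+ default alone) makes the database find these queries for you rather than leaving them to be discovered when a total is silently wrong.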
-
I suspect there might be a typo - most unexpected - in Barand's answer. Perhaps this makes it a little clearer:

    $stmt->execute( [ $enteredCity, $enteredZipcode ] );

Personally, I'd choose to build the query dynamically, based on which search criteria were entered, then bind the entered values into that, but that may be a bit overkill in this case. Regards, Phill W.
-
You probably face more problems if you do explicitly close PHP blocks. Unless those "?>" characters are the very last in the file - and they almost certainly won't be, because we naturally hit [Enter] after typing anything on a line - then the whitespace after them will be sent as part of the HTTP response. If, somewhere later on in your code, you try to alter one of the HTTP Headers - BOOM! The web server will complain that it's already sent some "content" - you can't see anything, but the server insists it's there. Omit the closing tags completely and all that whitespace will just be sitting between PHP tokens, where it matters not a jot! Some coding standards actually enforce this. Regards, Phill W.
-
Automatic printing HTML created with php to network printer
Phi11W replied to Pearl123's topic in PHP Coding Help
[Begin Architectural Sanity Check] Are you doing this in a Web Application, accessed by remote Users, via a URL? If so, you cannot do this (not with PHP). PHP runs on your Application server and can, therefore, only print to a printer connected to your server. That's not much use to a User potentially on the other side of the planet and who has no physical access to your DataCentre, which is where the printed piece of paper would wind up! Nor can you access any printer connected to the User's computer. PHP has no knowledge of this. In short, if the User wants to print a document, then that's entirely up to them. (These days, who's to say they even have a printer!?) [End Architectural Sanity Check] Of course, if this is a "local" PHP [console] application that only needs to talk to your own printer, that's a whole other ball game - forget everything I said above. Regards, Phill W.
-
The period is the String concatenation operator and PHP isn't fussy about having whitespace around its operators so it should work with either. Personally, I like the spaces. Other people I work with detest them. Go with whichever fits your Coding Standards. 😉 Personally, I would also question the use of ".." in your paths. To me, it suggests that you should be "anchoring" your paths "further up" the directory tree. As it is, you're making assumptions about what's "outside" the directory your script lives in and, if you refactored and moved things around, you could end up breaking things. (That said, this might just be a hang-over from my spending too many years writing ASP running under IIS). Regards, Phill W.
-
Assignment - Web Application - Please I need a solution!!!
Phi11W replied to bwayne's topic in PHP Coding Help
It's not a question of not wanting to help. We do. "Helping" means guiding you, clarifying what confuses you and generally working with you to complete a piece of work. It absolutely does not mean us doing it [all] for you. You've shown us nothing in terms of what you've tried so far, so we can only assume you want us to do it for you. We're not going to do your work for you. We're all volunteers around here. We're absolutely not going to do your homework for you. It would be dishonest (both to you and to your fellow students) and you would learn nothing from it. The most effective Learning involves doing - Trying, sometimes failing, learning from those failures and, ultimately, succeeding. So make a start, try some things out, see what works and what doesn't and come back with specific questions - then we might be able to help. Regards, Phill W.
-
Trying to pull URL from DB and use in <IFRAME>
Phi11W replied to endorush85's topic in PHP Coding Help
What creates the IFRAME? Show us your modified code. I'd hope it looks something like this:

    while( $row = $result->fetch_assoc() ) {
        printf( '<iframe width="420" height="315" src="%s"></iframe>', $row['url'] );
    }

Regards, Phill W.
-
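This reply and the earlier printf() one both print a database value straight into an HTML attribute. As an added example (not code from the original posts), here is the same iframe output with the two checks a practitioner would add: restricting the URL's scheme to http(s) and escaping it for attribute context. The rows below are constructed stand-ins for what fetch_assoc() would return:

```php
<?php
declare(strict_types=1);

// Added example: safely rendering a stored URL into src="...". The $rows
// array is constructed sample data standing in for database results.

/**
 * Returns the URL if it is an absolute http(s) URL, otherwise null.
 * A javascript: or data: value that found its way into the table would
 * otherwise become executable the moment it is printed into src or href.
 */
function safeHttpUrl(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

function iframeFor(string $url): string
{
    $safe = safeHttpUrl($url);
    if ($safe === null) {
        return '<!-- skipped: not an http(s) URL -->';
    }
    // ENT_QUOTES: a double quote inside the value cannot close the attribute
    // early and start injecting its own attributes or tags.
    return sprintf(
        '<iframe width="420" height="315" src="%s"></iframe>',
        htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

$rows = [
    ['url' => 'https://www.youtube.com/embed/dQw4w9WgXcQ'],
    ['url' => 'javascript:alert(document.cookie)'],
    ['url' => 'https://example.com/?q="><script>alert(1)</script>'],
];

foreach ($rows as $row) {
    echo iframeFor($row['url']), "\n";
}
```

The scheme check and the escaping address different problems: escaping stops the value breaking out of the attribute, while the scheme check stops a syntactically harmless value that is nonetheless a script URL. Where the set of allowed hosts is known (a single video site, say), restricting the host as well is the next step.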
Can someone show me a proper way to do this query function?
Phi11W replied to imgrooot's topic in PHP Coding Help
For starters, do you actually care about the individual referrers' names or just the [total] number of them? Your code currently retrieves each and every referrer and "manually" counts them. It's far, far more efficient to get your database to do that for you:

    $find_referrals = $db->prepare("SELECT count( user_id ) tally FROM user_referrals WHERE sponsor = :sponsor");

This will return you the number of referrers directly. Now, at first glance, you might think that your second level referrers query needs those user_ids in order to find their referrers. Doing this in code is a really Bad Idea - it's called the "1+N Query" Model and it's a nightmare for Application performance. As the number of "secondary" queries ("N") grows, your Application slows to Run like a Slug(TM). It's unscalable and untunable; there's nothing that can be done at the database end of things to improve matters. Instead, you can get your database to retrieve the second level referrers based on the original sponsor and their referrers, something like this:

    SELECT count( lvl2.user_id ) tally
      FROM user_referrals lvl1
      LEFT JOIN user_referrals lvl2 ON lvl2.sponsor = lvl1.user_id
     WHERE lvl1.sponsor = :sponsor ;

Regards, Phill W.
-
"in phpmysql I have a table ..." Google Chrome is an Application that lets you work with Web Pages (that run inside a Web Server process like Apache). PHPMyAdmin is an Application that lets you work with Databases (that run inside the MySQL DBMS process).

"... a table with one of the columns... I want to show a live price in ... At the moment the column is set as varchar(30); do not know if this is correct." In short - It's not. Always store your data values in columns of the correct Data Type. You will want to do numerical things with these values (like adding them up) so you want them in a numerical column type. If you don't do this then:
- your queries will run more slowly because the database has to convert the character value into a number each and every time you use it, and
- you run the risk of losing numerical accuracy (e.g. rounding errors) during those "implicit" Type Conversions.

"In my html table I want to add 3 or more if/else in, so when I update my html it must show 0.03234523 (depending on the price) I do not want all the rows to show this information" If you only want to hold values in your table for particular rows, then you need to consider making the column NULLable so that you can "leave out" that particular field in any given row. If you only want to suppress the value visually in the HTML (which, if I'm honest, seems a bit odd to me, given that this is the price of something) then you'll need to keep track of (or go and find) the price value from the previous row and only output the current value if it is different from that previous one. Regards, Phill W.
-
Something like this?

    // Builds a random string of `length` characters drawn from `characters`,
    // inserting a dash before every fifth character (but not at the start).
    // Note: Math.random() is not cryptographically secure; for tokens or
    // passwords use crypto.getRandomValues() instead.
    function randomCode(length, characters) {
        var result = '';
        var charactersLength = characters.length;
        for ( var i = 0 ; i < length ; ++i ) {
            if ( ( 0 === ( i % 5 ) ) && ( 0 !== i ) ) result += '-';
            result += characters.charAt(Math.floor(Math.random() * charactersLength));
        }
        return result;
    }

Regards, Phill W.