
ignace (Moderators) - Posts: 6,457 - Days Won: 26

Everything posted by ignace

  1. I made some changes to your code @Goldeneye. It is necessary: imagine a constant named search having the value foobar, it would take a long time to debug.

    <?php
    // escape anything that is echoed back into the page
    $self   = htmlspecialchars($_SERVER['PHP_SELF']);
    $search = isset($_POST['search']) ? htmlspecialchars($_POST['search']) : '';

    $top_form = '<form method="post" action="' . $self . '">
    <table border="2" cellpadding="2" cellspacing="2" bordercolor="#333333" bgcolor="#CCCCCC">
    <tr align="center" valign="middle">
    <td colspan="1">';

    $bottom_form = '</td>
    </tr>
    <tr>
    <td>Enter your search word, name, or phrase</td>
    <td><input type="text" name="search" value="' . $search . '"></td>
    </tr>
    <tr align="center" valign="middle">
    <td colspan="2">
    <input type="hidden" name="op" value="ds">
    <input type="submit" name="Submit" value="Search"></td>
    </tr>
    </table>
    </form>';

    if (!isset($_POST['op']) || $_POST['op'] != "ds") {
        echo "In the if";
        echo $top_form . $bottom_form;
    } else {
        echo "in the else";
        echo $search;
        database_connect();
        // escape the search term before it goes into the query (needs an open connection)
        $item = mysql_real_escape_string($_POST['search']);
        $sql  = 'SELECT * FROM `ddoitems` WHERE `ItemDescription` LIKE "%' . $item . '%"';
        $result = mysql_query($sql /*, $dbconnection check php.net for the right syntax */) or die(mysql_error());
        echo $top_form . $bottom_form;
        while ($row = mysql_fetch_array($result)) {
            echo '<tr>';
            echo '<td><div align="center" class="style1">' . htmlspecialchars($row['ItemName']) . '</div></td>';
            echo '<td><div align="center" class="style1">' . htmlspecialchars($row['ItemDescription']) . '</div></td>';
            echo '<td><div align="center" class="style1">' . htmlspecialchars($row['Type']) . '</div></td>';
            echo '<td><div align="center" class="style1">' . htmlspecialchars($row['QuestName']) . '</div></td>';
            echo '<td><div align="center" class="style1">' . htmlspecialchars($row['lvl']) . '</div></td>';
            echo '<td><div align="center" class="style1">' . htmlspecialchars($row['Notes']) . '</div></td>';
            echo '</tr>';
        }
    }
    ?>
  2. Oh, didn't know you were using zero-indexing. The problem would be that $username is empty at the moment you perform your query, or do you include something before you create the db connection?

    $goforit = ftp_get($conn_id, $file, $file, FTP_BINARY);

    Your remote file is the same as your local file?
  3. Having:

    Personnel_info james jones 333 james .. james ..

    means that there is something wrong with your query.
  4. 1. con: maintenance. Try normalizing it (http://en.wikipedia.org/wiki/Database_normalization) or post it, we could do it for you.
     2. join (http://dev.mysql.com/doc/refman/5.1/en/join.html)
     3. a new row for every song coupled to the uploader
  5. Post your code, we can't guess the solution.
  6. $textarea = $_POST['textarea'];
    $what = "foobar";
    // strpos() takes the haystack first; it returns false when $what does not occur
    $pos = strpos($textarea, $what);
    if ($pos === false) { /* not in it */ }
  7. You can't prohibit them from adding characters to the url; you can, however, filter the input (http://be.php.net/manual/en/book.filter.php). The referer can be set to whatever they want, so checking the referer really does nothing.
  8. Sorry, the time limit for editing has passed..
     - consider using htmlentities() on your input
     - i would also use an if on the first and second mail before relocating to success.php, this way you are also able to relocate to failed.php for example
     - use a token to make sure they did use the form (when they click the submit button, the token is set)
     - reverse your check on "if (($secure!=$match) && ($secure!=""))": if the first failed the second won't even be evaluated
     - "if ($email == "") {} if ($email) {}" can easily be written as "if ($email == "") {} else {}" and still does the trick; same for "if (!$secure) {} if (($secure != $match) .."
     - make sure no errors are displayed on your production server if they occur by adding ini_set('display_errors', "0"); to your code; instead, if an error occurs, let it email you the error report, use the directives log_errors and error_log for this
     - use if (0 === strcmp($secure, $match)) {/* they are equal */}
     - your secure code is of a certain length, validate the length; also validate the lengths of name and email address (name == a and email address == "a@b.com" are hardly usernames or email addresses)
     - use ctype (http://be.php.net/manual/en/ref.ctype.php) to validate that the given input is of a certain type
     - more to come..
  9. - consider using htmlentities() on your input
     - i would also use an if on the first and second mail before relocating to success.php, this way you are also able to relocate to failed.php for example
     - use a token to make sure they did use the form (when they click the submit button, the token is set)
     - reverse your check on "if (($secure!=$match) && ($secure!=""))": if the first failed the second won't even be evaluated
     - "if ($email == "") {} if ($email) {}" can easily be written as "if ($email == "") {} else {}" and still does the trick; same for "if (!$secure) {} if (($secure != $match) .."
     - make sure no errors are displayed on your production server if they occur by adding ini_set('display_errors', "0"); to your code; instead, if an error occurs, let it email you the error report, use the directives log_errors and error_log for this
     - use if (0 === strcmp($secure, $match)) {/* they are equal */}
     - your secure code is of a certain length, validate the length
     - more to come..
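The checklist in posts 8 and 9 (form token, length and ctype checks, strcmp comparison, htmlentities on echoed values) put together in one validation routine. This is an added example, not ignace's code or the code of the thread it replies to; the field names (name, email, secure), the fixed-length security code and the array used as token store are assumptions, and the submissions at the bottom are constructed so the file runs from the command line without a session or a web server.

```php
<?php
// Added example: validation of a form submission following posts 8 and 9.
// The token store is a plain array here; in a real form it would be $_SESSION
// after session_start(). Field names and the code length are assumptions.

function issueToken(array &$store)
{
    // random token set when the form is displayed; the submit must send it back
    $token = bin2hex(random_bytes(16));
    $store['form_token'] = $token;
    return $token;
}

function validateForm(array $post, array &$store, $expectedCode)
{
    $errors = array();

    // 1. the token proves the submission came through our form
    if (!isset($post['token'], $store['form_token'])
        || 0 !== strcmp($post['token'], $store['form_token'])) {
        $errors[] = 'token';
    }
    // a token is good for exactly one submission
    unset($store['form_token']);

    // 2. length checks: "a" is hardly a name, and ctype keeps the character class honest
    $name  = isset($post['name'])  ? trim($post['name'])  : '';
    $email = isset($post['email']) ? trim($post['email']) : '';
    if (strlen($name) < 2 || strlen($name) > 64 || !ctype_alpha(str_replace(' ', '', $name))) {
        $errors[] = 'name';
    }
    if (strlen($email) > 254 || false === filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'email';
    }

    // 3. the security code: empty/length check first, then type, then strcmp for equality,
    //    so a failing cheap check short-circuits the rest (the point about reversing the test)
    $secure = isset($post['secure']) ? $post['secure'] : '';
    if (strlen($secure) !== strlen($expectedCode) || !ctype_alnum($secure)
        || 0 !== strcmp($secure, $expectedCode)) {
        $errors[] = 'secure';
    }

    // 4. escape before any value is echoed back into the page
    $safe = array(
        'name'  => htmlentities($name, ENT_QUOTES, 'UTF-8'),
        'email' => htmlentities($email, ENT_QUOTES, 'UTF-8'),
    );

    return array('ok' => empty($errors), 'errors' => $errors, 'values' => $safe);
}

// constructed submissions (assumed security code AB12CD)
$store = array();

$token = issueToken($store);
$good  = array('token' => $token, 'name' => 'James Jones',
               'email' => 'james@example.com', 'secure' => 'AB12CD');
$result = validateForm($good, $store, 'AB12CD');
echo 'good submission ok: ' . ($result['ok'] ? 'yes' : 'no') . "\n";

$token = issueToken($store);
$bad   = array('token' => $token, 'name' => 'a',
               'email' => 'not an email', 'secure' => '');
$result = validateForm($bad, $store, 'AB12CD');
echo 'bad submission errors: ' . implode(', ', $result['errors']) . "\n";

// replaying the same token a second time fails on the token check alone
$result = validateForm($good, $store, 'AB12CD');
echo 'replayed token errors: ' . implode(', ', $result['errors']) . "\n";
```

The order of the checks matters in the same way as the `($secure!=$match) && ($secure!="")` remark: the cheap length test runs first, so an empty code never reaches the comparison. Escaping is done once, at the point where values go back into HTML, not on the way into validation.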
  10. $subject = "a string with a placeholder";
    echo str_replace("placeholder", "<?php echo 'lol';?>", $subject); // view source

    Normally they write it to a file, so when the file is loaded the php code is executed.
  11. session_start(); // needed before $_SESSION can be used

    function function_name($function_arg) {
        echo $function_arg;
    }

    $_SESSION['body'] = array("function_name", array("function_args"));
    call_user_func_array($_SESSION['body'][0], $_SESSION['body'][1]);

    $_SESSION['body'] = file_get_contents("path/to/file");
  12. You are missing a parameter, what are you looking for?
  13. First query:

    mysql_query("UPDATE last_check SET username = '$username'"); // note the '
    // preferably you validate and filter $username against sql injection,
    // imagine my $username being '; DROP TABLE last_check; --

    Second query: please post the full code.
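The same UPDATE written with a prepared statement, so the value ignace uses as his example can only ever be stored as text. This is an added example and not ignace's code; it uses PDO with an in-memory SQLite database (assumed table last_check with id and username columns, one constructed row) so it runs without a MySQL server, and the interpolated version is only built as a string, never executed.

```php
<?php
// Added example: parameterised UPDATE for the query in post 13.
// Table layout and the seed row are assumptions; PDO + SQLite stand in for mysql_*.

function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE last_check (id INTEGER PRIMARY KEY, username TEXT)');
    $db->exec("INSERT INTO last_check (username) VALUES ('alice')");
    return $db;
}

// The string-building form from the thread, returned only so the text can be inspected:
// the value becomes part of the SQL syntax, which is the whole problem.
function interpolatedSql($username)
{
    return "UPDATE last_check SET username = '$username'";
}

// Prepared statement: the SQL text is fixed, the value travels separately as data,
// so quotes or comment markers in it have no syntactic meaning.
function updateUsername(PDO $db, $username)
{
    $stmt = $db->prepare('UPDATE last_check SET username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function currentUsername(PDO $db)
{
    return $db->query('SELECT username FROM last_check WHERE id = 1')->fetchColumn();
}

function tableExists(PDO $db, $table)
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute(array($table));
    return (int) $stmt->fetchColumn() === 1;
}

$db = openDb();
$value = "'; DROP TABLE last_check; --";   // the example value from the post

echo "SQL text if interpolated: " . interpolatedSql($value) . "\n";

$rows = updateUsername($db, $value);
echo "rows updated: $rows\n";
echo "table still exists: " . (tableExists($db, 'last_check') ? 'yes' : 'no') . "\n";
echo "stored value: " . currentUsername($db) . "\n";   // the literal string, quotes and all
```

The same pattern applies to the search in post 1 (`LIKE ?` with the wildcards added to the bound value in PHP, e.g. `'%' . $item . '%'`), where escaping with mysql_real_escape_string is the older workaround.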
  14. Is it possible to post some code? It might provide us with some more insight into how we may be able to help you further secure your forms.
  15. <?php
    $filename = "../includes/top.html";
    $file = fopen($filename, "r");
    $filesize = filesize($filename);
    // fread() with a length of 0 is an error, so guard the empty-file case
    $text = $filesize > 0 ? fread($file, $filesize) : '';
    fclose($file);
    ?>
    Above the Uploader<br>
    <form action="bodys.php" method="post" enctype="application/x-www-form-urlencoded">
    <textarea name="top" id="top" cols="45" rows="5"><?php echo htmlspecialchars($text); /* see the html reference on textarea, value="" is not an attribute of textarea; escape the content or a </textarea> inside the file ends the field early */ ?></textarea><br>
    Below the Uploader<br>
    <textarea name="bott" id="bott" cols="45" rows="5"></textarea><br>
    <input type="submit" value="Update">
    </form>
  16. You did not declare $files. Solve it by typing somewhere: $files = new YourClass();
  17. In development, don't think in users, think in hackers, and think that they will be hacking every piece of your website and then go crazy!! Oh, I just love webdevelopment
  18. Browsers

    Which browsers and which versions of them do you require as a developer? Currently installed: firefox 3, opera 9.25, safari 3.1.2, Internet Explorer (3.0, 4.01, 5.01, 5.5, 6.0, 7.0) - we webdevelopers know why... Any other browsers I require, or versions?
  19. I think this is done through the Ajax drag & drop functionality, not sure though; too lazy to create an account on photobucket and check it out.
  20. Sorry, little typo, should be:

    SELECT * FROM table1 p INNER JOIN table1 c ON p.id = c.parentId WHERE p.id = ? ORDER BY c.parent_id DESC
  21. @fearpig: your code should be:

    <?php
    $sql = "SELECT * FROM table WHERE field = 'filter'";
    $rs  = odbc_exec($conn, $sql);
    if (!$rs) {
        exit("Error in SQL");
    }
    echo "<form action='your_target' method='POST'>";
    while (odbc_fetch_row($rs)) {
        // escape database values before they land inside HTML attributes/text
        $Field1 = htmlspecialchars(odbc_result($rs, "field1"));
        $Field2 = htmlspecialchars(odbc_result($rs, "field2"));
        $Field3 = htmlspecialchars(odbc_result($rs, "field3"));
        echo "
        <select name='select_box' id='select_box'>
        <option value='$Field1'>$Field1</option>
        <option value='ol'>Ozone Layer</option>
        <option value='ae'>Alternative Energy</option>
        </select>
        ...and so on with the rest of your form...
        ";
    }
    echo "</form>";

    However, I strongly suggest you do not mix html and php, as it gets very hard to maintain over time. This is called separating business from presentation logic, and I use the MVC pattern to accomplish that. However, a simple example could be:

    // index.php
    <?php
    // i like to use overloading, it's very nice for use as a template mechanism
    class Template
    {
        protected $_vars = array();

        public function __set($key, $value)
        {
            $this->_vars[$key] = $value;
        }

        public function __get($key)
        {
            if ($this->__isset($key)) {
                return $this->_vars[$key];
            }
            return null;
        }

        public function __isset($key)
        {
            // isset() avoids the undefined-index notice a direct null check would raise
            return isset($this->_vars[$key]);
        }

        public function __unset($key)
        {
            unset($this->_vars[$key]);
        }

        public function render($script)
        {
            include_once($script);
        }

        public function __call($method, $args)
        {
            // does the helper exist?
        }
    }

    $tpl = new Template();
    while (false != ($row = mysql_fetch_array($result, MYSQL_ASSOC))) {
        foreach ($row as $key => $value) {
            $tpl->{$key} = $value;
        }
    }
    $tpl->render('index.tpl');
    ?>

    // index.tpl (this is also called a view, with it you can use view helpers, like populating a combo box)
    <form action="" method="post" enctype="application/x-www-form-urlencoded">
    <fieldset><legend>Account Details</legend>
    <table>
    <tr>
    <td><label for="name">Name</label>:</td>
    <td><?php echo $this->textField($this->name /* name refers to the table field */); ?></td>
    </tr>
    <tr>
    <td><label for="select">Country</label>:</td>
    <td><?php echo $this->comboBox($this->comboBoxDetails); ?></td>
    </tr>
    ...
    </table>
    </fieldset>
    </form>
  22. No, wait, here's an example:

    INSERT INTO category (id, parentId, name, ..) VALUES
    -- our main categories (ancestors)
    (1, 0, 'Women', ..),
    (2, 0, 'Men', ..),
    (3, 0, 'Kids', ..),
    -- subcategories for women (notice the 1 for parentId, which refers to row 1)
    (4, 1, 'Shirts', ..),
    (5, 1, 'Other', ..),
    ..
    -- subcategories for men (notice the 2 for parentId, which refers to row 2)
    (10, 2, 'Sweatshirts', ..),
    (11, 2, 'Other', ..),
    ...
    -- subcategories for kids
    ...

    INSERT INTO product (id, name, ..) VALUES
    (1, 'A sweatshirt'),
    (2, 'A shirt'),
    (3, 'A toy'),
    (4, 'Another thingy'),
    ...

    INSERT INTO product_to_category (productId, categoryId) VALUES
    (1, 10), -- 'A sweatshirt' is now categorized under 'Sweatshirts' which is a subcategory of 'Men'
    (2, 4),  -- 'A shirt' is now categorized under 'Shirts' which is a subcategory of 'Women'
    ...

    Using a self-join you can get the parent and his children. Example self-join:

    SELECT * FROM table1 p INNER JOIN table1 c ON p.id = c.parent_id WHERE p.id = ? ORDER BY c.parent_id DESC

    You may pm me if you require some more explanation; we then may work out a working example.
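The category tree from post 22 loaded into a database and queried with the self-join from posts 20 and 22, using a bound parameter for the `?`. This is an added example, not ignace's or the thread's code; it uses PDO with an in-memory SQLite database so it runs stand-alone, the rows are the ones sketched in the post with the `..` columns dropped, and the parent column is named parentId throughout (the post's INSERT uses parentId while its query writes parent_id).

```php
<?php
// Added example: adjacency-list categories (post 22) and the parent/children
// self-join (posts 20 and 22). Schema and rows follow the post; SQLite stands in for MySQL.

function buildCatalog()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE category (id INTEGER PRIMARY KEY, parentId INTEGER NOT NULL, name TEXT NOT NULL)');
    $db->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec('CREATE TABLE product_to_category (productId INTEGER, categoryId INTEGER,
                                                 PRIMARY KEY (productId, categoryId))');

    // parentId 0 marks a top-level category; every other row points at its parent's id
    $db->exec("INSERT INTO category (id, parentId, name) VALUES
        (1, 0, 'Women'), (2, 0, 'Men'), (3, 0, 'Kids'),
        (4, 1, 'Shirts'), (5, 1, 'Other'),
        (10, 2, 'Sweatshirts'), (11, 2, 'Other')");
    $db->exec("INSERT INTO product (id, name) VALUES
        (1, 'A sweatshirt'), (2, 'A shirt'), (3, 'A toy'), (4, 'Another thingy')");
    $db->exec('INSERT INTO product_to_category (productId, categoryId) VALUES (1, 10), (2, 4)');
    return $db;
}

// The self-join: the same table twice, once as the parent (p) and once as the child (c).
// The parent id comes in as a bound parameter, matching the ? in the post's query.
function childrenOf(PDO $db, $parentId)
{
    $stmt = $db->prepare(
        'SELECT p.name AS parent, c.id AS childId, c.name AS child
           FROM category p
           INNER JOIN category c ON p.id = c.parentId
          WHERE p.id = ?
          ORDER BY c.id'
    );
    $stmt->execute(array($parentId));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Walking the other way: product -> link table -> subcategory -> its parent category.
function productPath(PDO $db, $productId)
{
    $stmt = $db->prepare(
        'SELECT pr.name AS product, c.name AS category, p.name AS parent
           FROM product pr
           INNER JOIN product_to_category ptc ON ptc.productId = pr.id
           INNER JOIN category c ON c.id = ptc.categoryId
           INNER JOIN category p ON p.id = c.parentId
          WHERE pr.id = ?'
    );
    $stmt->execute(array($productId));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = buildCatalog();

foreach (childrenOf($db, 2) as $row) {
    echo $row['parent'] . ' > ' . $row['child'] . ' (' . $row['childId'] . ")\n";
}

$path = productPath($db, 1);
echo $path['parent'] . ' > ' . $path['category'] . ' > ' . $path['product'] . "\n";
```

Because parentId always refers to an existing category id, the same join works for any level: pass a subcategory id to childrenOf() and you get its children, pass 0 and you get the top-level categories. Products that are not yet linked in product_to_category (ids 3 and 4 here) simply return no path.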