Everything posted by .josh
-
Please use code tags! mail() is a function and takes certain arguments. The arguments are where you are sending it to, where it's coming from, what you are sending, etc... if you want to add more stuff to the actual email content then you need to add it to the $content variable.
-
Yeah I saw you asking how you could make it fail, but we can't tell you how to logically make it fail without knowing what's inside it. Hence the suggestion to just set your variable false, because that's the end result you want. And how can you not have the contents of filter_input()? If the script can access it, so can you. It has to physically be there somewhere.
-
In your function, change $value = "'" . mysql_real_escape_string($value) . "'"; to $value = mysql_real_escape_string($value); unless there was some reason you wanted your data to be wrapped in quotes.
-
windows. preferably vista. I hear it's leetsauce.
-
yes. You already sanitize them with it in your function so you don't need to turn around and do it again. Not to mention you do it after your insert, which kind of makes it pointless. Calling the function to sanitize them before the insertion is all that's needed. Though, in your function, I'm kind of wondering why you are wrapping single quotes around the values...
-
You can easily change dropdowns and stuff. Well yes you can, but dropdown+whitelist = ... ?
-
The only "more" effective way is to not allow/use user input at all. Or at least, nothing that's not predefined from some dropdown or something. Prepared statements are secure in that once you prepare a statement, you can't change it (hence no injection later on). mysql_real_escape_string is secure in that it escapes quotes, which is what 99.9999% of sql injection is.
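The dropdown whitelist and the prepared statement mentioned in the posts above, sketched together as an added example that is not code from the thread. The table, column and option names are hypothetical, and it assumes PDO with an in-memory SQLite database (rather than the mysql_* functions the thread uses) so it runs without a server.

```php
<?php
// Added example: names below are hypothetical, sample inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (userid INTEGER PRIMARY KEY, name TEXT, plan TEXT)');
$pdo->exec("INSERT INTO customers (name, plan) VALUES ('alice', 'basic'), ('bob', 'pro')");

// Options the dropdown offers. The browser can submit anything, so the
// server compares the submitted value against this list before using it.
const ALLOWED_PLANS = ['basic', 'pro', 'enterprise'];

function findByPlan(PDO $pdo, string $plan): array
{
    if (!in_array($plan, ALLOWED_PLANS, true)) {
        throw new InvalidArgumentException('plan is not one of the dropdown options');
    }
    // The SQL text is fixed when the statement is prepared;
    // the value travels separately and cannot change the statement.
    $stmt = $pdo->prepare('SELECT name FROM customers WHERE plan = :plan ORDER BY name');
    $stmt->execute([':plan' => $plan]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function findByName(PDO $pdo, string $name): array
{
    // Free-text input has no whitelist, so binding does all the work here.
    $stmt = $pdo->prepare('SELECT userid FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A value that is in the dropdown list.
var_dump(findByPlan($pdo, 'pro'));

// A name containing quote characters is compared as a literal string.
var_dump(findByName($pdo, "bob' OR '1'='1"));

// A value that was never offered by the dropdown is rejected before any query runs.
try {
    findByPlan($pdo, 'pro; tampered');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```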
-
well, yeah... include(). Or if that's not what you're looking for, maybe you should further explain.
-
Depends on what you plan on storing in it and what your program uses it for. SQL doesn't care one way or the other; it's a matter of your program logic.
-
[SOLVED] Assign a session variable from a posted form?
.josh replied to frobak's topic in PHP Coding Help
$sql = "SELECT * FROM customers WHERE userid= {$_SESSION['userid']}";
-
[SOLVED] How to automatically generate variable names?
.josh replied to benphp's topic in PHP Coding Help
And to make an array you would just do this:
<?php
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
$lastQ[] = "";
?>
You can put a number (or string) inside the []'s to specify the array keys but if you leave it blank it will auto-generate a numerical key starting at zero then one then two etc... dunno what your actual data is but would be more efficient to loop it.
-
hmm...okay so it will not execute the script if the case evaluates false before the break, but it will after:
<?php
$animal = 'cat';
switch($animal) {
    case 'dog':
        echo "dog";
    case 'cat':
        echo 'You requested : '. $animal;
    case 'pig' :
        echo "pig";
        break;
    default:
        echo "none";
}
?>
That will output
You requested : catpig
-
[SOLVED] Assign a session variable from a posted form?
.josh replied to frobak's topic in PHP Coding Help
$_SESSION[$userid] = $userid;
needs to be
$_SESSION['userid'] = $userid;
...unless you intended to make the session var name the same as the userid number, which I don't think you did. Then from another script you'd just do:
session_start();
echo $_SESSION['userid'];
-
because putting 0 is the same as putting false when you do it like that. If you were to do like this: $x = 0; testing($x); or testing('0'); those will work.
-
To add to what wildteen said, it will execute the code if the condition evaluates true, for every condition. It just won't skip the other condition checks if you leave out the break. So in WT's examples, it won't execute the code if $animal != 'cat'
-
[SOLVED] Assign a session variable from a posted form?
.josh replied to frobak's topic in PHP Coding Help
Show what you've tried. You can assign a posted var to a session var no problem. Do you have session_start() at the top of all the pages that use it (including where you set it)?
-
yes. Just don't put break; in it.
-
Well it's got to be somewhere. If it's nowhere then you'd be getting an undefined function error.
-
That's a user defined function. There's no way we can know what it does unless you show us the function itself.
-
haha not necessarily sayin' it's true, just pointing out the possibilities.
-
Well that could easily mean that the staff isn't very active or hasn't really been actively keeping an eye on people...