.josh

Staff Alumni
  • Posts: 14,780
  • Days Won: 43

Everything posted by .josh

  1. "With magic_quotes on, you want to stripslashes prior to mysql_real_escape... hence the ( if necessary )." Ah, true true.
  2. AFAIK there's no special term for calling a function from inside another function. AFAIK the only "multidimensional" anything out there is multidimensional arrays.
  3. The if..else is just an example to show that if the condition is true, the value is on the whitelist and is safe. If the condition is false, then the value is not on the whitelist. Is it necessarily a sql injection attempt? Maybe, maybe not. But it's not on your list of acceptable values, which is all that matters. You can do anything you want to if it's not on the whitelist. You can throw an error message, assign a default value, log the error, all of the above, none of the above. Choice is up to you.
  4. There's no reason you should be having to sanitize data coming out of your database... The "best" way to keep from being a victim of sql injection is to not put user-inputted values into your database at all. You know what they say, abstinence is the best policy. But of course, that is not an option in many, many cases. The next "best" thing is to make a whitelist of acceptable input, if at all possible. Example:

         $whitelist = array('a', 'b', 'c');
         if (in_array($_POST['blah'], $whitelist)) {
             // info is good
         } else {
             // info is bad
         }

     Failing that, mysql_real_escape_string is good for adding slashes to attempts to use quotes to escape and add extra sql code. Therefore it's not necessary to stripslashes before mysql_real_escape_string, and you certainly shouldn't stripslashes after using it. Just use mysql_real_escape_string by itself.
  5. There's really no way we can give you any kind of relevant advice without details (link to your site, code, etc...). There are lots of different mistakes people make; you can fill a whole book up with them. For example, for all I know, you could be using superglobals. I'd tell you not to use them. Or you could tell me that you already know not to use them. The point is, we're not psychic. That's the whole point of beta testing: to find the relevant mistakes/issues.
  6. You pretty much do math the same way with code as you do on paper... how would you convert 60 to .6 on paper? 60 / 100. I'm not trying to be mean, but this isn't a math forum, it's a programming forum...
  7. You need to be more specific. Like, give a before/after number example. I vaguely remember back in school "convert to a decimal" meant, for instance, taking 12345 and making it 123.45. Is that what you mean? edit: ah, responses already posted.
  8. Inside your condition that checks if the user is logged in, before the header redirect, do

         $_SESSION['currentpage'] = 'page.php';

     or

         $_SESSION['currentpage'] = $_SERVER['PHP_SELF'];

     and then in your login script, where you send them to the default logged-in page upon successful login, before the header redirect, do

         // fall back to profile.php when no page was remembered
         $location = !empty($_SESSION['currentpage']) ? $_SESSION['currentpage'] : "profile.php";
         header("Location: $location");

     edit: or yeah, you can pass it via GET method like darkwater mentioned
  9. Are you implying that Windows is an amazing product?
  10. Faster, yes. Much faster? No. Cramming code together like that has not yielded noticeable differences in a very long time. The processing time difference between those two is so minute that it's not even considered anymore. Even with a thousand lines of code with another 1000 lines of comments, 1 for each line of code, we're talking like .000000000000001 second differences here. And you would have to have a considerably large chunk of code to even measure it. And you're not even looking at this from a larger perspective. Let's say you really wanted to save those extra pennies. 6 months down the road something changes and the script no longer works. So some poor soul would have to trudge through all that crap trying to find out what went wrong. I think all that downtime before he figures it out would be a hell of a lot more than any amount of time you managed to save by doing that.
  11. I don't really advise you to allow a customer to purchase something from you without having to register and login. That just begs for people to scam you. Allowing the user to anonymously add items to a shopping cart is a convenience for them and is okay for you to do. Letting them come back later anonymously and still having their cart info is also a convenience, but it isn't 100% accurate. For initial anonymous shopping, you can use their uniquely generated session id to keep track of their shopping cart. For follow-up anonymous shopping, you can store their session id in a more permanent cookie and check if it's there, but the user could have cleared his cookies since then, so it's not accurate. You could also store their ip address in a db table and search and re-associate with that, though again, that's not 100% accurate, because ip addresses can change. A better method is to have a "Save my cart" type of button, which would require the user to register. It can be minimal, just requiring an email address and choosing a password (allow them to fill out all info on the form, of course; just make those 2 the only mandatory fields at that stage). That way, you can store that info in your db and associate items with those things, and the user can always login anytime, anywhere, and access their cart.
  12. "I know, but I can't find a direct link. Can you please give me the name, or version or something. Thank you." Okay, after much research and stuff, I finally figured out that when I click the "customize" link on the first page there, and enter in "topic solved" in the search field, there it is. They sure don't make it very intuitive over there. Maybe you should write to SMF and tell them they need to work on making their UI more user friendly. It's outrageous. Why would anyone ever think that a mod could be found like that? I just don't understand why SMF could possibly think that the average Joe would associate "customize" with "mod." Even more preposterous that they would assume I would randomly put "topic solved" into a search field to find it. It makes no sense whatsoever. Maybe you should consider using a different board system, one that's more user friendly.
  13. What are your goals for your shopping cart? Let's say random Joe user comes to your site. He's window shopping and he sees something he might want to buy. Do you want him to be able to add the item to a shopping cart without having to first register/login? If so, let's say that Joe user decides not to buy at this time, so he leaves. Now let's say he comes back later on. Do you want that item to still be in his shopping cart?
  14. There is no built-in php function for this. You can go the route of trying to compile a list of timezones for every location, or you can simply make a dropdown and allow the user to pick their own timezone. You could possibly find a website that already has all that work done for you and you could possibly use curl to send/get the results, but that makes your script dependent on someone else's. Most people opt for option #2.
  15. what are you trying to accomplish with cookie_id?
  16. If you had really bothered to search, you would have found out that I'm psychic.
  17. Yes, gmail removes style tags. Have you tried doing <img src = '...' style = '...'> ?
  18. You know what? When I was his age, I had to walk to work in the snow, uphill, with no coat. And I didn't have shoes; all I had was a pair of roller skates. And when I got to work, I had to feed punch cards into machines and do all my math in binary. Yeah.
  19. Well, I see you marked it as solved, so I'm going to assume you figured out what order to put it in?
  20. And that's the problem with kiddies today. They try to justify laziness by saying they aren't perfect.
  21. More than likely they have a cookie saved on the computer that includes info like ip address, or maybe you entered in somewhere on their site that it's your "home" computer, so when you login from somewhere else, even though your name/pw is correct, the cookie isn't there, so it knows you aren't at the same computer.
  22. What error messages? The only thing I can think of offhand is that maybe you put it before your code that connects to your db? Seriously, it's really hard to help when you're being so vague.
  23. Put the condition and query that deletes it before your stuff that queries the info and displays it.
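Posts 1 and 4 above describe the same two-step approach: whitelist the input where a finite list of acceptable values exists, and only where that is impossible strip magic-quotes slashes (if necessary) and then escape once with mysql_real_escape_string. The following is an added example, not .josh's own code; it assumes the legacy mysql extension with an open connection in $link, uses constructed sample values, and adds one caveat the posts leave out: in_array() should be called with its strict third argument, since loose comparison can match values that are not really on the list.

```php
<?php
// Added example, not from the posts above: whitelist first, escape only as a fallback.

// Constructed whitelist in the spirit of post 4.
$whitelist = array('a', 'b', 'c');

/**
 * Return $value if it is on the whitelist, otherwise $default.
 * The third argument to in_array() forces strict (===) comparison so that
 * loosely-typed matches (e.g. 0 == "a" in older PHP) cannot get through,
 * and the is_string() guard rejects arrays submitted as blah[]=a.
 */
function pick_from_whitelist($value, array $whitelist, $default) {
    if (is_string($value) && in_array($value, $whitelist, true)) {
        return $value;   // info is good
    }
    // info is bad: not on the list, so log it and fall back to a safe default
    error_log('Rejected non-whitelisted value: ' . var_export($value, true));
    return $default;
}

/**
 * Fallback for free-form input that has no finite list of acceptable values.
 * With magic_quotes_gpc on, the raw input already carries backslashes, so
 * strip them first (post 1's "if necessary") and then escape exactly once.
 * $link is assumed to be an open legacy mysql connection resource.
 */
function escape_for_query($link, $value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value, $link);
}

/**
 * Builds an INSERT for a field that cannot be whitelisted. Note the escaped
 * value is still wrapped in quotes in the SQL; escaping alone is not enough.
 */
function build_comment_insert($link, $comment) {
    $safe = escape_for_query($link, $comment);
    return "INSERT INTO comments (body) VALUES ('" . $safe . "')";
}

// Constructed inputs standing in for $_POST['blah'] (a category picker).
// A value that is not on the list, however it is crafted, is simply replaced.
$category = pick_from_whitelist("b' OR 1=1 -- ", $whitelist, 'a');
$sql = "SELECT * FROM items WHERE category = '" . $category . "'";
```

Because the category query only ever contains one of the three listed strings, its value never needs escaping at all; escaping is reserved for fields such as a free-text comment where no whitelist is possible.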