Everything posted by gizmola

  1. Agreed -- I wish more people would take that approach. There are lots of things you could try, for example, a gallery, or wordpress addon you think would be helpful, or pretty much anything.
  2. Yes, as you can see, there is a 'desc' column in the table, but no value is being passed for that. The insert statement needs to be modified accordingly.
  3. What is the database structure? When you do an insert query without specifying columns, as you are doing, the column count must exactly match the values list:
     insert into foo values ('a', 'b')
     By specifying a column list you don't have that issue when omitting values for certain columns:
     insert into foo (col1, col3) values ('col1 value', 'col3 value')
  4. Yes, good catch. I just type this stuff off the top of my head, but usually I don't make those types of blunders. Kudos to you for actually reading the code. It seems all too often we get people asking questions here who really don't know php at even a beginner's level.
  5. This code is naive and never checks the result of the query to determine if it actually succeeded. If I was placing a bet, my bet would be that a connection to the database is not occurring and this is why it no longer functions. I have a link in my signature to a page that describes how to check database results properly for mysql.
  6. The data type is boolean, which in MySQL administrator is tinyint(1). The values stored in it are 1 for true and 0 for false. PFMaBiSmAd, the query isn't failing, but if mysql_result can return false then don't I want to make sure I can tell the difference between false for the field value and false in case the query fails? This is all highly academic, and I wouldn't use this function in this way as it shows how needlessly complicated this method is.
     $MyDataset = mysql_query(...);
     if ($MyDataset && mysql_num_rows($MyDataset) > 0) {
         // There is no reason that you should have an error inside here, other than if your query is simply incorrect.
         // Just for academic purposes, here is how you could write some pessimistic code
         $value = mysql_result($MyDataset, 0, 'APPROVED');
         if ($value === false) {
             // do whatever you want to do when you have an error getting the result of an otherwise valid query
         } else {
             // compare (==), do not assign (=), or $approved is always true
             $approved = ($value == 1) ? true : false;
         }
     }
  7. This is great stuff. But I seriously think that we should consider promoting Kicken. I mean give it some thought people.
  8. bulmer, You will have more luck using the php tags around your code. I edited your post this time to help you out. [code=php:0] // [/code] I'm not sure I completely understand what you are trying to do or why, but it's important to keep in mind that the major strength of php arrays is that they are associative (keyed by string). So let's say that you wanted to build a 2 dimensional array by subscriber, if I understand you correctly. Try this:
     foreach ($st->fetchAll() as $row) {
         // first dimension keyed by subscriber, second dimension a list of plants
         $subs[$row['subscriber']][] = $row['plant'];
     }
     var_dump($subs);
     The first dimension will be keyed by the subscriber values. The 2nd dimension will be an array of 1-Many plants. Based on your description this might be what you're looking for. *update* Notice MMDE suggested the same thing
  9. Right. Phpmyadmin is just a php script that gives you a web interface to your mysql. This page talks about the configuration file: http://wiki.phpmyadmin.net/pma/Config. Wampserver is simply a bundle with things configured in advance to make it simple for you. You'll have to analyze the config.inc.php file to see what they've done.
  10. I'm at the end of my day here, so I'll try and hit the main points as I see them: Yes, that is exactly the problem. Apache tries to treat these types of files in a special way, and the upshot of it is that it will find the .php inside the filename and apply its php handler to it, no matter what the rest of the filename looks like. -Like your previous test, make a "testfile.jpg" that has <?php phpinfo(); in it like you did before. Upload that file and load it through the url. If properly configured your server will not run it -- you'll get an error. If you get the code again, then you have a configuration issue. -Debugging your upload script is something I can't do right now. Please make another thread for it, but I have to say that if you follow the example in the php.net manual for file uploads, you should not have any problem: http://us3.php.net/manual/en/features.file-upload.php Just read those pages carefully, as they go into great detail, and show you exactly what you have to do. Speaking generally, you will get the "user's" filename as one of a number of different items in the $_FILES[] array. It's an array of arrays, so that it can support multiple file uploads. Do a var_dump() on the variable and examine it until you understand what it contains. For detecting whether or not a file is actually an image: http://www.php.net/manual/en/function.exif-imagetype.php The crux of the htaccess rule is this: That is a regex expression:
     ^ matches the start of the filename
     \w+ matches a filename with characters, numbers and underscores in it.
     \. matches one period.
     (gif|jpe?g|png) matches gif or jpg or jpeg or png
     $ matches the end of the line.
     In short, this regex along with the allow deny rules, will simply not serve any file that does not match the regex, and that regex only matches files with a single period and one of the 3 image extensions. It will not allow the serving of a file named "something.php.jpg".
Regex is a super powerful tech that permeates a lot of core web dev stuff. I seem to recall not long ago you were asking a question that involved the use of regexes. I know they are confusing, but you have to put in the time and study them. There are some great tools for testing like the regex coach (pc), or similar tools if you have a mac that help.
  11. I appear to be fairly late to the party, but I feel it's worth stating that a simple trick for this type of problem is to simply rtrim off the last ','. To do this, you build the string in a variable:
     $str = '';
     $x = 1; // set $x to the number of items you want
     for ($i = 1; $i <= $x; $i++) {
         $str .= "'$i',";
     }
     $str = rtrim($str, ','); // strip the trailing comma
     echo $str;
  12. Are you sure you are logging in as "Jim" and not "jim"? You might also have a password issue. Try resetting it to something simple like this:
     GRANT ALL ON *.* TO 'Jim'@'%' IDENTIFIED BY 'apple';
     Then try to login, and if that works, take another pass setting your password back to what you want it to be. If this is a wamp test/development server, I'm not sure why it would matter much, as having a strong password isn't important when the server can't be accessed by anyone but you.
  13. Let's clarify something first. You have this criteria: games.game_id BETWEEN $four_months_ago AND $four_months_from_now This seems to indicate that the games.game_id is both the primary key of the games table AND a DATETIME column storing the value corresponding with the date/time of the game. Surely this can't be true? Usually on a scheduling app you would have "startdate" + "enddate" or at least a "startdate" column for this. Until you can clarify this, I can't provide you anything I would expect to work.
  14. The particular problem being pointed out in that article isn't showing an issue with images, but rather an issue with apache, and multiple extension files. The reason it works is that if you allow for: "somefile.php.jpg" then apache will decide to run the file. This same issue exists for somefile.php.foo.bar. There are ways to combat this, but it's really missing the point -- you are in control of what a file is named in the upload process. I don't want to get too far afield here, so let's go back to what the initial issue was. -You were concerned about .gif files that could run code. -I stated that there is not a reason to be worried about that. -You showed articles with people purposefully exploiting an apache hole (has nothing to do with .gif). Rather than completely get off the rails here the answer to this is: "Control the naming of your avatar files". I'm sure you know that handling of uploaded files is a multistep process with php which involves move_uploaded_file(). When you call move_uploaded_file you specify the destination (path + name) of the file that will be moved. Under no circumstances should the name be *anything other than what you specify it to be*. Typically people will name these avatars something predictable, and there is no real cause for that to be a secret, because the avatar name will be displayed in normal use anyways. If you have a user id system, the name of the avatar might be: "a1234.png" which might correspond to the picture uploaded by the user with id "1234". You are probably going to store this name in your database anyways, so it could be a random series of characters --- it really doesn't matter whatsoever. All that does matter is that you will set the name to something you control, and what you certainly will not do is name the file: "something.php.png". So long as you do this, there is nothing to worry about, and the same thing goes for other types of file uploads or image uploads.
Simply do not allow for multiple extensions, and this apache issue will not be a problem for you. There are more complicated ways to ensure this, like this htaccess rule for example:
     deny from all
     order deny,allow
     allow from all
     This is complex because you really need this rule to be in the parent directory of the image directory in question. I also am not going to talk about the permissions issues I mentioned previously because that is really an unrelated concern. In linux there is (for files) an execute bit that tells the linux operating system it can treat the file in question as being "executable". When you write shell scripts you have to set this bit to make them run. You don't want to have a directory where people upload scripts, set this execute bit on files, since it then becomes that much easier for an attacker to try and get your webserver to run code. That is not a php specific concern however, and exists outside of apache. What that also tells you is that you should never set all the files AND directories that contain your php scripts to have the permission 777. This is a common thing that people do when they are having problems getting their scripts to run, and that is never a good idea.
  15. At the risk of sounding pedantic, I knew all about these when I asked the question. There is a difference between an image that allows "scripting" and one that includes script. Quite simply, this is a problem involving misconfiguration of a website -- not with the gif image itself. You would also be just as exposed if you allowed someone to upload something that your client claimed was an image, and your website accepted it and deposited it somewhere. A lot of things have to go wrong including: - the site "executing" an image as a .php file (it shouldn't) - uploads going into a directory where the "execute" bit is set (also shouldn't be setup that way) The point is, that you need to run down these assertions and understand them fully -- not just react to something someone wrote on a blog, or claims someone made. In no way is the gif executing code. The problem here is php running a file that contains executable code. By itself, even a gif that contains code, poses no particular danger if your site is configured properly. If it's not configured properly, I don't need to even hide the code inside the image.
  16. The browser is responsible for passing the hostname. So long as your site supports resolution of mydomain.com, you get a webpage there, which is undoubtedly what you want. To redirect all requests for mydomain.com to www.mydomain.com you can forward them, using one of a number of techniques. With apache people frequently use mod_rewrite rules. As this is usually an SEO optimization seeking to ensure that engines don't split results for the same thing due to subdomain confusion, the way to handle this is to have your webserver issue a 301 response, which tells the client that the url they are requesting has moved permanently. This will cause search engines to make sure that they aggregate/combine all their indexing to the desired domain. Here's a typical mod_rewrite ruleset:
     RewriteEngine on
     RewriteCond %{HTTP_HOST} !^www.mydomain.com [NC]
     RewriteRule ^(.*)$ http://www.mydomain.com$1 [R=301,L]
     Your framework could implement this type of thing itself, but it's faster and more efficient in most cases to use mod_rewrite.
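The naming rule from posts 10 and 14 (detect the real image type, name the file yourself, never accept a second extension), as an added example that is not code from the forum posts. It assumes the exif extension is loaded, a hypothetical upload field named "avatar", and a hypothetical destination directory /var/www/avatars.

```php
<?php
// Added example: name an uploaded avatar from the detected image type and the
// user id, never from the client's filename, so "something.php.jpg" cannot exist.

/** Map exif_imagetype() results to the only extensions we are willing to serve. */
function avatar_extension(string $tmpPath): ?string {
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    $type = exif_imagetype($tmpPath);   // false when the file signature is not an image
    return ($type !== false && isset($allowed[$type])) ? $allowed[$type] : null;
}

/** Server-controlled name such as "a1234.png"; null means reject the upload. */
function avatar_name(string $tmpPath, int $userId): ?string {
    $ext = avatar_extension($tmpPath);
    return $ext === null ? null : sprintf('a%d.%s', $userId, $ext);
}

/** Same rule as the htaccess regex: one dot, one image extension, nothing else. */
function is_servable_image_name(string $name): bool {
    return preg_match('/^\w+\.(gif|jpe?g|png)$/', $name) === 1;
}

// Constructed demo input: a GIF signature is enough for exif_imagetype() to classify.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a" . str_repeat("\0", 16));
var_dump(avatar_name($tmp, 1234));                      // "a1234.gif"
file_put_contents($tmp, "<?php phpinfo();");           // the "testfile.jpg" trick
var_dump(avatar_name($tmp, 1234));                      // NULL: not an image
unlink($tmp);
var_dump(is_servable_image_name('a1234.gif'));          // true
var_dump(is_servable_image_name('something.php.jpg'));  // false

// Real upload handling (hypothetical field name "avatar", user id from your session).
if (!empty($_FILES['avatar']['tmp_name']) && is_uploaded_file($_FILES['avatar']['tmp_name'])) {
    $name = avatar_name($_FILES['avatar']['tmp_name'], 1234);
    if ($name !== null) {
        move_uploaded_file($_FILES['avatar']['tmp_name'], '/var/www/avatars/' . $name);
    }
}
```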
  17. I'm not sure what your concern is about the .gif format. Gif does allow for animation, where there are multiple frames inside one gif image, and that causes a problem for thumbnailing routines, but I know of no other concern. There is code out there you can find that will show you how to detect an animated gif and you can reject it, if that's what you're worried about. Most people support .jpeg, .gif and .png. Also it has become common practice recently for people to try and automate the process by looking for http://en.gravatar.com/ or if the site implements open id integration with facebook, youtube, or twitter -- to pull a default avatar from those services.
  18. This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=353736.0
  19. Pixel tracking involves specifying a url to a tracking script which returns a single pixel transparent image. The script uses parameters to update your email database to indicate that the email was actually looked at by the person it was sent to. What is your question?
  20. I said you could omit it, by which I meant you could leave it empty or not include the action at all. They are essentially the same, but as far as picking one or the other, using action="" is probably better, as it will validate while omitting the action entirely probably will not. The main reason not to use action="" is that it triggers "magic behavior" in the browsers. All the main web browsers handle this situation fine, and redirect, however, there are fringe browsers used on some mobile phones that are known not to behave in the way you desire. So it is better to explicitly provide a uri, if you want to maximize your compatibility across all user agents. Whether you care about that or not, is up to you.
  21. You can omit the action and it will default to itself, however most people will explicitly set the action programmatically using a variable. Of the available methods, there is PHP_SELF, REQUEST_URI and SCRIPT_NAME. I'll leave it to you to investigate the differences between those options, but one that is frequently the best choice is to use:
     <form enctype="multipart/form-data" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post">
  22. PHP could absolutely accomplish this goal. MP3's support a tag header that is read by players, and this same tagging system (known as id3) can be read in a number of ways, within a php script. There is an extension and several libraries out there that can read the id3. Here's a link to 2: http://www.php.net/manual/en/function.id3-get-tag.php http://getid3.sourceforge.net/ In short what your script would need to do is: -traverse all the files in the directory -call one of the id3 functions -use this to create a row in your song table in the mysql database So in short, you are able to do this with php, but as stated, this is a help site, and you need to gain a modicum of skill, and actually create some code, before people will help you.
  23. Debbie, I believe this is the 2nd of these threads that I've seen where you are asking what the ! operator does. I'd encourage you to put some time into understanding logical operators so that you don't have to repeat these types of questions. I would also encourage you not to use functions when a simple comparison will do. Functions always have some overhead, and with php language built-ins like isset() will always be preferable to other ways of doing things from a performance standpoint. In this case:
     if (!is_null($activationCode)) {
         //...
     }
     Can be written either as:
     if ($activationCode != null) {
     }
     or depending, on the nature of how $activationCode is getting its value:
     if ($activationCode !== null) {
     }
     In short, try not to use the not operator, not to mention the is_null() function when you don't have to, and this is a case where you clearly don't.
  24. How can I make it clearer? It is neither. The php script runs on the server. It is for all intents and purposes equivalent to the server. Thus it only returns responses.