Everything posted by roopurt18

  1. POST data is not logged so you can present the user with a link to a login form and they can type the password; just make sure the form's method is set to 'post' and not 'get'. If you insist on passing the password via GET, then you should encrypt and base64 encode it. That way anyone viewing the logs will see a base64 encoded string; if they decode it (which they can do easily) they will get an encrypted binary string. If you pick a good encryption algorithm, then the password will be long expired by the time they can decrypt it. And just to be really clear about what is logged in Apache's logs, anything passed via GET is logged because Apache logs URLs accessed by site visitors (and GET data is part of the URL). So be careful about passing any sensitive data around via GET.
  2. http://".$domain."?admin&loginid=".$pass."
     I know the password expires after 15 minutes, but keep in mind URLs are logged in Apache's logs. So your generated passwords will be logged in plain text files on the server.
  3. Run this and post the output from the DEBUG dump.

     <?php
     require('includes/application_top.php');

     // if the customer is not logged on, redirect them to the login page
     if (!tep_session_is_registered('customer_id')) {
       $navigation->set_snapshot();
       tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
     }
     ?>
     <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
     <html <?php echo HTML_PARAMS; ?>>
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
     <title><?php echo TITLE; ?></title>
     <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
     <link rel="stylesheet" type="text/css" href="stylesheet.css">
     <?php require('includes/form_check_coach.js.php'); ?>
     </head>
     <body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
     <!-- header //-->
     <?php require(DIR_WS_INCLUDES . 'header.php'); ?>
     <!-- header_eof //-->

     <!-- body //-->
     <?php
     mydbg( 'POST: ' );
     mydbg( $_POST ); //%%

     if( !empty( $_POST ) ) {
       /**
        * If you print_r( $_POST ) you will find that you have an array named 'player'.
        * Each index into this array will be POSITIVE (the player's database ID) if the player already exists in the database.
        * The index will be NEGATIVE if the player is new and needs to be inserted.
        *
        * And then each player is an array where the associative names should match your column names,
        * so that you can easily generate your insert / update statements based on what I
        * showed you earlier.
        */
       foreach( $_POST['player'] as $player_id => $player_info ) {
         // ADDED A CHECK FOR IF THE PLAYER IS EMPTY!
         // Test the raw values before quoting them (a quoted empty string is '' and is no
         // longer empty), and ignore the hidden customer_id field, which is always filled in.
         $visible = $player_info;
         unset( $visible['customer_id'] );
         $emptyplayer = trim( implode( " ", $visible ) ) == ''; // true if empty, false otherwise

         foreach( $player_info as $k => $v ) {
           $player_info[$k] = "'" . mysql_real_escape_string( $v ) . "'";
         }
         echo "1<br />";

         if( $player_id < 0 ) {
           if( $emptyplayer ) {
             continue; // SKIP TO NEXT PLAYER
           }
           // OOPS! SINCE 'player_id' IS AUTO-INCREMENTING, WE DO NOT HAVE TO INSERT IT.
           // THEREFORE THE FOLLOWING LINE IS COMMENTED OUT (i.e. you can remove it from your code).
           //$player_info['player_id'] = "'" . mysql_real_escape_string( $player_id ) . "'";
           $stmt = "insert into `rosters` ( " . implode( ', ', array_keys( $player_info ) ) . " ) "
                 . "values ( " . implode( ', ', $player_info ) . " )";
           echo "2<br />";
         } else if( !$emptyplayer ) {
           // player_id GREATER THAN ZERO, SO PLAYER EXISTS IN DATABASE. PLAYER IS NOT
           // EMPTY, SO WE UPDATE HIM!
           foreach( $player_info as $k => $v ) {
             // SLIGHTLY MORE READABLE
             $player_info[$k] = "`{$k}`={$v}";
             echo "3<br />";
           }
           $stmt = "update `rosters` set " . implode( ', ', $player_info ) . " where "
                 . "`player_id`='" . mysql_real_escape_string( $player_id ) . "'";
           echo "4<br />";
         } else {
           // player_id GREATER THAN ZERO SO HE EXISTS IN DATABASE. PLAYER IS EMPTY
           // SO WE DELETE HIM!
           $stmt = "delete from `rosters` where `player_id`='" . mysql_real_escape_string( $player_id ) . "'";
           echo "deletestmt<br />";
         }

         $r = mysql_query( $stmt );
         // check for errors and success
         if( !$r ) {
           echo mysql_error() . "<br>";
         }
         echo "5<br />";
       }
       echo "5a<br />";
       echo "6<br />";
     }

     echo "<form action=\"roster.php\" method=\"post\"><table>";
     mydbg( $sqlplayers ); //%%
     $result = mysql_query( $sqlplayers );
     $maxrows = 15;
     $insid = -1;

     // create a blank player template
     $cols = array(
       'fname'         => 'size="10"',
       'lname'         => 'size="10"',
       'address'       => 'size="15"',
       'city'          => 'size="15"',
       'state'         => 'size="2"',
       'zip'           => 'size="10"',
       'phone'         => 'size="10"',
       'email'         => 'size="20"',
       'number'        => 'size="2"',
       'gradyear'      => 'size="4"',
       'height_feet'   => 'size="1"',
       'height_inches' => 'size="4"'
     );
     $blankplayer = array();
     foreach( $cols as $c => $extra ) {
       $blankplayer['player_roster_' . $c] = ''; // MODIFIED TO ADD player_roster_ prefix
     }
     // we now have a blank player template

     for( $i = 1; $i <= $maxrows; $i++ ) {
       echo "<tr>";
       if( $result ) {
         $player = mysql_fetch_assoc( $result );
         mydbg( $player ); //%%
       }
       if( !$player ) {
         // We've run out of players, so create a blank one to insert
         $result = null; // stop trying to access result
         $player = $blankplayer;
         $player['id'] = $insid--; // first blank player is id -1, second is -2, third is -3, etc.
       }
       // dump the fields
       $firstcol = true;
       foreach( $cols as $c => $extra ) {
         $c = 'player_roster_' . $c; // MODIFIED TO ADD player_roster_ prefix
         echo "<td>";
         if( $firstcol === true ) {
           echo "<input type=\"hidden\" name=\"player[{$player['id']}][customer_id]\" value=\"{$customer_id}\" />";
           $firstcol = false; // only emit the hidden field once per row
         }
         echo tep_draw_input_field( "player[{$player['id']}][{$c}]", $player[$c], $extra ) . "</td>";
       }
       $player = null; // important!
       echo "</tr>";
     }
     ?>
     </table><input type="submit" name="editplayers" value="Submit" />
     </form>
     <?php mydbg( null, false ); /*%%REMOVE ME dump debugging */ ?>
     <!-- footer //-->
     <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
     <!-- footer_eof //-->
     </body>
     </html>
     <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>
     <?php
     /**
      * Simple debugging function. If $add is true, it adds a debugging message. If $add
      * is false, it dumps the debugging messages that were added.
      *
      * @param mixed $msg
      * @param bool $add
      */
     function mydbg( $msg, $add = true ) {
       static $msgs = array();
       if( $add === true ) {
         $msgs[] = $msg;
       } else {
         echo '<pre style="text-align: left; font-weight: bold; font-size: 10px; background-color: #ececec;"> DEBUG:';
         foreach( $msgs as $msg ) {
           if( is_bool( $msg ) ) {
             $msg = 'BOOLEAN [' . ($msg ? 'T' : 'F') . ']';
           } else if( is_null( $msg ) ) {
             $msg = '__NULL__';
           } else if( is_string( $msg ) && !strlen( $msg ) ) {
             $msg = '__EMPTY_STRING__';
           } else if( is_array( $msg ) || is_object( $msg ) ) {
             $msg = print_r( $msg, true );
           }
           echo $msg . "\n\n";
         }
         echo '</pre>';
       }
     }
     ?>
  4. I think making the client request a new password each time they want to log in is a bit excessive. If I were the client I'd probably get sick of that. I would use a self-signed certificate for the site and use mod_rewrite to force all requests through HTTPS. This allows the client to ensure the site is the actual site and not a spoof. It also ensures any sniffed traffic will be encrypted and thus protected. If the client will only be accessing this site from a single machine, you might even consider generating a self-signed certificate for the client to identify himself to the web site. In this way, the web site will only talk to the client. If the client is accessing this site from a specific IP range, such as 143.238.*.*, then you can configure Apache to serve this site only to that IP range:
       Order allow,deny
       Allow from 143.238
     AFAIK, if the client is using a certificate to identify themselves to the site, then they don't even need a login and password. But you could add one anyway. In this case I'd use a "regular" login page. Instead of forcing the client to request a password each time they wish to log in, just use a scheduled task to regenerate a new password every morning, two days, week, or some other frequency. E-mail the new password to the client whenever it changes. Just remember that if the client's e-mail is a free e-mail service, then that is an inherent security risk. I also don't like the idea of automatically generated passwords because people have a hard time remembering them. So ultimately what they do is save it some place in plain text where anyone can view it if they know what it is.
  5. I'd like to figure out why the blank rows are going in. At some point do me a favor and perform this experiment.
     1) Delete all of the data from the table.
     2) Modify some code for me, changing:
          if( !empty( $_POST ) ) {
        to:
          echo 'POST OUTPUT:<br /><pre style="text-align: left;">';
          var_dump( $_POST );
          echo '</pre>';
          if( !empty( $_POST ) ) {
     3) Resubmit the form, filling in only a couple of the rows.
     4) On the resulting page, copy and paste the output from the code I had you add in step two.
  6. For #1:
       echo "<tr><td><input type=\"hidden\" name=\"player[{$i}][customer_id]\" value=\"{$customer_id}\"></td>";
     Notice the name attribute? That will turn it into $_POST['player'][$i]['customer_id'], just like the other fields. Then it will just work with the existing update and insert statements. I have to run so I'll check on what #2 was later...
  7. Specifying callbacks in OOP is done depending on which context you are in: object context (there is a $this variable) or static context (there is no $this variable). If there is a $this variable:
       array_walk( $_GET, array( $this, 'cleanArray' ) );
     If there is no $this variable:
       array_walk( $_GET, 'Base::cleanArray' );
     Also, it is wasteful to spend time cleaning $_GET, $_POST, $_COOKIE, etc. on each page request. Not every page will use all three of them, so why clean things that won't be used? You could write a "Getter" class for each one of them. The "Getter" class will clean the object if it is the first time it has been requested. Lastly, if you clean all of these values initially on page load, then you would have to unclean them to determine what the original values were. This may not be a problem for you, but there are times when you want to see the original, unaltered data for debugging purposes without the extra characters added by sanitizer functions.
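The lazy "Getter" described in post 7, written out as an added example (this is not roopurt18's code). It wraps one superglobal, sanitizes it only on first access using the object-context callback form from the post, and keeps the raw copy for debugging; the `htmlSanitizer` function, the `Getter` class name and the sample input are all assumptions.

```php
<?php
// Added example: one "Getter" per superglobal. The array is cleaned the
// first time a value is requested, never on pages that do not use it, and
// the untouched original remains available for debugging.
class Getter
{
    private $raw;        // untouched copy of the superglobal
    private $clean;      // sanitized copy, built on first access
    private $sanitizer;  // callable applied to every scalar value

    public function __construct(array $source, $sanitizer)
    {
        $this->raw = $source;
        $this->clean = null;
        $this->sanitizer = $sanitizer;
    }

    // Sanitized value for $key (or $default). Cleans the whole array once.
    public function get($key, $default = null)
    {
        if ($this->clean === null) {
            $this->clean = $this->raw;
            // Object context, so the callback is array( $this, 'method' ).
            array_walk_recursive($this->clean, array($this, 'cleanValue'));
        }
        return array_key_exists($key, $this->clean) ? $this->clean[$key] : $default;
    }

    // Original, unsanitized value: for logging and debugging only,
    // never for echoing into a page or pasting into a query.
    public function raw($key, $default = null)
    {
        return array_key_exists($key, $this->raw) ? $this->raw[$key] : $default;
    }

    // array_walk_recursive callback; the value must be taken by reference.
    public function cleanValue(&$value, $key)
    {
        $value = call_user_func($this->sanitizer, $value);
    }
}

// Assumed sanitizer for values that will be printed into HTML. Escaping is
// context-specific: values going into SQL or a shell need a different one.
function htmlSanitizer($value)
{
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_GET.
$sampleGet = array('name' => ' <b>Bob</b> ', 'page' => '2');
$get = new Getter($sampleGet, 'htmlSanitizer');

echo $get->get('name'), "\n";                       // escaped, safe for HTML
echo var_export($get->raw('name'), true), "\n";     // original, for debugging
echo var_export($get->get('missing', 'n/a'), true), "\n";
```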
  8. Post all of your code and identify which is line 396.
  9. Woe be unto those that use the code posted by darkfreaks.
  10. The security flaw is that your original code is blindly calling include() on whatever was passed through the URL. The URL comes from the user, which means the user can edit it to any path that they believe might exist on your file system. Without filtering what you call include() on, I can attempt to ask your script to open known files in known locations. These files could contain passwords, keys, or all sorts of information. CV's code creates an array of allowed values and only opens the page from the URL if it is one of the allowed values. Therefore users can't attempt to open any random file on your file system.
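The allowlist approach post 10 credits to CV, as an added example (not roopurt18's or CV's code): the URL parameter is used only as a key into a fixed map, so include() never sees user-controlled path text. The `resolvePage` function, the `pages/` file paths and the `page` parameter name are assumptions.

```php
<?php
// Added example: map request names to hard-coded include paths. Only an
// exact key match is accepted; the request value itself is never used as a
// path, so "../" or absolute paths cannot reach include().
$allowedPages = array(
    'home'    => 'pages/home.php',     // assumption: these files exist
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

// Returns the include path for $requested, or the default page's path when
// the request is missing, not a string, or not on the allowlist.
function resolvePage(array $allowed, $requested, $default = 'home')
{
    // Use a key lookup rather than in_array(): in_array() compares loosely,
    // so on older PHP a value such as 0 would match any string entry.
    if (is_string($requested) && array_key_exists($requested, $allowed)) {
        return $allowed[$requested];
    }
    return $allowed[$default];
}

$page = isset($_GET['page']) ? $_GET['page'] : null;
$path = resolvePage($allowedPages, $page);

// include() now only ever receives one of the paths written above.
if (is_file($path)) {
    require $path;
} else {
    // A missing allowlisted file is a deployment error, not a user error.
    header('HTTP/1.0 500 Internal Server Error');
    echo 'Page unavailable';
}
```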
  11. Since both names refer to the same IP address, you cannot use IP-based virtual hosting. Refer to the details of name-based virtual hosting. http://httpd.apache.org/docs/2.0/vhosts/name-based.html
  12. I looked at Crystal Reports about a year and a half ago. The report designer was easy to use and seemed to work well. However I couldn't find one clear, concise piece of information about how to render the report from my web application. All I was looking for was a service or executable that I could pass my report design into and get a report generated from; my application would handle giving the report to the correct users and other such tasks. All I could find for CR was how to deploy it in their own reporting suite that would have to be installed at client locations (that clients would have to pay licenses for). So I did what I always do and used BIRT. It's not perfect, but it sure is better than making reports "by hand" and it's better than dealing with a company that just wants to sell you something every time you want a simple solution.
  13. Set up a test page on the same site that strips out everything: no SSL, no sessions, nothing fancy. Try and reproduce the problem. If the problem can't be reproduced, then slowly start introducing elements of your application back into it. Add the sessions. Add the SSL. Until it starts happening again. Also, see if you can't record the packets sent from the client machine and the packets received for this test page. Make sure that you aren't experiencing extremely high packet loss. It could be that one side is not catching all of the packets so the sender has to repeatedly send them (if that is indeed how networking works). It could just be that these few clients or users have bad networking environments or extra firewall rules or something somewhere that is preventing full throughput of the traffic. If that's the case no amount of PHP upgrading will help you.
  14. The best approach is to learn how to use mod_rewrite to send all web requests that are not images through a single file index.php. This will make your URLs pretty. It also makes handling global application logic much easier since you only need to put session_start() in one place (at the top of index.php).
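The Apache setup from posts 4 and 14 written out as one added configuration (not roopurt18's): plain HTTP is redirected to HTTPS, the HTTPS host requires a client certificate, only the client's IP range is admitted, and every request that is not an existing image or static file is routed through index.php. It assumes Apache 2.4 directive syntax (post 4 quotes the older Order/Allow form), the 143.238.0.0/16 range from the post, and placeholder certificate paths.

```apache
# Added example configuration; certificate paths and ServerName are placeholders.

# Plain HTTP: redirect everything to HTTPS, serve nothing here.
<VirtualHost *:80>
    ServerName example.invalid
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.invalid
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile    /etc/ssl/placeholder/server.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/server.key

    # Client certificate: the browser must present a certificate issued by
    # this CA, so the site only talks to the client's machine.
    SSLCACertificateFile  /etc/ssl/placeholder/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Directory /var/www/app>
        Options FollowSymLinks
        AllowOverride None

        # Only the client's IP range may reach the site at all
        # (Apache 2.4 form of "Order allow,deny / Allow from 143.238").
        Require ip 143.238.0.0/16

        # Front controller: anything that is not an existing file and is
        # not an image or other static asset goes through index.php, so
        # session_start() and the rest of the global logic live in one place.
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_URI} !\.(png|jpe?g|gif|css|js)$ [NC]
        RewriteRule ^ /index.php [L]
    </Directory>
</VirtualHost>
```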
  15. Here is one more possible rewrite if MySQL supports it:

        select z.*, z.total_miles / z.num_team_members as avg_miles_per_team_member
        from (
          select *,
            sum(miles*(1-abs(sign(week-1)))) as week1,
            sum(miles*(1-abs(sign(week-2)))) as week2,
            sum(miles*(1-abs(sign(week-3)))) as week3,
            sum(miles*(1-abs(sign(week-4)))) as week4,
            sum(miles*(1-abs(sign(week-5)))) as week5,
            sum(miles*(1-abs(sign(week-6)))) as week6,
            sum(miles*(1-abs(sign(week-7)))) as week7,
            sum(miles*(1-abs(sign(week-8)))) as week8,
            sum(miles*(1-abs(sign(week-9)))) as week9,
            sum(miles*(1-abs(sign(week-10)))) as week10,
            sum(miles*(1-abs(sign(week-11)))) as week11,
            sum(miles*(1-abs(sign(week-12)))) as week12,
            sum(miles*(1-abs(sign(week-13)))) as week13,
            (select sum( miles ) from miles b where a.team_name=b.team_name) as total_miles,
            (select count(*) from members c where a.team_name=c.team_name) as num_team_members
          FROM miles a
          GROUP BY total_miles DESC
        ) as z
  16. Let's take a look at the relevant portions of your query for the error:

        select *,
          # skipping weeks1 through weeks13
          (select sum( miles ) from miles b where a.team_name=b.team_name) as total_miles,
          (select count(*) from members c where a.team_name=c.team_name) as num_team_members,
          total_miles / num_team_members as avg_miles_per_team_member
        FROM miles a
        GROUP BY total_miles DESC";

      And the error: 'field list' is the list of columns we have chosen to select. The columns we are selecting are * (i.e. all of the table's columns), week1 through weekN, total_miles, num_team_members, and avg_miles_per_team_member. avg_miles_per_team_member is what is giving us the trouble:

        total_miles / num_team_members as avg_miles_per_team_member

      However, total_miles and num_team_members are values calculated from sub-selects! At that point in the query it does not look as if MySQL has processed the sub-selects and assigned them to the output columns we designated (total_miles, num_team_members). Try rewriting:

        (select sum( miles ) from miles b where a.team_name=b.team_name) as total_miles,
        (select count(*) from members c where a.team_name=c.team_name) as num_team_members,
        total_miles / num_team_members as avg_miles_per_team_member

      To:

        (@tm:=(select sum( miles ) from miles b where a.team_name=b.team_name)) as total_miles,
        (@ntm:=(select count(*) from members c where a.team_name=c.team_name)) as num_team_members,
        @tm / @ntm as avg_miles_per_team_member

      The explanation for this is found at (take note of the user's comments at the bottom): http://dev.mysql.com/doc/refman/5.0/en/user-variables.html

      If that doesn't work, you can re-perform the sub-queries (and MySQL may optimize them out anyways):

        (select sum( miles ) from miles b where a.team_name=b.team_name) as total_miles,
        (select count(*) from members c where a.team_name=c.team_name) as num_team_members,
        (select sum( miles ) from miles b where a.team_name=b.team_name)
          / (select count(*) from members c where a.team_name=c.team_name) as avg_miles_per_team_member
  17. That was the idea all along. When receiving help on forums or internet chat, unless your question is really, really simple, you'll rarely get a complete working answer straight away. Many times we use placeholders for values since we don't know the details of your application. In this instance I didn't know exactly what you had named your primary key field so I used the word 'primary_key,' it was up to you to figure out that you should replace it with the actual primary key. Anyways I'm glad you're not just copying and pasting code and then coming back and saying "It doesn't work what now?" At least you're partially trying to process it yourself and find the solution on your own; that's a great start for learning how to program and best of all become a self-sufficient programmer. This should take care of #1 and #3. If it works I'll help you with your other question.

      <?php
      require('includes/application_top.php');

      // if the customer is not logged on, redirect them to the login page
      if (!tep_session_is_registered('customer_id')) {
        $navigation->set_snapshot();
        tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
      }
      ?>
      <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
      <html <?php echo HTML_PARAMS; ?>>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
      <title><?php echo TITLE; ?></title>
      <base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
      <link rel="stylesheet" type="text/css" href="stylesheet.css">
      <?php require('includes/form_check_coach.js.php'); ?>
      </head>
      <body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
      <!-- header //-->
      <?php require(DIR_WS_INCLUDES . 'header.php'); ?>
      <!-- header_eof //-->

      <!-- body //-->
      <?php
      if( !empty( $_POST ) ) {
        /**
         * If you print_r( $_POST ) you will find that you have an array named 'player'.
         * Each index into this array will be POSITIVE (the player's database ID) if the player already exists in the database.
         * The index will be NEGATIVE if the player is new and needs to be inserted.
         *
         * And then each player is an array where the associative names should match your column names,
         * so that you can easily generate your insert / update statements based on what I
         * showed you earlier.
         */
        foreach( $_POST['player'] as $player_id => $player_info ) {
          // ADDED A CHECK FOR IF THE PLAYER IS EMPTY!
          // Test the raw values before quoting them: a quoted empty string is '' and is no longer empty.
          $emptyplayer = trim( implode( " ", $player_info ) ) == ''; // true if empty, false otherwise

          foreach( $player_info as $k => $v ) {
            $player_info[$k] = "'" . mysql_real_escape_string( $v ) . "'";
          }
          echo "1<br />";

          if( $player_id < 0 ) {
            if( $emptyplayer ) {
              continue; // SKIP TO NEXT PLAYER
            }
            // OOPS! SINCE 'player_id' IS AUTO-INCREMENTING, WE DO NOT HAVE TO INSERT IT.
            // THEREFORE THE FOLLOWING LINE IS COMMENTED OUT (i.e. you can remove it from your code).
            //$player_info['player_id'] = "'" . mysql_real_escape_string( $player_id ) . "'";
            $stmt = "insert into `rosters` ( " . implode( ', ', array_keys( $player_info ) ) . " ) "
                  . "values ( " . implode( ', ', $player_info ) . " )";
            echo "2<br />";
          } else if( !$emptyplayer ) {
            // player_id GREATER THAN ZERO, SO PLAYER EXISTS IN DATABASE. PLAYER IS NOT
            // EMPTY, SO WE UPDATE HIM!
            foreach( $player_info as $k => $v ) {
              // SLIGHTLY MORE READABLE
              $player_info[$k] = "`{$k}`={$v}";
              echo "3<br />";
            }
            $stmt = "update `rosters` set " . implode( ', ', $player_info ) . " where "
                  . "`player_id`='" . mysql_real_escape_string( $player_id ) . "'";
            echo "4<br />";
          } else {
            // player_id GREATER THAN ZERO SO HE EXISTS IN DATABASE. PLAYER IS EMPTY
            // SO WE DELETE HIM!
            $stmt = "delete from `rosters` where `player_id`='" . mysql_real_escape_string( $player_id ) . "'";
            echo "deletestmt<br />";
          }

          $r = mysql_query( $stmt );
          // check for errors and success
          if( !$r ) {
            echo mysql_error() . "<br>";
          }
          echo "5<br />";
        }
        echo "5a<br />";
        exit(); return; // whatever is appropriate to stop processing
        echo "6<br />";
      }

      echo "<form action=\"roster.php\" method=\"post\"><table>";
      $result = mysql_query( $sqlplayers );
      $maxrows = 15;
      $insid = -1;

      // create a blank player template
      $cols = array(
        'fname'         => 'size="10"',
        'lname'         => 'size="10"',
        'address'       => 'size="15"',
        'city'          => 'size="15"',
        'state'         => 'size="2"',
        'zip'           => 'size="10"',
        'phone'         => 'size="10"',
        'email'         => 'size="20"',
        'number'        => 'size="2"',
        'gradyear'      => 'size="4"',
        'height_feet'   => 'size="1"',
        'height_inches' => 'size="4"'
      );
      $blankplayer = array();
      foreach( $cols as $c => $extra ) {
        $blankplayer['player_roster_' . $c] = ''; // MODIFIED TO ADD player_roster_ prefix
      }
      // we now have a blank player template

      for( $i = 1; $i <= $maxrows; $i++ ) {
        echo "<tr>";
        if( $result ) {
          $player = mysql_fetch_assoc( $result );
        }
        if( !$player ) {
          // We've run out of players, so create a blank one to insert
          $result = null; // stop trying to access result
          $player = $blankplayer;
          $player['id'] = $insid--; // first blank player is id -1, second is -2, third is -3, etc.
        }
        // dump the fields
        foreach( $cols as $c => $extra ) {
          $c = 'player_roster_' . $c; // MODIFIED TO ADD player_roster_ prefix
          echo "<td>" . tep_draw_input_field( "player[{$player['id']}][{$c}]", $player[$c], $extra ) . "</td>";
        }
        $player = null; // important!
        echo "</tr>";
      }
      ?>
      </table><input type="submit" name="editplayers" value="Submit" />
      </form>
      <!-- footer //-->
      <?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
      <!-- footer_eof //-->
      </body>
      </html>
      <?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>
  18. In set mathematics, a UNION merely combines one or more sets into a single set. Example:

        (a, b, c, d) UNION ( x, y, d, z ) => (a, b, c, d, x, y, d, z)

      UNION performs the same operation in SQL. It combines one or more result sets into a single result set. Each result set must have the same number of columns in the same order with the same data types or it will not work. Example:

        Name (varchar)  Age (int)
        Larry           23
        George          57
        Ralph           62

      UNION

        Name (varchar)  Age (int)
        Sally           78
        Betty           57
        Susan           46
        Tiphany         23

      GIVES

        Name (varchar)  Age (int)
        Sally           78
        Betty           57
        Susan           46
        Tiphany         23
        Larry           23
        George          57
        Ralph           62

      So a UNION is not what you want to use. Nor do you want to use a JOIN. Instead, how about another sub-query?

        <?php
        $qry="select *,
                sum(miles*(1-abs(sign(week-1)))) as week1,
                sum(miles*(1-abs(sign(week-2)))) as week2,
                sum(miles*(1-abs(sign(week-3)))) as week3,
                sum(miles*(1-abs(sign(week-4)))) as week4,
                sum(miles*(1-abs(sign(week-5)))) as week5,
                sum(miles*(1-abs(sign(week-6)))) as week6,
                sum(miles*(1-abs(sign(week-7)))) as week7,
                sum(miles*(1-abs(sign(week-8)))) as week8,
                sum(miles*(1-abs(sign(week-9)))) as week9,
                sum(miles*(1-abs(sign(week-10)))) as week10,
                sum(miles*(1-abs(sign(week-11)))) as week11,
                sum(miles*(1-abs(sign(week-12)))) as week12,
                sum(miles*(1-abs(sign(week-13)))) as week13,
                (select sum( miles ) from miles b where a.team_name=b.team_name) as total_miles,
                (select count(*) from members c where a.team_name=c.team_name) as num_team_members,
                total_miles / num_team_members as avg_miles_per_team_member
              FROM miles a
              GROUP BY total_miles DESC";
        ?>
  19. We have a license for this at work but have yet to spend any resources exploring how well it works: http://www.nusphere.com/products/phpdock.htm
  20. <?php
      $qry="select *,
              sum(miles*(1-abs(sign(week-1)))) as week1,
              sum(miles*(1-abs(sign(week-2)))) as week2,
              (select sum( miles ) from miles b where a.team_name=b.team_name) as total_miles
            FROM miles a
            GROUP BY team_name";
      ?>
  21. Format it after all calculations are made or just before display.
  22. <?php
      $qry="select *,
              sum(miles*(1-abs(sign(week-1)))) as week1,
              sum(miles*(1-abs(sign(week-2)))) as week2
            FROM miles wc1
            GROUP BY wc1.team_name
            ORDER BY total_miles";
      $result=mysql_query($qry);
      if( !$result ) {
        echo mysql_error() . '<br />';
      }
      ?>
      <table width="100%" border="1" cellspacing="1" cellpadding="1">
      <tr><th colspan="4">Go 100 For Health</th></tr>
      <tr>
        <td>Team Name</td>
        <td>Week 1</td>
        <td>Week 2</td>
        <td>Total Miles</td>
      </tr>
      <?php
      while ($row = mysql_fetch_array($result)) {
        echo "<tr>";
        echo "<td>" . $row['team_name'] . " </td>";
        echo "<td>" . $row['week1'] . " </td>";
        echo "<td>" . $row['week2'] . " </td>";
        echo "<td>" . $row['total_miles'] . " </td>";
        echo "</tr>";
      }
      echo "</table>";
      ?>
  23. IIRC you also have the fact that not all CSS events are supported by all tags. I could be wrong though.