Everything posted by arianhojat

  1. Love the Topic Solved mod... I wonder if there would be a way to implement a 'Topic Still Unsolved' mod. Basically, when you have 0 replies to your thread, a lot of people feel pretty good to get the 1st reply in, or if no one answered the thread and it's starting to get old, people seem to feel good that other people couldn't answer the question and they throw in their reply. Basically you get a lot of noob answers and your thread gets lost because it looks like someone replied to your post on the thread listing page. I dunno about you guys but I also like replying to threads which have no replies yet. Would be cool to have a checkbox that when checked gives the thread a title '[STILL UNSOLVED] thread title', so when you bump the thread, people know it's still open. But there would need to be user motivation to get it solved, like a ticket system, otherwise you would have a lot of topics still unsolved even if someone solved them. Maybe an email is sent every couple of days while it is still open, telling the user to close it. It becomes annoying to the user so he will go and update it. For those people with emails they never check or email filters, you can also try to notify them when they log in, so they can change the state of the 'ticket' to 'Topic Solved' or 'UNSOLVED... But Eh, Don't Care Anymore'. Just a thought :)
  2. I was looking for classes to read and write Excel files in PHP. Didn't seem to find anything built into PHP, but found 2 separate projects... For reading an Excel file: www.sourceforge.net/projects/phpexcelreader and for writing an Excel file: www.pizzaseo.com/php-excel-creator-class The writing part works perfectly. However the reader tries to see what Excel data format the cell is in, and tries to format it. It goofs a lot on dates... For example if a column has data of 9/30/2006 then it gives you a value of 29/09/2006. It would be nice to get the value without formatting, but unfortunately nothing I try works. Anyone have any new PHP APIs that read Excel files (easy APIs to read rows/columns)? Thanks in advance.
  3. Had a few questions (4 specifically) regarding sprintf versus prepared statements to protect a query from injection etc. Here are my test examples that my questions are based off of...

     ##### sprintf example
     <?php
     function secure_query($var) // returns variable for database insertion
     {
         if (!is_numeric($var)) // string
             return "'" . mysql_real_escape_string($var) . "'"; // basically adds slashes to strings (heard this is better than addslashes() as it's custom to mysql's current char set)
         else
             return $var; // number
     }

     $query = sprintf(
         "UPDATE theDB.table SET Description=%s, Comments=%s, age=%d WHERE id=%d", // %d for integers: PHP's sprintf has no %i
         secure_query($description),
         (($comments != "") ? secure_query($comments) : 'NULL'),
         (($age != "") ? secure_query($age) : 'NULL'),
         secure_query($id)
     );
     ?>

     ##### prepared example
     <?php
     if ($stmt = $mysqli->prepare("UPDATE theDB.table SET Description=?, Comments=?, age=? WHERE id=?")) {
         // bind_param takes all the placeholders in one call and binds by reference, so the values have to live in variables
         $commentsParam = ($comments != "") ? $comments : 'NULL';
         $ageParam      = ($age != "") ? $age : 'NULL';
         $stmt->bind_param("ssii", $description, $commentsParam, $ageParam, $id);
         $stmt->execute();
         $stmt->close();
     }
     ?>

     1. Is a prepared statement in PHP safer than, say, a normal query formatted with sprintf, which is what I have currently? What are the advantages/disadvantages to each if there are any (I know prepared statements are faster if doing many of the same query, and I believe you don't need to add slashes to the variables you pass it).
     2. I know you have to secure the query for sprintf. But do I need to use the secure_query function (which is basically a shortcut to do mysql_real_escape_string on text vars) when I do a prepared statement? Or is a prepared statement already secure and takes care of this somehow internally so I don't need to? *** I think based on some research prepared statements take this into account, and hence I don't need to add slashes to any vars I pass it.
     3. My $comments and $age variables can either have string/int data, but if those textfields weren't filled out by the user, I want to put NULL in the database. Since I can pass a string/integer or 'NULL' to sprintf in those variables, it seems like sprintf will definitely complain that 'NULL' is not an integer, or convert that value to 0.
     4. So are prepared statements the way to go? Or are there certain situations when you'd definitely use one over the other? I asked this question before but no one answered, so giving this one more shot if anyone can help clear things up. Thanks in advance guys!
  4. Last bump attempt before starting a new post. Hopefully someone out there knows the answer.
  5. For this line... $file_contents = file_get_contents($fileUpload); ... Reading the PHP manual, I think you need to supply the filename itself to file_get_contents, not the POST info.

     echo 'Folder temporarily uploaded to (make sure this path is correct) = ' . $_FILES['userfile']['tmp_name'][0];
     // is_uploaded_file() confirms the path really is this request's upload before reading it
     $file_contents = file_get_contents($_FILES['userfile']['tmp_name'][0]);
     // maybe delete the file when done
     unlink($_FILES['userfile']['tmp_name'][0]);
  6. Could be quotes. I've had trouble with those. Smart quotes like Microsoft puts in a Word doc, like a smart left quote and right quote, don't take up well when stored in the database, maybe because of the database character set. Anyway the best option seems to be to loop through the database and convert them into regular quotes... or convert the value to the entity on the PHP output page... a function to start you off: http://shiflett.org/blog/2005/oct/convert-smart-quotes-with-php
  7. Thinking about it more, prepared statements seem like the better way to go? For example if an integer field can also accept NULL values, won't this screw up if using the sprintf method?

     $query = sprintf("UPDATE theDB.raceStats SET lapsRun=%d WHERE userid=%d", 'NULL', $id);
  8. Whoops, started a new topic on this thread. We don't really have other apps people would notice changes in for dates. Users notice this app since it's very visible on the intranet, the main calendar for the company. Well, it's Windows 2000, no update unless you pay for extended support. I think some company, Intellimon? I think it's called, has a free tool to upgrade win2000 to the DST changes, but the boss is unsure about applying it. The values were shifting 1 hr down from the time the user enters. Now the user noticed some that are 1 hr down. It's actually a timestamp field. MySQL just stores the timestamp text once it's in, right? It's not always dependent on a system value, right, like if the time changes on the system, it adjusts itself after the MySQL server is restarted?
  9. Once you enter a Timestamp, can it change depending on something on your server? I've had times shift 1 hour up and down, and the user seems to not be at fault. The change is not immediate, it occurs after the correct meeting time is inserted. The correct system time is set on the win2000 server (which, since it's old, has no Daylight Savings Time patch from Microsoft), although the user manually inserts this time, so it's not dependent on system time at all. I might run Intellimon's free win2000 DST patch next week to see if it helps, but again it should make no difference on manually inserting times into the database.
  10. Whoops, double posted (correction: triple posted, heh doh! I feel retarded. Wish there was a way to at least delete the last comment in a thread if it's yours.). Anyway here are my questions without code mixed in...
     1. For queries (SELECT, UPDATE, INSERT, DELETE)... is a prepared statement in PHP safer than, say, a normal query formatted with sprintf, which is what I have currently? What are the advantages/disadvantages to each if there are any? I have an example of each below in how I think I would use them based on examples I read (please correct me if I am wrong somewhere).
     2. Do I need to use my secure_query function (which is basically a shortcut for mysql_real_escape_string) when I do a prepared statement, or is a prepared statement already secure and takes care of this somehow internally so I don't need to?
     3. My $comments var can either have string data to insert, or if the variable is empty I want to put NULL in the database. So does sprintf's "%s" and the prepared statement's "s" (tells the functions to format/look for string data) realize that "'a comment'" or 'NULL', which I would possibly give those functions, are both strings and hence valid, or will they bug out at 'NULL' since once it's actually substituted into the query, it is NULL and hence not a string?
  11. Had a few questions (3 specifically) regarding sprintf versus prepared statements to protect a query from injection etc. For queries (SELECT, UPDATE, INSERT, DELETE)...
     1. Is a prepared statement in PHP safer than, say, a normal query formatted with sprintf, which is what I have currently? What are the advantages/disadvantages to each if there are any? I have an example of each below in how I think I would use them based on examples I read (please correct me if I am wrong somewhere).

     ##### sprintf example
     <?php
     function secure_query($var) // returns variable for database insertion
     {
         if (!is_numeric($var)) // string
             return "'" . mysql_real_escape_string($var) . "'"; // basically adds slashes to strings (heard this is better than addslashes() as it's custom to mysql's current char set)
         else
             return $var; // number
     }

     $query = sprintf(
         "UPDATE theDB.table SET Description=%s, Comments=%s WHERE id=%d",
         secure_query($description),
         (($comments != "") ? secure_query($comments) : 'NULL'),
         $id
     );
     ?>

     ##### prepared example
     I have never done a prepared statement in PHP, so I had a couple of questions here...
     2. Do I need to use my secure_query function (which is basically a shortcut for mysql_real_escape_string) when I do a prepared statement, or is a prepared statement already secure and takes care of this somehow internally so I don't need to?
     3. My $comments var can either have string data to insert, or if the variable is empty I want to put NULL in the database. So does sprintf's "%s" and the prepared statement's "s" (tells the functions to format/look for string data) realize that "'a comment'" or 'NULL', which I would possibly give those functions, are both strings and hence valid, or will they bug out at 'NULL' since once it's actually substituted into the query, it is NULL and hence not a string?

     <?php
     function secure_query($var) // returns variable for database insertion
     {
         if (!is_numeric($var)) // string
             return "'" . mysql_real_escape_string($var) . "'";
         else
             return $var; // number
     }

     if ($stmt = $mysqli->prepare("UPDATE theDB.table SET Description=?, Comments=? WHERE id=?")) {
         // bind_param binds all the placeholders in one call, by reference, so the values go into variables first
         $descriptionParam = secure_query($description);
         $commentsParam    = ($comments != "") ? secure_query($comments) : 'NULL';
         $stmt->bind_param("ssi", $descriptionParam, $commentsParam, $id);
         $stmt->execute();
         $stmt->close();
     }
     ?>
  12. Ummmm, CSS question really, but... make this <a class=float /> into <a class="float">. You didn't close the tags right.
  13. I feel pretty comfortable with the above code after reviewing it. I'll probably use that as my base form code if I ever need to start a form. The only thing I guess I have a question about from reviewing my own code is... For queries (SELECT, UPDATE, INSERT, DELETE)... is a prepared statement in PHP safer than, say, a normal query formatted with sprintf, which is what I have currently? Like, what would you use?

     <?php
     $query = sprintf(
         "UPDATE theDB.table SET Description=%s, Comments=%s WHERE id=%d",
         secure_query($description),
         (($comments != "") ? secure_query($comments) : 'NULL'),
         $id
     );
     ?>
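The question asked in posts 3, 7, 10, 11 and 13 (does a prepared statement still need escaping, and what becomes of the string 'NULL' on each path), worked through as an added example that is not code from the thread. It uses PDO against an in-memory SQLite database so it runs offline without a MySQL server; the members table, its columns and the attack string are constructed for the example. mysqli's bind_param treats a PHP null the same way PDO does here: it is sent as SQL NULL whatever the type character says.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// offline; the binding behaviour shown is the same with mysqli.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // constructed table and row
    $db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, description TEXT, comments TEXT, age INTEGER)");
    $db->exec("INSERT INTO members (id, description, comments, age) VALUES (1, 'old text', 'old comment', 30)");
    return $db;
}

function fetch_row(PDO $db, int $id): array
{
    $stmt = $db->prepare("SELECT description, comments, age FROM members WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The prepared-statement form of the thread's UPDATE. A blank form field becomes
// PHP null, and the driver sends that as SQL NULL for any column type. No
// mysql_real_escape_string anywhere: the values never touch the SQL text.
function update_member(PDO $db, int $id, string $description, string $comments, string $age): void
{
    $stmt = $db->prepare("UPDATE members SET description = ?, comments = ?, age = ? WHERE id = ?");
    $stmt->execute([
        $description,
        $comments === '' ? null : $comments,
        $age === '' ? null : (int) $age,
        $id,
    ]);
}

$db = make_db();

// 1. sprintf path: 'NULL' is a PHP string, not the SQL keyword. %d casts it to 0,
//    so a blank age is stored as 0 rather than NULL.
$query = sprintf("UPDATE members SET age=%d WHERE id=%d", 'NULL', 1);
$db->exec($query);
printf("sprintf query: %s\n  stored age: %s\n", $query, var_export(fetch_row($db, 1)['age'], true));

// 2. prepared path: bind null, read NULL back.
update_member($db, 1, "Bob's row", '', '');
$row = fetch_row($db, 1);
printf("prepared: comments=%s age=%s\n", var_export($row['comments'], true), var_export($row['age'], true));

// 3. The same attacker-controlled description through both paths. Concatenated,
//    the quote closes the literal and the rest rewrites the SET clause.
$attack = "x', comments='pwned' WHERE id=1; --";
$db->exec("UPDATE members SET description='" . $attack . "' WHERE id=1");
printf("concatenated: comments=%s\n", fetch_row($db, 1)['comments']);

//    Bound as a parameter, the whole string is stored as the description and
//    the comments column is simply set to NULL.
update_member($db, 1, $attack, '', '');
$row = fetch_row($db, 1);
printf("prepared: description=%s comments=%s\n", $row['description'], var_export($row['comments'], true));
```

The point for the thread's question 2 is that with a bound parameter the value never becomes part of the SQL text, so secure_query() has nothing to escape; applying it anyway would store the added slashes and quotes as data. For question 3, pass a real null, not the string 'NULL'.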
  14. Do the image thing now for new users/new posts. Also you can record their IP for the post if the system doesn't already, then when you find out which IP was posting the bad posts, put that IP for a week in a banned users table. Then on the 'new post' page, redirect to a 'Sorry, posting from this computer is not allowed because of spammers' page if it matches the IP stored in that table. If not, serve that webpage as usual.
  15. Try AJAX. Write it with JavaScript (prototype.js's AJAX class).

     // .html/.php side, of the form which will call the javascript function:
     <?php
     // .... in your current form
     echo '<input type="text" name="criteria" onchange="callAJAXfunction(this)" />'; // a text field: a hidden input never fires onchange
     ?>

     // some javascript file you included on the previous page
     <script type="text/javascript">
     function callAJAXfunction(theField)
     {
         var searchText = theField.value;
         if (searchText != "") { // user entered info
             var rand = Math.floor(Math.random() * 1000); // adds a random var to the url so it doesn't cache the page on repeat requests
             var url = "getInfo.php";
             var params = "searchText=" + encodeURIComponent(searchText) + "&random=" + rand; // encodeURIComponent, not escape(): escape() leaves + and & alone
             var myAjax = new Ajax.Request(url, {
                 method: 'post',
                 parameters: params,
                 onSuccess: getInfoSuccess,
                 onFailure: getInfoFailure
             });
         } else {
             alert('You didn\'t enter any info to search.');
         }
     }

     function getInfoSuccess(transport)
     {
         var responseXML = transport.responseXML; // xml echoed back by getInfo.php
         var nodes = responseXML.getElementsByTagName('idNumber');
         var idNumber = (nodes.length > 0) ? nodes[0].firstChild.nodeValue : ''; // get the xml node called '<idNumber>' if it exists (or I could loop through all ids of the products I am searching for, and create many textboxes dynamically and fill in their info, but I'm focusing on just 1 match right now / filling in 1 textbox)
         if (idNumber != '') {
             // $('id') shortcut in the prototype js lib for document.getElementById('id')
             $('idNumber').value = 'Found a product id that possibly matches your search: ' + idNumber;
         } else {
             alert('No matching products found.');
         }
     }

     function getInfoFailure(transport)
     {
         alert('Unsuccessful, Joe Smoe' + ' [Error ' + transport.status + ' -- ' + transport.statusText + ']');
     }
     </script>

     // finally getInfo.php, just make a normal php file that loops through the database for the search term
     <?php
     $searchTerm = isset($_POST['searchText']) ? $_POST['searchText'] : ''; // same parameter name the javascript sends
     // add your database connection code user/pass
     $query = "SELECT idNumber FROM xxx.yyy WHERE productName LIKE '%" . mysql_real_escape_string($searchTerm) . "%'"; // user input going into SQL, so escape it
     $result = mysql_query($query);
     $xml = '<rootNode>';
     while ($row = mysql_fetch_assoc($result)) {
         $xml .= '<idNumber>' . htmlspecialchars($row['idNumber']) . '</idNumber>'; // escape < > & so the XML stays well-formed
     }
     $xml .= '</rootNode>';
     header("Content-type: text/xml");
     echo $xml;
     ?>
     // your javascript AJAX 'success function' page will receive this xml when the request is done, and you can loop through it to populate your fields.
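A hardened version of post 15's getInfo.php, added here as an example and not taken from the thread: the search term is a bound parameter, the user's % and _ are escaped so they match literally instead of acting as wildcards, and the XML is built with DOMDocument so an id or product name containing < or & cannot break the document the JavaScript parses. It uses an in-memory SQLite database with constructed product rows so it runs offline; the productName/idNumber column names follow the post, and the ESCAPE '\' clause behaves the same on MySQL.

```php
<?php
// Added example, not the thread's getInfo.php. Hardened search endpoint:
// bound parameter, LIKE wildcards escaped, XML built by the DOM.
// In-memory SQLite so it runs offline; the SQL is MySQL-compatible.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE products (idNumber INTEGER PRIMARY KEY, productName TEXT)");
    // constructed sample rows: one literal "100%", one "1000", one with XML metacharacters
    $insert = $db->prepare("INSERT INTO products (idNumber, productName) VALUES (?, ?)");
    foreach ([[10, 'Widget 100%'], [11, 'Widget 1000'], [12, 'Gadget <deluxe> & co']] as $row) {
        $insert->execute($row);
    }
    return $db;
}

// Escape the LIKE metacharacters so a user's % or _ matches itself. The
// backslash is declared as the escape character in the query below.
function escape_like(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

// The term is data: it cannot end the string literal or add clauses.
function search_products(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT idNumber, productName FROM products WHERE productName LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . escape_like($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Build the response with the DOM so text and attribute values are escaped,
// instead of concatenating '<idNumber>' . $value . '</idNumber>'.
function to_xml(array $rows): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->createElement('rootNode');
    $doc->appendChild($root);
    foreach ($rows as $row) {
        $node = $doc->createElement('idNumber');
        $node->appendChild($doc->createTextNode((string) $row['idNumber']));
        $node->setAttribute('name', $row['productName']);
        $root->appendChild($node);
    }
    return $doc->saveXML();
}

$db = make_db();

// "100%" matches only the product whose name contains a literal 100%, not
// every name containing "100".
echo to_xml(search_products($db, '100%'));

// The usual injection payload is just an unusual search term here.
echo to_xml(search_products($db, "' OR 1=1 --"));

// A name with < > & comes back as well-formed XML.
echo to_xml(search_products($db, 'deluxe'));
```

In the real endpoint, read the term from the key the JavaScript sends ($_POST['searchText']), send header('Content-type: text/xml') and echo to_xml(search_products($db, $term)); the JavaScript side's getElementsByTagName('idNumber') works unchanged.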
  16. Google the PHPMailer class. I find it better to work with. The code is easy...

     <?php
     require("../phpmailer/class.phpmailer.php");
     $mail = new PHPMailer();
     $mail->IsSMTP(); // telling the class to use SMTP
     $mail->IsHTML(true);
     $mail->Host = "192.168.1.101"; // your SMTP server IP
     $mail->From = 'test@bleh.com';
     $mail->FromName = 'Joe Smie';
     $mail->Subject = "testtt";
     $mail->Body = "<h1>Hello</h1>";
     $mail->AltBody = "hello"; // for those without html-reading clients
     // if you need an attachment: $mail->AddAttachment($docPath); (it's a file path, so don't run htmlspecialchars on it)
     $mail->AddAddress('Joe@test.com');
     if (!$mail->Send()) {
         echo "Message was not sent";
         echo "Mailer Error: " . $mail->ErrorInfo;
     } else {
         // echo 'Sent Email to ' . $to . '<br/>';
         // echo 'at ' . date('g:i a, n-j-Y');
     }
     ?>
  17. <?php echo $Backgroundcolour; ?> maybe print the color, you just declared the variable? You can include the CSS in the .php, which is what I assume you are doing, or include .css files to be parsed by PHP on your web server (google it).
  18. Okay, so I incorporated what I think a basic edit/insert page should have based on feedback here and reading a few more threads/the PHP manual...
     1. If arriving at the page and needing to get database values... don't strip slashes from the values retrieved from the database. Right now it's a normal variable with no prepended slashes.
     2. If the form was POSTed, and magic quotes are on, clean out the slashes from the submitted (text) fields, as we need to do validation on the normal text.
     3. When processing the form (INSERTing/UPDATing), add slashes temporarily at this point, preferably with mysql_real_escape_string (or addslashes).
     4. When displaying the form, use htmlspecialchars on the normal un-slashed variable.
     And here is a 'basic' form incorporating all of that (well, not a simple hello world form). Hopefully I understood everything previously mentioned, as I tried absorbing everything I could from previous posters and other threads. But if I still don't get it right, let me know specifics again of how my logic went bad (sorry in advance if I goofed somewhere).

     <?php
     function secure_query($var) // returns variable for database insertion
     {
         // I heard mysql_real_escape_string is better than addslashes as it's more specific to the connection's current character set, so I use that
         if (!is_numeric($var)) // string
             return "'" . mysql_real_escape_string($var) . "'";
         else
             return $var; // number
     }

     function getValues()
     {
         global $submit, $description, $comments, $id; // getting all values I need for this function. simply set up global here. (usually I pass the values I need into the function though)

         // set up database connection on arrival to page
         $host = "localhost";
         $user = "test";
         $pass = "pass";
         $connection = mysql_connect($host, $user, $pass) or die("Unable to connect!");

         if (isset($submit)) { // posted form
             $id = isset($_POST['id']) ? (int) $_POST['id'] : NULL; // if edit page, will use $id later to UPDATE versus insert new, OR it might be a new entry, then I set the id later with mysql_insert_id()
             $description = get_magic_quotes_gpc() ? stripslashes(trim($_POST['Description'])) : trim($_POST['Description']); // start off with a clean variable without slashes added (as we are going to check and validate variables, so we need the strings without slashes for regex validation etc.)
             $comments = get_magic_quotes_gpc() ? stripslashes(trim($_POST['Comments'])) : trim($_POST['Comments']);
         } else { // just arrived at this page via a link to thisPage.php?id=### ('Edit this Entry' page) or thisPage.php (New Entry page)
             if (isset($_GET['id'])) { // get info from the database as it came from thisPage.php?id=###
                 $id = (int) $_GET['id']; // cast to int: this value goes straight into the query below
                 $query = "SELECT * FROM theDB.table WHERE id=" . $id;
                 $result = mysql_query($query);
                 if ($row = mysql_fetch_array($result)) {
                     $description = $row['Description']; // don't need to do anything here, comes out fine from the database
                     $comments = $row['Comments'];
                 }
             } else { // just arrived at this page via a link to thisPage.php, put default values in for the textfields
                 $description = 'ENTER TEXT HERE';
                 $comments = '';
             }
         }
     }

     function validateForm()
     {
         global $submit, $description, $comments;
         $errors = array();
         // data is all good for validation, no slashes added in at this point
         // pretend I do a regex here to see if the user is submitting annoying words I don't want
         if ($description != "") { // something written to the textfield so check for validation
             $arrayWords = array_map("trim", explode(",", "lol, rofl, dallas cowboys, nazis, asparagus, durian, the shredder, OMG, paris hilton"));
             foreach ($arrayWords as $word) {
                 if (preg_match("/" . preg_quote($word, "/") . "/i", $description)) { // if it finds this word in the textfield, don't process the form, and report an error (preg_quote so the word is matched literally)
                     $errors['wordNotAllowedInField'] = '<br/>Word not allowed: ' . $word;
                 }
             }
         }
         return $errors;
     }

     function processForm()
     { // pretend validation was good for all fields, then this function runs
         global $submit, $description, $comments, $id, $databaseResults;
         if ($submit == 'Update') {
             // At this point you want to 'addslashes' via addslashes() or even better mysql_real_escape_string()
             $query = sprintf(
                 "UPDATE theDB.table SET Description=%s, Comments=%s WHERE id=%d",
                 secure_query($description),
                 (($comments != "") ? secure_query($comments) : 'NULL'),
                 $id
             ); // hmmmm, for any of the queries (SELECT, UPDATE, INSERT)... is a prepared statement safer than a normal query formatted with sprintf?
             $result = mysql_query($query);
             if ($result) {
                 $databaseResults['update']['success'] = true;
             } else {
                 $databaseResults['update']['failed'] = true;
             }
         } else {
             $query = sprintf(
                 "INSERT INTO theDB.table (id, Description, Comments) VALUES (NULL, %s, %s)",
                 secure_query($description),
                 (($comments != "") ? secure_query($comments) : 'NULL')
             );
             $result = mysql_query($query);
             if ($result) {
                 $id = mysql_insert_id();
                 $databaseResults['insert']['success'] = true;
             } else {
                 $databaseResults['insert']['failed'] = true;
             }
         }
     }

     function showForm($error = array()) // errors from validateForm(), if any
     {
         global $submit, $description, $comments, $id, $databaseResults;
         // ... pretend a lot of html echo statements here
         if (count($error) > 0)
             echo '<div class="error">*** Please fix the highlighted errors below.</div>';
         if (isset($error['wordNotAllowedInField']))
             echo '<div class="error">* ' . $error['wordNotAllowedInField'] . '</div>';
         if (!empty($databaseResults['update']['success']))
             echo '<div class="success">Updated Successfully</div>';
         else if (!empty($databaseResults['update']['failed']))
             echo '<div class="error">Failed to Update.</div>';
         else if (!empty($databaseResults['insert']['success']))
             echo '<div class="success">Inserted New Field Successfully</div>';
         else if (!empty($databaseResults['insert']['failed']))
             echo '<div class="error">Failed to Insert New Field</div>';
         if (isset($id)) // hidden input which stores the id for UPDATE/editing
             echo '<input type="hidden" name="id" value="' . (int) $id . '" />';
         echo '<div><textarea name="Description">' . htmlspecialchars($description) . '</textarea></div>'; // should be without slashes at this point so don't need to use any stripslashes here, but need to do htmlspecialchars to make sure < > are escaped so they won't ruin my html. also good for making user-inserted javascript useless?
         echo '<div><textarea name="Comments">' . htmlspecialchars($comments) . '</textarea></div>';
         echo '<div><input type="submit" name="SubmitForm" value="' . (isset($id) ? 'Update' : 'Insert New') . '" /></div>'; // 'Update' is what processForm() checks for
     }

     function runForm()
     {
         global $submit;
         $submit = isset($_POST['SubmitForm']) ? $_POST['SubmitForm'] : NULL;
         getValues();
         if (isset($submit)) { // POSTed
             $formErrors = validateForm();
             if (count($formErrors) > 0) { // errors
                 showForm($formErrors); // display errors
             } else {
                 processForm(); // process form (Insert or Update)
                 showForm(); // display form (successfully inserted/updated message etc)
             }
         } else { // just arrived at the page via thisPage.php?id=### or thisPage.php
             showForm();
         }
     }

     runForm();
     ?>
  19. Sorry, ignore this post (accidentally pressed twice), look at the one above it. Would be nice if you could delete posts here.
  20. Sorry if I am not understanding... // 1st let me get to the meat of your update to the script...

     <?php
     if (isset($submit)) {
         // this way all data has slashes no matter what.
         foreach ($_POST as $key => $val) {
             $_POST[$key] = get_magic_quotes_gpc() ? $_POST['theTextfield'] : addslashes($_POST['theTextfield']); // I think you really meant here $_POST[$val] : addslashes($_POST[$val]), right?
         }
         // below should really be...
         $id = isset($_POST['id']) ? $_POST['id'] : NULL; // if edit page, will use the hidden form element of the id in the UPDATE query later
         $textfield = $_POST['theTextfield']; // anyway $textfield here uses the value with the slashes added that you updated in your for loop
     }
     ?>

     Now when you do showForm(), shouldn't you be concerned that the variable has the slashes added for you? Like if the user entered 'cool' in the textfield, on post it will add slashes no matter what's turned on, and the line echo '<div>' . htmlspecialchars($textfield) . '</div>'; would output <div>\'cool\'</div>. Again, really sorry if I am being retarded. I am really trying to understand what is best practice.
  21. So... basically you only use stripslashes if magic quotes was turned on and therefore it added slashes on submitting the form? Seems like then you would only use stripslashes on the form submission part of your script. Would the following be a good example of how to take on magic quotes in each part of a submission form (pretend it's a page where you can insert a new entry into the database or update an existing one)?

     $submit = isset($_POST['submitBtn']) ? $_POST['submitBtn'] : NULL;

     function getValues()
     {
         global $submit, $textfield, $id; // getting all values I need for this function. simply set up global
         if (isset($submit)) {
             $id = isset($_POST['id']) ? $_POST['id'] : NULL; // if edit page, will use $id later to UPDATE versus insert new
             $textfield = get_magic_quotes_gpc() ? stripslashes($_POST['theTextfield']) : $_POST['theTextfield'];
         } else {
             if (isset($_GET['id'])) { // get from the database as it came from thisPage.php?id=###
                 $id = $_GET['id'];
                 // ...database connection/query code left out
                 $textfield = $row['Description'];
             } else { // just arrived at the page, put default values
                 $textfield = 'ENTER TEXT HERE';
             }
         }
     }

     function processForm()
     { // pretend validation was good for all fields, then this function runs
         global $submit, $textfield, $id;
         if ($submit == 'Update') {
             // at this point the variables cleaned up in getValues should have no slashes, so have to use addslashes
             $query = "UPDATE table SET Description='" . addslashes($textfield) . "' WHERE id=" . (int) $id;
             // ..rest of database code left out
         } else {
             $query = "INSERT INTO table (id, Description) VALUES (NULL, '" . addslashes($textfield) . "')";
         }
     }

     function showForm()
     {
         global $submit, $textfield;
         // ... pretend a lot of html echo statements here
         echo '<div>' . htmlspecialchars($textfield) . '</div>'; // should be without slashes at this point so don't need to use any stripslashes here
         // ...
     }
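The rule posts 18, 20 and 21 converge on (undo magic-quote slashes on input only when they were actually added, keep the plain string through validation, and escape once at each output), as an added example that is not code from the thread. The POST body is constructed with addslashes to simulate what magic_quotes_gpc delivered; get_magic_quotes_gpc() was removed in PHP 8, so the call is guarded and the example runs on current PHP. No database is involved here; the SQL sink would be a bound parameter as in the prepared-statement examples.

```php
<?php
// Added example, not the thread's form code. Input is normalised once, kept as
// a plain string, and escaped at each sink (HTML here; SQL would get a bound
// parameter rather than addslashes).

// Strip the slashes magic_quotes_gpc added, only when it actually added them.
// get_magic_quotes_gpc() is gone in PHP 8, hence the function_exists guard; the
// @ silences the deprecation notice PHP 7.4 emits for it.
function undo_magic_quotes(array $data): array
{
    $on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $on ? strip_recursive($data) : $data;
}

// Recursive stripslashes: $_POST can hold nested arrays (name="tags[]").
function strip_recursive(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? strip_recursive($value) : stripslashes($value);
    }
    return $data;
}

// HTML sink. ENT_QUOTES encodes single quotes as well; before PHP 8.1 the
// default flags leave ' alone, which matters inside value='...' attributes.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed form input, as the user typed it.
$raw = "it's \"cool\" <b>";

// Constructed POST body, as magic_quotes_gpc would have delivered it.
$post_with_magic = [
    'Description' => addslashes($raw),
    'tags'        => [addslashes("O'Neil")],
];

// With magic quotes on, undo_magic_quotes($_POST) does exactly this; calling
// strip_recursive directly keeps the example identical on a PHP where it is off.
$clean = strip_recursive($post_with_magic);
var_dump($clean['Description'] === $raw, $clean['tags'][0] === "O'Neil");

// The artefact post 20 worries about: escaping for SQL before the HTML sink
// puts the backslashes on the page.
echo html(addslashes($clean['Description'])), "\n";

// Correct: the plain string, escaped for HTML only where it is written as HTML.
echo html($clean['Description']), "\n";

// Why the get_magic_quotes_gpc() check matters: stripping slashes that were
// never added destroys legitimate backslashes in the data.
echo stripslashes('C:\\temp\\file'), "\n";

// On a real request the normalisation is one line at the top of the script:
// $_POST = undo_magic_quotes($_POST);
```

The same plain string feeds validation (the regex in post 18 sees the real text), the database (as a bound parameter, or escaped with mysql_real_escape_string at the moment the query is built), and the page (through html()). Slashes never live in the variable between those points, which is what makes the stripslashes-on-output question disappear.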
  22. So you're probably getting the value via ... $someValue = $row['theField']; ... echo $someValue; // or echo htmlspecialchars($someValue); I dunno why 0 would output as anything else unless you're doing something funky to the number when echoing it.