Psycho

$summary = trim(str_replace('...', '.', $summary), '.') . '.'; Trims periods from beginning and end of string then adds a period to the end

Your query is failing or the function mysqli_stmt_execute() is not returning the result of the query $result = mysqli_stmt_execute($stmt); mysqli_stmt_execute() is not a valid PHP function according to the manual. Is that a custom function you created or using from a 3rd party class?

I already answered your first question in my first response under Tip#3. You have separate columns to indicate whether a record is a primary, secondary or tertiary. This is a poor structure. You only need columns for the category ID, the category Name and the parent ID. From that you can logically get the data for primary, secondary, tertiary or four, five, six, etc. levels deep. No need to create separate columns. id | name | parent 1 Cat One 0 <== 0 indicates a parent category 2 Cat Two 0 3 Cat Three 0 4 Cat 1-A 1 <== This is a secondary cat of Cat One 5 Cat 1-B 1 6 Cat 1-A-1 4 <== This is a tertiary category of Cat One - Cat 1-A I really am not interested in seeing all of your code it it is haphazard as what you originally posted. You can go ahead and post it, but if it is going to take me too long to clean it up just to try and make sense of it I may not be able to help further.

Impossible to really help you without knowing what the input values look like.

This is why we are not getting anywhere. You need to provide EXACTLY what you are seeing. But, I will *assume* from the above (since I have no other choice based on what you provided) that the problem is as mac_gyver says. You are not storing what you think you are for the password hash in your database. From the debug statement that I was gracious enough to provide it should be obvious. There is nothing after "DB Hash". So, you must be storing an empty value.

Sorry to be blunt, but your explanation are not very enlightening. But, your DB structure is still flawed. You're right that it should not have any impact on the current issue, but I almost bailed ont his thread because of the unnecessary work it entailed for me to replicate. If changes to another set of "chained" select lists are affecting another set it would have to be due to the logic you are applying in the code to determine what the lists should contain. Are you using multiple forms? If so, only the data from one form would be passed and that would cause the other set of select lists to think there was nothing selected. Or, the onchange event is not getting ALL of the selected values from all the set's of select lists. That is why I rebuilt the JavaScript to have a single onchange function instead of multiple. Did you create new ones for each set? Please say you didn't.

Or, it may even work to use a header() to redirect to the file.

You're welcome. But, the whole point of this exercise (for me) was for you to learn some simple debugging techniques. It's not hard, it just takes a little thought and a little bit of work. First understand the process. Then identify a certain point in the process that may not be working correctly. Add some debugging code to verify what the input data and the output data is from that process. From that you can determine if the problem is before or after that point. Then just move your debugging efforts forward/backward from that point and try again.

No, it does not. Did you even read my previous posts or look at the debug statements? It queries using ONLY the username and retrieves the hashed password from the database. Then it hashes the user input password from the POST data and compares to the value retrieved from the database. This is the proper way to perform this type of operation as it allows you to determine if the username is correct, but not the password so you can lock the user after X number of failed login attempts for security purposes I only modified the previous code to function in a more logical manner and added debugging code to help identify where the problem may be. Hashing the user supplied password and using that as part of the query does not let you know if the username would match an existing record or not when there are no results returned because of the password condition. That would require another query to find that out. being able to lock a record for multiple invalid login attempts is an industry standard practice that prevents a malicious user from brute-forcing a password. So, you should query for a record matching JUST the username first. If there is no match just state authentication failed and move on. If a record is returned THEN hash the user supplied password and compare to the result. If it matches, authenticate the user. If not, increment an invalid login attempts value. If more than n attempts then lock the user.

I see another problem (not related to the issue at hand). You are redefining $username using this: $username = mysqli_real_escape_string($conn, $username); So, if authentication passes you are storing THAT into the session data. $_SESSION['username'] = $username; You should only escape a value at the time that you need it. Anyway, try the following code that has been rewritten to resolve some minor issues and will provide debugging details to help identify the issue you are facing. <?php session_start(); $conn = mysqli_connect("Connection String"); $username = trim($_POST['username']); $usernameSQL = mysqli_real_escape_string($conn, $username); $password = $_POST['password']; $query = "SELECT userpassword, cmspassword, userid FROM users WHERE username='$usernameSQL'"; $result = mysqli_query($conn, $query); if(!$result) { //Query failed $debug = "Debug: Query failed.<br>Query: <br>Error" . mysqli_error(); $location = 'Location: ../login.php?e=User not found'; } elseif(!mysqli_num_rows($result)) // User not found. So, redirect to login_form again. { //User not found $debug = "Debug: User '{$username}' not found. Use this condition to implement a lock feature for multiple invalid login attempts"; $location = 'Location: ../login.php?e=Unable to verify credentials'; } else { //User was found $user = mysqli_fetch_array($result); $passwordHash = hash('sha256', $user['cmspassword']."$password"); if($passwordHash != $userData['userpassword']) // Incorrect password. So, redirect to login_form again. { $debug = "Debug: Password does not match. Submitted PW: {$password}, PW Hash: {$passwordHash}, DB Hash: {$userData['userpassword']}"; $location = 'Location: ../login.php?e=Unable to verify credentials'; } else { //Authentication successful. Redirect to home page. $debug = "Debug: Authentication passed"; $_SESSION['username'] = $username; $_SESSION['user'] = $user['userid']; $_SESSION['sp'] = $user['cmspassword']; $location = 'Location: ../index.php'; } } //Perform redirect $conn->close(); //Comment out the debug and uncomment the header once fixed echo $debug; //header($location); exit(); ?>

return true should let the form POST to the 'action' parameter. However, if the JS modified anything in the form, then that would potentially affect what was sent in the form data.

I didn't ask for that - I only stated we couldn't see it. As I stated, you should have ONE process to do hashing and reuse it wherever you need it. But as ginerjm has pointed out, this query will never return a result $username = $_POST['username']; $password = $_POST['password']; $conn = mysqli_connect("Connection String"); $username = mysqli_real_escape_string($conn, $username); $query="SELECT * FROM users WHERE username='$username' AND userpassword='$password'"; You are looking for a match on the username and the UNHASHED password sent by the user. Hash the password before you run this query. Then only provide a single failure scenario.

Yes, but your query is looking for a match based on the user name and the password (before you hash the password). You should NOT write the hashing process multiple times (e.g. one where it is stored and another where it is compared). Write ONE hashing process and call it from wherever you need it. That way you are guaranteed to be 100% consistent. But, even if that is failing, I don't see that it explains your original issue. But, since this has been brought up. I see that you have a couple of different error conditions. One if the user was not found and another if the password does not match. That is considered a security flaw. A malicious user can use that to determine a valid user ID. Then they can use that ID to then try to find a valid password. You should just hash the password first, then look for a record that matches BOTH the user ID and the hashed password. If none is found then simply state "Unable to validate credentials" or something similar.

I see no problem in separating the logic as you have. To help debug this issue. comment out the header() that perform the redirect and put an echo in. That way you can see exactly where the problem is. You can also add additional debugging information to verify the contents of any relevant variables. Once you verify one redirect, uncomment it to see where the process goes next. I don't see an obvious reason why there would be an infinite loop, so debugging is in order.

As I said, I created a mock database and tested the script to ensure it works. However, based upon your queries the database appears to be poorly constructed. I mocked the database to how I think you have it constructed and made the script work. You should fix your database.

Probably, but since I didn't write that code and don't know anything about the form or the actin page, I can't say that there is a good reason to do it that way or not.

OK, I'm pretty sure I found the issue. I had to construct some working pages using the code you provided above, and the problem is actually pretty simple. You are submitting the page via AJAX! In other words, the user is NOT clicking the submit button. You made the submit button an input field. Input buttons are only passed if they are clicked! I was able to verify this by just doing the simple debugging I proposed above. The return value that was alerted in the java script showed that the to_email was included in the POST data, but that was it. So, this line in the method is always returning false: if($_POST['to_submit']) { That's a poor implementation. I see it a lot, but checking to see if a submit button was clicked is not the best way to check if a form is posted. For a form with multiple input fields you can check the $_SERVER super global for the request method. But, in this case, the user in only submitting one field. So, you should just check that. This should resolve your problem class Users extends CI_Controller { public function forgot_pass() { if(!$_POST['to_email']) { //No email post value return 0; } $this->load->model('user'); $email = $_POST['to_email']; $email_addr = $this->user->get_email_address($email); if(empty($email_addr)) { //Email address not found return 0; } $password = $email_addr[0]['password']; $this->load->library('email'); $this->email->from('[email protected]', 'Your Name'); $this->email->to($email); $this->email->subject('Password'); $this->email->message($password); //Return true false based upon result of send() response echo ($this->email->send()) ? 1 : 0; } }

OK, so what IS in the POST data? I'm doing my best to help you, but I feel I have to spoon feed you everything. I am not very strong in AJAX, plus these types of problems can be difficult to debug since the data is crossing multiple technologies. I provided guidance above on how you should approach debugging an issue, but it seems as soon as you find a problem you throw up your hands in despair. So, let's take inventory of where we are at. You can now confirm that the PHP method is being executed. But, it is not receiving the data that it expects. So, the logical question (at least to me) is what data IS being sent? YOU can answer that by adding some more debugging code to that method. Change exit("No post value"); To $msg = "No post value<br>"; $msg .= "POST: <pre>" . print_r($_POST, 1) . "</pre>"; exit($msg); Now you will know what is being sent with the AJAX request. I think the problem is in how you are sending the form data data:$(from).serialize(), But, as I said, AJAX is not my strong suite.

Yes, the submit() method will submit a form. A simple Google search for "javascript submit" found that answer right off.

The process I provided is very flexible. I'm not sure where the confusion lies. You need to add logic to the top portion to determine what data will be displayed in any of the select lists (same as you have now for the first three). Then run the necessary query to get the data and call the function createOptions() just like I did for the other three lists.

That's not what I was saying at all. You are making this difficult to try and help you because there is some miscommunication here which I believe is due to the misuse of the wrong terminology. Also, I explained the process to try and debug the problem yourself, but I've not seen that you actually attempted that process in any meaningful way. I still haven't seen a single piece of code that ever instantiates the Users class or calls the forgot_pass() method. The fact that your alert was empty shows that the method is never getting called OR it is going into one of the conditions that has no output - because the method is poorly written. You could at least change your method so it would always have an output. class Users extends CI_Controller { public function forgot_pass() { if(!$_POST['to_submit']) { exit("No post value"); } $this->load->model('user'); $email = $_POST['to_email']; $email_addr = $this->user->get_email_address($email); if(empty($email_addr)) { exit("Email address not found"); } $password = $email_addr[0]['password']; $this->load->library('email'); $this->email->from('[email protected]', 'Your Name'); $this->email->to($email); $this->email->subject('Password'); $this->email->message($password); echo ($this->email->send()) ? 1 : 0; } } If you still do not see anything int he alert then you know the method is not being called - which is what I believe is happening.

If this is being sent as an email, then you need to format the email as HTML - otherwise it will be sent in plain text format and HTML code will be displayed instead of parsed as code.

OK, I created a mock database so I could test. If I understand your database schema correctly, this should work Although you should really consider changing the DB schema. <?php //Function to create HTML for options list function createOptions($optionList, $selectedValue) { $options = ''; foreach ($optionList as $option) { $selected = ($option['value']==$selectedValue) ? ' selected="selected"' : ''; $options .= "<option value='{$option['value']}'{$selected}>{$option['label']}</option>\n"; } return $options; } //Determine selected options passed on query string $primary_category = isset($_GET['primary_category']) ? intval($_GET['primary_category']) : false; $secondary_category = isset($_GET['secondary_category']) ? intval($_GET['secondary_category']) : false; $tertiary_category = isset($_GET['tertiary_category']) ? intval($_GET['tertiary_category']) : false; //Generate options for primary category $query = "SELECT DISTINCT category_id AS value, primary_category AS label FROM category_query ORDER BY primary_category"; $optionList = $dbo->query($query); $primary_category_options = createOptions($optionList, $primary_category); //Generate options for secondary category if($primary_category) { $query = "SELECT DISTINCT secondary_id AS value, secondary_category AS label FROM category_query WHERE category_id = $primary_category ORDER BY secondary_category"; $optionList = $dbo->query($query); $secondary_category_options = createOptions($optionList, $secondary_category); } //Generate options for tertiary category if($secondary_category) { $query = "SELECT DISTINCT tertiary_id AS value, tertiary_category AS label FROM category_query WHERE secondary_id = $secondary_category ORDER BY tertiary_category"; $optionList = $dbo->query($query); $tertiary_category_options = createOptions($optionList, $tertiary_category); } ?> <!doctype html public "-//w3c//dtd html 3.2//en"> <html> <head> <title>Demo of Three Multiple drop down list box from plus2net</title> <meta name="GENERATOR" content="Arachnophilia 4.0"> <meta name="FORMATTER" content="Arachnophilia 4.0"> <script language="JavaScript"> function getSelectValue(selectID) { var optionObj = document.getElementById(selectID); return optionObj.options[optionObj.selectedIndex].value; } function reload(form) { //Adding the unselected options should work fine var locationURL = 'dd3.php'; locationURL += '?primary_category=' + getSelectValue('primary_category'); locationURL += '&secondary_category=' + getSelectValue('secondary_category'); locationURL += '&tertiary_category=' + getSelectValue('tertiary_category'); //Perform the reload self.location = locationURL; } </script> </head> <body> <form method=post name=f1 action='dd3ck.php'> <select name='primary_category' id='primary_category' onchange="reload(this.form)"> <option value=''>Select one</option> <?php echo $primary_category_options; ?> </select> <select name='secondary_category' id='secondary_category' onchange="reload(this.form)"> <option value=''>Select one</option> <?php echo $secondary_category_options; ?> </select> <select name='tertiary_category' id='tertiary_category' onchange="reload(this.form)"> <option value=''>Select one</option> <?php echo $tertiary_category_options; ?> </select> <input type=submit value='Submit the form data'> </form> <br><br> <a href=dd3.php>Reset and Try again</a> <br><br> </body> </html>

Tip #1: Don't put your PHP code in-line with your HTML. It makes it difficult to maintain your code and is harder to debug. Put the PHP code at the top of the page, before you start the <HTML> tag, and create the dynamic data and store in variables. Then just echo the variables in the HTML code. Tip #2: Don't copy/paste code. If you need to do the same thing multiple times, create a function/process that takes the necessary parameters to produce the similar outputs. This applies to both your PHP and JavaScript code. When you try and copy/paste code it becomes easy to miss a simple mistake. Tip #3: Your database seems to have a flawed design. You don't need separate columns for primary, secondary & tertiary. Instead each category can have a parent ID. The primary IDs would use 0 for the parent. The secondary categories would use the ID of their associated primary category and the tertiary categories would use the associated ID of the secondary category. I didn't read through all of your code because, to be honest, it was very unorganized. So, I don't know what the problem is. But, here is a rewrite in a much more logical format. I didn't test as I don't have your database. So, I am sure there are some minor syntax errors to fix. But, the logic is sound. <?php mysql_connect('localhost', 'root', ''); mysql_select_db('tab_test'); //Functions to create HTML for options list function createOptions($optionList, $selectedValue) { $options = ''; foreach ($optionList as $option) { $selected = ($option['value']==$selectedValue) ? ' selected="selected"' : ''; $options .= "<option value='{$option['value']}'{$selected}>{$option['label']}</option>\n" } return $options; } //Determine selected options passed on query string $primary_category = isset($_GET['primary_category']) ? intval($_GET['primary_category']) : false; $secondary_category = isset($_GET['secondary_category']) ? intval($_GET['secondary_category']) : false; $tertiary_category = isset($_GET['tertiary_category']) ? intval($_GET['tertiary_category']) : false; //Generate options for primary category $query = "SELECT DISTINCT category_id AS value, primary_category AS label FROM category_query ORDER BY primary_category"; $optionList = $dbo->query($query); $primary_category_options = createOptions($optionList, $primary_category); //Generate options for secondary category if($primary_category) { $query = "SELECT DISTINCT secondary_id AS value, secondary_category AS label FROM category_query WHERE category_id = $primary_category ORDER BY secondary_category"; $optionList = $dbo->query($query); $secondary_category_options = createOptions($optionList, $secondary_category); } //Generate options for tertiary category if($secondary_category) { $query = "SELECT DISTINCT tertiary_catergory AS value, tertiary_id AS label FROM category_query WHERE secondary_id = $secondary_category ORDER BY tertiary_catergory"; $optionList = $dbo->query($query); $tertiary_category_options = createOptions($optionList, $tertiary_category); } ?> <!doctype html public "-//w3c//dtd html 3.2//en"> <html> <head> <title>Demo of Three Multiple drop down list box from plus2net</title> <meta name="GENERATOR" content="Arachnophilia 4.0"> <meta name="FORMATTER" content="Arachnophilia 4.0"> <script language="JavaScript"> function getSelectValue(selectID) { var optionObj = document.getElementById(selectID); return optionObj.options[optionObj.selectedIndex].value; } function reload(form) { //Adding the unselected options should work fine var locationURL = 'dd3.php?'; locationURL += 'primary_category=' + getSelectValue('primary_category'); locationURL += 'secondary_category=' + getSelectValue('secondary_category'); locationURL += 'tertiary_category=' + getSelectValue('tertiary_category'); //Perform the reload self.location = locationURL; } </script> </head> <body> <form method=post name=f1 action='dd3ck.php'> <select name='primary_category' id='primary_category' onchange="reload(this.form)"> <option value=''>Select one</option> <?php echo $primary_category_options; ?> </select> <select name='secondary_category' id='secondary_category' onchange=\"reload(this.form)\"> <option value=''>Select one</option> <?php echo $secondary_category_options; ?> </select> <select name='tertiary_category' id='tertiary_category' onchange=\"reload(this.form)\"> <option value=''>Select one</option> <?php echo $tertiary_category_options; ?> </select> <input type=submit value='Submit the form data'> </form> <br><br> <a href=dd3.php>Reset and Try again</a> <br><br> </body> </html>

It sounds as if that where $message is ultimately output the application may be using htmlentities() or htmlspecialchars(). Those functions are used to ensure content cannot be interpreted as HTML code. The reason is a user could potentially enter content into a forum post, for example, that would be interpreted as HTML. So, a user could do something potentially benign such as wrapping their name in bold tags. Or worse, they could put in HTML code that totally screws up the site layout. Or worst, they could put in JavaScript code creating a Cross site scripting vulnerability. You should never trust any data that was entered by a user. It should always be escaped/cleansed based upon the context of how it is being used (Using in a DB query, outputting to HTML page, etc.). So, my guess is that Wordpress is automatically doing this where $message is used. If so, you would have to find where $message is actually output to the page and change the code to not escape the content. However, that would create a potential problem if a user entered HTML code into their username. So, you would need to implement one of those functions on the original value of $user_login where you are defining $message