Psycho

"How" are you referencing the file in the download script - i.e. the path? Are you referencing the file using an http:// path or via the file system. If you are using a relative path via the file system, I can't think of why the htaccess file would have any reason to stop your script from reading the file. You should definitely not be referencing the file via http. But, as I stated above, you don't need to do any of this. Simply put the file in a folder that is not publicly accessible - i.e. outside of the root of your website. Then, there isn't any URL path that could ever point directly to the file and the only way to get the file would be through your download script. No entries in the htaccess file would be needed at all. So, if your website is in a folder with the name htdocs, put the downloads in a folder that is at the same level or above that folder. E.g.: | | - htdocs | | - about | | - contact | | - home | | - . . . etc. | | - Downloads //Not publicly accesible

I'm not really understanding you. What do you mean " to go to download page if accessed through your site". Are you saying if the user types in the URL that points directly to the file you want them to be redirected to the PHP page that does the download? If so, there's a much easier solution. Move the file outside of the public folders. Then the only way people can get the file is through the download script - there won't even be a url to access the file at all.

The link you provided brings up a "server not found" error. But, looking at the code, a few things jump out at me. The index page seems incomplete - e.g. html tags are missing, no opening body tag, a javascript is outside the head tags, etc. So, assuming the index page is complete, the javascript is loading data into a div from the data.php page. But, the data.php page has HTML elements that already exist int he main page (e.g. HTML and HEAD tags. Several javascript includes as well as a function. That doesn't make sense to me. I'm sure your problem is with that. The JavaScript in the index page should not be getting new dynamic javascript to be run.

LOL, you selected your response as the best answer?

function alter_page($page_data, $page_id) { array_walk($page_data, 'array_sanitize'); $setParamsAry = array(); foreach($page_data as $field => $value) { $setParamsAry[] = "`{$field}` = '{$value}'"; } $setParamsStr = implode(', ', $setParamsAry); $query = "UPDATE `paginas` SET {$setParamsStr} WHERE `id`= $page_id"; mysql_query($query)or die(mysql_error()); }

To expand on Barand's response. If you are ONLY using the value of a variable, then don't put it in quotes at all - as he stated. However, there are times that you want to concatenate the value of a variable with other string elements. In those case you can put the variable in a double quoted string. PHP has several ways of dealing with quoted text and in some variables are interpreted. In others the variable is treated as a string. Of course, you don't have the include the variable in the string at all and just concatenate the variable to the other string elements using the period. Read this: http://php.net/manual/en/language.types.string.php

And, what do you mean - exactly - that you cannot submit. Are you saying you are clicking the submit button and nothing happens. Or that you click it and it submits - but you don't see the results you expect. We are working in the blind and depend upon you to provide all the information necessary to help you.

Where is this data coming from? This would be a much simpler problem if the data in the array was structured differently. So, if you have the ability to restructure the data - that would be the better solution. But, with what you have, this would work <?php $records = array( '0' => '1159, 2013-09-03', '1' => '1157, 2013-09-03', '2' => '1257, 2013-09-03', '3' => '1257, 2013-09-13', '4' => '1340, 2013-09-04', '5' => '1335, 2013-09-03', '6' => '1340, 2013-09-13', '7' => '1410, 2013-09-03', '8' => '1340, 2013-09-18' ); $final = array(); foreach($records as $record) { list($catalogID, $date) = explode(', ', $record); //Check if a record exists for this catalog ID if(isset($final[$catalogID])) { //Check if this date is earlier if($date < $final[$catalogID]) { //This date is earlier - change it $final[$catalogID] = $date; } } else { //Record hasn't exist yet - add it with this date $final[$catalogID] = $date; } } echo "<pre>" . print_r($final, 1) . "</pre>"; ?> Output: Array ( [1159] => 2013-09-03 [1157] => 2013-09-03 [1257] => 2013-09-03 [1340] => 2013-09-04 [1335] => 2013-09-03 [1410] => 2013-09-03 )

A couple things: 1. No need to put your hard coded textarea tags int he echo 2. As mac_gyver and mentalist stated above, you should use htmlentities instead of trying to figure out the conversions yourself. <?php $edit_content_de = "<textarea>Text</textarea>asd"; ?> <p><textarea name="content" id="codeTextarea" style="width:90%; height:500px;"><?php echo htmlentities($edit_content_de); ?></textarea></p>

Just store the results in a session variable. When the code is run, check if the POST data was sent. If so, save it to the session variable. Then check if the GET request was sent. If so, check the session data for the matching value. Here is a "possible" solution - not tested so there may be some changes needed. <?php /* * * Use the examples below to add your own servers * */ session_start(); if(isset($_POST['kunde'])) { $kunde = trim($_POST["kunde"]); $ip = trim($_POST["ip"]); $port = trim($_POST["port"]); $note = trim($_POST["note"]); //Should add some validation of the data here //Add entry to session array $_SESSION['servers'][$kunde] = array( 'ip' => $ip, 'port' => $port, 'note' => $note ); } if (isset($_GET['host'])) { $host = $_GET['host']; if (isset($_SESSION['servers'][$host])) { header('Content-Type: application/json'); $return = array( 'status' => test($_SESSION['servers'][$host]) ); echo json_encode($return); exit; } else { header("HTTP/1.1 404 Not Found"); } } $names = array(); foreach ($_SESSION['servers'] as $name => $info) { $names[$name] = md5($name); } ?>

If I understand your problem as it is poorly worded. You are stating that if you use the variable $ip in defining the 'ip' element in the array it is not getting set as you expect. but, if you use $_POST["ip"] (which is what was used to define $ip) it is getting set as you expect. There is no reason that should not work the same. So, I have to assume there is more to the code than you are showing.

Ch0cu3r, good catch. I assumed the issue was with the query failing and $result was FALSE - but the mysql_affected_rows() take an optiona parameter of the mysql link resource - not the result source.

It means your query is failing. You need to check for errors.

Probably not long. The fact that you have not provided any code makes me think that the strength of the encryption is dependent upon the method of encryption being unknown to the attacker. That is not how a good encryption process should work - obfuscation is not security. There are plenty of current encryption methods that are currently, for all intents and purposes, uncrackable.

I'm guessing it is your hash is not matching. Since I don't know how you are originally creating the hash I can't tell you if you are doing it right in the comparison logic. But, this is debugging 101 - you need to verify what is and is not working as you expect. Add some echo's to the page to see what is going on. If the hashes do not match you need to show the code you use to create the original hash that is set in the DB. You SHOULD create a function to create your hash and call that function both when you create the initial hash and when you create the hash during login for comparison. Right now you are coding the process independently for both processes (bad idea). By having a single function you are guaranteed to get the same results no matter where you call it. <?php include("config/connect.php"); if(isset($_POST['username']) && isset($_POST['password'])) { $username = mysqli_real_escape_string($dbc, trim($_POST['username'])); $password = $_POST['password']; echo "Debug: username and password were sent<br>\n"; echo " - Post username '{$_POST['username']}'<br>\n"; echo " - Escaped username: {$username}<br>\n"; echo " - Post password: {$password}<br><br>\n"; $query = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'"; $result = mysqli_query($dbc,$query); echo "Debug: SELECT Query {$query}<br><br>\n"; if(!mysqli_num_rows($result))//user not found redirect to home page { echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>'; echo 'your username was not found.Please sign up <br/>'; echo '<a href="index.php">Back to Sign up <br/> </a>'; //header('Location: index.php'); exit(); } $userdata = mysqli_fetch_array($result, MYSQL_ASSOC); $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password)); echo "Debug: Passowrd hash created:<br>\n"; echo " - DB salt: {$userdata['salt']}<br>\n"; echo " - db Password Hash: {$userdata['password']}<br>\n"; echo " - Created Password Hash: {$hash}<br><br>\n"; if($hash != $userdata['password'])// incorect password.redirect to login form again { echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>'; echo 'password is incorrect <br/>'; echo '<a href="index.php">Back to Sign up <br/> </a>'; //header('Location: index.php'); exit(); } echo 'you are logged in'; //header('Location: index.php'); } ?>

You should never have different error messages about whether the username or password is wrong. You should only provide a generic error message that you are unable to verify the credentials. By telling the user that their username is or is not found provides a malicious user information to try to gain entry. But, as requinix was saying you are doing the same thing for every condition. The echo's you have before the header() redirects are pointless. The output will never get displayed. Output is sent to the browser once the script completes. The redirect will prevent that from happening and will take precedence. So, all three conditions are currently redirecting to index.php. Also, the first redirect incorrectly uses "locations" <?php include("config/connect.php"); if(isset($_POST['username']) && isset($_POST['password'])) { $username = mysqli_real_escape_string($dbc, trim($_POST['username'])); $password = $_POST['password']; $query = "SELECT `password`, `salt` FROM `users` WHERE `username`='$username'"; $result = mysqli_query($dbc,$query); if(!mysqli_num_rows($result))//user not found redirect to home page { echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>'; echo 'your username was not found.Please sign up <br/>'; echo '<a href="index.php">Back to Sign up <br/> </a>'; //header('Location: index.php'); exit(); } $userdata = mysqli_fetch_array($result, MYSQL_ASSOC); $hash = hash('sha256', $userdata['salt'] . hash('sha256', $password)); if($hash != $userdata['password'])// incorect password.redirect to login form again { echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>'; echo 'password is incorrect <br/>'; echo '<a href="index.php">Back to Sign up <br/> </a>'; //header('Location: index.php'); exit(); } echo 'you are logged in'; //header('Location: index.php'); } ?>

If each line is to be duplicated, just create the line one as a variable and output it twice. <?php $contadorHTML = ''; //Variable to hold the total output $contadorMax = 9; //Max value of records $contadorStep = 3; //Max value for each step, i.e. row for($contador=1; $contador<=$contadorMax; $contador+=$contadorStep) { //Create the output for a single step (row) $contadorLine = ''; for($step=0; $step<$contadorStep; $step++) { $value = $contador + $step; $contadorLine .= "<td>{$value}</td>\n"; } $contadorLine .= "<tr>\n"; //Add the content for the line to the output twice $contadorHTML .= $contadorLine . $contadorLine; } ?> <table width="100%" border="1" cellspacing="0" cellpadding="0"> <?php echo $contadorHTML; ?> </table>

I would assume you also have a users table, correct? SELECT * FROM users WHERE userid NOT IN ( SELECT userid FROM posts WHERE postuserid = $loggedInUserID ) EDIT: Moving to MySQL forum

Hiding/securing the salt is unnecessary. The explanation of why would take a lot of content - but there's plenty of resources on this. The main thing is to ensure that the salt is unique to each user and that it will not change (e.g. don't use IP address unless you are using the original IP of the user and that it will never get updated in the DB).

I agree with vinny42, that if you need to secure the data between the form and the server. Trying to do it with JavaScript creates complexity that could cause breakages in your application. Plus, what if the user has JS turned off. But, as for storing the password, you should NOT do a strait hash. If a malicious user gets the data they can create a "rainbow" table of common words and their hash to find matches. Instead, every password should have a "salt" a unique string for each user that is added to the password before it is hashed. Or, just use an existing hashing framework such as phpass (http://www.openwall.com/phpass/). This is an open source framework. So, many people have reviewed this code for potential flaws giving a higher level of confidence in the overall security of the process than you could do in a custom-built solution.

Email issues can be very difficult to debug. In addition to making sure all the proper headers are included, one possible issue is the domain of the from address and the sending email server. You are apparently sending the email through GoDaddy. But, is the GoDaddy server the authoritative email server for the domain used in the From address? For example, if you send the emails using "me@mydomain.com", the DNS records for that domain should specify what SMTP server is used for that domain. If that SMTP is not the GoDaddy SMTP server this could cause problems for some recipients. Some email server, upon receiving an email from an outside source will do a sort of reverse lookup to see if the domain used for the sender is valid for the SMTP server that sent the email. If not, the email may be dropped completely. No response to the intended recipient and no bounce-back to the originating email server or From addressee.

Do you already have a form for creating new users? You should use the same form, but modify it to populate the input fields with the data you retrieved from the database. Here is one possible workflow. Upon retrieving the user information from the database, put the array of data into an array (say $user, for example) and then call the form. The form could have logic such as this //define default values to populate form $fname = ''; $lname = ''; $phone = ''; //If user defined replace default values with user values if(isset($user)) { $fname = $user['fname']; $lname = $user['lname']; $phone = $user['phone']; } //Then use the variables for populating the form input fields echo "First Name: <input type=\"text\" name=\"fname\" value=\"{$fname}\" ><br>\n"; echo "Last Name: <input type=\"text\" name=\"fname\" value=\"{$lname}\" ><br>\n"; echo "Phone: <input type=\"text\" name=\"fname\" value=\"{$phone}\" ><br>\n";

Are the instances of 'sun' that you don't want replaces ALWAYS within italic tags or are there other tags that should cause the replacements to be ignored? Also, your current regex would only replace lower-case instances. You can create it so it will match any case of the word and replace it with a matching case.

I agree with you that suppressing the error is a poor solution in this case. But, your advice is wrong. If the query succeeded and there were no results, then calling mysl_fetch_assoc() will simply return false - it would not produce an error. So, checking mysql_num_rows() would not apply in this scenario. The ONLY reason that mysl_fetch_assoc() is if the parameter (the result resource) is not a valid result resource. In 99% of cases this is because the query failed. But, in 100% of cases, if you used that same invalid parameter in a mysql_num_rows() call you would get the same error. So, your suggestion would cause the same error to occur, it would just happen on the mysql_num_rows() call rather than the mysl_fetch_assoc() call! You need to check if the query failed. //Ensure all values are integers and remove 0 values $prodIDs = array_filter(array_map('intval', $_SESSION['cart'])); //Create comma separated list $prodIDList = implode(', ', $prodIDs); $sql = "SELECT * FROM products WHERE id_products IN ($prodIDList) ORDER BY id_products ASC"; $result = mysql_query($sql); if(!$result) { //Query failed echo "Query: $sql<br>Error: " . mysql_error(); } elseif(mysql_num_rows($result)) { //Empty result set echo "No records found"; } else { //There were results while($row=mysql_fetch_assoc($query)) { //Output the data } }

OK, so by "someone converted this to html" you mean YOU converted it to HTML. I'm still confused, if it was working as a PHP file, why did you feel the need to change it? But, the bigger issue is you can't simply convert that file to HTML. It has programming in it. You can't connect to a database, and execute logic in an HTML file. The page is meant to be dynamic. however, if you just want a single HTML "snapshot" of the page, then run the file normally as a PHP page, then save the page in your browser as HTML. But, that page will be static, i.e. it will never change based upon data in the database for example.