Psycho

** Moving to JS Forum **

Steve started this thread in 2011 and it went unanswered (which I thought was surprising). Markla posted here just recently as he/she was looking for a similar solution. Steve has posted in these forums as late as a couple months ago. But, I would guess he's still not looking for a solution to this. Well, if he is, he is certainly persistent.

if (!get_magic_quotes_gpc()) { $apt = addslashes($apt); $price = doubleval($price); $bedroom = addslashes($bedroom); $movein = addslashes($movein); } You should instead check of magic quotes are on and, if so, remove the slashes. THEN, use the appropriate methods to escape the data based upon the intended usage. In this case, you shoudl be using mysql_real_escape string(). However, you are also using doubleval() to enforce one of the values to be a float - which is appropriate - but you are ONLY doing that if magic quotes are off. So, if magic quotes are on you don't do anything with the value??? Lastly, you are performing those operations on what are assumed to be single input fields since none of those functions will work like that against an array (some may not generate an error, but they would definitely produce unintended results). But, in your query you are trying to reference array values from those variables mysql_query("UPDATE available SET apt='$apt[$i2]', price='$price[$i2]', bedroom='$bedroom[$i2]', movein='$movein[i2]' WHERE prim='$prim_id[$i2]'"); So, not sure how to help you without knowing if the inputs really are arrays or single fields. Either you are receiving non-array values and the variables in the query are wrong OR you are receiving array values and processing them incorrectly.

And, your question is??? I see definite 'problems' with that code, but you could at least provide a description of the problems you are having and any error message you are receiving instead of expecting us to read your code and magically know what you expect to happen and what the problem is.

Maybe not the most efficient, but this works This will return just the store IDs that do not carry all the parts SELECT s.store_id FROM store AS s JOIN parts AS p LEFT JOIN `stocks` AS st ON s.store_id = st.store_id AND p.part_id = st.part_id WHERE st.store_id IS NULL GROUP BY s.store_id Or, if you want to include the list of parts each store does not carry, then include the part_id in the SELECT clause and remove the GROUP BY. SELECT s.store_id, p.part_id FROM store AS s JOIN parts AS p LEFT JOIN `stocks` AS st ON s.store_id = st.store_id AND p.part_id = st.part_id WHERE st.store_id IS NULL -- GROUP BY s.store_id

I would suggest doing all your validations first - then hash the password just before you insert/compare it to the database. IMHO, it is always best to leave data in its "original" state and only transform/modify it at the point where it needs to be done. So, for data being submitted to be inserted into the database, I would not use mysql_real_escape_string() until just before it is used in a query. One example of why this makes sense is if there is a length check for the input. mysql_real_escape_string() (or any other escaping method) will introduce additional characters that would potentially create invalid length checks. The only general exception I have to this rule is with using trim(). I consider it a best practice to trim() all user input before doing any validation/escaping of data - except where there is a legitimate reason to maintain the leading/trailing white-space characters.

You should NOT try and make passwords sticky. As for making a select list sticky, you need to set the OPTION as selected. I prefer to use a list or array for creating my select lists to make this simple. $genders = array('Man', 'Woman'); echo "<select name='regender'>\n"; foreach($genders as $gender) { $selected = (isset($_POST['regender']) && $_POST['regender']==$gender) ? ' selected="selected"' : ''; echo "<option{$selected}>{$gender}</option>\n"; } echo "</select>\n";

The solution is very, very simple. DO NOT MAKE PASSWORDS STICKY! There is not one legitimate site, application, whatever that makes passwords sticky when there are errors. EDIT: All those functions you are running in the function protectx() are unnecessary and actually reduce security. You ONLY need to create a hash of the password. You do not need/want to be removing slashes, mysql_real_escape_string(), etc. etc.

Yeah, I'm a terrible person that doesn't want to help people. Of course, that would be overlooking the fact that I did post a solution in this thread earlier and, of course, that would be overlooking the 9,000+ posts I have made in this forum over the years. Whereas, you were given a solution but were too lazy to implement it or try it yourself to see what it would look like.

Yeah, I noticed that. But still, this is a "help" forum, not a "do it for me" forum.

So, you have data and you have the code Barand supplied, yet you want HIM to put it together and provide a screen capture of the results? Why don't you ask him to come over and rub your feet while he's at it.

I've written it out a little more explicit - with some comments //Trim the values $hoodAry = array_map('trim', $_POST['hoodselect'])); //Remove empty values $hoodAry = array_filter($hoodAry); //Prepare for DB query $hoodAry = array_map('mysql_real_escape_string', $hoodAry); //Implode into comma separated list (with quotes) $hoodList = "'" . implode("', '", $hoodAry) . "'"; $query = "SELECT * FROM available LEFT JOIN land ON available.building = land.building WHERE location IN ($hoodList)";

You set $N to the count of the array and then do an empty() check on the array? Then you use a for() loop to iterate through the array instead of a foreach() loop? You don't state what type of values would be in the array - which is important since you want to use the values in a query. Also, since these are checkboxes I assume you are getting the data from a $_POST variable (the checkboxes should be named as an array) //If hood will contain integer values $hoodAry = array_filter(array_map('intval', $_POST['checkboxListName'])); $hoodList = implode(', ', $hoodAry); //If hood will contain string values $hoodAry = array_filter(array_map('mysql_real_escape_string', $_POST['checkboxListName'])); $hoodList = "'" . implode("', '", $hoodAry) . "'"; $query = "SELECT * FROM available LEFT JOIN land ON available.building = land.building WHERE location IN ($hoodList)";

Really? I could write code to dynamically create an image with the same data in about 30 min. And, you work hard on something that you don't want to share, but expect US to take time out of our lives to help you for free. Interesting.

Huh? Did you meant to say you create r columns (or fields) for slot1_name - slot5_name? Otherwise it doesn't make sense. Based upon your query I am guessing you have one record in the table per player and each record has 5 static fields for those slots. Also, not sure what you meant about 5 if() statements since you should be doing the check in your query. Your current structure (If I understand it correctly) cannot be easily modified. So, only use it if you plan on never changing the number of slots. Otherwise I have a different solution below. but, with your current structure you can see if a play has any empty slots using a single query: SELECT * FROM fw_barn WHERE slot1_name = "" OR slot2_name = "" OR slot3_name = "" OR slot4_name = "" OR slot5_name = "" But, even with that you then have to figure out which field is empty when you update the records. A better way to handle this - especially if you ever want to change the number of slots, is to create the table so each record represents ONE slot associated with a player. So, each player can have up to five records in the table. You can then query the table to see how many records (slots) a user has. If less than 5 you know there is a slot available and you can just add the record - no need to see where the record will be added. Also, when a player removes an item you just delete that record to make the 'slot' available.

Hmm . . . I went ahead and coded around the missing 'http' problem (guess I need to update my PHP install) and I wrote a short script that seems to work the same as that linked script with far fewer lines of code. Not guranteeing it 100% but it worked for all the sample values of the OP and additional testng I did: <?php function returnDomainName($url) { //If does not begin with http, add it if(strtolower(substr($url, 0, 4)) != 'http') { $url = 'http://' . $url; } //Attempt to get components $components = parse_url($url); //If failed, return false if(!$components) { return false; } //Detemine how many parts are needed based on .uk at the end $partCount = (strtolower(strrchr($components['host'], '.')) != '.uk') ? 2 : 3; //Explode based on dots $partsAry = explode('.', $components['host']); //Implode the last $partCount parts back with a dot $domain = implode('.', array_slice($partsAry, -1*$partCount)); return $domain; } //Array of test values $urlList = array( 'google.com', 'www.google.com', 'https://google.com', 'http://www.google.cds', 'http://www.google.co.uk', 'http://www.google.co.uk/blah/blah/blah', 'http://sub1.sub2.google.co.uk:443', 'http://subdomain.google.com/blah/blah/blah', 'http://www.google.com?rg=value#anchor' ); //Test loop foreach($urlList as $url) { echo "URL: $url<br>"; echo "Domain: " . returnDomainName($url); echo "<br><br>"; } ?> Output URL: google.com Domain: google.com URL: www.google.com Domain: google.com URL: https://google.com Domain: google.com URL: http://www.google.cds Domain: google.cds URL: http://www.google.co.uk Domain: google.co.uk URL: http://www.google.co.uk/blah/blah/blah Domain: google.co.uk URL: http://sub1.sub2.google.co.uk:443 Domain: google.co.uk URL: http://subdomain.google.com/blah/blah/blah Domain: google.com URL: http://www.google.com?rg=value#anchor Domain: google.com

Yeah, I was just writing some code for that when I realized there is a bigger problem. The 'host' index for parse_url() returns the entire host name. A host name can have multiple subdomains and at least in some instances a host name can have multiple TLDs such as .co.uk. So a URL of 'http://sub1.sub2.google.co.uk' would return 'sub1.sub2.google.co.uk'. How would you programatically know which of those are subdomains? I don'k know if the .uk is the only one that allows for a "sub" TLD, but if so you could code a special case for that and have logic such as: If does not end in UK: - Return everything after second to last dot (if there are at least 2), else return entire string If does end in UK: - Return everything after third to last dot (if there are at least 3), else return entire string

That fails on his first two examples.

OK, using the same table structure as the original poster, this appears to work. But, not sure if it is the most efficient. SELECT * FROM (SELECT homeTeam.team_name as home_team, homeGames.all_games_id, home_goals, homeGames.date, homeGames.time FROM teams AS homeTeam LEFT JOIN all_games AS homeGames ON homeTeam.team_id = homeGames.home_team) AS home LEFT JOIN (SELECT awayTeam.team_name as away_team, awayGames.all_games_id, awayGames.away_goals FROM teams AS awayTeam LEFT JOIN all_games AS awayGames ON awayTeam.team_id = awayGames.away_team) AS away ON home.all_games_id = away.all_games_id ORDER BY home_team ASC, away_team ASC

@Barand, The poster was looking for a matrix where every team is listed down the left to represent where they are the home team, and every team is listed across the top to represent where they are the away team. Then the value of each cell is the score of that particular matchup. I don't think your solution really get that - at least not with additional work. I'm trying to solve this, but I'm sure you'll come up with something before me. I'm guessing one option is to have two subqueries. One with all teams listed joing out to the games/results tables and retireve the score for the home team in the matchups. Then do another subquery for every team to get the data where they are away. Then JOIN those two subqueries together based on game_id. At least that's my first thought.

So, I would assume he had a script to add records that should be secured in some manner and wasn't. Seems like it was probably a good thing that he did that. Will teach a lesson to always secure pages appropriately.

I was thinking the same thing.

On an unrelated note, there is a flaw in your logic. You have a loop that iterates over a query and in each iteration of the loop you are referencing specific POST variables based upon the index of $a. So, you are "assuming" that the item $_POST['qty0'] is necessarily associated with the first record in your query. This is a very poor way to associate data. Never assume that the order of items will be the same or that the number of records will be the same. Think about what would happen if someone deleted a product between the time the the form was opened and when it was submitted. Everything from where that product was in the order would be associated with the wrong product. There is a much simpler and fool-proof method to handle this. 1) Make the field names arrays and 2) Use the record ID as the index for those arrays. In this case I would create the fields something like this: <input type='text' name='qty[5]' /> Where '5' is the ID for the product that that field is associated with Creating them dynamically might look like this $result = mysqli_query($con,"SELECT id, name FROM formatted"); while($row = mysqli_fetch_array($result)) { echo "{$row['name']}: <input type='text' name='qty[{$row['id']}]' /><br>"; } Now, when you receive your POST data you will be 100% certain that you are matching the POST data with the right records from your query. Also, you are only processing records from the query IF the submitted value was not 0. That is inefficient. With the revision above you can also modify your query to ONLY pull the records needed. So, no need to query 1700 records when the user only input values for 5 fields! Your logic above could then be simplified to this: <?php // Check connection if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); } //Ensure POST value are integers and remove those that are 0 $valuesAry = array_filter(array_map('intval', $_POST['qty'])); //Create an array of the IDs from the indexes (also ensure they are ints) $IDsAry - array_map('intval', array_keys($_POST['qty'])); //Query ONLY the items that had non-zero values in POST $query = "SELECT * FROM formatted WHERE id IN (" . implode(', ', $IDsAry) . ")"; $result = mysqli_query($con, $query); $currentCategory = ""; while($row = mysqli_fetch_array($result)) { if($currentCategory != $row['subcategory']) { $customerInfo .= "<tr><th colspan = '7' style='background-color: #104E8B; color: #FFF;'>{$row['subcategory']}</th></tr>\n"; $currentCategory = $row['subcategory']; } $qty = $valuesAry[$row['id']]; $ttl = $qty * substr($row['price'],1); $customerInfo .= "<tr>\n"; $customerInfo .= "<td>{$row['size']}</td>\n"; $customerInfo .= "<td>{$row['description']}</td>\n"; $customerInfo .= "<td>{$row['upc']}</td>\n"; $customerInfo .= "<td>{$qty}</td>\n"; $customerInfo .= "<td>{$row['price']}</td>\n"; $customerInfo .= "<td>{$ttl}</td>\n"; $customerInfo .= "<td>{$_POST['notes']}</td>\n"; $customerInfo .= "</tr>\n"; } echo "</table>\n"; mysqli_close($con); ?>

Hmm . . . the fact that you say you don't want to actually upload the file is irrelevant because you are using a FILE input field. The sole purpose of that field is to upload a file. And the reason you were not getting the file name (which is included as part of the file upload) is specifically because you didn't configure your form for a file upload. If you had actually read the tutorial I linked to, that should have been apparent. To do a file upload you must set the form enctype to "multipart/form-data". Since you were not doing that, none of the information for that FILE field was being passed. So, even though you say you don't want to upload the file, it is still being passed in the form submission. If you aren't going to actually save/read that file and only want the name, there is another option. If this is for an internal tool where you have a known user base and can be certain they have JavaScript enabled, you can set the form to NOT upload the file. Then, include the FILE field in the form and add an onchange event to the field to populate a hidden field with the value of the FILE field. Then, when the form is submitted the FILE field will not be included in the POST data, but you will have the name in the hidden field. File: <input type="FILE" id="file" onchange="document.getElementById('filename').value=this.value;" /><br> FileName: <input type="text" name="filename" id="filename" />

Considering that would be behavior specifically implemented within each browser and not a valid HTML event, I doubt there is one. You could use onchange to determine when the field is changed, but you wouldn't know if the value entered was manually entered vs. selected from the browser lookup.