KevinM1
Moderators
Posts: 5,222
Days Won: 26

Everything posted by KevinM1
-
Did you set the permissions of the folder to allow readable access?
-
When you run a query, you must fetch the results. Right now, the value of your $approved variable is undefined because you didn't bind the results of your query to it. In other words:

    $data = mysql_query("SELECT * FROM XXX ORDER BY id DESC");

    while($row = mysql_fetch_assoc($data))
    {
        if($row['approved'] == 1) //more on this line below
        {
            //display candidate data
        }
    }

Keep in mind that when using array notation (i.e. $row['approved']), the name within the quotes is supposed to be the column name in the DB you want to access.
-
It's possible by using hidden form inputs:

Page 1 -

    <form action="page2.php" method="post">
        <input type="hidden" name="hidden" value="something" />
    </form>

Page 2 -

    <?php
        $hidden = $_POST['hidden']; //escaped below before it is echoed back into the markup
        . . .
    ?>

    <form action="page3.php" method="post">
        <input type="hidden" name="hidden2" value="<?php echo htmlspecialchars($hidden, ENT_QUOTES, 'UTF-8'); ?>" />
    </form>

Page 3 -

    <?php
        $hidden2 = $_POST['hidden2'];
        . . .
    ?>

And so on. Keep in mind, this isn't a secure way to transfer data. Hidden inputs aren't displayed on the screen, but still show up in the source code of the document. So, don't use it for anything sensitive.
-
how to add dynamic rows to a html table
KevinM1 replied to phplearner2008's topic in PHP Coding Help
For this kind of DOM manipulation, you'd be better off using JavaScript to create the new rows and append them to the table after you populate their data from the database. -
Simply use a form with hidden inputs:

Page 1 -

    <form action="page2.php" method="post">
        <input type="text" name="user" />
        . . .
    </form>

Page 2 -

    <?php
        $user = $_POST['user']; //escaped below before it is echoed back into the markup
        . . .
    ?>

    <form action="page3.php" method="post">
        <input type="hidden" name="user" value="<?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8'); ?>" />
        . . .
    </form>

Page 3 -

    <?php
        $user = $_POST['user'];
    ?>
-
Nope, your code is just wrong. First, in your HTML, put quotes around the word post:

    <form action="processpoints.php" method="post">

Then in your PHP, try:

    <p><?php echo htmlspecialchars($_POST['korisnickoime'], ENT_QUOTES, 'UTF-8'); ?></p>
    <br /><br />
    <p><?php echo htmlspecialchars($_POST['points'], ENT_QUOTES, 'UTF-8'); ?></p>
-
[SOLVED] Quick question regarding mysqli extension
KevinM1 replied to KevinM1's topic in PHP Coding Help
I thought I read/heard something like that before, but it's nice to get confirmation. Thanks! -
Is it true that using prepared statements automatically escapes any string variables used in/bound to those statements?
-
You don't have anything within the variable $connect. Replace all instances of it with $db, the variable you assigned to with your mysql_connect() function call.
-
Hmm...I'm wondering if there's a conflict between what you've entered in the form and what's actually in the DB stemming from using mysql_real_escape_string. How did you originally enter the stored user name and password? In any event, you can shorten that code down by a lot:

    require_once("dbconnect.php");
    session_start();

    $_SESSION['username'] = mysql_real_escape_string(stripslashes($_POST['username']));
    $_SESSION['password'] = mysql_real_escape_string(stripslashes($_POST['password']));

    $sql = "SELECT * FROM users WHERE username = '{$_SESSION['username']}' AND password = '{$_SESSION['password']}'";
    $result = mysql_query($sql);
    $count = mysql_num_rows($result);

    if($count == 1)
    {
        header("location: admin.php");
    }
    else
    {
        echo "Wrong Username or Password";
    }

Keep in mind, it's never a good idea to store a password in a session. So, hopefully, you're just using this example as a learning exercise.
-
Well, using any kind of non-validated data is dangerous. It doesn't matter if you're using it like:

    $query = "INSERT INTO my_dbtable (my_column) VALUE ('". $_POST['someField'] ."')";
    $result = mysql_query($query);

Or:

    $someField = $_POST['someField'];
    $query = "INSERT INTO my_dbtable (my_column) VALUE ('$someField')";
    $result = mysql_query($query);

Neither one is innately more secure than the other. In fact, both are dangerously insecure if left as is. Remember: all incoming data is potentially bad. I tend to assign scrubbed (i.e., validated) data to variables because it makes it easier on me to refer to them by a simple variable name than to deal with the cumbersome superglobal syntax every time I want to use form data.
-
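Added example (not part of KevinM1's posts or the original threads): one way to handle the form field from the post above, validating it first and then binding it as a statement parameter instead of concatenating it into the SQL, which is also what the earlier question about prepared statements is getting at. PDO with an in-memory SQLite database, the validation rule and the function names are assumptions chosen so the script runs on its own; my_dbtable, my_column and someField come from the post.

```php
<?php
// Added example. PDO with in-memory SQLite is an assumption so the script
// runs without a MySQL server; the same PDO calls work with a mysql: DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE my_dbtable (id INTEGER PRIMARY KEY, my_column TEXT)');

// Hypothetical validation rule: 1-50 characters; letters, digits, space, . ' -
function validateSomeField($raw): ?string
{
    if (!is_string($raw)) {          // someField[]=x arrives as an array
        return null;
    }
    $value = trim($raw);
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,50}\z/u', $value)) {
        return null;
    }
    return $value;
}

function insertSomeField(PDO $pdo, $raw): bool
{
    $value = validateSomeField($raw);
    if ($value === null) {
        return false;                // reject; do not try to repair bad input
    }
    // The placeholder keeps the value separate from the SQL text.
    $stmt = $pdo->prepare('INSERT INTO my_dbtable (my_column) VALUES (:val)');
    $stmt->execute([':val' => $value]);
    return true;
}

// Constructed sample inputs standing in for $_POST['someField'].
$samples = ["O'Brien", "a' OR '1'='1", ['unexpected array'], ''];
foreach ($samples as $sample) {
    $label = is_string($sample) ? $sample : gettype($sample);
    printf("%-16s %s\n", $label, insertSomeField($pdo, $sample) ? 'stored' : 'rejected');
}
// The apostrophe in O'Brien is stored literally; nothing was escaped by hand.
print_r($pdo->query('SELECT my_column FROM my_dbtable')->fetchAll(PDO::FETCH_COLUMN));
```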
PHP Explode string not working properly (cont)
KevinM1 replied to matthew798's topic in PHP Coding Help
If there's no space between the commas and a permission setting within the 'permission' DB field, then simply rewrite explode as: $permissions = explode(",", $row['permission']); -
PHP Explode string not working properly (cont)
KevinM1 replied to matthew798's topic in PHP Coding Help
Comes from a typo I had in the code. Try: $permissions = explode(", ", $row['permission']); -
You can't use access modifiers (i.e., private, protected, public) in an inline manner. Instead, you declare or define your members with a modifier, then use them. Also, to refer to them within a function, you need to use the 'this' keyword (same goes for calling member functions within a class). So:

    class buildNavMenu
    {
        private $firstRow;
        private $nextRow;
        private $nextRowCount;
        private $itemCount;
        private $navData;
        private $navDataArray;

        public function __construct()
        {
            db_connect();
        }

        public function buildMenu()
        {
            $this->firstRow = $this->findNavItems();
            . . .
        }

        private function findNavItems($pageIdRel = 0)
        {
            . . .
        }
    }

I don't see anything glaringly wrong (other than what I mentioned above) upon a quick first glance. Put:

    error_reporting(E_ALL);

At the top of your page after you make the fixes I suggest and report any errors you come up with.
-
PHP Explode string not working properly (cont)
KevinM1 replied to matthew798's topic in PHP Coding Help
Try fetching the results:

    $q = mysql_query("SELECT permission FROM users WHERE username = '$username'") or die(mysql_error());
    $row = mysql_fetch_assoc($q);
    $permissions = explode(", ", $row['permission']); //array keys must be quoted
    print_r($permissions);

    if ( $permissions['0'] == 0 ){
        die('You do not have permission to access this administrative function');
    }
-
Legal issues with linking to google maps! My Boss is driving me mad!
KevinM1 replied to scotchegg78's topic in Miscellaneous
Exactly. She's an idiot for basing her decision on her own ignorance of the terms Google has and her resulting fears of potential legal action. Not exactly high-level managing there.... -
[SOLVED] Would this be open to SQL injection?
KevinM1 replied to toyfruit's topic in PHP Coding Help
Are you sure that non-integers will be truncated and not converted to their ASCII value? I don't have time to test it myself at the moment, but that immediately came to mind when I read this. Probably because I've been spending too much time in C-family-land lately. If I know that the range of acceptable incoming URL query values is small, I tend to create a whitelist of those acceptable values and test against that. Anything not on the list causes either an error message or (in most of my cases) the user to be redirected to the homepage. Regardless, the OP should be ready to handle any errors that stem from an invalid URL query value. -
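Added example (not from the thread): a sketch of the whitelist approach described in the post above, with a strict integer check beside it and a redirect decision for anything invalid. The parameter names `section` and `id`, the allowed values and the ID range are hypothetical.

```php
<?php
// Added example. Parameter names, allowed values and the ID range are
// hypothetical; adapt them to the real URL scheme.
const ALLOWED_SECTIONS = ['news', 'gallery', 'contact'];

// Returns the validated values, or null when the request should be bounced.
function validateQuery(array $query): ?array
{
    $section = $query['section'] ?? null;
    // Strict comparison: only an exact string from the list is accepted.
    if (!is_string($section) || !in_array($section, ALLOWED_SECTIONS, true)) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "42abc" outright, where an (int) cast
    // would yield 42.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100000]]);
    if ($id === false) {
        return null;
    }
    return ['section' => $section, 'id' => $id];
}

function handle(array $query): string
{
    $valid = validateQuery($query);
    if ($valid === null) {
        // In a web request: header('Location: /'); exit;
        return 'redirect to homepage';
    }
    return "show {$valid['section']} item {$valid['id']}";
}

// Constructed sample query strings standing in for $_GET.
$samples = ['section=news&id=42', 'section=news&id=42abc',
            'section=admin&id=1', 'section[]=news&id=1', 'id=7'];
foreach ($samples as $qs) {
    parse_str($qs, $query);
    printf("%-24s => %s\n", $qs, handle($query));
}
```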
trying to build a simple class to do the database work
KevinM1 replied to langenf's topic in PHP Coding Help
Well, this class already has a query method:

    class MySQL
    {
        . . .

        public function query($query)
        {
            if(!$this->isError())
            {
                $result = mysql_query($query, $this->dbc);
                return $result;
            }
            else
            {
                echo "Cannot return records from database due to connection failure.<br />";
            }
        }
    }

I think this class, in and of itself, is pretty adequate for getting the job done, so long as you're certain that you'll be dealing with a MySQL database. If you're unsure of what kind of DB you'll be working with, you should employ the Factory Method pattern to return the right kind of DB object based on the actual DB you're working with. In other words, you should have an abstract DB class that has a function (either its constructor or a static function) that analyzes the connection string passed into it and returns a concrete, subclass object of the particular DB type. So, if the function gets passed a MySQL connection string, it returns a MySQL DB object. If it gets passed a SQLite connection string, it returns a SQLite DB object.

You should also be wary of how errors are handled here. Is it enough to merely spit something like "Could not connect, try again later" to the screen? At the very least, you should log any fatal errors like those automatically. Write to a file, send an e-mail to you with the error message...something.

Just some ideas. Again, if you're certain you're going to be sticking with MySQL, then don't sweat the stuff I mentioned about the Factory Method.
-
trying to build a simple class to do the database work
KevinM1 replied to langenf's topic in PHP Coding Help
I believe your problem is... Your getDatalink function returns a database connection. So, you need to assign a variable to it to capture that information, like so: $myDBC = getDatalink(); //DBC = database connection Other than that, I strongly suggest updating to PHP 5 (latest version is 5.2.6, I believe). Its OOP syntax is much clearer, IMO, and, on the whole, its OOP capabilities are much more powerful than what PHP 4 offers. -
Mind showing some code? There could be a small difference between the way the dynamic selects are handled compared to the non-dynamic (static?) selects that you may not be seeing.
-
Definitely a good point. With my solution, if there are any "non-word" spans floating about, they'll all have the same onclick function. This could cause problems, as you probably don't want every span to be clickable, and you certainly wouldn't want those spans without ids alerting the user to an undefined property. Like Obsidian said, there are ways around that. I'd probably start off the same way as above - get the array of all spans by using getElementsByTagName - then I'd loop through those to see which had an id of "word_xx". Those with such an id get added to another array, which I'd then loop through and add onclick event handlers to.
-
JavaScript sometimes has issues with scope, especially when coders try assigning event handlers by using a for-loop. Try doing something like:

    for(var x = 0; x < tmp.length; x++)
    {
        (function()
        {
            var ins = tmp[x]; //local to this call, so each handler keeps its own value
            arrvalue = tmp[x];
            row1[x] = document.createElement('div');
            row1[x].onclick = function(){sett(ins); return true;};
            val[x] = document.createTextNode(ins);
            elem.appendChild(row1[x]);
            row1[x].appendChild(val[x]);
        })();
    }

Sometimes placing the code that dynamically creates/assigns event handlers within a self-executing anonymous function fixes the problem.
-
Is every word wrapped within a span tag? If so, unobtrusive JavaScript is your best bet:

    <script type="text/javascript">
        window.onload = function()
        {
            var words = document.getElementsByTagName('span');

            for(var i = 0; i < words.length; i++)
            {
                words[i].onclick = function()
                {
                    alert(this.id);
                }
            }
        }
    </script>

    . . .

    <span id="word_56">blah</span>

As you can see, all JavaScript is placed within script tags and not embedded in the markup, which is the way JavaScript should be used. Keeping it separate from the rest of the document ensures that both are easy to edit and maintain, and allows you to apply scripting logic to the entire document in a top-down manner. As you can see, it's much more efficient to access an array of span elements and apply an event handler to each in a simple for-loop than it is attempting to add an onclick event handler to each element manually within the markup.
-
You can do it with setTimeout. Something along the lines of:

    <script type="text/javascript">
        window.onload = function()
        {
            var submit = document.getElementById('submit');
            var spin = document.getElementById('spin');

            submit.onclick = function()
            {
                var myTimeout = setTimeout("spin.innerHTML = '<img src=\"images/wheel.gif\" />Search Database...'", 5000);
                //continue submission
            }
        }
    </script>

More info on the function here: http://www.w3schools.com/js/js_timing.asp

I escaped the inner double-quotes in the first argument just to be safe. To be honest, I'm also not sure if an assignment will work there, but it can't hurt to try.
-
For the first problem, mind showing the PHP that's supposed to handle the newly formed images? And for the second, are all for-loops screwing up, or just the first?