KevinM1

Everything posted by KevinM1

  1. The problem is that your code isn't PHP. It seems to be a mishmash of PHP and HTML. PHP doesn't use tags for statements -- only if you're going from HTML to PHP, or vice versa. So, an if-statement does not look like: <if something> { ... } </if> If-statements, in PHP, look like: <?php if(something){ ... } ?> Note: I used the PHP start and end tags to turn on this message board's syntax highlighting. In order to answer your question, we'll need to see more code and know exactly what you're testing against.
  2. For free Windows antivirus programs, the big two seem to be AVG and Avast! Most of the people I've encountered like AVG more, but I'm an Avast! guy. It's a bit more user friendly, IMO. Both do the job well, though. For anti-spyware, I go with Spybot Search & Destroy. The newest version comes with a registry protector and hooks into IE. There are also frequent updates. For your laptop, your best security option is probably to use your Ubuntu partition while networking. Simply use Firestarter (the firewall program) to open up the ports for http, https, dhcp, and maybe SSH (if you're thinking of remoting to another computer) and you'll be all set.
  3. It's not how fast you study, but how well you study. I can read through a programming book in a day. That's pretty fast. Can I retain all that information after the first try? Hardly.
  4. Thanks a bunch!
  5. Yes. Hmm..I can't see how to put it into a variable. Mind giving me the link? I'm looking at php.net right now, but haven't found the bit about x yet.
  6. A bit confused here...is /x more or less like regex's version of a heredoc? Could I place the above in a variable for preg_match's first argument?
  7. Sorry for the double-post, but I think that this is the wrong philosophy to take. Trying to blacklist all of the bad things that could be entered is: 1. Not efficient. 2. Not truly possible. Something will always get through the cracks. Like I said before: code defensively. Instead of allowing all but the blacklisted data in, deny all but the whitelisted data. Only allow what you want into the system. Discard everything else. This is where regular expressions come in. Regex is just pattern matching. If data matches the pattern you're looking for, then you can process it. If not, don't let it in the system. One key is to use common sense. Most form inputs don't require the entry of parentheses or commas, or any other special characters. So, since that's the case, don't allow them to be processed. If an input is for numbers only, check that only numbers are in the field. Another key is to escape the data you're going to put into the database. This step happens last, after you've already screened the data. I use the following function which does slightly different things whether or not magic quotes are on:

     <?php
     function myEscape($string){
         return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
     }
     ?>

     Some sample form validation:

     <?php
     /* This checks to see if the input only has a number -- if not, it's false.
        It uses the myEscape function from above */
     $errMsg = "";
     if(isset($_POST['submit'])){
         if(!empty($_POST['numInput']) && preg_match("/^[0-9]+$/", $_POST['numInput'])){ // More on this below
             $numInput = myEscape($_POST['numInput']);
         }
         else{
             $numInput = NULL;
             $errMsg .= "Only numbers allowed!<br />";
         }
         . . .
         if($numInput){
             //insert into/update database
         }
         else{
             echo $errMsg;
         }
     }
     ?>

     The pattern in the preg_match function says "Give me one or more (+) characters in the range 0-9 ([0-9]) for the start (^) and end ($) of the pattern." If the value ($_POST['numInput']) matches the pattern, the function returns true. If not, it returns false. Since there's nothing else in the pattern, only a positive integer value will pass the test.
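An added example, not code from KevinM1's post, that carries the whitelist-then-escape approach above through in PHP: every field is checked against its own pattern first (the integer, e-mail and amount patterns are the ones used in these posts), and the database step comes last. It assumes PHP 7.1 or later with the pdo_sqlite extension, and uses a PDO prepared statement with bound parameters for that last step in place of the mysql_real_escape_string() wrapper shown in the post (the mysql extension it relies on was removed in PHP 7); the two form submissions are constructed sample input.

```php
<?php
// Added example (not from the original post): whitelist-validate form input first,
// then hand the data to the database last, through a prepared statement.
// Assumes PHP 7.1+ with the pdo_sqlite extension; the $post arrays below are constructed.

// One pattern per field: only what we expect is allowed through. The integer and
// e-mail patterns are the ones used elsewhere in these posts.
const FIELD_RULES = [
    'numInput' => '/^[0-9]+$/',                                   // positive integer only
    'email'    => '/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i',
    'amount'   => '/^\-?[0-9]+(\.[0-9]+)?$/',                     // optional sign, optional decimals
];

/**
 * Returns [cleanValues, errorMessages]. A field is accepted only if it is present,
 * non-empty and matches its whitelist pattern; everything else is rejected.
 */
function validateForm(array $post, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $errors[] = "Field '$field' is required.";
        } elseif (!preg_match($pattern, $value)) {
            $errors[] = "Field '$field' has an invalid format.";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed sample submissions: the first is well formed, the second fails every rule.
$submissions = [
    ['numInput' => '42',    'email' => 'user@example.com', 'amount' => '-12.50'],
    ['numInput' => '12abc', 'email' => 'not an address',   'amount' => '12,50'],
];

// In-memory SQLite stands in for the MySQL table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE transactions (num INTEGER, email TEXT, amount REAL)');

// The database step happens last and uses bound parameters, so the values are
// always sent as data and never spliced into the SQL text.
$insert = $db->prepare(
    'INSERT INTO transactions (num, email, amount) VALUES (:num, :email, :amount)'
);

foreach ($submissions as $i => $post) {
    [$clean, $errors] = validateForm($post, FIELD_RULES);
    if ($errors) {
        echo "Submission $i rejected:\n  " . implode("\n  ", $errors) . "\n";
        continue;   // nothing reaches the database unless every field passed
    }
    $insert->execute([
        ':num'    => (int) $clean['numInput'],
        ':email'  => $clean['email'],
        ':amount' => (float) $clean['amount'],
    ]);
    echo "Submission $i stored.\n";
}

echo "Rows stored: " . $db->query('SELECT COUNT(*) FROM transactions')->fetchColumn() . "\n";
```

Run it from the command line with php: the first submission is stored and the second is rejected on all three fields before any SQL is built. Binding the parameters means the separation of data from query text no longer depends on calling the escape function at exactly the right moment, which is the property the post's "escape last" rule is trying to protect.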
  8. Two words: form validation. One of the most common mistakes by newbie coders is that they never check to see if the input a user enters is valid/legit. Coders should always assume that user input is corrupt and code defensively. Form validation, in a nutshell, is the process of checking each input's value against what it should be. For example, if a text field is used only for numbers, you shouldn't allow any letters/words to be processed within it. So, yes, in order to validate a form, you'll need to go through each form input and test it. Tedious, but vital. This subject is a bit too broad to say "This is exactly how to do it" as validation is dependent on the context of the form. Typically, one tests that all vital inputs aren't empty, then tests that the values entered match the expected format. This last step is usually done via regular expressions (regex). There's a subforum here that deals with regex in PHP. I suggest that you read the stickied threads there.
  9. I'm getting a parse error using a regular expression I got from regexlib.net. The specifics are: Parse error: The line in question:

     <?php
     if(preg_match("/^(((file|gopher|news|nntp|telnet|http|ftp|https|ftps|sftp):\/\/)|(www\.))*(([a-zA-Z0-9\._-]+\.[a-zA-Z]{2,6})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(\/[a-zA-Z0-9\&%_\./\-~\-]*)?$/", $_POST['siteAddr'])){
     ?>

     As you can see, the regex is pretty involved, more complicated than a newbie like myself can debug, especially with all of the '\' characters within it. I'm hoping that someone else's trained eye can catch my error before I'm forced to eliminate each '\' one-by-one.
  10. Why not just append the arrays?

      <?php
      $check = new Check;
      // each check_* method is assumed to return an array of error messages
      $user_errors  = $check->check_user($_POST['username']);
      $pass_errors  = $check->check_pass($_POST['password1'], $_POST['password2']);
      $email_errors = $check->check_email($_POST['email']);
      $errors = array_merge($user_errors, $pass_errors, $email_errors);
      if ($errors) {
          echo "<h3>The following errors occurred</h3><br>";
          foreach ($errors as $e) {
              echo $e;
          }
      }
      else {
          echo "You've successfully been added to the db";
      }
      ?>
  11. Mind describing the actual problem you're having when you try displaying the errors? Are they being output to the screen? Are they in the correct order?
  12. Awesome, worked like a charm! I keep forgetting that you have to attach events to elements one at a time. For some reason I always think that attaching them to an array of elements will suffice. D'oh! Thanks!
  13. The '@' tells PHP to not display any errors the function may generate. The '&' signifies that the variable is being passed-by-reference to the function. More generically, the '&' always means treat whatever it's attached to like a reference. So, you can return values by reference, too. This link explains what references are and how PHP uses them: http://us2.php.net/references EDIT: In PHP 5, everything is pass-by-reference by default, so you don't have to use the '&' to signify it.
  14. Might help if I read through the link. Unfortunately, my attempt isn't working. Specifically, no confirmation box is popping up when I click on the links. I'm not getting any JavaScript errors, so my problem appears to be logical in nature. Here's what I have so far (please ignore the form validation bits -- that part actually works! -- and apologies for the weird spacing gedit put into my code):

      var W3CDOM = (document.createElement && document.getElementsByTagName);

      function init(){
          if (!W3CDOM) return;
          document.getElementsByClassName = function(clsName){
              var retVal = new Array();
              var elements = document.getElementsByTagName("*");
              for(var i = 0; i < elements.length; i++){
                  if(elements[i].className.indexOf(" ") >= 0){
                      var classes = elements[i].className.split(" ");
                      for(var j = 0; j < classes.length; j++){
                          if(classes[j] == clsName){
                              retVal.push(elements[i]);
                          }
                      }
                  }
                  else if(elements[i].className == clsName){
                      retVal.push(elements[i]);
                  }
              }
              return retVal;
          }
          var inputform = document.getElementById('advertiserSearch');
          var deleteLink = document.getElementsByClassName('deleteAdv');
          deleteLink.onclick = handleClick;
          inputform.onsubmit = validate;
      }

      function handleClick(evt){
          evt = (evt) ? evt : ((event) ? event : null);
          if(evt){
              var elem = (evt.target) ? evt.target : ((evt.srcElement) ? evt.srcElement : null);
              if(elem){
                  return confirm('This advertiser and all of their information will be deleted. Continue?');
              }
          }
      }

      function validate(evt){
          evt = (evt) ? evt : ((event) ? event : null);
          if(evt){
              var elem = (evt.target) ? evt.target : ((evt.srcElement) ? evt.srcElement : null);
              if(elem){
                  var notNum, keywordNotEmpty;
                  var radios = document.getElementById('radios');
                  keywordNotEmpty = isNotEmpty(elem.elements['keyword']);
                  notNum = isNotNumber(elem.elements['keyword'], radios);
                  if(keywordNotEmpty && !notNum){
                      return true;
                  }
                  else{
                      return false;
                  }
              }
          }
      }

      function isNotEmpty(argKeyword){
          var str = argKeyword.value;
          var re = /.+/;
          if(!str.match(re)){
              alert('Please enter a value for the Keyword field!');
              return false;
          }
          else{
              return true;
          }
      }

      function isNotNumber(argKeyword, argRadio){
          var inputs = argRadio.getElementsByTagName('input');
          for(var i = 0; i < inputs.length; i++){
              if(inputs[i].checked){
                  var value = inputs[i].value;
              }
          }
          if(isNaN(argKeyword.value) && (value == 2)){
              alert('Please enter a valid numeric value for the product #');
              argKeyword.select();
              argKeyword.focus();
              return true;
          }
          else{
              return false;
          }
      }

      window.onload = init;

      I'm thinking that it wants me to loop through the array of links, but I don't see why it's necessary, since I just need to know that one of the links has been clicked. I don't actually need to do anything with the links when the event fires.
  15. Oooh, thanks. I didn't know there was a built-in function like that.
  16. Wrong. Double-quotes can be put into double-quoted echoes, so long as they're escaped: <?php echo "I said \"hello, Mr. Smith\""; //This is okay ?>
  17. You have several typos in your last line. If you're echoing an array, you have to use curly brackets. You're also missing the variable name of the value you're trying to pass via GET (the something I added below). Try this for your last line, replacing something with what you're actually trying to pass along: <?php echo "<a href=\"paused.php?something={$acc3['groupe_name']}\">{$acc3['groupe_name']}</a>"; ?>
  18. To transform a string to/from a url-friendly form, the urlencode()/urldecode() functions are typically used:

      <?php
      //transforming a string into a url-friendly form (encode the value only, not the whole "key=value" pair):
      $string = "odds&ends";
      if($something){
          header("Location: anotherscript.php?cat=" . urlencode($string));
          exit;
      }
      . . . .
      //transforming the url into something we can use:
      if(isset($_GET['cat']) && !empty($_GET['cat'])){
          $cat = urldecode($_GET['cat']);
      }
      ?>
  19. I have a PHP script that displays advertiser info to the site administrator. This info is displayed within a table. One of the table's cells has two links - one to bring the site administrator to the script that displays that advertiser's transactions, another to delete that advertiser and all of their info. The second link is where my problem lies. I'd like a confirmation box to appear, asking the site administrator if they really, really want to delete all that info. The crux of the problem is that multiple advertisers (and multiple tables) can appear on each page. My basic setup is this:

      PHP:

      <?php
      $count = 0;
      $linkCount = 1;
      while($rs_query && ($count < $dispOptions)){
          $numBannersQuery = "SELECT COUNT(*) FROM sbclassified_ads WHERE adv_id = '{$rs_query['id']}'";
          $numBannersResult = mysql_fetch_array(mysql_query($numBannersQuery));
          $numBanners = $numBannersResult[0];
          $numPaidQuery = "SELECT COUNT(*) FROM sbclassified_ads WHERE paid = 'yes' AND adv_id = '{$rs_query['id']}'";
          $numPaidResult = mysql_fetch_array(mysql_query($numPaidQuery));
          $numPaid = $numPaidResult[0];
          $numNotPaidQuery = "SELECT COUNT(*) FROM sbclassified_ads WHERE paid = 'no' AND adv_id = '{$rs_query['id']}'";
          $numNotPaidResult = mysql_fetch_array(mysql_query($numNotPaidQuery));
          $numNotPaid = $numNotPaidResult[0];
          $numApprovedQuery = "SELECT COUNT(*) FROM sbclassified_ads WHERE approved = 'yes' AND adv_id = '{$rs_query['id']}'";
          $numApprovedResult = mysql_fetch_array(mysql_query($numApprovedQuery));
          $numApproved = $numApprovedResult[0];
          $numNotApprovedQuery = "SELECT COUNT(*) FROM sbclassified_ads WHERE approved = 'no' AND adv_id = '{$rs_query['id']}'";
          $numNotApprovedResult = mysql_fetch_array(mysql_query($numNotApprovedQuery));
          $numNotApproved = $numNotApprovedResult[0];
          $balanceQuery = "SELECT SUM(amount) FROM sbclassified_adv_transactions WHERE adv_id = '{$rs_query['id']}' GROUP BY adv_id";
          $balanceResult = mysql_fetch_array(mysql_query($balanceQuery));
          if($balanceResult){
              $balance = $cur['cur_name'].$balanceResult[0];
          }
          else{
              $balance = $cur['cur_name'] . "0.00";
          }
          echo <<<EOT
      <table cellspacing="0" cellpadding="5">
          <tr>
              <th>ID:</th><td>{$rs_query['id']}</td>
          </tr>
          <tr>
              <th>User Name:</th><td>{$rs_query['uname']}</td>
          </tr>
          <tr>
              <th>E-mail:</th><td><a href="email.php?id={$rs_query['email']}">{$rs_query['email']}</a></td>
          </tr>
          <tr>
              <th>Total Number of Banners:</th><td>$numBanners</td>
          </tr>
          <tr>
              <th>Number of Paid Banners:</th><td>$numPaid</td>
          </tr>
          <tr>
              <th>Number of Unpaid Banners:</th><td>$numNotPaid</td>
          </tr>
          <tr>
              <th>Number of Approved Banners:</th><td>$numApproved</td>
          </tr>
          <tr>
              <th>Number of Unapproved Banners:</th><td>$numNotApproved</td>
          </tr>
          <tr>
              <th>Total Balance:</th><td>$balance</td>
          </tr>
          <tr>
              <th>Options:</th><td><a href="view_adv_transactions.php?advId={$rs_query['id']}&pg=$pg">View Transactions</a> | <a id="deleteAdv$linkCount" href="deleteadvertiser.php?advId={$rs_query['id']}&pg=$pg">Delete Advertiser</a></td>
          </tr>
      </table>
      EOT;
          $count++;
          $linkCount++;
          $jmpcnt++;
          $rs_query = mysql_fetch_array($query);
      }
      ?>

      JavaScript:

      var W3CDOM = (document.createElement && document.getElementsByTagName);

      function init(){
          if (!W3CDOM) return;
          var deleteLink = document.getElementById('deleteAdv');
          deleteLink.onclick = handleClick;
      }

      function handleClick(evt){
          evt = (evt) ? evt : ((event) ? event : null);
          if(evt){
              return confirm('This advertiser and all of their information will be deleted. Continue?');
          }
      }

      window.onload = init;

      Obviously, the current code won't work as I'm attempting to get an element with an id of 'deleteAdv' when all of the elements I want to handle have id's like 'deleteAdv1.' Is there a relatively easy way to grab a hold of all of the 'deleteAdvx' elements that my PHP script generates? Thanks.
  20. The best advice I can give you is to try to design the individual steps separately, so you don't lose the forest for the trees, so to speak.

      1. Process an e-mail address: You have a form on your site that accepts an e-mail address, correct? If so, then this is basically done for you.

      2. Validate the e-mail address: This can be tricky as form validation is typically done through the use of regular expressions, which is a fancy term for creating a pattern and accepting (or denying) inputted data based on that pattern. One pattern I like to use is:

      <?php
      function myEscape($string){
          return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
      }
      if(isset($_POST['email'])){
          if(preg_match('/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i', $_POST['email'])){
              $email = myEscape($_POST['email']);
          }
      }
      . . .
      ?>

      First, a word of warning: the code snippet above won't work 'out of the box.' So, you can't just copy and paste it into your code and expect results. The important parts of the code snippet are the if-conditionals. The first says "If the email input is set with a value...." The second says "...and if it matches this confusing pattern, then set a local variable named $email with an escaped (i.e. safe for database storage) version of that value." Feel free to use that pattern.

      3. Check to see if the e-mail address has already been inputted: This requires accessing a database or file. I'm assuming it's a database, since that's how these things tend to work. I'm also assuming that it's a MySQL database. You could do something like:

      <?php
      $query = "SELECT * FROM table_name WHERE email = '$email'";
      $result = mysql_query($query);
      if($result && mysql_num_rows($result) > 0){
          //e-mail address is in the database
          //do something with it
      }
      else{
          //e-mail is NOT in the database -- insert it
          $insertQuery = "INSERT INTO table_name (email) VALUES ('$email')";
          $insertResult = mysql_query($insertQuery);
          if(mysql_affected_rows() == 1){
              //success!
          }
          else{
              //couldn't enter the e-mail address into the database
          }
      }
      ?>

      Again, this won't work out of the box, but it should get you started. The value for table_name is whatever the name of your particular database table is. The lines beginning with // are where you may need to flesh things out, especially the last two.

      4. If not, then continue: This was covered with step 3.

      5. I then need to send a code from my "code table" to their email address automatically: Again, this isn't too difficult. The biggest hurdle is probably selecting the right code to send from your code table, assuming they're not all the same.

      <?php
      $codeQuery = "SELECT code FROM code_table_name WHERE some_value = '$someValue'";
      $codeResult = mysql_query($codeQuery);
      $row = mysql_fetch_assoc($codeResult);
      $code = $row['code'];
      mail($email, 'Subject goes here', $code); //$email is the e-mail address we obtained earlier
      ?>

      Again, this is just supposed to give you an idea on how to proceed. Things like $someValue and whatnot are placeholders for values in your actual system. Hope this gives you some idea on how to move forward!
  21. That's actually where I'm stuck. Basically, anything that won't attempt to inject into/hijack my database, or profanity (it's an e-commerce site, after all), could be considered valid. That's a rather large range, hence my trepidation. The 80 character limit helps, but not by much.
  22. I have a form that I use regex to validate an entered e-mail address and monetary amount. I'm wondering, though, if I should try using regex to validate an 80 character description field that's in the form in order to tighten security. Right now, I just pass the value, if there is one, through an escape function:

      <?php
      $title = 'Advertiser Transaction Form';
      require_once('logincheck.php');
      require_once('myconnect.php');
      include_once('../includes/adminheader.inc');
      include_once('../includes/leftpanel.inc');

      function myEscape($string){
          return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
      }

      if(isset($_POST['back'])){
          header('Location: adminhome_new.php');
          exit;
      }

      if(isset($_POST['submit'])){
          //process the form
          $errMsg = '';
          if(isset($_POST['email'])){
              if(preg_match('/^[\w-]+(\.[\w-]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/i', $_POST['email'])){
                  $email = myEscape($_POST['email']);
              }
              else{
                  $errMsg .= "Please enter a correctly formed e-mail address!<br />";
                  $email = false;
              }
          }
          else{
              $errMsg .= "Please enter an advertiser's e-mail address!<br />";
              $email = false;
          }
          if(isset($_POST['amount'])){
              if(preg_match('/^\-?[0-9]+(\.[0-9]+)?$/', $_POST['amount'])){
                  $amount = myEscape($_POST['amount']);
              }
              else{
                  $errMsg .= "Please enter a numeric amount!<br />";
                  $amount = false;
              }
          }
          else{
              $errMsg .= "Please enter a transaction amount!<br />";
              $amount = false;
          }
          if(isset($_POST['description'])){
              $desc = myEscape($_POST['description']);
          }
          else{
              $desc = false;
          }
          if($email && $amount){
              $query = "SELECT * FROM sbclassified_advertisers WHERE email='$email'";
              $result = mysql_fetch_assoc(mysql_query($query));
              if($result){
                  $id = $result["id"];
                  $insertQuery = "INSERT INTO sbclassified_adv_transactions (adv_id, amount, description, date_submitted) VALUES ($id, $amount, '$desc', '".date("Ymdhis", time())."')";
                  $insertResult = mysql_query($insertQuery);
                  if(mysql_affected_rows() == 1){
                      header("Location: view_adv_transactions.php?id=$id");
                      exit;
                  }
                  else{
                      echo "<span style='color: red;'>There was a problem with the transaction. Please try again</span><br /><br />";
                  }
              }
              else{
                  echo "<span style='color: red;'>The e-mail address entered does not match any within the system. Please try again</span><br /><br />";
              }
          }
          else{
              echo "<p style='color: red;'>$errMsg</p>";
          }
      }
      ?>
      <!-- <script type="text/javascript" src="add_adv_transaction.js"></script> -->
      <div id="admincontent">
          <div class="admintitlebar">
              Advertiser Transaction Form
          </div>
          <div id="adminsearch">
              <form id="advTransaction" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
                  <fieldset>
                      <legend>Enter transaction info below</legend>
                      <p>
                          <label for="email">Advertiser E-mail: </label>
                          <input type="text" id="email" name="email" />
                      </p>
                      <p>
                          <label for="amount">Amount:<sup>1</sup> </label>
                          <input type="text" id="amount" name="amount" />
                      </p>
                      <p>
                          <label for="description">Description:<sup>2</sup> </label>
                          <input type="text" id="description" name="description" maxlength="80" />
                      </p>
                      <p class="smalltext">
                          <br />
                          1: Do not input your currency's symbol. If you want to deduct money, enter the amount as a negative entry.<br />
                          2: Description must not be more than 80 characters long.
                      </p>
                  </fieldset>
                  <input type="submit" name="submit" value="Submit" /><input type="submit" name="back" value="Go Back" />
              </form>
          </div>
      </div>
      <?php include_once('../includes/footer.inc'); ?>

      Should I even bother with trying regex in this case? I'm thinking it would be a pain trying to come up with a truly useful pattern.
  23. Step by step:

      var linkEl = createElement('a');

      The variable linkEl now contains an HTML anchor/link element.

      linkEl.href = '#';

      The href attribute of the link is set to '#'.

      linkEl.onclick = this.headingClicked;

      This assigns linkEl's onclick event handler the function headingClicked(); whenever the link that linkEl holds is clicked, that function will execute (providing it was coded correctly).

      linkEl.setAttribute('columnId', i);

      This creates the attribute 'columnId' for the link, and sets the value to whatever is currently in the 'i' variable. I can only assume that this code is executed within a for-loop whose job is to create a table with these links.

      linkEl.title = 'Click to sort';

      The last line assigns the text 'Click to sort' to the link's title attribute. If the link is moused over, this text will appear near the mouse pointer. Hope this helps!
  24. I figured it out. My problems were mostly me being out of practice using JavaScript.
  25. I find it odd that Azu was responding to a post written on July 7. I mean, having a thread degrade into flaming two months after it was, for all intents and purposes, dead? Definitely strange. I'm also amused by the charge that removing profanity is a symptom of immaturity. I dunno...I think getting one's panties in a bunch because, oh noes, someone doesn't agree with me about W3C validation, is pretty immature in and of itself. Remember: this is a place for all. As such, you never know if some 10 year old who wants to become a web app programmer is reading these boards. If you are an adult, I believe it would be best to act like it. Profanity, overreactionary posts, and just acting like a tool in general doesn't add to any rational discussion.