KevinM1
Moderators - Posts: 5,222 - Days Won: 26
Everything posted by KevinM1
-
You do realize it's all but impossible to suggest a course of action without seeing any of your site code, right? There are many possibilities as to why your site has been exploited, and seeing the results of the exploitation isn't very illuminating. That this topic has gone three pages, with multiple posts asking you to show some code, suggests that the failure to move forward on this issue lies with you. Expecting anyone to simply say "Do x, y, and z and you'll be fine" without relevant information is, to put it mildly, unrealistic. You have a choice - show us the code you wrote, which may allow us to suggest a course of action, or don't. Getting huffy over our repeated reasonable requests for information is completely irrational, and is only hurting you.
-
"The issue is, what I'm coding will eventually be out for other people to use; it's cart software. They might think they have to escape stuff when they type it in the admin panel."

Why would your users think that? There are really only two scenarios:
1. Your users don't know what escaping is.
2. Your users expect the software will do the escaping for them, which is what professional software should do.
The thought of an end user deciding to manually escape their own data is ridiculous.
-
The escape only lasts until the data is inserted into the db. It's removed after insertion, so, like xyph said, you won't see an extra slash when retrieving the data back from the db.
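As an added example (not code from the thread) of the point above, that escaping belongs to the statement and not to the stored data: the script below uses PDO with an in-memory SQLite database (it assumes the pdo_sqlite extension; the table and the product name are constructed for the demo). Interpolating admin-panel input into the SQL text breaks on an apostrophe, while a prepared statement stores the value and reads it back byte for byte, with no extra slashes.

```php
<?php
// Added example, not code from the thread. Shows that quoting/escaping protects the
// SQL statement only: what ends up in the table is the original text.
// Assumes PHP with the pdo_sqlite extension; no database server is needed.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed demo table standing in for a cart's product catalogue
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// The fragile way: the admin-panel input becomes part of the SQL text. An apostrophe
// in the name terminates the string literal early, so the statement is invalid.
function insertInterpolated(PDO $db, string $name): string
{
    try {
        $db->exec("INSERT INTO products (name) VALUES ('$name')");
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected by the database: ' . $e->getMessage();
    }
}

// The software does the work: a prepared statement sends the value separately from
// the SQL text, so the user never has to escape anything and nothing is added to it.
function insertPrepared(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO products (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Read the stored name back through a prepared statement as well
function fetchName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = makeDb();
$input = "Children's bike, 20\" wheels";   // constructed sample of what an admin might type

echo insertInterpolated($db, $input), PHP_EOL;

$id = insertPrepared($db, $input);
$stored = fetchName($db, $id);
echo $stored, PHP_EOL;
echo ($stored === $input ? 'stored value identical to input, no slashes added'
                         : 'stored value differs from input'), PHP_EOL;
```

Run it with the PHP CLI: the first line reports the syntax error the broken string literal causes, the second prints the name exactly as typed, and the comparison confirms the round trip added nothing.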
-
Don't forget to return your result from your function. http://us2.php.net/manual/en/functions.returning-values.php
-
Most Python web developers I know use the Django framework.
-
That's where dependency injection comes in. Instead of hard coding a particular dependency in a class, you use an object called a dependency injection or inversion of control container to automatically pass (inject) the dependency into the target object. It works best when all of the potential dependencies share an interface. @OP - you should make your fields $db, $hash, and any others you may add either private or protected.
-
Try making a simple script that has the StaticExample code I wrote and see what happens. Also, just to beat it into the ground, 'global' is bad regardless of whether or not you're writing OO code or 'normal' code. If a function/method has an external dependency, pass it in through the argument list. In other words, never do this:

    $someVar;

    function someFunction() {
        global $someVar;
        // do something with $someVar
    }

Instead, do this:

    $someVar;

    function someFunction($someVar) {
        // do something with $someVar
    }
-
No. Like I said, do not use 'global'. You never need to use 'global'. Take a look at something like:

    class User {
        private $username;
        private $email;
        private $db;

        public function __construct($username) {
            $this->username = $username;
            // The PDO object is a member of the class, created in the constructor
            // (a property cannot be initialised with 'new' in its declaration)
            $this->db = new PDO(/* dsn, user, password */);
            $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        }

        public function setupUser($username) {
            // Prepared statement: the username is sent as a parameter, not pasted into the SQL
            $user_query = $this->db->prepare("SELECT * FROM " . TBL_PREFIX . "users WHERE u_username = :username");
            $user_query->execute(array(':username' => $username));
            $row = $user_query->fetch(PDO::FETCH_ASSOC);
            if (!$row) {
                die('Could not find info for user ' . $username);
            } else {
                $this->email = $row['u_email'];
            }
        }
    }

No, you're way off. Static means, essentially, class-wide scope as opposed to instance/object scope. So, something like this:

    class StaticExample {
        // Shared by every instance of the class, not stored per object
        private static $count = 0;

        public function __construct() {
            ++self::$count;
        }

        public function getCount() {
            return self::$count;
        }
    }

    $example1 = new StaticExample();
    echo $example1->getCount();
    $example2 = new StaticExample();
    echo $example2->getCount();
-
As far as I know, you can't create an anonymous object in an inline manner like that in PHP.
-
So... the OP is Sony?
-
The key is just a number in the range 0 to $totalRows - 1. They'd get the same results with:

    $count = 0;
    while ($count < $totalRows) {
        $a[] = mysql_fetch_row($result);
        ++$count;
    }
-
I don't understand why you'd need multiple forms. An individual form can have an infinite number of inputs.
-
fugix, stop being defensive. MrAdam was right: the answer you provided 'worked' but did so only because you exploited a fluke in JavaScript. It's certainly not something that should be considered a passable solution, let alone a quality solution. Part of what we do here is teach through example, specifically code example. Your code shows exactly the wrong way to address the problem. That the OP left happy isn't an indication of the quality of your code. All it highlights is their ignorance on the matter. We get that you enjoy being an active member of the community, and we do appreciate it. Being a member of a community, any community, means being able to accept criticism and being able to accept, and learn from, errors. Instead of saying "Well, it worked" you should really be telling yourself "Hmm...it worked, but it certainly wasn't a very well thought out solution. Maybe I should hone my skills." Passing along bad or poorly thought out solutions will bring criticism every time. We wouldn't be doing our jobs if we didn't bring it up. And while tact may not be our #1 concern, better to have feelings hurt here, in a safe environment, than with clients, co-workers, or bosses, where more than results matter, and bad code costs money. All that being said, I'm locking this thread before it devolves further.
-
In addition, using 'global' completely kills encapsulation. The 'global' keyword should be avoided in general, but using it in OOP is contradictory to one of the basic ideas behind OOP. If a function/method requires a parameter in order to work then pass it through its argument list. That's why it's there. Also note that objects can contain other objects. Simply make your PDO object a member of your User class, like $username.
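An added example (not code from the thread) tying together the dependency injection post above and this one: the User class receives its database and hasher through the constructor, keeps both as private members, depends only on interfaces, and is wired by a deliberately tiny inversion-of-control container. The interface and class names (Database, PasswordHasher, PdoDatabase, NativeHasher, Container) are made up for illustration, the users table and the 'alice' account are constructed in an in-memory SQLite database, and the code assumes PHP 7.4+ with pdo_sqlite.

```php
<?php
// Added example, not code from the thread: constructor injection behind interfaces,
// plus a minimal container that wires the objects. All names are illustrative.

interface Database
{
    /** Fetch one row as an associative array, or null when nothing matches. */
    public function fetchOne(string $sql, array $params): ?array;
}

interface PasswordHasher
{
    public function verify(string $password, string $hash): bool;
}

// Production implementation: wraps PDO and always goes through prepared statements.
final class PdoDatabase implements Database
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    public function fetchOne(string $sql, array $params): ?array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

final class NativeHasher implements PasswordHasher
{
    public function verify(string $password, string $hash): bool
    {
        return password_verify($password, $hash);
    }
}

// The class that needs the dependencies: both fields are private and typed to the
// interfaces, so a test can hand in a fake database without touching this class.
final class User
{
    private Database $db;
    private PasswordHasher $hash;

    public function __construct(Database $db, PasswordHasher $hash)
    {
        $this->db = $db;
        $this->hash = $hash;
    }

    public function authenticate(string $username, string $password): bool
    {
        $row = $this->db->fetchOne(
            'SELECT u_password FROM users WHERE u_username = :u',
            [':u' => $username]
        );
        // Unknown user and wrong password share one code path and one answer
        return $row !== null && $this->hash->verify($password, $row['u_password']);
    }
}

// A minimal IoC container: maps an interface or class name to a factory closure.
final class Container
{
    /** @var array<string, callable> */
    private array $factories = [];

    public function bind(string $name, callable $factory): void
    {
        $this->factories[$name] = $factory;
    }

    public function get(string $name): object
    {
        if (!isset($this->factories[$name])) {
            throw new RuntimeException("No binding for $name");
        }
        return ($this->factories[$name])($this);
    }
}

$container = new Container();
$container->bind(Database::class, function (Container $c): Database {
    $pdo = new PDO('sqlite::memory:');   // constructed in-memory database for the demo
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (u_username TEXT PRIMARY KEY, u_password TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users VALUES (:u, :p)');
    $stmt->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return new PdoDatabase($pdo);
});
$container->bind(PasswordHasher::class, fn(Container $c): PasswordHasher => new NativeHasher());
$container->bind(User::class, fn(Container $c): User => new User(
    $c->get(Database::class),
    $c->get(PasswordHasher::class)
));

$user = $container->get(User::class);
var_dump($user->authenticate('alice', 'correct horse'));
var_dump($user->authenticate('alice', 'wrong password'));
```

The first call succeeds and the second fails. Swapping PdoDatabase for a MySQL-backed class, or the hasher for one with a different algorithm, changes only the container bindings; User itself is untouched because it was never allowed to reach for a global or construct its own dependencies.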
-
Try one of:

    link.onclick = function() { input.value = ''; }

or

    link.onclick = function() { input.innerHTML = ''; }
-
For that to work, you'd need to make your methods static. But, really, it sounds like you don't really understand why people use OOP, so you're trying it just because you heard it's the way to go. You need to understand the fundamentals - what an object is, what constructors actually do, and how it all fits together - because right now you're writing a bunch of gibberish code.
-
Can you show the error? Can you show the new code you use to invoke these functions with the array being passed into the function? Also, you don't need a while-loop in your collect() function. You're only grabbing one row of db data, so there's no reason to have a loop there. You also don't need to put the values ($fname, $lname, etc.) in quotes as they're already strings.
-
http://www.json.org/js.html And, to encode your PHP response as JSON: json_encode
-
Well, what does resp contain? You should really be using JSON as your response format. It's native JavaScript, and it allows you to treat your response as an object (which it is - that's what the O stands for). Also, take a look at your loop:

    for(var i = 0; i < goals[i].length; i++)

Are you sure you want to check each goal element's length? Or do you really want:

    for(var i = 0; i < goals.length; i++)

99.9999....% of the time, the second version is correct.
-
"I just use differentiating variables to keep things separate. Notepad++ pretty much keeps every thing easy to read for me. sql1, sql2, sql3, sql4, sql5, etc. at a quick glance look the same to me. So at a minimum I do sql1, sql20, sql300, etc. to make each subsequent variable longer, or make it different some other way."

That's why I said you should use meaningful variable names. $sqlnumber has no meaning, regardless if it's $sql1 or $sql101010. The same goes for your table name - $tblname_4 means nothing. What is your query trying to access? What does that particular table represent? Good code is readable and semantic. Long term, you're shooting yourself in the foot writing code like this, especially if you expect other people to read it. Good luck reading this code a month from now and understanding what it's doing. If I'm reading your code correctly, you need to either extract $row211010, or access the column data directly from that row (e.g., $row211010['rma_id']). You'll need to do the same for $row111010.
-
Aside: you should really use clear, meaningful variable names. Things like $sql101010 may seem clever or cool, but it hurts readability overall, which, in turn, reduces the chance that people will want to help you. Variable names should give some context to what you're doing. If that's actually supposed to be the 101,010'th sql query you have in that script, you're doing it wrong.
-
Are you sure goals exists? Why are you using eval to obtain it?
-
This topic has been moved to JavaScript Help. http://www.phpfreaks.com/forums/index.php?topic=334604.0