PFMaBiSmAd

Staff Alumni
Everything posted by PFMaBiSmAd

  1. The query error is actually occurring in the SELECT query, because there are single-quotes in the query statement and the DW GetSQLValueString() function is adding single-quotes around the value, giving two sets of single-quotes, which breaks the sql syntax.
  2. @bashy, I'm not following you around trying to pick on you, only on what you are suggesting. This is the 1st of two threads where you have suggested conditionally doing something that should be unconditional. Since you should only be trying to define any constant once, you should know if and where you have defined it, what value it has and what it means, and you would want an error if you tried to define it again. Conditionally defining it could result in unexplained operation of the page, since its first definition, perhaps in a main configuration file, would be the value that is used and not the value you just conditionally tried, but failed to set it to.
  3. I hope the code you have posted is just a test. Getting someone's 'admin' status from them via a $_GET parameter will allow anyone to become an admin to your site. The only place you should determine anyone's login type and privileges is by having that information stored on the server and you get it based on who the user is. Also, session_start should be unconditional. There's no good reason to start a session only when the session has not already been started.
  4. If you are conditionally starting your session, it means you might have already started it somewhere else in your code. That would indicate code that is out of control, requiring extra code to compensate for a messy design.
  5. The only thing that comes to mind that would 'automatically' do this, is if you use a VIEW with a where clause that only matches rows that are approved - CREATE VIEW view_name AS SELECT * FROM some_table WHERE approve = 1;. You would normally use the name of the view in queries. You would use the actual table name in queries when accessing all the rows for administrative purposes.
  6. What relationship is there between the contents in $row and the contents of your cart? In fact, what is the code surrounding the posted code that would tell us what you are actually trying to do? If you are trying to loop over the contents of your cart and reference the corresponding product information from a database table, you would need to - 1) Retrieve all the item ids from your cart and form a single query that gets the matching product information. You would implode the ids into a comma separated list and use an IN() comparison in the query's WHERE clause. 2) You would store that product information into an array using the product/item id as the array key (so that you can reference the correct record in the array when you loop over the contents of your cart.) 3) When you are looping over the cart contents, you would use the item id to access the correct product information that was retrieved in step #2.
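The three steps above carried through in code, as an added example that is not part of the original post. It assumes a PDO connection $pdo and a products table with columns id, name and price; the ids are bound as one placeholder each rather than imploded straight into the SQL, so they are treated as data.

```php
<?php
// Added example, not the original poster's code. Assumes $pdo (PDO) and a
// `products` table with columns id, name, price.
function fetchProductsForCart(PDO $pdo, array $cart): array
{
    // $cart is [product_id => quantity]; ids are cast to int before use.
    $ids = array_map('intval', array_keys($cart));
    if ($ids === []) {
        return [];
    }
    // Step 1: one query for every id. One '?' per id, so the values are
    // bound as data and cannot change the statement.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name, price FROM products WHERE id IN ($placeholders)");
    $stmt->execute($ids);

    // Step 2: store the rows keyed by product id for direct lookup.
    $products = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $products[(int)$row['id']] = $row;
    }
    return $products;
}

function renderCart(PDO $pdo, array $cart): string
{
    $products = fetchProductsForCart($pdo, $cart);
    $out = '';
    $total = 0.0;
    // Step 3: loop over the cart and use the item id as the array key.
    foreach ($cart as $id => $qty) {
        if (!isset($products[$id])) {
            // The product was removed from the table after it went in the cart.
            $out .= "Item $id is no longer available\n";
            continue;
        }
        $p = $products[$id];
        $line = $p['price'] * $qty;
        $total += $line;
        $out .= sprintf("%s x %d = %.2f\n", htmlspecialchars($p['name']), $qty, $line);
    }
    return $out . sprintf("Total: %.2f\n", $total);
}

// Constructed sample cart: product id => quantity.
$cart = [3 => 2, 7 => 1];
// $pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass');
// echo renderCart($pdo, $cart);
```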
  7. Databases don't know anything about what your data is, they just store it and let you retrieve the data you are interested in.
  8. You need an exit; statement after your header() redirect to prevent the rest of the code on your 'protected' page from running while the browser is performing the redirect. Without an exit; to stop the script, all anyone needs to do is ignore the redirect and they can access your 'protected' pages the same as if you didn't have a log in system at all.
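A guard include that puts posts #3, #4 and #8 together (unconditional session_start, privileges read from the server-side user record, exit after the redirect), as an added example that is not the original poster's code. It assumes a users table with columns id and is_admin and that the login code stored the user's id in $_SESSION['user_id'].

```php
<?php
// Added example, not the original poster's code. Assumes a `users` table
// with columns id and is_admin, and $_SESSION['user_id'] set at login.
session_start(); // unconditional: this include is the one place it is called

function requireLogin(string $loginUrl = '/login.php'): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        // Without this exit the rest of the page is still generated and sent;
        // a client that ignores the Location header simply reads it.
        exit;
    }
}

function currentUserIsAdmin(PDO $pdo): bool
{
    // Privileges come from the stored record for the logged-in user,
    // never from a request parameter such as $_GET['admin'].
    $stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([(int)$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['is_admin'] === 1;
}

function requireAdmin(PDO $pdo): void
{
    requireLogin();
    if (!currentUserIsAdmin($pdo)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of an admin-only page (assumed file name guard.php):
// require 'guard.php';
// requireAdmin($pdo);
```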
  9. @White_Lily, Rather than just read the title and post some off-topic code, why not actually read the problem the OP posted. He's using PDO prepared statements and the current problem is related to properly binding data to the query statement.
  10. @thara, Since your code example doesn't check if the SELECT query worked or failed before checking how many rows it matched, it will also run the // insert data into your database.... code when the select query fails due to an error. You must always test for errors before using data that a query returns to prevent follow-on errors and unexpected operation of code.
  11. A http request made by ajax is no different from any other http request, even one made by a search engine spider indexing your site. Your server-side php form processing code must check if a form was submitted at all and it must filter/validate all the submitted data before it uses it.
  12. What I stated was to change the settings so that what you were doing would work. What you did was to change what you were doing so that it would work for the settings you have.
  13. A) That's not the date format you posted where you echoed your $query statement. B) AFAIK, that's not the ms sql server date format (unless you have specifically set the dateformat to be that format.) It's possible that the database management tool you are using is converting the copy/pasted date into the correct format to match the database setting, whereas the query is being executed as is through the php script.
  14. It doesn't matter what is in the ['tmp_name'] element, as long as the file was uploaded without any errors.
  15. This is the third recent thread based on that author's code. Perhaps if the author had done a better job of explaining in his tutorial and of writing the code itself, there wouldn't be so many basic questions about it or problems getting it to work.
  16. You need to echo the $sql variable so that you can see exactly what is wrong with the query statement. Based on the sql error message, you likely have some single-quotes around the variables you are assigning to $deletedmessage.
  17. Someone already stated it's likely your external data values being put into the query statement contain characters that result in a non-match with the actual data. You should be investigating what about that external data in the query is causing a non-match.
  18. The external data values you are putting into your query likely contain some non-printing characters (tab, new-line, null) or perhaps even some html/url entities that are resulting in no match with the actual data in the table. When you copy/paste the echoed query, those non-printing characters/html/url entities are no longer present or are the actual characters. Where and how are your $_GET['start_date'] and $_GET['end_date'] being produced and why are you putting them directly into a query statement without filtering/validating/escaping them? P.S. I recommend building your query statements using overall (initial/final) double-quotes so that you can put single-quotes inside the query statement without needing to escape them. This would also allow you to put php variables directly into the query statement without needing to concatenate them. $query = "SELECT Reps.Rep, SUM(Logs.Num_Payments) AS 'Num_Payments' FROM Logs INNER JOIN Reps ON Logs.ForteID = Reps.ForteID GROUP BY Reps.Rep, Logs.Date Having Date BETWEEN '$Start_Date' AND '$End_Date' AND SUM(Logs.Num_Payments) > 0";
  19. Your use of double-quotes was terminating the string you were building (which was started with the opening double-quote), concatenating a value with that string (the first dot), then concatenating (the second dot) another double-quoted string onto the end of that. $sql = "SELECT id FROM users WHERE first_name =".$this->first_name." LIMIT 1"; This is equivalent to doing - $sql = "SELECT id FROM users WHERE first_name ={$this->first_name} LIMIT 1";
  20. Don't start new threads for the same problem. Merging this thread with your previous one... In your previous thread, someone specifically stated you needed single quotes around the value in the query and they also specifically stated why you needed them -
  21. We know what s/he wants, but s/he didn't ask a specific question about a programming problem or a programming error that s/he needs help with, which is what the purpose of this forum is. The people that come here just wanting something either need to put it on their list for Santa or post in the freelance forum section.
  22. +1 In programming, EVERYTHING matters, because computers only do EXACTLY what your code tells them to do. $this->first_name contains a string and must be enclosed in single-quotes within the query statement so that it will be treated as a literal string instead of a mysql keyword or a column/table/database name. If you had some error checking logic in your code to get the mysql error message that is occurring, it would be complaining about an unknown column name that is the value of the entered first_name.
  23. If you have a block of code that can fail at a number of points, you can use exceptions with a try/catch block, which is essentially an 'on error, fall-through to the catch' statement.
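Posts #10, #22 and #23 in one piece of code, as an added example that is not the original poster's code: the first_name value is bound as a parameter (so it is read as a literal string, never as a column name), PDO is put in exception mode so a failed SELECT cannot fall through into the INSERT, and the try/catch is the 'on error, fall through to the catch' block. It assumes a users table with columns id and first_name.

```php
<?php
// Added example, not the original poster's code. Assumes a `users` table
// with columns id and first_name.
function registerIfNew(PDO $pdo, string $firstName): ?int
{
    // In exception mode every failed query throws instead of returning
    // false, so nothing downstream ever runs on the result of a failed query.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        // The value is bound, not interpolated: a first name such as
        // O'Brien or a sql keyword is still just a string to the server.
        $stmt = $pdo->prepare('SELECT id FROM users WHERE first_name = ? LIMIT 1');
        $stmt->execute([$firstName]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false) {
            return (int)$row['id']; // already present; nothing inserted
        }
        // Reached only when the SELECT succeeded and matched no rows.
        $ins = $pdo->prepare('INSERT INTO users (first_name) VALUES (?)');
        $ins->execute([$firstName]);
        return (int)$pdo->lastInsertId();
    } catch (PDOException $e) {
        // Any failure above lands here: log the real message for the
        // developer, report failure to the caller, never echo it to the user.
        error_log('registerIfNew failed: ' . $e->getMessage());
        return null;
    }
}

// Constructed usage:
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
// $id = registerIfNew($pdo, "O'Brien");
```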
  24. There's a time limit on editing posts to keep people from changing the statement of their problem or question, since doing that usually wastes time for the people trying to answer the problem or question that was asked. If you need to correct or add information to a post after the time limit, you must add a reply with the new information.
  25. Here's someone using the same basic code that you have - http://forums.phpfreaks.com/topic/272404-help-problem-with-some-line-of-codes/ See my comments in post #10 and #12 in that thread, particularly the paragraph at the end of post #10 - you should avoid running database queries inside of loops.