
PFMaBiSmAd

Staff Alumni
Posts: 16,734
Days Won: 9

Everything posted by PFMaBiSmAd

  1. strpos should be faster than preg_match. Directly testing the first two elements of the string holding the data, using $string[0] and $string[1], might even be faster.
  2. Unless you are specifically using a mysqli_multi_query statement in your code (a mysql_query statement does not support multiple queries) or you have code that allows external sql statements to be executed, your tables are not being dropped through SQL injection. SQL injection in a select query, for example, would allow things like outputting all the records in the table or satisfying a login test so that someone could become logged in as an administrator. But you could not directly drop table(s) using sql injection. If it is not on, turn on your mysql query log. It will show you which queries are being executed under which database username. If the query is actually a drop table query or a delete query, you should limit the privileges that the database username has so that your scripts can only perform the expected select/update/insert query statements. Edit: Hopefully, you don't actually have a drop table query in your code that accepts an external table name? Which is why posting the code is quicker; someone doesn't need to guess what it is doing that could allow the problem.
  3. Have you checked if there are any 'new' files (ones you didn't put on the server) or changed files (your files but the size/date don't match your source files) or if your database contains any php code (if you are processing templates using an eval() statement), in case someone has uploaded/stored a rootkit php script onto your site? Posting your code would actually be a quicker way to find security problems in it.
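The check described in post 3, as an added example that is not PFMaBiSmAd's code: build a manifest of sha256 hashes from your own source tree, build another from what is actually on the server, and report the new, changed and missing files, plus a crude scan for php open tags in data that should never contain any. The two directory trees and the sample template row are constructed in a temp directory so the script runs stand-alone; the directory names and the templates-table row are assumptions.

```php
<?php
// Added example (not PFMaBiSmAd's code): compare the files on the server against a
// manifest of hashes built from your own source tree, so 'new' files (not in your
// source) and 'changed' files (hash differs) stand out. The two directory trees
// below are constructed in a temp dir so the script runs stand-alone; in practice
// $source would be your local copy and $deployed the document root on the server.

function buildManifest(string $root): array
{
    $root = rtrim($root, '/');
    $manifest = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($root) + 1);
        $manifest[$relative] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

function compareManifests(array $source, array $deployed): array
{
    $report = ['new' => [], 'changed' => [], 'missing' => []];
    foreach ($deployed as $path => $hash) {
        if (!isset($source[$path])) {
            $report['new'][] = $path;          // on the server, never in your source
        } elseif ($source[$path] !== $hash) {
            $report['changed'][] = $path;      // same name, different contents
        }
    }
    foreach (array_keys($source) as $path) {
        if (!isset($deployed[$path])) {
            $report['missing'][] = $path;      // in your source, gone from the server
        }
    }
    return $report;
}

// Crude check for php code inside data that should never contain any (e.g. rows of a
// templates table that get passed to eval()); returns the offsets where it appears.
function findPhpTags(string $data): array
{
    $hits = [];
    $offset = 0;
    while (($pos = stripos($data, '<?php', $offset)) !== false) {
        $hits[] = $pos;
        $offset = $pos + 5;
    }
    return $hits;
}

// --- constructed sample trees (assumed layout) ---
$base = sys_get_temp_dir() . '/integrity_demo_' . getmypid();
foreach (["$base/source/inc", "$base/deployed/inc"] as $dir) {
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
}
file_put_contents("$base/source/index.php", "<?php echo 'hello';\n");
file_put_contents("$base/source/inc/db.php", "<?php \$host = 'localhost';\n");
file_put_contents("$base/deployed/index.php", "<?php echo 'hello';\n");
// same file name, but something was appended on the server
file_put_contents("$base/deployed/inc/db.php", "<?php \$host = 'localhost';\n@eval(\$_POST['x']);\n");
// a file that was never part of the source tree
file_put_contents("$base/deployed/inc/.cache.php", "<?php /* not ours */\n");

$report = compareManifests(buildManifest("$base/source"), buildManifest("$base/deployed"));
print_r($report);

// constructed 'template' row as it might come back from the database
$templateRow = "<h1>Welcome {name}</h1><?php system(\$_GET['cmd']); ?>";
print_r(findPhpTags($templateRow));
```

Run it against the real trees by pointing buildManifest() at your local source directory and at the server's document root (over sftp/rsync or on the server itself); anything under 'new' or 'changed' is what to open and read first. The date/size comparison from the post is cheaper, but a hash catches a file that was edited and then had its timestamp put back.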
  4. The error is in your list of column names, they have quotes around each of them, making them string data values instead of column names.
  5. If you want help with your current code and the error, you would need to post enough of the form and the processing code that duplicates the error. I'm guessing the 500 error is actually a HTTP 500 response code, which doesn't mean that the upload failed, it means that the server returned an incomplete HTTP response.
  6. conan318, you wouldn't write out all that code, repeated for each form field. You would use an array name for the form field and use a simple loop to iterate over the uploaded file information.
  7. It's impossible for you to use a browser to upload preselected files from a client as that would allow any web site to grab any file from a client's system. The safeguards built in require user action to select the actual file(s). You can 'filter' which files are listed in the file selection dialog box and allow multiple files to be selected at one time, by using a flash form. See this link - http://swfupload.org/ Also, in your existing code, $_FILES['docfile1']['name']!='' doesn't ensure that the file was successfully uploaded. Some of the upload errors will set the ['name'] element, but the file upload failed. You need to test the value in the ['error'] element and only use the uploaded file information if the error was zero. See this link - http://us2.php.net/manual/en/features.file-upload.errors.php
  8. If your $customers_de variable exists in the same scope where you printed/echoed it, you will get a zero if there were no matching rows or a number if there are matching rows. What's your complete actual code with the print/echo in it that reproduces the problem, because I just tested the second code that you posted and it prints a zero if the query returned a zero value. Do you have php's error_reporting set to E_ALL and display_errors set to ON so that php would report and display all the errors it detects in your code?
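The loop from post 6 and the ['error'] test from post 7 together, as an added example that is not PFMaBiSmAd's code: the form field is declared as name="docfile[]", so $_FILES['docfile'] holds parallel arrays, and an entry is only accepted when its error element is UPLOAD_ERR_OK. $_FILES is simulated with a constructed array (the file names and tmp_name path are assumptions) so this runs from the command line; in a real request you would pass $_FILES and then call move_uploaded_file() on each accepted tmp_name.

```php
<?php
// Added example (not PFMaBiSmAd's code): process a multi-file field named docfile[]
// in one loop and trust an entry only when its ['error'] element is UPLOAD_ERR_OK.
// $_FILES is simulated with a constructed array so this runs from the command line;
// in a real request you would pass $_FILES and then call move_uploaded_file() on
// each accepted tmp_name.

function uploadErrorText(int $code): string
{
    $text = [
        UPLOAD_ERR_INI_SIZE   => 'larger than upload_max_filesize',
        UPLOAD_ERR_FORM_SIZE  => 'larger than MAX_FILE_SIZE in the form',
        UPLOAD_ERR_PARTIAL    => 'only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file was selected',
        UPLOAD_ERR_NO_TMP_DIR => 'missing temporary folder',
        UPLOAD_ERR_CANT_WRITE => 'failed to write to disk',
        UPLOAD_ERR_EXTENSION  => 'stopped by a php extension',
    ];
    return $text[$code] ?? "unknown error code $code";
}

// Returns [accepted, rejected]; accepted entries are safe to move, rejected ones
// carry the reason. Works for any field declared as name="something[]".
function collectUploads(array $files, string $field): array
{
    $accepted = [];
    $rejected = [];
    if (!isset($files[$field]['error']) || !is_array($files[$field]['error'])) {
        return [$accepted, $rejected];      // field missing or not an array field
    }
    foreach ($files[$field]['error'] as $i => $error) {
        $name = (string) $files[$field]['name'][$i];
        if ($error !== UPLOAD_ERR_OK) {
            // ['name'] can be non-empty here even though no usable file exists
            $rejected[] = ['name' => $name, 'reason' => uploadErrorText($error)];
            continue;
        }
        $accepted[] = [
            'name'     => basename($name),   // client-supplied; strip any path component
            'tmp_name' => $files[$field]['tmp_name'][$i],
            'size'     => (int) $files[$field]['size'][$i],
        ];
    }
    return [$accepted, $rejected];
}

// constructed stand-in for $_FILES after submitting three docfile[] inputs
$files = [
    'docfile' => [
        'name'     => ['report.pdf', 'big.iso', ''],
        'type'     => ['application/pdf', '', ''],
        'tmp_name' => ['/tmp/phpA1b2C3', '', ''],
        'error'    => [UPLOAD_ERR_OK, UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_NO_FILE],
        'size'     => [10240, 0, 0],
    ],
];

list($accepted, $rejected) = collectUploads($files, 'docfile');
print_r($accepted);
print_r($rejected);
```

Note the second entry: its name is set ('big.iso') although nothing usable was uploaded, which is exactly the case a name!='' test gets wrong. Treat a NO_FILE entry as an empty optional input rather than a failure if the form allows fewer files than inputs.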
  9. If you have 100 ranks, you will find that the code I posted will execute significantly faster than using 100 if(){} statements.
  10. I would use a 'lookup' array so that you don't need to keep writing or changing the php code every time you add or change a rank (just change the definition of the array) -

      <?php
      // Map each rank number to its display text; add or change ranks here only.
      $rank_text = array();
      $rank_text[0] = 'test1';
      $rank_text[1] = 'test2';
      $rank_text[2] = 'test3';
      $rank_text[3] = 'test4';
      $rank_text[4] = 'test5';

      $RankNum = 3; // testing testing...

      // isset() guards against an undefined index when the rank number is unknown.
      if(isset($rank_text[$RankNum])){
          echo $rank_text[$RankNum];
      } else {
          echo "RankNum: $RankNum is not valid";
      }

  11. You should be learning php and developing/debugging php code on a local development system. There's no need to have a live server and you waste a huge amount of time constantly uploading code just to see the result of each change to the code.
  12. You also should NOT use extract on external data, without preventing it from blindly overwriting existing variables, as it will allow a hacker to set any of your program variables to anything he wants.
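What post 12 warns about, as an added example that is not PFMaBiSmAd's code: extract() run on request data overwrites a variable the script already set, and EXTR_SKIP, EXTR_PREFIX_ALL, or simply reading the expected fields by name all prevent it. $_POST is simulated with a constructed array (the field names are assumptions) so this runs from the command line.

```php
<?php
// Added example (not PFMaBiSmAd's code): what extract() on request data does to a
// variable the script already set, and three ways to stop it. $_POST is simulated
// with a constructed array so this runs from the command line.

// Unsafe: any field name in the request becomes a variable, clobbering existing ones.
function extractBlindly(array $post): bool
{
    $is_admin = false;          // decided by the application...
    extract($post);             // ...then overwritten by a posted is_admin=1
    return (bool) $is_admin;
}

// EXTR_SKIP: variables that already exist are left alone; unknown names still get created.
function extractSkippingExisting(array $post): bool
{
    $is_admin = false;
    extract($post, EXTR_SKIP);
    return (bool) $is_admin;
}

// EXTR_PREFIX_ALL: everything lands in $form_username, $form_is_admin, ... so no
// posted name can collide with a program variable.
function extractWithPrefix(array $post): bool
{
    $is_admin = false;
    extract($post, EXTR_PREFIX_ALL, 'form');
    return (bool) $is_admin;
}

// Simplest: don't extract at all; copy the fields you expect, by name.
function readExpectedFields(array $post): array
{
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    return ['username' => $username, 'password' => $password];
}

// constructed request: a normal login form plus one extra field the attacker added
$post = ['username' => 'guest', 'password' => 'secret', 'is_admin' => '1'];

var_dump(extractBlindly($post));
var_dump(extractSkippingExisting($post));
var_dump(extractWithPrefix($post));
print_r(readExpectedFields($post));
```

extractBlindly() comes back true for a guest login; the other two stay false. EXTR_SKIP only protects variables that were assigned before the extract() call, so a variable set later in the script (or one that is only sometimes set) is still exposed, which is why the last function is the one to prefer.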
  13. Data arranged as a nested set and nested function calls have absolutely nothing to do with each other.
  14. All your code needs to do is TEST for a true, false, or result resource from the mysql_query() statement. It doesn't care or need to know what type of query was executed. Edit: see is_resource to test if a resource was returned. If a resource was not returned, then you got a true or a false value and you can just return that value.
  15. A function/method that executes a query should only return the true (insert/update queries), false (any query that failed due to an error), or instance of a result class (select/show queries) from the query that was executed, nothing more. It is your main code that calls the query function/method that is aware of what type of query was being executed and knows what to test and to do with the returned true, false, instance of a result class. A result class would have functions/methods that allow you to actually fetch the data that a successful select/show query returns.
  16. The WHERE clause in the query you posted is invalid (you probably want to use a logical AND between the two terms) and produces a mysql syntax error. It's impossible that the query/php code you posted is returning 10 for $adminUser. Also, since $adminUser is not an array, using count() on it makes no sense.
  17. Your first require "scripts/connect.php"; statement is INSIDE a conditional if(){} statement, so no connection is made until the form is submitted. The logic for the first query is outside of and after that if(){} conditional statement and it executes every time the page is requested and the first time the page is requested there is no connection to the database. ALL your logic to process the form data should be INSIDE that if(){} conditional statement and if everything you are doing on the page requires a database connection, put ONE require "scripts/connect.php"; statement at the start of the code (you currently have it in two places.)
  18. Functions RETURN the results that they produce. The point of functions are they (optionally) accept call time parameters, produce some useful result, and then return that result at the point that they were called. You can either assign the returned result to a variable or use it as a parameter in another function call or use it as a value in a language construct.

      <?php
      a();

      function a() {
          // use the returned value as a parameter/value in another function/language construct
          echo b();
          // or assign the returned value to a variable
          $c = b();
          echo $c;
      }

      function b() {
          return "test"; // ... code that produces some useful result and returns it to the calling code
      }
      ?>
  19. So, where does login.php, the place where the error message states the output is occurring at, get used in that?
  20. And in your existing thread for this task, someone already told you to use generic names for your variables and to process/display the information inside of a loop. Somehow you are stuck on making 11 times too much code, taking probably 44 times more time to write, test, and troubleshoot. I would hate to see your interface/form code that is calling the code you have been posting. If you remember back to the Algebra you took in school, variables are used so that you can write one equation (or code) that operates on different values simply by setting the variable to each new value and getting the corresponding result from the equation (or code.) Edit: frankly, if you would continue this problem in your existing thread, someone trying to help you with the current issue could directly see the things that have already been suggested.
  21. You would use a foreach loop to iterate over an array.
  22. $getEvent_res is (likely) an array. You cannot use mysql_ functions on it because it is not a mysql result resource. What exactly does echo "<pre>"; print_r($getEvent_res); echo "</pre>"; show? And you should have error_reporting set to E_ALL and display_errors set to ON so that php will report and display all the errors it detects. You would be getting an error at the mysql_fetch_array() statement alerting you to the fact that $getEvent_res isn't a mysql result resource.
  23. Also, in case there are any php detected errors leading up to the problem, make sure that error_reporting is set to E_ALL (or even better a -1) and log_errors is set to ON and confirm that errors actually get logged by referencing a nonexistent variable in a test script to see if you get an undefined variable message in the log file.
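The check described in post 23, as an added example that is not PFMaBiSmAd's code: set error_reporting to -1 and log_errors on for the script, send the log to a known file, reference a variable that was never assigned, and read the log back to confirm the message was actually recorded. The log file path is an assumption; on a live server you would use the error_log path from php.ini and look there instead.

```php
<?php
// Added example (not PFMaBiSmAd's code): turn on full error reporting and logging for
// this script, send the log to a known file, deliberately reference an undefined
// variable, and read the log back to prove the notice was recorded. The log path is
// an assumption; on a real server use the error_log setting from php.ini.

$logFile = sys_get_temp_dir() . '/php_error_probe_' . getmypid() . '.log';

error_reporting(-1);                 // every error level, including ones added later
ini_set('display_errors', '0');      // on a live server keep errors off the page...
ini_set('log_errors', '1');          // ...and write them to the log instead
ini_set('error_log', $logFile);      // (on a development system set display_errors to 1 as well)

// Returns true only if the undefined-variable message actually reached $logFile.
function probeErrorLogging(string $logFile): bool
{
    $unused = $thisVariableWasNeverAssigned;   // must raise "Undefined variable"
    if (!is_file($logFile)) {
        return false;
    }
    $log = file_get_contents($logFile);
    return strpos($log, 'thisVariableWasNeverAssigned') !== false;
}

if (probeErrorLogging($logFile)) {
    echo "error logging works: see $logFile\n";
} else {
    echo "nothing reached $logFile: ini_set() may be overridden, or the path is not writable\n";
}
```

If the probe reports nothing, the usual causes are a php.ini or .htaccess setting that the script is not allowed to override, or a log path the web server user cannot write to; fix that before chasing the original problem, since with logging broken the errors leading up to it are being thrown away.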
  24. A mismatch in file versions/types will only cause a crash when a specific portion of the code is accessed (the crash should be repeatable.) You could also be up against a memory leak, where it takes a number of iterations/amount of data before the crash occurs. I'm not sure why you would need to change any code in order to use php5.3. There are very few incompatible changes moving up in php versions and most code will work as is. You don't need to use any 'new' syntax or features and you could ignore deprecated things until you have a chance to actually update any out of date code -
  25. You are calling the sanitiseMySQL function three times, on lines 22, 23, and 24, in your posted code. You are making the mysqli connection in $conn on line 36 in your posted code. The line where you are making the database connection in $conn is after where you are calling the function that uses the connection in $conn, therefore the error you are getting - Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, null given