PFMaBiSmAd

Should get you started - http://phpmktime.com/2011/06/calling-mssql-stored-procedure-from-php-sqlsrv/

It would probably help if you pinned down some of the unknowns. What values are in the $timearray? I cannot imagine a generic value that using LIKE '$t% would uniquely identify different days of the week. Are the `refer` column/values just the domain name or does it also contain variations of the domainname/path/file? Do you need to use LIKE '%$u%' to match the values or for any one domain are they actually identical strings? In general, you would execute one query that gets the data you want in the order that you want it. For the case of getting counts for various time periods, you would use GROUP BY to consolidate the data in the groups you want. I am thinking you would GROUP BY refer, DATE(time) to get the count(*) for each day within each refer. Also in general, you would not execute a query inside of a loop.

GROUP BY goes after the WHERE clause and before the ORDER BY. The following is the select query syntax definition/prototype (the elements, when present, must be in the order shown in the definition) -

Your function is returning a string (looks like a md5 hash). You are trying to compare that string with a zero. That comparison will be TRUE (the string is converted into a number), unless the string starts with a number (that is non-zero.) Are you sure you didn't intend your function to return a true or false value instead?

You would use decimal.

What data type is your months_remain column? I'll bet it is a character type and not a numerical type? Character strings are sorted and compared, character by character, starting with the left most character. Since the 1 in the 196.xxx is less the the 2 in the 25.yyy, 196.xxx comes before 25.yyy. You need to save numbers using a numerical data type. This will allow your numbers to be treated as numbers and it will also reduce the amount of storage required and it will speed up all the operations on those values.

You can only put php settings in a .htaccess file when php is running as an Apache server module. It's highly likely that php is running as a CGI application on your hosting and the php settings in the .htaccess file are what are causing the 500 Internal server error.

The rows are being inserted by an INSERT query at some point in your code. Are you sure they are actually duplicates? Do you have a primary key or a unique index set to enforce uniqueness in your table and are you validating the data to insure duplicate rows are not being INSERTED? What does a sample of the duplicate data look like? What's your code leading up to and including the INSERT query that is creating the rows in the first place? Edit: And the sample output you just posted doesn't closely match either of the set of columns in the two queries you posted. What code or query produced that sample output you just posted? Are you sure that isn't data from the `transactions`table?

You are probably outputting something in the get_file.php file, either before the <?php tag or after the ?> tag. Make sure there are no characters in that file outside of the <?php ?> tags and make sure that file is saved as an ANSI/ASCII encoded file and not a UTF-8 encoded file.

So, is the column in that table actually named: uid? What does mysql_error() tell you as to why the query is failing?

The only likely way that is occurring is if the get_file.php code contains that HTML. The only thing that should be in the get_file.php file is the php code you posted as the third piece of code at the start of this thread. get_file.php is not a web page, it is a link that is being imbedded in a html document that when clicked and requested dynamically outputs a file to be downloaded. The only thing it should output are the header() statements, followed by the file data.

If you open the original (the files that you uploaded) .pdf and .jpg files in your programming editor, what do they contain?

Save one of the 'corrupted' download files and open it using your programming editor and see if there is anything, like a php error message, in it. Also, if your database management tool permits it, download/save the contents of your `data` column as a file and see if the actual data saved in the database table is valid or not. What are the sizes of the .pdf and .jpg files that don't work and what does a phpinfo() statement show for the output_buffering setting?

Just about every extract statement should use one of the second parameter choices that prevents overwriting of existing program variables. The default IS to overwrite existing program variables. I personally recommend using EXTR_PREFIX_ALL with a unique prefix so that you know exactly what the variable names will be as the result of any specific extract statement. If there are other extract statements in the script, its likely that a program variable that determines if someone is logged in or controls the program execution is being manipulated as the result of the extract overwriting variables.

Not sure if this is the problem, but because it is a .php file that is outputting an xml document, add the following header statement - header("Content-type: text/xml");

So, as already suggested, is the 'protected' code on the page that is after the redirect being executed or are you stopping execution on the page when the logic detects that the visitor is not logged in?

error_reporting and display_errors are two php settings. You should set them in your master php.ini so that fatal parse errors in your main files will be reported, but you can also set them in your code (won't show fatal parse errors in your main file). To set them in your code, use the following - ini_set("display_errors", "1"); error_reporting(-1);

Also, for the log in code you attached, it would take seeing the functions/class that are called by that code to determine if it is possible to bypass any of the logic. You could be allowing sql injection to match any row in your table, using the simple existence of the result resource (a true value) from a query to indicate that the query matched a row, allowing an empty == empty TRUE comparison to satisfy some condition, ...

^^^ But it's not a user doing something expected, it's a hacker doing something unexpected that your code did not take into account. ^^^ The third/final quote is from the mysql_error() output. The other two indicate that an empty string was supplied as a data value to the query, suggesting that the variables holding the table name and the data didn't exist when the query was formed. The code you attached is the log in code. Not the code that checks if the current visitor is logged in and can access any particular page.

Ummm. LOL, you are not even executing the UPDATE query that I noticed was invalid. There's actually no query in the posted code that contains where asset=, so it would be kind of hard to actually help with what is causing the syntax error in that query.

$_FILES['userfile'] should be $_FILES["file"] You should be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that all the php detected errors will be reported and displayed. You will save a TON of time. The above variable name mismatch would have resulted in an undefined variable error/message, assuming that branch of the code is being executed, you didn't actually state if you are getting the 'Problema: ' output.

Are you sure that your upload form processing code is (successfully) checking if the current visitor is logged in and (actually) prevents the form processing code from running if he is not? You won't believe how many times we see 'protected' pages that continue to run the protected code following header() redirects. About the only thing I can tell from the first log printout is that you are apparently dynamically producing the query (the table_name is missing after the FROM keyword, or you removed that when you posted that information) or that code is in an included/required file with the table_name defined in a different file that includes/requires that file and someone directly included the file containing the query and perhaps was able to bypass some of the logic. The second log printout kind of suggests the same thing, that someone directly requested an included/required file that makes a database connection but the database username/password is defined in a file that normally includes/requires that file. You would need to post relevant code if you want help determining what it is or is not doing that someone could bypass.

UPDATE queries only use the SET keyword once, followed by a comma separated list of column=value terms.

Your code (which is probably based on the w3schools example) does not check for uploaded errors first. You cannot reference the ["type"] or ["size"] information until after you have tested that the upload worked. You should also not group the ["type"] and ["size"] test together in one statement, because you won't know which one of those values caused the test to fail. You should have separate tests with unique error messages that tell the visitor what was wrong with the uploaded file (the type was not correct..., the size was too large...)

What's the definition of your `data` column? What does a phpinfo() statement show for the magic_quotes_runtime setting?