Everything posted by PFMaBiSmAd
-
If you echo the $fileType as part of your error message, you will find that different browsers/browser-versions submit different mime types for the same file and you would need to allow for the different mime types in your code.
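An added example, not part of the original reply: the upload's 'type' value is whatever the browser sent, so one way to avoid tracking browser variants is to detect the type from the file's bytes with PHP's fileinfo extension. The allow-list, the helper name detected_type_allowed() and the sample file are constructed for illustration.

```php
<?php
// Types this (hypothetical) upload form accepts, keyed by what finfo reports.
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Decide from the file's bytes, not from the browser-supplied 'type' value.
 * Returns the extension to store the file under, or null to reject it.
 */
function detected_type_allowed(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath); // false on failure
    return ($mime !== false && isset(ALLOWED_TYPES[$mime])) ? ALLOWED_TYPES[$mime] : null;
}

// Constructed sample: one small GIF on disk (a real handler would pass
// $_FILES['field']['tmp_name'] after is_uploaded_file() succeeds).
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

// The same file submitted with three different claimed types (constructed).
$claims = ['image/gif', 'application/octet-stream', 'image/pjpeg'];

foreach ($claims as $claimed) {
    $ext = detected_type_allowed($tmp); // the claim plays no part in the decision
    printf("browser said %-26s stored as: %s\n", $claimed, $ext ?? 'rejected');
}
unlink($tmp);
```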
-
Links (download or any other kind) are URLs. You cannot put the C:/wamp (which is a file system path) into a URL.
-
The 48032da.... value is a string and must be enclosed by single-quotes in the query statement.
-
Newbie with stupid question about DATETIME...I know.
PFMaBiSmAd replied to Bminor's topic in PHP Coding Help
Mysql has a DATE_FORMAT() function that you can use directly in a query to format a DATE/DATETIME data type when you retrieve it and it's at least 8 times faster than using php code to format the value.
-
Newbie with stupid question about DATETIME...I know.
PFMaBiSmAd replied to Bminor's topic in PHP Coding Help
mysql_numrows is an old deprecated alias for mysql_num_rows
-
Newbie with stupid question about DATETIME...I know.
PFMaBiSmAd replied to Bminor's topic in PHP Coding Help
If you can var_dump() the value, you can also echo the value. Are you sure you have all the variable names correct in the actual code? What does a 'view source' of the page in your browser show?
-
One of the points of putting the included/required files into a folder is that all of them (for any specific index.php page) would be put into the folder and you would have or build the path to the folder in your php code. The $_GET value would still be just the name portion of the file you want to include. Your php code would take the name and build the complete - ./some_path/name.php to specify the file to be included. To do this with a folder of files -

```php
<?php
$path = './controller/'; // path to permitted include files (leading ./ prevents php from searching the include path to find and include the file)
$includes = glob($path . '*.*'); // get a list of permitted include files
$page = isset($_GET['page']) ? strtolower($_GET['page']) . '.php' : '';
$file = $path . $page;
if(in_array($file,$includes)){
    include_once($file);
} else {
    include_once($path . "home.php"); // assuming that your home.php file is in the folder as well
}
?>
```
-
Change Field Name to Current Date in MySQL DB
PFMaBiSmAd replied to anonymoose's topic in PHP Coding Help
You would NEVER do, what you are trying to do, to a DATABASE table.
-
mysql_num_rows without a query or is there an alternative?
PFMaBiSmAd replied to perky416's topic in PHP Coding Help
The way of getting around an error like that is to write proper code that tests if the query executed without an error before attempting to access the result from the query. You should never nest function calls where an inner function call can fail with an error because you cannot use any error checking, error reporting/logging, and error recovery logic to get your application to behave in an expected manner when an error occurs.
-
The problem is on lines 42, 43 and possibly 44.
Also, AJAX would have limited effect on the problem because AJAX still makes a http request to the web server and if your server side code is not doing things efficiently, the AJAX must still wait to get the response from the server side code. What have you done to troubleshoot and isolate where the problem is actually occurring at in your application (keeping in mind that we don't have access to your code and your data on your server and so cannot duplicate the problem)?
-
Checkboxes that are not checked won't be submitted by the browser and won't exist in the $_POST array. What you need to do is get/have an array of the checkbox field names (the same way that you produced the form fields) and use a foreach loop on this array. You would then check if each expected field name isset or not and use that to give you your 0 or 1 value to be used in the query(ies.)
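The loop described above, as an added example that is not part of the original reply. The field names, the preferences table and the helper checkbox_flags() are hypothetical, and the request body is constructed; because only expected names are read, a field the form never contained is ignored.

```php
<?php
// Hypothetical checkbox names; the same array would be used to print the form.
$expected = ['newsletter', 'sms_alerts', 'share_profile'];

/**
 * Map every expected checkbox to 0 or 1. Names outside $expected are never
 * read, so extra fields added to the request have no effect.
 */
function checkbox_flags(array $expected, array $post): array
{
    $flags = [];
    foreach ($expected as $name) {
        $flags[$name] = isset($post[$name]) ? 1 : 0;
    }
    return $flags;
}

// Constructed request body: one box checked, two unchecked (so absent),
// plus a field that was never part of the form.
$post = ['newsletter' => 'on', 'is_admin' => '1'];

$flags = checkbox_flags($expected, $post);

// Column names come from $expected only; the 0/1 values are bound as
// parameters rather than written into the statement.
$set = implode(', ', array_map(fn($name) => "`$name` = ?", array_keys($flags)));
$sql = "UPDATE preferences SET $set WHERE user_id = ?";

echo $sql, PHP_EOL;
print_r($flags);
```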
-
I'm not exactly sure where you are stuck at with this fundamental task - 1) Forming a query to get the data you want using a related value you already have, 2) executing the query, 3) testing if the query worked or not, 4) testing if the query matched a row or not, or 5) fetching the data that the query returned. Sample logic that demonstrates one possible way to do this -

```php
<?php
require("./init.php");
if (!isset($_SESSION["userid"])) {
    $template->assign("loginerror", 0);
    $template->display("login.tpl");
    die();
}
$user = (int) $_SESSION["userid"];
$query = "SELECT rolename FROM user WHERE ID = $user"; // (#1)
if(!$result = mysql_query($query)){ // (#2)(#3) always check if a query worked or not before attempting to access the result of that query
    // the query produced an error of some kind
    // your error handling logic would go here...
    // log the mysql_error() and other information about the query, page, line number, and the visitor so that you can find and fix the problem...
    echo "Fatal error - Could not retrieve your rolename and this page cannot be produced!"; // output some user message
} else {
    // the query executed without error
    if(!mysql_num_rows($result)){ // (#4) make sure the userid exists or not
        // the userid did not match anything
        // your code to handle this 'unexpected', but possible condition would go here...
        // log the exact $user value and other relevant information so that you can find and fix the problem...
        echo "Fatal error - Your user id ($user) does not exist and this page cannot be produced!"; // output some user message
    } else {
        // the query matched a row, fetch the data
        list($rolename) = mysql_fetch_row($result); // (#5)
        // the remainder of your code that is dependent on having the rolename value for the current visitor
        if($rolename == 'User'){
            $sql="SELECT ID, name, rolename FROM user WHERE rolename = 'Case Administrator' ORDER BY name";
        } else {
            $sql="SELECT ID, name, rolename FROM user ORDER BY name";
        }
        $result=mysql_query($sql);
        $options="";
        while ($row=mysql_fetch_array($result)) {
            $ID=$row["ID"];
            $rolename=$row["rolename"];
            $name=$row["name"];
            $options.="<OPTION VALUE=\"$ID\">".$name."</OPTION>\n ";
        }
?>
<form name="message" action="messageck.php" method="post">
Subject: <input type="text" name="message_subject"><br>
To: <SELECT NAME=message_to>
<?php
echo" <OPTION VALUE=0>Choose</option> $options </SELECT>";
?>
the rest of your form...
<?php
        // end the logic on this page that is dependent on having the rolename for the current visitor
    }
}
?>
```
-
You have an error in your SQL syntax;
PFMaBiSmAd replied to Pieter Lategan's topic in PHP Coding Help
You don't have any white-space in your query statement, after the table name and before the WHERE keyword, which you could have seen if you had done what mikosiko suggested.
-
And the source code in the browser for when it doesn't work is???... Posting the source for something that works, doesn't really help with finding out why something doesn't work.
-
Have you examined the 'view source' of the page in your browser?
-
If you want your result to be usable by a computer as a number (stored, searched, compared, sorted, math operations), you don't want the thousands comma separator in it. You would only want - 12345.67
You would only put in the thousands separator when displaying the number.
-
There's at least a dozen different ways someone could break into a web based site/server. Without specific information about how someone accomplished it in your case or without specific code that you want someone to look at, it is kind of hard to answer in a few hundred words in a forum reply. Short-answer, if the hacking was accomplished through external data: All external data that your script receives - post, get, cookie, files, and some server variables - can contain anything and cannot be trusted. The solution is to validate/filter the data so that your code only uses the data if it has an expected value.
-
<?= is the lazy-way short open tag and is not enabled on all servers, resulting in code that is not portable between servers. It is really a time-wasting shame that anyone posting code, tutorials,..., that they expect others to use, would waste people's time by using a feature of a language that can be turned off, when there is a way of writing code that would work on all server configurations. <?= needs to be replaced by <?php echo (you need a space after the echo.) <? (by itself, no = ) needs to be replaced by <?php
-
Cant figure why this wont insert to my database
PFMaBiSmAd replied to cjohnson9's topic in PHP Coding Help
@dolrichfortich, sorry to pick, but posting 'fixed' code without a statement of what was wrong with the original code doesn't teach anyone anything. The code may work, but nothing was learned and the OP will have exactly the same problem the next time he tries to do the same thing.
-
Cant figure why this wont insert to my database
PFMaBiSmAd replied to cjohnson9's topic in PHP Coding Help
Your code might appear to work, but it is not. See my post above concerning the missing mysql_query() statement for the SELECT query.
-
Cant figure why this wont insert to my database
PFMaBiSmAd replied to cjohnson9's topic in PHP Coding Help
Your current problem is most likely because you have a SELECT query that is not even being executed with a mysql_query() statement. There is no result available from that SELECT query until you actually execute it.

Related to the above problem, when checking values, queries, validating information... in a program that a user is interacting with, almost every if(){} conditional statement needs an else{} clause so that you output some kind of message when the expected condition is not met. Your code is (trying) to test the $count from the SELECT query. When the count has an expected value, you should do something and when count doesn't have an expected value, you should inform the user they attempted to do something that was not permitted. If you already had an else{} clause in your code for the $count conditional statement, your program would have called your attention to the problem of not executing the SELECT query because you would have been getting a message indicating that the $count value was not what you expected.

You should also be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that php will report and display all the errors it detects. You would have been getting php error messages concerning the mysql_num_rows() statement after the SELECT query that would have called your attention to the problem with it.
-
Cant figure why this wont insert to my database
PFMaBiSmAd replied to cjohnson9's topic in PHP Coding Help
LOL, in case anyone actually reads what I posted above - commas around the column names should have been quotes around the column names.
-
Cant figure why this wont insert to my database
PFMaBiSmAd replied to cjohnson9's topic in PHP Coding Help
That section of code is being skipped over due to your conditional statements (the previous error checking logic you had on the mysql_query() statement would have been giving errors due to the commas around the column names if the code was being executed.) Since there is no session_start() statement, none of your $_SESSION variables exist and any conditional logic testing those variables will be FALSE and will be skipped over.
-
(int) converts the string in $_SESSION["rolename"] to an integer 0 (assuming that the string is not a number) and causes the == comparison to be performed using numbers, which also converts the string 'User' to an integer 0. Since 0 == 0, the comparison is always TRUE. Why do you have (int) in there? You are also still duplicating code. You have two $result=mysql_query($sql); statements. Why not just save the typing and put one of them after the end of the conditional statement?
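An added example, not part of the original reply, putting the cast-and-compare role check beside a strict one. The always-TRUE result is how PHP before 8.0 compares an integer with a non-numeric string; from PHP 8.0 the same comparison is FALSE, so the loose check rejects every role instead. The function names and sample values are constructed; the two role names are the ones that appear on this page.

```php
<?php
// Role names that appear in the queries on this page.
const KNOWN_ROLES = ['User', 'Case Administrator'];

/** The check as described in the reply: cast to int, then loose ==. */
function is_user_loose($rolename): bool
{
    // (int) 'Case Administrator' is 0, so this compares 0 with 'User'.
    return (int) $rolename == 'User';
}

/** Strict check: no cast, known role only, identical string required. */
function is_role(string $wanted, $rolename): bool
{
    return is_string($rolename)
        && in_array($rolename, KNOWN_ROLES, true)
        && $rolename === $wanted;
}

// Constructed session values: two real roles, one unknown string, one null.
$samples = ['User', 'Case Administrator', 'anything else', null];

printf("PHP %s\n", PHP_VERSION);
foreach ($samples as $rolename) {
    printf(
        "%-22s loose: %-5s strict: %s\n",
        var_export($rolename, true),
        var_export(is_user_loose($rolename), true),
        var_export(is_role('User', $rolename), true)
    );
}
```

Running it on the PHP version the application is deployed on shows which of the two failure modes the loose check has there; the strict column is the same on both.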