PFMaBiSmAd

Staff Alumni
Everything posted by PFMaBiSmAd

  1. In Reply #14 in this thread, xyph showed you how to make an array with all the values.
  2. Before you go any further, don't duplicate code for two mutually exclusive choices. The only thing you should be doing conditionally is to form the correct query statement in the $sql variable. All the rest of the code can be greatly simplified. If you actually have a session variable $_SESSION['rolename'], all you would do is -

         if($_SESSION["rolename"] == "User"){
             $sql="SELECT ID, name, rolename FROM user WHERE rolename = 'Case Administrator' ORDER BY name";
         } else {
             $sql="SELECT ID, name, rolename FROM user ORDER BY name";
         }
         // you have the correct query in $sql at this point, just execute it and form the option list from it.
  3. FYI - the $user.rolename is probably leftover from copying code from a language that has a data structure (struct), such as C.
  4. Is there any chance that you have a $_SESSION["rolename"] or similar session variable that holds the rolename for the current logged in member so that it is not necessary to query the user table for it or is it possible to add this to your code that sets the current $_SESSION["userid"] variable when someone logs in?
  5. Who said that you must use PHP_SELF to get a form to submit to the same page?
  6. ^^^ Where in your php code are you setting the $submit variable to a value that indicates that a form was submitted and that the form processing code inside that if(){} statement should be executed?
  7. The reason a server side session is named that is because they are intended to last for the duration of ONE browser session. By default, the session id cookie has a zero lifetime setting and it does not persist once all instances of the browser have been closed. To get a session to persist when the browser is closed, you must both set the session id cookie lifetime setting to some value and you must extend the session garbage collection setting by the same amount so that the corresponding session data files won't get deleted. On a shared web host, you must also store the session data files in your own private folder so that garbage collection running due to other accounts doesn't delete your older session data files.
  8. Your php based page is not a complete web document until the php code in it has been parsed, tokenized, interpreted, and the php code outputs the dynamically produced portions of the page. If you are doing this on a localhost development system, you would browse to the page on your localhost server and copy/paste the 'view source' from your browser into the w3.org validator. If you are doing this on a publicly accessible server, you would enter the URL of the page into the w3.org validator.
  9. ^^^ You would want to remove the dots from that since you are not concatenating a variable and the current result would produce an invalid href with leading and trailing dots.
  10. Have you checked what your code, variables, and data are doing? You are the only one here who has access to your code and database on your server and you are the only one here who can troubleshoot what your code, variables, and data are doing. What value is in $count_details? If it is not 1 like you expect, why not echo/var_dump it and see what value it actually is? What is in $details_result, a FALSE because the query failed due to an error or a result resource? Is the query in $check_details what you expect and is the username/password data in your database table the same as what is in the query?
  11. Does your web host have php5.3, so that the goto statement is available? A) Using 'newly' added php features is generally not a good idea unless you have control of the final server it will be used on. B) Using goto is also generally not a good idea. You should write simple conditional logic to accomplish what you are trying to do. C) Using goto to exit while loops is also not a good idea because you should not be using a while loop to test if there are any results from a query when you expect only zero or one result. D) Using a goto statement is never a good idea. E) Even php.net has a cartoon in the goto documentation making fun of using a goto statement. F) You get the idea.
  12. The easiest way would be to put the included files into a folder that is either outside your document root folder (closer to the disk root) or if that option is not available to you, put a .htaccess file in the folder that prevents all http requests to the files in the folder.
  13. All external data that your script receives - post, get, cookie, files, and some server variables - can contain anything and cannot be trusted. The solution is to validate/filter the data so that your code only uses the data if it has an expected value. You also have a possible problem with what you are doing if your server allows URLs to be used in include statements because a hacker can supply a URL to his site on the end of your URL that will cause his php code to be included into your script and executed on your server. For what you are doing, you would validate that the supplied value is a page name that your script allows to be included and the current visitor has permission to access and only execute the include statement when the page exists and is permitted for the current visitor. The simplest way to do this is if you have (an array statement) or get (using glob, which would be easiest if the files to be included were all in a specific folder - you would also prevent all http requests to the files to be included) an array with the permitted file names -

         <?php
         // a list of the permitted include files that this index.php file may include. You could also build this array from a glob() statement executed against a specific folder holding the include files
         $includes = array('news.php','help.php','contact.php');
         $page = isset($_GET['page']) ? strtolower($_GET['page']) . '.php' : '';
         if(in_array($page,$includes)){
             include_once('./' . $page); // the leading './' prevents php from searching the include path to find and include the file
         } else {
             include_once("home.php");
         }
         ?>

      By testing for specific file names, you prevent directory traversal since anything other than the file name won't match an entry in the array. Also, the main index.php file cannot include any of the admin include files because only files accessible through the path you build (currently no path in the code) can be accessed.
  14. The Premature end of script error generally means that your script did not output anything. You either have a fatal parse error (since removing the session_start() statement changed the symptom, a parse error is unlikely), a fatal runtime error (putting the error_reporting/display_errors settings after the first <?php tag should have shown any fatal runtime errors unless your server has output buffering turned on), or code that is not outputting anything at all. For the 3rd possibility, I would start putting in echo statements to see if you can get any output and at what point in the file you can get output to occur and at what point you cannot.
  15. ^^^ If you search for that error message, you will find that it generally means that your query failed due to an error of some kind (no connection, wrong table/column names, sql syntax error,...) and returned a FALSE value instead of a result resource or that you have some code that is overwriting the result resource or you are using the wrong variable. Assuming that your query is failing, use mysql_error in some error checking and error reporting logic to get php/mysql to tell you why - $city_result = mysql_query($city_query) or die("Query failed: $city_query<br />Due to: " . mysql_error());
  16. This topic has been moved to PHP Coding Help. http://www.phpfreaks.com/forums/index.php?topic=337057.0
  17. The getimagesize returned index [2] is an integer (the IMAGETYPE_JPEG defined constant has the value 2.) Index [4] is the mime type. I would troubleshoot what value you are getting by using var_dump() on the returned value and given that you have an @ on the getimagesize statement to suppress errors, it is likely some other problem is occurring before that point. What php error, if any, do you get when you remove the @?
  18. mysql_list_tables -
  19. ^^^ No it's not. If it were working fine, it would be easy for you to query for the data that you want, and you would have been done two days ago when you first started this thread.
  20. You are not using $connSQL in your mysql_error(.......) statement and are probably not getting the actual mysql_error information from the query that was just executed using the $connSQL connection. Use mysql_error($connSQL) to ensure you are getting the last error from the correct connection that the query was executed on.
  21. When you have a list of possible values, it is usually easier (and less error prone) to use an array (or a database) to hold the list -

         <?php
         $types = array();
         $types["image/pjpeg"] = "jpg";
         $types["image/jpeg"] = "jpg";
         $types["image/gif"] = "gif";
         $types["image/png"] = "png";
         // add other types here...
         $imgtype = false;
         if(isset($types[$_FILES['userfile']['type']])){
             $imgtype = $types[$_FILES['userfile']['type']];
             // the rest of your code to process the image goes here...
         } else {
             // when validating user supplied data, supply as much information as possible about why the data is not valid
             echo "The image type: {$_FILES['userfile']['type']}, is not supported!<br />";
             echo "Only the following types are allowed: " . implode(', ',array_keys($types)) . "!";
         }
         ?>
  22. Your first if(){} statement in the code you posted doesn't permit a png type, so all the code is skipped over.
  23. Images (all media files) on a web page are fetched by the browser using a URL to that image/media. You cannot include an actual image into a web page. You must use a HTML <img> tag in the markup of the page that lists the URL where the actual image can be fetched at - http://w3schools.com/html/html_images.asp
  24. If mysql_query() returned a false, mysql_error() would tell you why. It is likely that your php code is not doing what you think it is or you are reusing variables and overwriting results. Posting the relevant php code would be the only way that someone could help you with what it is doing. If you are doing this query inside of a loop, posting all the code involved, starting with the outermost loop, would be needed.
  25. Yes, do everything in your query statement. You can perform date comparisons with mysql DATE/DATETIME data types. There are also a couple of dozen date/time functions that would let you do things like extract the year/month from a DATE value so that you could match a range of dates in a query. You can add a value to a column directly in the UPDATE query, you don't need to select the value first - UPDATE your_table SET counter = counter + 1 WHERE some_column = some_value
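
Post 13 above mentions two things its code does not show: building the permitted list with glob() and checking the current visitor's permission. The following is an added example, not the original poster's code, that does both; the function name `resolve_page`, the `$mayView` permission list and the temporary sample folder are hypothetical.

```php
<?php
// Added example, not the original poster's code. The function name, the
// per-visitor permission list and the sample directory are hypothetical.

function resolve_page(string $requested, string $dir, array $mayView, string $fallback = 'home'): string
{
    // Allowlist = the .php files that actually exist in $dir, keyed by page name.
    $allowed = [];
    foreach (glob($dir . '/*.php') ?: [] as $path) {
        $allowed[strtolower(basename($path, '.php'))] = $path;
    }

    // Exact key lookup only: a value with slashes, dots or a URL scheme is
    // never a key in $allowed, so it cannot reach include.
    $name = strtolower($requested);
    if (isset($allowed[$name]) && in_array($name, $mayView, true)) {
        return $allowed[$name];
    }
    return $allowed[$fallback] ?? '';
}

// Constructed demo: a throwaway folder with four pages, one of them not
// permitted for this visitor.
$dir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($dir);
foreach (['home', 'news', 'help', 'reports'] as $p) {
    file_put_contents("$dir/$p.php", "<?php echo '$p page';");
}
$mayView = ['home', 'news', 'help'];

foreach (['news', 'NEWS', 'reports', '../admin/users', 'http://example.test/x', ''] as $req) {
    printf("%-26s => %s\n", var_export($req, true), basename(resolve_page($req, $dir, $mayView)));
}

// In index.php the call would be:
//   $req  = is_string($_GET['page'] ?? null) ? $_GET['page'] : '';
//   $file = resolve_page($req, $pagesDir, $visitorPages);
//   if ($file !== '') { include_once $file; }
```

Every request that is not both an existing page and permitted for the visitor resolves to the fallback page, so the value from the URL is never used to build a path.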
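
The three settings post 7 above describes for a session that survives a browser restart, as an added example that is not the original poster's code. The 14-day lifetime, the directory location and the function name are assumptions, the array form of session_set_cookie_params() needs PHP 7.3 or later, and the `secure` flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not the original poster's code. Lifetime and directory
// location are assumptions; adjust both to the application.
const SESSION_LIFETIME = 14 * 24 * 60 * 60; // seconds

function start_persistent_session(string $savePath, int $lifetime = SESSION_LIFETIME): void
{
    // Private directory outside the shared default, so garbage collection
    // triggered by other accounts never touches these data files.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("Cannot create session directory: $savePath");
    }
    session_save_path($savePath);

    // Server side: data files must be kept at least as long as the cookie.
    ini_set('session.gc_maxlifetime', (string) $lifetime);

    // Client side: a non-zero lifetime lets the cookie outlive the browser.
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // assumption: HTTPS only
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();
}

// Hypothetical location one level above the document root.
start_persistent_session(dirname(__DIR__) . '/private/sessions');
```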