Everything posted by PFMaBiSmAd
-
No one here stated anything like that, either directly or implied.
-
Let me rephrase what I posted above - you would have a separate row for each piece of data (you could have more than one for any particular date or none for any particular date) and then simply execute a query that sums the values for any range of dates that you specify.
-
You wouldn't have a separate column for each day of a week (that's referred to as spreadsheet design and makes using a database extremely difficult.) You would use a separate row for each date and then simply execute a query that sums the values for any range of dates that you specify.
-
getting weird syntax error when INSERTing query to table
PFMaBiSmAd replied to WhiteRau's topic in PHP Coding Help
Each string data value that is put into a query must be enclosed by single-quotes in the query so that it is treated as a string instead of a sql keyword.
-
form submit redirecting unexpectedly
PFMaBiSmAd replied to HDFilmMaker2112's topic in PHP Coding Help
Surprisingly, the following link/answer is from a previous thread by the OP - http://www.phpfreaks.com/forums/index.php?topic=334223.msg1573995#msg1573995

Programming involves a huge amount of consistency and continuity. Something that worked before for a particular reason, will work the same way the next time you do it in the same situation.
-
Unsetting php variables has nothing to do with the question "How to delete session cookies?"
-
SELECT column_name FROM your_table GROUP BY column_name ORDER BY COUNT(*) DESC LIMIT 2
-
Warning: mysql_fetch_assoc() expects parameter 1 to be resource
PFMaBiSmAd replied to JohnSmithers's topic in PHP Coding Help
Here is some typical code that you can use as a guide -

<?php
$usr = "xxxxxxxxxxx";
$pwd = "xxxxxxxxxx";
$db = "samdb";
$host = "xx.xxx.xxx.xxx";

$main_content = ''; // main content to be output on the page
$errors = array(); // array to flag errors on the page and hold user error messages

if(!mysql_connect($host, $usr, $pwd)){
    // connect failed, handle the error here...
    $errors[] = "A fatal error occurred and this page is non-functional at this time!"; // user error
    trigger_error("Db connection failed: " . mysql_error()); // application error
} else {
    // connect worked
    if(!mysql_select_db($db)){
        // select db failed, handle the error here ...
        $errors[] = "A fatal error occurred and this page is non-functional at this time!"; // user error
        trigger_error("Select db failed: " . mysql_error()); // application error
    }
}

// if no errors at this point, proceed with the code that produces the database related content on the page...
if(empty($errors)){
    // GET THE CURRENTLY (last) PLAYING SONG INFO
    $query = "SELECT * FROM historylist ORDER BY date_played DESC LIMIT 1";
    if(!$result = mysql_query($query)){
        // query failed, handle the error here...
        $errors[] = "A fatal error occurred and this page is non-functional at this time!"; // user error
        trigger_error("Query failed: $query<br /> Due to: " . mysql_error()); // application error
    } else {
        // query worked
        if(!mysql_num_rows($result)){
            // no matching rows
            $main_content .= "No currently playing song info was found!\n";
        } else {
            // query matched at least one row, use the results from the query here...
            $row = mysql_fetch_assoc($result);
            $main_content .= "Currently playing title: {$row['title']}\n";
            // build the content for the page...
        }
    }
}

// produce, format, and style error content from any user error messages
if(!empty($errors)){
    $error_content = '';
    foreach($errors as $error){
        $error_content .= "$error<br />\n";
    }
}

// code on your page having nothing to do with the content from the database...
?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>Typical php produced page</title>
</head>
<body>
<?php echo (!empty($error_content)) ? $error_content : ''; ?>
<?php echo $main_content; ?>
</body>
</html>

The trigger_error function used in the above code lets you generate an application error/warning/notice/deprecated message (default is E_USER_NOTICE) through php's built in error handling. You should always have the error_reporting setting set to E_ALL or even better a -1. For development, the display_errors setting should be set to ON. This combination of error_reporting/display_errors settings will cause all php detected errors to be reported and displayed in the browser. On a live server, display_errors should be set to OFF and the log_errors setting should be set to ON. This combination of error_reporting/display_errors/log_errors settings will cause all php detected errors to be logged.
-
$_FILES['groupImage']['error'] will have a value of 4 if no file was selected. It will have a value of 0 if a file was selected and uploaded without any errors. Any other value indicates an upload error occurred. Ref: http://us.php.net/manual/en/features.file-upload.errors.php
-
If you use an empty string for the action = "" attribute, the form will submit to the same page.
-
Also, in the code you posted, then deleted, you are using mysql_real_escape_string for a numerical value being put into the LIMIT clause of a query. Attempting to escape the number won't stop any sql injection and your script is open to attack.
-
You might want to proof read the variable names involved. And while I am sure I have already suggested this, here it is again, because you have the same problem with your variable names in this thread that you had the last time I suggested this - Are you developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that php will help you by reporting and displaying all the errors it detects? You will save a TON of time. You would have gotten an undefined variable error that would have called your attention to the problem.
-
What if the php errors are due to a problem with your database? You wouldn't be able to log the errors. Php's built in error handling can log errors to a file (see the log_errors and error_log settings) and if your web site is functional at all, the file system is most likely functional to the point that php can write to the error log file.
-
When anyone logs in, either retrieve and save the account type in a $_SESSION['type'] variable and then check that variable on any particular page to make sure the visitor has the necessary privileges to access that page or to display a link or button, and redirect the visitor if they don't have the necessary privileges or don't display the link or button. OR, even better, execute a query on any particular page that checks if the account type of the current visitor is sufficient to access that page or display a link or button, and redirect the visitor if they don't have the necessary privileges or don't display the link or button. This second method allows you (the admin/owner) to change the privileges of a visitor on the fly by simply editing their account type information in your database, in case a visitor is abusing your site. If you search the Internet for php acl (access control list) you can find existing scripts that you can use.
-
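Added illustration of the second (query-on-every-page) approach from the post above; this is not code from the original post. It assumes a users table with integer id and type columns, that login stored $_SESSION['user_id'], and that a higher type number means more privileges (all assumptions), and uses PDO with a prepared statement for the lookup.

```php
<?php
// Added example, not from the original post. Assumptions: a `users` table
// with integer `id` and `type` columns, login stored $_SESSION['user_id'],
// and a higher `type` number means more privileges.
session_start();

// Re-queries the account type on every request, so an admin editing the
// `type` column in the database takes effect on the visitor's next page load.
function current_account_type(PDO $pdo): ?int
{
    if (empty($_SESSION['user_id'])) {
        return null; // not logged in
    }
    $stmt = $pdo->prepare('SELECT type FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $type = $stmt->fetchColumn();
    return $type === false ? null : (int) $type; // false = no such user any more
}

// Gate for a protected page: redirect and stop if the privilege is insufficient,
// otherwise return the type so the page can make finer decisions (links, buttons).
function require_account_type(PDO $pdo, int $required, string $redirect = '/login.php'): int
{
    $type = current_account_type($pdo);
    if ($type === null || $type < $required) {
        header('Location: ' . $redirect);
        exit; // never render the rest of the page
    }
    return $type;
}

// Usage on a protected page (placeholder DSN and credentials).
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$type = require_account_type($pdo, 1); // assumed numbering: 1 = member, 2 = admin

// The same lookup decides whether an admin-only link is shown at all.
if ($type >= 2) {
    echo '<a href="admin.php">Admin area</a>';
}
```
-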
Where in YOUR CODE are you setting the php program variables - $firstname, $lastname, $email, ... from the corresponding $_POST source variables? Your code is dependent on a php setting that was deprecated and turned off by default 9 years ago. I won't mention the name of the setting so that you won't be tempted to turn it on because it opens a huge security hole (a lot of web sites have been taken over due to it) and it is going to be removed in an upcoming php version. You must either set the php program variables ($firstname, $lastname, $email, ...) from the correct source $_POST variable or directly use the correct source $_POST variables (like you have in your query statement.)
-
Setting Cookies in Javascript, Then Clearing them in PHP
PFMaBiSmAd replied to Gafaddict's topic in Javascript Help
You must use the same parameters that were used when the cookie was created. When the parameters don't match, you are trying to clear a different cookie that probably doesn't exist. The set function is setting the path to /. In order to match that cookie, you need to set the 4th parameter in the setcookie() function call to '/'
-
echo $data->user->name;
echo $data->text;

The print_r output, if you did it using the following line of code, so that you can easily see the data, would have helped -

echo '<pre>',print_r($data,true),'</pre>';
-
Adding new input fields when buttons clicked
PFMaBiSmAd replied to Bl4ckMaj1k's topic in Javascript Help
See the second syntax mentioned in the documentation - http://us2.php.net/manual/en/control-structures.foreach.php
-
Adding new input fields when buttons clicked
PFMaBiSmAd replied to Bl4ckMaj1k's topic in Javascript Help
Use a foreach(){} loop to iterate over the dname array, getting the key and the value. Then inside the loop, use that key to access the corresponding value from the dquantity array.
-
Adding new input fields when buttons clicked
PFMaBiSmAd replied to Bl4ckMaj1k's topic in Javascript Help
There are two ways of doing what you ask -

1) Use the readonly="readonly" attribute in the name <input> field for the existing students.

2) Just display the name without it being an <input> field and use the name or corresponding id as the index in the name="quantity[name or index goes here...]". In this case you would probably want the dynamically added fields to use different name="" attributes (dname[] and dquantity[] in the following) to distinguish them from the existing 'static' field, something like -

<form method="post" action="formaction.php" >
<div id="addhere">
    <div class="names"> some existing name </div>
    <div class="quantity"> Quantity </div>
    <div class="quantity_field"> <input type="text" name="quantity[123]" value="45" /> </div>
</div>
<a href="javascript:void(0);" onClick="add_field();">Click to add another name</a><br />
<input type="submit">
</form>

<!-- Template. This whole section will be added directly to working div above -->
<div id="fieldtpl" style="display:none">
    <div class="names"> <input type="text" name="dname[]" value="" /> </div>
    <div class="quantity"> Quantity </div>
    <div class="quantity_field"> <input type="text" name="dquantity[]" /> </div>
</div>

This would submit a post array like -

Array
(
    [quantity] => Array
        (
            [123] => 23 // the index is the id, the value is the quantity
        )
    [dname] => Array
        (
            [0] => A new name
        )
    [dquantity] => Array
        (
            [0] => 82
        )
)
-
Adding new input fields when buttons clicked
PFMaBiSmAd replied to Bl4ckMaj1k's topic in Javascript Help
You would use array field names for all the fields (the ones your page generates with existing data and the dynamically added ones.) i.e. name="name[]" and name="quantity[]". I don't see why you are using a hidden field. Actual code to do this would be something like -

<script type="text/javascript">
function add_field(){
    var max = 24; // total number of fields, adjust value as needed or for an unlimited number, just remove the test from the logic
    var cont = document.getElementById('addhere'); // refer to the div
    var numfields = cont.getElementsByTagName("input").length; // get number of input fields in the div
    if(numfields < max){
        // create a div element
        var div1 = document.createElement('div');
        // Get template data
        div1.innerHTML = document.getElementById('fieldtpl').innerHTML;
        // append to div, so that template data becomes part of document
        document.getElementById('addhere').appendChild(div1);
    } else {
        alert("You have reached the maximum number of fields\n that can be added at one time!");
    }
}
</script>

<form method="post" action="formaction.php" >
<div id="addhere">
    <div class="names"> <input type="text" name="name[]" value="some existing name" /> </div>
    <div class="quantity"> Quantity </div>
    <div class="quantity_field"> <input type="text" name="quantity[]" value="some existing qty"/> </div>
</div>
<a href="javascript:void(0);" onClick="add_field();">Click to add another name</a><br />
<input type="submit">
</form>

<!-- Template. This whole section will be added directly to working div above -->
<div id="fieldtpl" style="display:none">
    <div class="names"> <input type="text" name="name[]" value="" /> </div>
    <div class="quantity"> Quantity </div>
    <div class="quantity_field"> <input type="text" name="quantity[]" value="" /> </div>
</div>

By using the template method shown, you can easily use and style any html without writing out the javascript code needed to dynamically create each element making up that html.
-
mysql_real_escape_string, as its name indicates, is only effective at escaping string data being put into a query. For numerical data, you must validate the data as being a number or more simply cast it as a number. You also need to store your passwords using a 'salt' (nonsense string pre/appended to the actual password) and hashing them (md5 or sha). Storing passwords and other data as plain text is the same thing that just allowed Sony to lose all of their customers' information.
-
Sorry to be (more) blunt (than normal), but hackers find sites to exploit using bot scripts. Once their automated bot script sends them back confirmation that a site is open to sql injection or allowing .php scripts to be uploaded and browsed to, then they spend time concentrating on ways to exploit those sites because a site open to some basic sql injection/php script uploading probably has a bunch of other security holes as well. Just from this thread, your site is open to sql injection, is storing passwords in plain text, and probably isn't (effectively) validating or securing uploaded files. As xylex suggested, attack and fix one problem at a time. P.S. mysql_real_escape_string won't prevent sql injection if the value being escaped isn't being used as a string in a query and even some older versions of php don't properly use the mysql character set setting with mysql_real_escape_string and can be bypassed under some specific conditions.
-
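Added example covering the two points made in the posts above (the LIMIT value that escaping does not protect, and salted password hashing); it is not code from the original thread, the function names are mine, and password_hash() is used here as a swapped-in replacement for the md5/sha the post mentions.

```php
<?php
// Added example, not from the original thread. Function names are mine.
// Two points from the thread: escaping a value that is used as a number in
// LIMIT does not protect it, and passwords must be salted and hashed.
// (password_hash() is used here in place of the md5/sha mentioned above.)

// mysql_real_escape_string only escapes quote-like characters. A value such
// as "10 xyz" contains none, so it would survive escaping untouched and be
// interpolated into "LIMIT 10 xyz" as raw SQL. Validate the type instead.
function is_valid_limit(string $value): bool
{
    return $value !== '' && ctype_digit($value); // only the characters 0-9
}

// The simpler alternative from the thread: cast to a number. Anything that
// is not a number collapses to an integer, which is then clamped to a range.
function limit_clause(string $value, int $max = 100): string
{
    $n = (int) $value;
    $n = max(1, min($n, $max));
    return 'LIMIT ' . $n;
}

// password_hash() generates a random salt per password and stores it inside
// the returned string, so the database needs only one column for the hash.
function hash_for_storage(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function password_matches(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Self-checks on constructed values (throws on any failure).
if (!is_valid_limit('10') || is_valid_limit('10 xyz') || is_valid_limit('')) {
    throw new RuntimeException('limit validation check failed');
}
if (limit_clause('10 xyz') !== 'LIMIT 10' || limit_clause('abc') !== 'LIMIT 1') {
    throw new RuntimeException('limit cast check failed');
}
$stored = hash_for_storage('correct horse battery');
if (!password_matches('correct horse battery', $stored) || password_matches('wrong', $stored)) {
    throw new RuntimeException('password hashing check failed');
}
echo "All checks passed\n";
```
-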
He probably (automatically) uploaded a file manager script that is letting him alter any of the files he wants. The sql injection to dump your database was probably done automatically by a bot script along with uploading file(s.) The time lag was because he didn't immediately get around to checking any sites that his bot script found that he could exploit.
-
Warning: mysql_fetch_assoc() expects parameter 1 to be resource
PFMaBiSmAd replied to JohnSmithers's topic in PHP Coding Help
For your first piece of code, the error "No database selected" indicates that your mysql_select_db() statement failed for some reason and your query both failed because there was no database selected and it also has a sql syntax error in it (there is a single quote on the end of the table name.) For your second piece of code, you are not calling your db_connect() function and don't have a valid connection at the time you are trying to execute a query and the mysql_query() statement is attempting to make a connection using default values (from the php.ini) for the user/password, which of course fails. Your second piece of code is also attempting to make a mysqli connection, but is using mysql statements. You cannot mix mysqli with mysql for one connection. You need to pick one set of code that you know the best and stick with it. If you are just randomly trying code that you have seen or found without understanding what it does or even if it goes with other code in the same program, it will take you a very long time to produce any code that works.