PFMaBiSmAd

^^^ That would produce a fixed/static value for each visitor. Once someone gets a hold of that value they can continue to use it to impersonate the visitor forever. You need to use something like - uniqid, which is essentially what a session id is, so that you can regularly regenerate the value so that if someone does get a hold of the value, they can only use it for a limited amount of time to impersonate the visitor and if you detect that someone other than the actual visitor is using it, you can easily disable the current value and assign a new value when the actual visitor logs in again.

You are overwriting $connection by assigning it the true/false that mysql_select_db() returns. Only mysql_connect() returns a connection link.

A) You need to put the SID constant into those links as well (did you do a 'view source' of the page to see what you were getting?) B) You need to turn off session.use_only_cookies as well. C) Your session_name is apparently too long (at least on my system.) D) Why aren't you using a cookie for the session id?

You need an exit; statement after the header() redirect to prevent the remainder of the code on the page from being processed. All any one would need to do is ignore the redirect and he has access to the 'protected' page.

You're using the same variable on both sides of the assignment operator, thereby overwritting the array with the first element of the array on the first iteration through the loop. On the second iteration through the loop, $landSellCheck contains the string 'landSellConfirm7' and $landSellCheck[$i] references the second letter of that, which is the 'a', and assigns that to $landSellCheck. On the third iteration through the loop, $landSellCheck contains the string 'a' and $landSellCheck[$i] references a the third letter of that, which does not exist, and you get nothing (if you were doing this on a system with error_reporting set to E_ALL and display_errors set to ON you would be getting an invalid index error.)

You are overwriting your array with the first element in the array - $landSellCheck = $landSellCheck[$i]

Or if you sometimes use arrays and don't want to remove \ that are intentionally part of the data - function escape_deep($value){ if(is_array($value)){ $value = array_map('escape_deep', $value); } else { if(get_magic_quotes_gpc()){ $value = stripslashes($value); } else { $value = mysql_real_escape_string($value); } } return $value; } $_POST = array_map('escape_deep', $_POST); // escape all the post data at once

You are not using the 4th and 5th parameter of setcookie(), so the $_COOKIE will only match the exact path and subdomain (www. vs no www. on the URL) where it was set. Also, referencing the $_COOKIE variable immediately after a setcookie() statement won't return the value until after the page has been reloaded because it is the http request from the browser that causes the $_COOKIE variables to be set. And, I hope that $dbid is not just the auto-increment id from your table, because anyone can just set the cookie with any value they want and they could go through a series of numbers and eventually find YOUR id and log in to your site as YOU.

Your database connection code is not working and since you don't have a valid database connection when the mysql_query() is being executed, it is attempting to create a connection using default values. You would need to troubleshoot why your connection code is either not being executed or is failing to create a connection. You would need to post your code if you want help with what it is or is not doing.

Any identifier (database, table, column name) that contains special characters must be enclosed in back-ticks `` in a query.

In your form processing code you would read, modify, write the actual page that is being edited. I recommend that you make a .bak backup copy of the original page before your perform the modify/write step (or even save x back up copies .bk1, .bk2, ...) so that if anything goes wrong you can recover a previous version.)

Your query needs to have () around the OR'ed terms to make an expression that is then AND'ed with the rest of the logical conditions (and AND and && are equivalent in mysql) - "select * from property_names where (TownHouse = '$_GET[TownHouse]' OR Apartment = '$_GET[Apartment]' OR Detached = '$_GET[Detached]' OR SemiDetached = '$_GET[semiDetached]') && visible= 'Yes' && bedrooms = '$_GET[bedrooms]' && bedrooms = '$_GET[bedrooms]'"

The DATE data type (uses a YYYY-MM-DD format) exists so that you can store dates and compare dates efficiently (it uses the least amount of storage and that format allows dates to be compared/sorted.) Your first step will be to use a DATE data type to store your dates. You can easily format your existing date into a YYYY-MM-DD format either in php or directly in your query using the mysql STR_TO_DATE() function and your can format a YYYY-MM-DD value back to your existing date format directly in a query using the mysql DATE_FORMAT() function. Once you have your date stored using a DATE data type, you can use the couple dozen date/time functions directly in your query to accomplish what you are trying to do.

Your path clearly is not correct. Your full path is (gotten from the part of the error message where your page is at) - /var/www/vhosts/numyspace.co.uk/web_users/home/~unn_s003539/public_html/Sold/vidupload.php You are tying to use the following destination - /home/~unn_s003539/public_html/Sold/uploadsPC45 close up .jpg You are missing /var/www/vhosts/numyspace.co.uk/web_users from the front of the absolute file system path you are trying to make OR you would need to remove all of that and make it a relative path from where your vidupload.php is located.

Your form method='post'. Why are you using $_GET variables?

If you read the documentation for mysql_fetch_array, you will learn that the second parameter is the result_type -

It sounds like you guests column is defined as key in the table? You can use mysql_error() to tell you why the query is failing.

&#39 is the html entity of a html entity, so of course you were not getting the results you expected. You should store the actual data in the database (escaping it only.) You should use htmlentities (with ENT_QUOTES as the 2nd parameter) only when you output data on a web page.

I recommend that you echo $query so that you can see what is wrong with it.

If some of your data in the file does not contain the expected number of fields, your code needs to deal with that, by either ignoring the whole line or filling the missing values with a known value when it builds the query. If you have data that contains new-lines, as long as that piece of data is enclosed in double-quotes, the new-line will be treated as data and not the end of the line. Computers only do what their code tells them to do. No matter what code you use, it must handle the data or you must fix the data so that it always matches what the code expects.

if count($data) is not equal to the expected value, you should display the file name/line number and data you did get from the file for that line. You either have a row in a file that doesn't have the expected number of csv data OR you have a new-line as part of the data and the fgetcsv function has stopped reading the line at that point. You might also have data that contains comma's that is not enclosed inside of double-quotes in the data.

It would probably help if you posted enough of your code that shows the form and the form processing code through to where the INSERT query is being executed, everything that someone would need to reproduce the symptom. What you state you are getting for results don't match the few lines of code you have posted.

Before you attempt to process the data, make sure that you are even reading the data. The following is the fgetcsv example from the php.net documentation, wrapped in a foreach() loop that gets all the matching file names out of the folder of your choice - <?php $files = glob("myfilepath/US_*.csv"); foreach($files as $file){ echo "File: $file<br />\n"; $row = 1; if (($handle = fopen($file, "r")) !== FALSE) { while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) { $num = count($data); echo "<p> $num fields in line $row: <br /></p>\n"; $row++; for ($c=0; $c < $num; $c++) { echo $data[$c] . "<br />\n"; } // form and execute the query here... //$sql="INSERT INTO tableName (name1, name2, name3, name4... this goes all the way to name46) VALUES ('".$data[0]."', '".$data[1]."', '".$data[2]."', '".$data[3]."' ...this goes all the way to name46)"; //$sqlData = mysql_query($sql); } fclose($handle); } // end fopen() } // end foreach() ?>

range is a reserved mysql keyword. You either need to rename your column to something else or enclose it in back-ticks `` every time you use it in a query.

You are likely reading past the end of the file with your while ($i<10000) logic or you have lines that don't contain the expected number of csv data. The php.net page for fgetcsv contains an example of how you would read until the end of the file is reached and someone already suggested using count($data) to find out how many pieces of data was actually read from each line.