Everything posted by PFMaBiSmAd
-
DISTINCT is not a function. DISTINCT() just means that you have put a couple of extra () in your query.
-
I don't see a session_start() anywhere in the posted code, so it will be a little hard for $_SESSION variables to actually be session variables. Without a functioning session_start(), you can set variables named $_SESSION and echo them on the page because they are just regular array variables.
-
BETWEEN is inclusive. Is there some reason you have the time included as part of the start/end values? Assuming the $date value is just a date -

SELECT * FROM Events WHERE '$date' BETWEEN date(start) AND date(end)

^^^ If that doesn't work, I recommend that you post a sample of your data, a $date value, and what the expected results should be.
-
$query= "UPDATE music SET picked= 0";
$selectresult = mysql_query($query) or die ("Problem with the query: $query<br>" . mysql_error());

If this is a one time thing, simply execute that query in your favorite database management program -

UPDATE music SET picked= 0;
-
PHP Count - instances of a certain result - game scores
PFMaBiSmAd replied to lakeshoretech's topic in PHP Coding Help
SELECT
    SUM(IF(score > `score opp`, 1,0)) as win,
    SUM(IF(score < `score opp`, 1,0)) as loss,
    SUM(IF(score = `score opp`, 1,0)) as tie
FROM scores
WHERE your_where_condition_here_to_match_the_correct_team...
-
What error? That appears to be a print_r() of the $_FILES array of a successfully uploaded file.
-
You are already executing that query once in the code. There's no point in executing it a second time on the same page.
-
You should not be developing, debugging, and experimenting on a live host and also not on a site that you have asked others to review.
-
Line three of the code you posted is closing the mysql connection, so what do you expect when you try to use that connection to execute a query?
-
All external data, $_GET, $_POST, $_COOKIE, $_FILES, and some $_SERVER variables, can contain ANYTHING and must be validated. By using a SWITCH/CASE statement, you are validating that the value is only one of the choices you have listed in the CASE statements. IF you were putting the value into a string to form a file name/file path to use in the include statement and the value has not been validated, someone can cause your code to include any file on your server and if the php.ini settings that permit URL's to be used in the include statement are ON, remote code can be included and executed on your server. Since the code you posted is NOT doing this, that code is safe and will only include the file that you have listed in the code.
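
An added example (not part of the original post) of the distinction the reply draws: the request value is used only as a key into a fixed list of files, with the unvalidated path construction shown as a comment for contrast. The page names, the `pages/` directory and the `resolve_page()` helper are hypothetical.

```php
<?php
// Hypothetical allow-list: request value => file shipped with the application.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

/**
 * Return the file to include for a requested page name.
 * The request value is only ever used as an array key, never as part of a path,
 * which is the same guarantee the SWITCH/CASE form gives.
 */
function resolve_page($requested, $baseDir)
{
    // Reject non-strings (e.g. ?page[]=x) and anything that is not a known key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return $baseDir . '/' . PAGES['home'];   // fixed, safe default
    }
    return $baseDir . '/' . PAGES[$requested];
}

// Pattern the reply warns about (do not use): the value itself becomes the path.
//   include $baseDir . '/' . $_GET['page'] . '.php';

// Constructed sample inputs, standing in for $_GET['page'].
$samples = ['contact', 'nonexistent', '../config', ['x']];
foreach ($samples as $sample) {
    echo json_encode($sample, JSON_UNESCAPED_SLASHES), ' => ',
         resolve_page($sample, __DIR__ . '/pages'), PHP_EOL;
}
```

Only `contact` resolves to its own file; every other sample falls back to the fixed default, so the caller can pass the result straight to `include`.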
-
The 'at line 1' part of the sql error message refers to line 1 of the query (queries can be formed with multiple lines of sql.) The part of the query that is called out in - the right syntax to use near 'select is where the error is occurring at. Select is a reserved mysql keyword, as in SELECT * FROM your_table.... Either rename your column to something else or you must enclose it in back-ticks `` every time you use it in a query.
-
You are creating a mysqli connection but using mysql_ functions. You cannot mix mysqli_ and mysql_ functions on the same connection.
-
Account $_SESSION's lost when idle - only some sessions
PFMaBiSmAd replied to ejarnutowski's topic in PHP Coding Help
Some of the possibilities -

1) Your 'log out' code is being executed somehow (a header() redirect that does not have an exit; statement after it...)
2) A logic error in your code that is clearing the session variables (such as if($var = '') instead of if($var == '').)
3) You have multiple different sessions for any one visitor due to the subdomain and/or path changing in the URLs being browsed to and the session cookie settings are not set up to match all variations of your domain/path.
4) Register_globals is on and is causing some of your session variables to be overwritten, either from $_GET parameters on the end of the URL or $_COOKIEs that match certain pages on your site.
5) 3-4 more things that did not occur to me while writing this...

Your post does not really contain enough information to narrow down the list. #1 and #2 would require seeing your code (including the log out code and how it relates to other code on your page.) #3 would require knowing the exact URL's being browsed to, the session.cookie settings, and if your code would allow more than one session to be created. #4 would require knowing the register_globals setting and what you are putting onto the end of the url and if any cookies are being used as well.
-
basic function problem - connect to mysql
PFMaBiSmAd replied to russthebarber's topic in PHP Coding Help
Functions, by definition, have their own isolated variable scope so that you can write whatever code you need in them to perform the desired function without any interference with the programs you use those functions in. The variables $hostname, $username, and $password don't exist inside your function unless you pass them in as parameters when you call the function or you define them inside the function.
-
http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_find-in-set

However, if you really want your queries to work well, don't store the data as a comma separated list in the first place. Store each value as a separate row associated with who the data belongs to.
-
2 ?s-php object permanance & Forged credentials possible?
PFMaBiSmAd replied to jcanker's topic in Javascript Help
AJAX has nothing directly to do with HOW you implement any security. AJAX only ADDS the ability to a page that has been rendered in a browser to make asynchronous HTTP requests to the web server to retrieve and update information on the page without requesting the whole page again.

From a security standpoint, the only thing you do client-side is to identify the visitor (who he is.) All determination of his logged in state, what his group membership is, and what permissions he has is totally done server-side. You must identify the visitor using a unique and hard to guess and hard to reproduce identifier, such as a session id or a similar value stored in a regular cookie.

Item #1) Yes if you have some group id anywhere in the browser, it can be altered (no one even needs the code on your pages to send an HTTP request to your web server with any post/get values in it that they want.)

Item #2) Web servers are stateless. All data used on any page request is destroyed when the processing on that page ends. To cause any data to persist between requests for any one visitor would require that you store the data in a session variable.
-
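
An added example (not part of the original post) of the rule in the reply above: the session carries only the visitor's identity, and group membership and permissions are looked up server-side. The `USER_GROUPS` table, the `group_id` field and both helper functions are hypothetical; in a real page `$session` would be `$_SESSION` after `session_start()` and `$request` would be `$_POST`.

```php
<?php
// Constructed stand-in for a users table: user id => group membership.
const USER_GROUPS = [17 => 'member', 42 => 'admin'];

/**
 * Group of the logged-in visitor, looked up server-side from the identity
 * held in the session. Returns null when nobody is logged in.
 */
function current_group(array $session)
{
    $userId = isset($session['user_id']) ? $session['user_id'] : null;
    if (!is_int($userId) || !array_key_exists($userId, USER_GROUPS)) {
        return null;
    }
    return USER_GROUPS[$userId];
}

/**
 * Permission check for a hypothetical "delete post" action.
 * Any group or role field in $request is deliberately ignored, because the
 * browser can send whatever value it likes.
 */
function may_delete_post(array $session, array $request)
{
    return current_group($session) === 'admin';
}

// Constructed requests: [session contents, POST fields].
$cases = [
    'member sending group_id=admin' => [['user_id' => 17], ['group_id' => 'admin', 'post' => 5]],
    'admin, no group field sent'    => [['user_id' => 42], ['post' => 5]],
    'no session at all'             => [[], ['group_id' => 'admin', 'post' => 5]],
];
foreach ($cases as $label => $case) {
    list($session, $request) = $case;
    echo $label, ': ', may_delete_post($session, $request) ? 'allowed' : 'denied', PHP_EOL;
}
```

Only the second case is allowed: the decision follows the session's user id, whatever the request body claims.
-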
And since you would want(need) to check in an actual application what the result of one query is before executing a follow-on query, you would not want to string multiple queries together in an application, like you can in a direct interactive session to a database.
-
Simple, mysql_query() does not support multiple queries - Because too many php programmers don't properly validate external data that their scripts receive and put into query strings.
-
Searchstring missing out a row on each set of records
PFMaBiSmAd replied to MargateSteve's topic in MySQL Help
^^^ Why do you have that line of code in your code, between where you execute your query and where you actually loop over the results set?
-
^^^ The $x = $size element does not exist. Only the index values $x<$size exist.
-
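function escape_deep($value){
    if(is_array($value)){
        // Recurse into nested arrays (e.g. form fields named field[])
        $value = array_map('escape_deep', $value);
    } else {
        if(get_magic_quotes_gpc()){
            // Undo the slashes that magic_quotes_gpc already added
            $value = stripslashes($value);
        }
        // Always escape, whether or not magic quotes were on.
        // Needs an open mysql_ connection (mysql_ extension, PHP before 7).
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$_GET = array_map('escape_deep', $_GET);
$_POST = array_map('escape_deep', $_POST);
$_COOKIE = array_map('escape_deep', $_COOKIE);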
-
A better solution would be to write your own recursive function to use in array_map(). Your function would test if what it was passed is an array. If so, it calls array_map() again, else it returns the result of using mysql_real_escape_string on the value.
-
This has nothing to do with your problem, but I recommend using an array to map values to be converted so that you can simply modify the data instead of editing conditional logic every time you change any of the mapping -

function blLevelName($value){
    $lookup = array();
    $lookup[0] = BL_LEVEL_NAME_0;
    $lookup[1] = BL_LEVEL_NAME_1;
    $lookup[2] = BL_LEVEL_NAME_2;
    $lookup[3] = BL_LEVEL_NAME_3;
    $lookup[4] = BL_LEVEL_NAME_4;
    if(isset($lookup[$value])){
        return $lookup[$value];
    } else {
        return "Unknown: ".$value;
    }
}
-
I recommend that you form your query in a variable, echo the query after it has been formed, put in the actual values for the parameters, and copy/paste the query into your favorite database management tool, such as phpmyadmin, and execute the query directly against your database to see if it returns the expected results. I assume for the date range you are using, that you actually have data with that value that should be returned? What does show up in the 'view source' of the mail where your missing values should be?
-
^^^ You have a function that changes the $level value into a name. You probably have a logic error in that function that is causing the symptom.