Posts
16,734
Days Won
9
Everything posted by PFMaBiSmAd
-
question mysql security.... is this function practical, safe enough?
PFMaBiSmAd replied to mac007's topic in PHP Coding Help
My post about multiple queries referred to jskywalker's post. -
question mysql security.... is this function practical, safe enough?
PFMaBiSmAd replied to mac007's topic in PHP Coding Help
The code you posted does protect against sql injection in STRING data (i.e. data you put between single-quotes in a query) because it uses mysql_real_escape_string() on the data. It however does not protect against sql injection in numerical data (i.e. data that is not put between single-quotes in a query.) For numerical data, you must validate that it is numerical or simply cast it as a number before you put it into a query. The reason for this is that it is possible to craft a query that does not use any quotes in it that injects a UNION query to dump all the data in your table. When this type of injection is used in STRING data, it is just treated as data. When this type of injection is used in numerical data it becomes part of the query. -
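The point made in the post above, as an added example that is not part of the original thread: the same UNION payload is harmless inside a quoted string but executes when dropped into a numeric position, and escaping does nothing about it because the payload contains no quote. The example runs against an in-memory SQLite database with a constructed items/users schema; escape_string() is a stand-in for mysql_real_escape_string() that uses SQLite's quote-doubling rather than MySQL's backslash escaping, which is an assumption made so the demo runs offline.

```python
import sqlite3

# Stand-in for mysql_real_escape_string(). SQLite escapes a quote inside a string
# literal by doubling it; MySQL uses a backslash. The effect on injection is the
# same: a quote in the input can no longer terminate the literal.
def escape_string(value: str) -> str:
    return value.replace("'", "''")


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a public 'items' table and a 'users' table the
    attacker wants to read through a UNION. Not real data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO items VALUES (1, 'hammer'), (2, 'wrench');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-admin'), (2, 'bob', 'hash-bob');
    """)
    return db


# Attacker input with no quote characters at all: escaping leaves it untouched.
UNION_PAYLOAD = "0 UNION SELECT id, pw_hash FROM users"


def lookup_by_name(db, user_input):
    # STRING context: the escaped value sits between single quotes, so whatever
    # the attacker typed is compared as data and never parsed as SQL.
    sql = "SELECT id, name FROM items WHERE name = '%s'" % escape_string(user_input)
    return db.execute(sql).fetchall()


def lookup_by_id_escaped_only(db, user_input):
    # NUMERIC context protected only by escaping: there are no quotes around the
    # value and none inside the payload, so the UNION becomes part of the query
    # and dumps the users table.
    sql = "SELECT id, name FROM items WHERE id = %s" % escape_string(user_input)
    return db.execute(sql).fetchall()


def lookup_by_id_validated(db, user_input):
    # NUMERIC context done as the post advises: cast/validate first. Anything
    # that is not an integer is rejected before it gets near the query.
    try:
        item_id = int(user_input)
    except ValueError:
        raise ValueError("id must be an integer, got %r" % user_input)
    sql = "SELECT id, name FROM items WHERE id = %d" % item_id
    return db.execute(sql).fetchall()


def lookup_by_id_bound(db, user_input):
    # The modern equivalent of the same advice: bind the value as a parameter so
    # the driver never lets it be parsed as SQL, numeric or not.
    return db.execute("SELECT id, name FROM items WHERE id = ?",
                      (int(user_input),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("string context   :", lookup_by_name(db, UNION_PAYLOAD))
    print("numeric, escaped :", lookup_by_id_escaped_only(db, UNION_PAYLOAD))
    try:
        lookup_by_id_validated(db, UNION_PAYLOAD)
    except ValueError as e:
        print("numeric, cast    : rejected ->", e)
```

Run it and the second line prints the password hashes from a table the query never mentioned; the first prints an empty list because the quoted, escaped payload matched no item name.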
question mysql security.... is this function practical, safe enough?
PFMaBiSmAd replied to mac007's topic in PHP Coding Help
mysql_query() does NOT support multiple queries. -
"if (self == top)" php equivalent or alternative?
PFMaBiSmAd replied to Rhialto's topic in PHP Coding Help
// detect direct access to included/required file
if(strtolower(basename($_SERVER["SCRIPT_NAME"])) == strtolower(basename(__FILE__))){
    exit('No Direct Access');
} -
The only way you can send to or through a mail server that has not been configured to trust the IP address of the server where your script is running at is to use SMTP Authentication. Since the php mail() function does not support SMTP Authentication, you must either use one of the classes that does or write your own code to communicate directly with the mail server and exchange the necessary smtp commands with it.
-
$action is not being set by your code, therefore it is not defined. Unfortunately, your code does appear to be dependent on register_globals being on to magically set program variables from $_POST, $_GET, $_COOKIE, $_FILES, $_SESSION, $_ENV, and $_SERVER variables. Unfortunately again, register_globals also magically allows hackers to set your $_SESSION variables, and a lot of web sites have been taken over. Your code should be setting $action from wherever it is actually coming from, probably a $_POST or $_GET variable with an index name of 'action'.
-
The code you did post has an @ in it. That would prevent ANY error_reporting/logging. You should have error_reporting set to E_ALL, log_errors set to ON, error_log set to a known (and tested) location, and NO/NONE/ZERO @'s in your code. Any chance that the test file is corrupted and cannot be read past a point? Did you upload it to the server using FTP in binary mode? Try downloading the test file using FTP and see if it is intact.
-
You would need to write the code to open a socket connection to the mail server and exchange smtp commands with it, including those necessary to use SMTP Authentication, the same as what one of those classes is doing in its code. So, instead of writing and testing a couple of dozen lines of code, why don't you just use one of the existing classes?
-
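The command exchange the two posts above refer to, as an added example that is not from the original thread or from any of the mail classes it mentions: one authenticated SMTP session (EHLO, AUTH PLAIN, MAIL FROM, RCPT TO, DATA, QUIT) driven against a constructed, scripted server so it runs offline. The server replies and the client hostname are assumptions; the AUTH PLAIN token format is RFC 4616.

```python
import base64


class ScriptedServer:
    """Constructed stand-in for the mail server: hands back replies in order and
    records every command the client sends. Replace with a real socket to use it."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def send_line(self, line):
        self.sent.append(line)

    def recv_reply(self):
        if not self.replies:
            raise RuntimeError("server closed the connection")
        return self.replies.pop(0)


def auth_plain_token(user, password):
    # RFC 4616: base64 of "\0" + authcid + "\0" + password (empty authzid).
    # This is encoding, not encryption: the password is readable on the wire.
    return base64.b64encode(f"\0{user}\0{password}".encode("utf-8")).decode("ascii")


def send_authenticated(server, user, password, mail_from, rcpt_to, message):
    """Run one SMTP session with AUTH PLAIN and return the reply codes seen.
    Raises on any unexpected reply instead of blindly sending the next command."""
    codes = []

    def expect(*ok):
        reply = server.recv_reply()
        code = int(reply[:3])
        codes.append(code)
        if code not in ok:
            raise RuntimeError(f"server said {reply!r}, expected one of {ok}")
        return reply

    expect(220)                                   # greeting
    server.send_line("EHLO client.example")      # assumed client hostname
    ehlo = expect(250)
    # Only try PLAIN if the server advertised it. A real session must be wrapped
    # in TLS (port 465) or have done STARTTLS before this line, since the token
    # below carries the password base64-encoded only.
    if "AUTH" not in ehlo or "PLAIN" not in ehlo:
        raise RuntimeError("server does not offer AUTH PLAIN")
    server.send_line("AUTH PLAIN " + auth_plain_token(user, password))
    expect(235)                                   # 535 here = bad credentials
    server.send_line(f"MAIL FROM:<{mail_from}>")
    expect(250)
    server.send_line(f"RCPT TO:<{rcpt_to}>")
    expect(250, 251)
    server.send_line("DATA")
    expect(354)
    # Dot-stuff lines that begin with '.', then end the message with a lone '.'.
    for line in message.splitlines():
        server.send_line("." + line if line.startswith(".") else line)
    server.send_line(".")
    expect(250)
    server.send_line("QUIT")
    expect(221)
    return codes


# Constructed server transcripts (not captured from a real server).
OK_REPLIES = [
    "220 mail.example ESMTP",
    "250-mail.example Hello client.example\r\n250-SIZE 10240000\r\n250 AUTH PLAIN LOGIN",
    "235 2.7.0 Authentication successful",
    "250 2.1.0 Ok",
    "250 2.1.5 Ok",
    "354 End data with <CR><LF>.<CR><LF>",
    "250 2.0.0 Ok: queued as 1234",
    "221 2.0.0 Bye",
]
BAD_AUTH_REPLIES = OK_REPLIES[:2] + ["535 5.7.8 Authentication credentials invalid"]


if __name__ == "__main__":
    srv = ScriptedServer(OK_REPLIES)
    print(send_authenticated(srv, "user", "pass", "user@example", "to@example",
                             "Subject: hi\n\n.leading dot\nbody"))
    for cmd in srv.sent:
        print("C:", cmd)
```

The expect() helper is the part the post is really asking for: each command is sent only after the previous reply code has been checked, which is exactly what the existing mail classes do and what a hand-rolled fsockopen() loop usually forgets.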
You can put literal characters into the format string. Any literal characters that happen to be valid format specifiers must be escaped.
-
Php serializes/un-serializes all session data when it is written/read to/from the session data file. You don't need to do it a second time in your class.
-
ORDER BY FIELD(status, 'online', 'busy', 'away')
-
Your line 7 error is a good indication that your code was written using a feature that was turned off by default over 8 years ago, is currently deprecated, and scheduled to be removed in the next major release of php - register_globals. What are lines 1 - 7 of that file?
-
mysqli_query() requires two parameters. There are php errors that would be notifying you of that problem. You should be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that all the php errors would be reported and displayed. You will save a ton of time with these simple coding errors.
-
$_SESSION['objTicket'] = new Ticket('$350', 'Miami'); Don't forget that your class definition needs to exist before the session_start() statement so that the object can be recreated from the session data file.
-
I've tested using your original code, short of actually making the columns in the table, and the information I have been posting is based on the errors I have gotten. Based on your latest code and symptom, it is likely that the $insertStatus->bind_param() is failing (it returns a bool true/false, in which case $insertStatus->error will tell you why it failed if it returned a false value) or everything you have shown is working, but you are no longer executing the query in your code.
-
I'm going to guess that your connection code is failing (new mysqli() returns an object even if the connection fails so that you can reference $mysqli->connect_errno and $mysqli->connect_error.) This would mean that $mysqli->prepare() itself throws a Warning: mysqli::prepare() Couldn't fetch mysqli in ... error in this case. Are you doing this on a system with error_reporting set to E_ALL and display_errors set to ON so that all the php errors will be reported and displayed? You also need to test if your connection works before blindly attempting to use it. Also, why are you using the constant() function to get the constant values? You can just use the constant name directly.
-
Passing every piece of data through the DATE_FORMAT() function in the WHERE clause is a query killer, especially since one of the main points of a DATE data type is that you can compare DATE values directly. Your comparison logic is backwards. Take your first query and put in some actual/likely values for the start/end dates that you would expect the query to match (this is how you debug/design logic: you play computer, use some pencil and paper, put in some values and work out if the logic is correct.) Given that the start_date is less than the end_date, the query would look like -
WHERE `2010-09-01` >= '2010-09-13' AND `2010-09-14` <= '2010-09-13'
How is that ever going to be true (except for the case where all the values were 2010-09-13 and both = comparisons match)? You would want -
WHERE `2010-09-01` <= '2010-09-13' AND `2010-09-14` >= '2010-09-13'
or more simply using the BETWEEN comparison (with the php variable and actual column names back in) -
WHERE '$date' BETWEEN start_date AND end_date
-
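The "play computer" check from the post above, as an added example that is not part of the original thread: the reversed, corrected and BETWEEN forms of the WHERE clause run over three constructed rows in an in-memory SQLite table, so you can see which rows each one returns. Dates are stored as ISO 8601 text and compared directly, which is the same thing MySQL does with a DATE column; the table and column names are assumptions, and the date is bound as a parameter rather than interpolated as '$date'.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample rows: an event spanning 2010-09-01..2010-09-14, one
    # that starts the day after it ends, and a one-day event on 2010-09-13
    # (the only row the reversed comparison can ever match).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events (id INTEGER PRIMARY KEY, start_date TEXT, end_date TEXT);
        INSERT INTO events VALUES
            (1, '2010-09-01', '2010-09-14'),
            (2, '2010-09-15', '2010-09-20'),
            (3, '2010-09-13', '2010-09-13');
    """)
    return db


def ids_backwards(db, date):
    # The original query's logic: start on/after the date AND end on/before it.
    # Only a row whose start and end both equal the date can satisfy this.
    return [r[0] for r in db.execute(
        "SELECT id FROM events WHERE start_date >= ? AND end_date <= ? ORDER BY id",
        (date, date))]


def ids_corrected(db, date):
    # Corrected: the date must fall inside [start_date, end_date].
    return [r[0] for r in db.execute(
        "SELECT id FROM events WHERE start_date <= ? AND end_date >= ? ORDER BY id",
        (date, date))]


def ids_between(db, date):
    # Same predicate in the BETWEEN form. No DATE_FORMAT() on the columns, so the
    # comparison stays a plain value comparison that an index can serve.
    return [r[0] for r in db.execute(
        "SELECT id FROM events WHERE ? BETWEEN start_date AND end_date ORDER BY id",
        (date,))]


if __name__ == "__main__":
    db = build_db()
    for date in ("2010-09-13", "2010-09-15", "2010-09-21"):
        print(date, "backwards:", ids_backwards(db, date),
              "corrected:", ids_corrected(db, date),
              "between:", ids_between(db, date))
```

For 2010-09-13 the reversed query returns only the one-day row 3, while the corrected and BETWEEN forms both return rows 1 and 3; for 2010-09-15 the reversed query returns nothing although the date is the first day of row 2.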
I don't see a print or an echo statement any where in your code (php only does what your code tells it to do.) You are also not using the value that is returned when you call $frobj->form_label('Username');, so that is simply being discarded.
-
Your prepare statement failed. A) You must ALWAYS check if a statement worked or not before you blindly use the result of that statement, B) If you echo $mysqli->error; it will tell you why the prepare failed.
-
What are you doing with the value that $frobj->form_label('Username'); returns?
-
Strange undefined variable and undefined index notices
PFMaBiSmAd replied to cheeseus's topic in PHP Coding Help
Then you will need to write proper code. For your first example, $list = '';. You are correct in that you don't need to define a variable before you use it, but that is not the problem. You are referencing the variable (in the dot . part of the .= assignment operator) before it has been assigned a value the first time. It does not exist yet, but the dot is referencing its current value. The solution is to set it to an empty string like you did. -
I tried the check_image.php code with the suggested change and it worked as expected. There is however another error in the UPDATE query. There are two extra dots, one before and one after the $imagename that is being stored in the table.
-
The other query in the public function save(){} is missing quotes around the EMAIL_ADDR = "%s" value. Again, you can troubleshoot what your code is doing by echoing the $query variable and echoing mysql_query() to find out what the query looks like and what errors it produces.
-
You should be debugging your code with error_reporting set to E_ALL and display_errors set to ON to get php to help you. If the php code on a page acts like it is actually being executed (not just a blank page), you can add the following two lines of code immediately after the first opening <?php tag -
ini_set("display_errors", "1");
error_reporting(E_ALL);
-
^^^ The URL in the src="..." attribute must be to where the image files are located. If that script is in your WroxPhp6.0 folder, then the above code should be - <img src="img/<?php echo $imagename; ?>" style="float:left;">