PFMaBiSmAd

Staff Alumni
  • Posts: 16,734
  • Joined
  • Last visited
  • Days Won: 9

Everything posted by PFMaBiSmAd

  1. A header() redirect tells a browser (or a script that has been told to follow redirects) to request the URL that is in the header statement. Without an exit; statement to stop the php script, the rest of the html/php code on the 'protected' page is still processed and output by the web server. Most hackers use scripts to access your web pages. They have to specifically configure such a script to follow any header() redirect. If you don't and ignore the redirect and there is no exit; statement, the result is the same as if a logged in user accessed the 'protected' page.
  2. You need an exit; statement after your header() redirect. All anyone needs to do is ignore the redirect and they can still access the remainder of the content on the 'protected' page.
  3. Does the host where you are running your php script provide a mail server and not require SMTP Authentication? That would be the only way you could use the mail() function.
  4. The mail server settings - http://mail.google.com/support/bin/answer.py?hl=en&answer=13287 Since SMTP Authentication is needed (which the php mail() function does not support), you will need to use one of the php mailer classes - http://phpmailer.worxware.com/ or http://swiftmailer.org/
  5. But, you could always browse to the file yourself for testing purposes to get it to the point where your email (or it would probably be better to use error_log() to write information to a file) actually works. Temporarily set values in the code for $merchantEmailAddress, $mySecurityCode, $transactionStatus, and $testModeStatus to get the code to take the execution path you want. Have you successfully even sent an email to yourself from the server using the values you are putting into the mail() function?
  6. Read the sticky post (especially reply #2) at this link - http://www.phpfreaks.com/forums/index.php/topic,37442.0.html
  7. Provided you have a column named id and you are actually being logged in (the 'You're now Logged In' is being echoed) so you know that the code setting the session variables is being executed, your existing code - .... $id = $row['id']; .... $_SESSION['id']=$id; .... should be setting $_SESSION['id'] with the id from the user's row in your table when the user logs in. How do you know it is not? What is your code that is trying to use that information and what exact symptoms are you getting that tells you there is no value?
  8. I've got a more basic question for you. Why did you add && id='".$id."' to the query in your login code that is checking if the entered username is in your database table? Computers only do exactly what their code and data tells them to do. If you cannot state why and where you are going to do something, you cannot write any code to accomplish it.
  9. If the posted code is your 'login' code, where are you setting $id to a value before you put it into the query?
  10. The $host name you use to connect to the database server is not your web address. According to the x10hosting.com KB article, you should be using 'localhost' - http://kb.x10hosting.com/questions.php?questionid=15
  11. Have you completely deleted the pg_escape_string from the source and retyped it in case you have some non-printing characters as part of the name in the source?
  12. For debugging purposes, add the following three lines of code starting on the line immediately after your <?php tag in both files -
      ini_set("display_startup_errors", "1");
      ini_set("display_errors", "1");
      error_reporting(E_ALL);
      You should actually have the error_reporting/display_errors settings already set to those values on your development system so that php will help you when developing and debugging php code.
  13. There's no way anyone can help you with what your code is doing or not doing without seeing your actual relevant code and any errors you are getting.
  14. The INSERT query you have been posting (both times in this thread) contains a php syntax error and your code is not even being executed. Are you developing and debugging php code on a development system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that php will help you by reporting and displaying all the errors it detects? You will save a TON of time.
  15. How do you know that? Your querySqlServer() function code is setting a variable named $resultSet, but it is testing a variable named $result.
  16. DROP FROM does not exist as a command and produces an sql error. You do need to use an UPDATE query. You need to debug why the update query you tried did not work.
  17. Because your development system is not set up properly so that the code you write will work on the most common system configurations. Turn output_buffering OFF in your master php.ini (stop and start your web server to get any change made to the master php.ini to take effect.) Make sure that you get the same error as on your live server in case the php.ini that you are changing is not the one that php is using. As to why the output is occurring on line 3 of your file, you likely have 3 blank lines before the <?php tag and they need to be removed from the file because you cannot output any characters to the browser before you send a header to the browser.
  18. http://us2.php.net/magic_quotes If the data contains escape characters \, either it was escaped an extra time (once by php due to magic_quotes_gpc and once by your code) when it was put into the database or it is being escaped (by php due to magic_quotes_runtime) when it is being retrieved from the database. If the escaping is done correctly (i.e. only your code is escaping the data once before it is put into the query), the escape characters \ are NOT present in the database. If the escape characters \ are present in the database, then magic_quotes_gpc is causing the problem. If the escape characters \ are NOT present in the database, then magic_quotes_runtime is causing the problem.
  19. ORDER BY the_column will cause rows having the same value in the column to be together in the result set. You then detect when the value changes (a new 'group' starts) in your presentation code that is processing and outputting the data.
  20. http://dev.mysql.com/doc/refman/5.1/en/example-maximum-column-group-row.html
  21. Any chance of doing this - Do the values match what you are putting into session_set_cookie_params()? You are the only one here who can investigate what is happening on your server.
  22. When you examine the session id cookie in your browser while at each URL, what do you get? If you start a session at the http://hello.example.net/site/hello address and stay at that address, does the session work?
  23. Any chance you are switching between http and https as well? Are these subdomains actually hosted on the same server as the main domain? Post the full URLs (i.e. http://subdomain.domain.com/path/file.php) that you are using that don't work when you switch between them (xxxxx out the actual subdomain and domain if you don't want to post them, but show everything else as it actually is.)
  24. Using cookies would likely have the same problem because by default the session id is propagated between pages using a cookie. You need to troubleshoot why your code is not working. Is your header() redirect changing the hostname/subdomain (i.e. changing to/from www. and no-www.) on the URL or going to a different path on the end of the URL from where the session was started?
  25. The only information the server receives that ties any http request to any other http request is what the browser supplies. You can directly pass information between http requests by using cookies, post data (assuming you have a form), or as get data (as part of the URL.) You can indirectly pass information between requests using sessions or by passing some other unique id as part of the http request that is then tied to data you have stored somewhere on the server that is associated with that unique id.
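
Added example, not part of the original posts: a check for the missing exit; after a header() redirect described in posts 1 and 2 above. The two pages, the /login.php target and the body_for_anonymous_client() helper are constructed for illustration; each page is run under the php CLI, where its stdout is the body a client that ignores the Location header would receive.

```php
<?php
// Added example (not from the original posts). Run with: php demo.php
// Both pages below are constructed; /login.php is a placeholder target.

// 'Protected' page that redirects but keeps executing.
$guardNoExit = <<<'PHP'
<?php
session_start();
if (empty($_SESSION['id'])) {
    header('Location: /login.php');   // redirect only; the script continues
}
echo "SECRET: member-only content\n";
PHP;

// Same page with exit; directly after the redirect.
$guardWithExit = <<<'PHP'
<?php
session_start();
if (empty($_SESSION['id'])) {
    header('Location: /login.php');
    exit;                              // nothing below is processed or output
}
echo "SECRET: member-only content\n";
PHP;

// Hypothetical helper: run a page with no session and return the body it emits.
function body_for_anonymous_client(string $pageSource): string
{
    $file = tempnam(sys_get_temp_dir(), 'page');
    file_put_contents($file, $pageSource);
    // Send PHP warnings to stderr so only the page's own output is captured.
    $cmd  = escapeshellarg(PHP_BINARY) . ' -d display_errors=stderr ' . escapeshellarg($file);
    $body = (string) shell_exec($cmd);
    unlink($file);
    return $body;
}

foreach (['no exit' => $guardNoExit, 'with exit' => $guardWithExit] as $label => $src) {
    $body = body_for_anonymous_client($src);
    printf("%-9s -> %s\n", $label, $body === '' ? 'empty body' : 'LEAKED: ' . trim($body));
}
```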