PFMaBiSmAd
Staff Alumni
Posts: 16,734
Days Won: 9

Everything posted by PFMaBiSmAd

  1. Read the error - There is no mysql link resource (connection) in the $link variable at the time the query was executed. Either your code is not attempting to make a connection to the database server at all or it did not set the $link variable or the code that is attempting to make the connection failed. What is in the include("include/session.php"); file?
  2. You need an exit; statement after your header() redirect to prevent the remainder of the code on the page from being executed/accessed. All a hacker needs to do is ignore the header and he can access the page the same as if that code was not present. As to your original problem in the first post in this thread, you were probably getting a header() error (output sent before the header statement) and without the exit; statement the code on the page was executed the same as if the header statement was not even there. Are you developing and debugging this code on a system with error_reporting set to E_ALL and display_errors set to ON so that you would know if you were or were not getting any header errors? Edit: The $$_SESSION['sessid'] == ' ' part of your logic expression makes no sense and is probably always FALSE.
  3. You will want to start by looking at using array(s) in your form - http://www.php.net/manual/en/faq.html.php#faq.html.arrays You can then simply use php array functions, such as a foreach(){} loop to iterate over the data.
  4. Basically, yes. You will want to either cast the value as an integer or validate that it only contains an integer in order to prevent sql injection (i.e. all external data cannot be trusted.) You will also want to check if it is set or not (what does your current code do when the page is requested without an ?id=value on the end of the URL) so that you don't execute any of the code without having an id value.
  5. The ?id=value on the end of the URL will be available in the php code as $_GET['id']
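For posts 4 and 5 above, an added example that is not part of PFMaBiSmAd's replies: the ?id=value from the URL validated with filter_var() before it is used, then passed to the query as a bound parameter. The products table, the read_id() and fetch_product() names, the constructed sample inputs and the in-memory SQLite database (pdo_sqlite) are assumptions for the demonstration; the original thread's schema is not shown. $_GET is handed in as an array so the check can be exercised from the command line.

```php
<?php
// Added example (not from the original posts): validate the ?id=value
// from the URL before it reaches a query. $_GET is passed in as an
// array so the function can be exercised from the command line.
declare(strict_types=1);

/**
 * Return the id as an int, or null when it is missing or not a
 * positive integer. Strings such as "5 OR 1=1" or "5.0" are rejected.
 */
function read_id(array $get): ?int
{
    if (!isset($get['id'])) {            // page requested without ?id=
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not purely an integer;
    // min_range keeps out 0 and negatives (auto-increment ids start at 1).
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one product row with PDO. The id travels as a bound parameter,
 * so even an unvalidated value could not alter the query, but validating
 * first lets the page fail early with a sensible message instead of
 * running a query it cannot satisfy.
 */
function fetch_product(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (assumption:
// the pdo_sqlite extension is available; table name is illustrative).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (id, name) VALUES (1, 'widget'), (2, 'gadget')");

// Constructed request inputs, one per case the post warns about.
$samples = [
    ['id' => '2'],            // valid
    [],                       // no ?id= at all
    ['id' => 'abc'],          // not a number
    ['id' => '2 OR 1=1'],     // injection attempt
    ['id' => '-1'],           // out of range
];

foreach ($samples as $get) {
    $id = read_id($get);
    if ($id === null) {
        echo 'input ', json_encode($get), " -> rejected, no query run\n";
        continue;
    }
    $row = fetch_product($db, $id);
    echo 'input ', json_encode($get), ' -> ', $row ? $row['name'] : 'no such product', "\n";
}
```

Only the first sample reaches the database; the other four are turned away by read_id() before any SQL is built, which is the "check if it is set, then validate" order the post describes.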
  6. Your WHERE clause contains a logical OR. What do we know about a TRUE value OR'ed with anything? It is TRUE. You need to use () in your logical statement to force the Operator Precedence that you want. I'll guess you actually want this for the WHERE part of the query - WHERE (`item_name` LIKE '%mac%' OR `item_description` LIKE '%mac%') AND `item_end_time` > '2010-03-25 09:30:43'
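An added example for the precedence point in post 6 (not code from the original thread): the same search run once without and once with the parentheses, against a constructed items table in an in-memory SQLite database (assumption: pdo_sqlite is available; MySQL gives AND the same higher precedence over OR). The row data and the fixed "now" value are constructed; the query without parentheses also returns the expired "old mac" row because its name matches and the date condition only binds to the description test.

```php
<?php
// Added example (not from the original post): AND binds tighter than OR,
// so a WHERE clause written without parentheses matches more rows than
// the author intended. Data is constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (item_name TEXT, item_description TEXT, item_end_time TEXT)');

$rows = [
    ['mac mini', 'small desktop',   '2010-04-30 12:00:00'], // live, name matches
    ['old mac',  'ended auction',   '2010-01-01 00:00:00'], // expired, name matches
    ['laptop',   'runs macOS',      '2010-04-30 12:00:00'], // live, description matches
    ['keyboard', 'expired listing', '2010-01-01 00:00:00'], // expired, no match
];
$ins = $db->prepare('INSERT INTO items VALUES (?, ?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}

$term = '%mac%';                 // search term, bound rather than interpolated
$now  = '2010-03-25 09:30:43';   // fixed "current time" from the post

// Without parentheses the clause is parsed as
//   item_name LIKE ? OR (item_description LIKE ? AND item_end_time > ?)
// so an expired item whose name matches still comes back.
$wrong = $db->prepare('SELECT item_name FROM items
    WHERE item_name LIKE ? OR item_description LIKE ? AND item_end_time > ?');

// Parentheses force the grouping the author wanted: either text matches,
// AND the listing has not ended.
$right = $db->prepare('SELECT item_name FROM items
    WHERE (item_name LIKE ? OR item_description LIKE ?) AND item_end_time > ?');

foreach (['without parentheses' => $wrong, 'with parentheses' => $right] as $label => $stmt) {
    $stmt->execute([$term, $term, $now]);
    echo $label, ': ', implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
}
```

The search term is bound with a placeholder instead of being pasted into the query string, which is the same habit that keeps the LIKE pattern from becoming an injection point when it comes from a form.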
  7. Your browser is requesting the page twice, once with the form's data and once by just referencing the URL of the page. Different browsers do this for different reasons, but the biggest offender is FF because some of the debugging add-ons request the page a second time. Also, some web server setups and url rewriting can cause this. Your form processing code is not validating the data and in fact it is not even checking if the form was submitted before executing the mysql_query() statement.
  8. Actually, I think I understand. You want to provide an arbitrary list of classes (2 or 1,2 or 1,3,10 ...) and you want the staff that have attended each of the classes in the supplied list? The only generic way I know of and have used for doing this is by using the HAVING clause, but you must supply how many classes to match (i.e. if your list of classes contains two values, you need to supply the number 2 in the HAVING clause.) If you are willing to do that (or you could figure out how to get mysql to do this for you), the following should work -

     $num = 2; // produce the number 'classes' for the HAVING clause. The IN() term is a list containing two items, $num is the value 2
     $query = "SELECT s.name, count(*) as cnt FROM staff s JOIN classes c ON s.id = c.staff WHERE c.class IN (1,2) GROUP BY c.staff HAVING cnt = $num";

     Since php would be dynamically producing the list in the IN() term, it would be a simple matter to produce the correct $num value. I have seen a more complex way of joining a table to itself, once for each item in the list (the example using IN(1,3,10) would consist of a table joined to itself three times) but this requires that you dynamically produce the whole query, rather than just dynamically producing the IN() list and a number for the HAVING clause.
  9. http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_date-format
  10. You need to set up a default value when the page is visited and there is no session variable set.
  11. You must enforce security on each page, not just by outputting links or redirecting. You cannot achieve security by hiding pages. Sooner or later someone will find them. Each page must check if the current visitor is both logged in and has permission to access that page.
  12. magic_quotes_gpc is causing your form data to be automatically escaped (though not necessarily correctly for the character set being used in your database table.) Your use of mysql_real_escape_string() causes the data to be double-escaped. When the data is retrieved from the database it is still escaped because of the double-escaping. If you can, you should turn off magic_quotes_gpc. It can be turned off using a local php.ini (when php is running as a CGI application) or in a .htaccess file (when php is running as an Apache Module.) If you cannot turn it off, you should check if it is on in your code using get_magic_quotes_gpc() and then use stripslashes() on the data to remove the first set of escape characters only when get_magic_quotes_gpc() is TRUE. Then use mysql_real_escape_string() on the data. If you unconditionally use stripslashes(), that will prevent anyone from being able to enter a \ as data when magic_quotes_gpc is OFF.
  13. What does a phpinfo() statement show for both the magic_quotes_gpc and magic_quotes_runtime settings?
  14. If your column is a DATE or DATETIME data type (it should be if it is not), just use the mysql YEAR() function - SELECT * FROM Calendar WHERE YEAR(Cal_Date)='$temp_date'
  15. All external data cannot be trusted and must be validated to make sure it only contains expected values, and in your proposed scheme you would need to validate that the entered database/table name was one that the current visitor has permissions to use (i.e. so that a general user cannot specify your 'user' database/table name and dump all the usernames/passwords/email addresses...) As to your proposed scheme: You should be using a single database to hold all data that your project uses. In general, all same type/structure data that only differs in the value it contains should be in one single table within your database. The values that your user enters should only determine which row(s) are selected, not which databases or tables are operated on. You will find that this results in the simplest code and the fastest operation.
  16. Are you still trying to find classes that have two staff members in them? An example using your new table structure would help. And do you want only results that have exactly two staff members in a class or is it actually two or more in a class? In general, here is what you would need to do to check if there are x (or more) rows in a group - 1) The GROUP BY should actually be on the class value column. 2) You need to do a count(*) to get the number of rows in each group. 3) Use a HAVING clause to only return results that have x (or more) rows in a group. Edit: You would actually only use a WHERE clause if you want to pick a subset of either the classes or the staff to include in the check.
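The HAVING-count technique from posts 8 and 16, as one added example that is not part of the original replies. It builds the IN() list and the matching HAVING value from the same PHP array (post 8) and, with a second query, returns the classes that have at least x staff in them by grouping on the class column (post 16). The staff/classes tables, their rows, the function names and the in-memory SQLite database (pdo_sqlite) are assumptions for the demonstration; the thread's real schema is not shown.

```php
<?php
// Added example (not from the original posts): the HAVING-count pattern
// with the IN() list and the HAVING value derived from one PHP array,
// plus the "groups with at least x rows" query. Table and column names
// are assumed; the sample rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE classes (staff INTEGER, class INTEGER)');   // one row per attendance
$db->exec("INSERT INTO staff VALUES (1, 'ann'), (2, 'bob'), (3, 'cy')");
$db->exec('INSERT INTO classes VALUES (1,1), (1,2), (1,3), (2,1), (2,2), (3,2)');

/**
 * Staff who attended every class in $wanted. The IN() placeholders and
 * the HAVING value both come from the same de-duplicated array, so they
 * cannot drift apart. array_unique() matters: a repeated class id would
 * raise the HAVING target without raising any staff member's count.
 */
function staff_with_all_classes(PDO $db, array $wanted): array
{
    $wanted = array_values(array_unique(array_map('intval', $wanted)));
    if ($wanted === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($wanted), '?'));
    $stmt = $db->prepare("SELECT s.name, COUNT(DISTINCT c.class) AS cnt
                          FROM staff s JOIN classes c ON s.id = c.staff
                          WHERE c.class IN ($marks)
                          GROUP BY s.id, s.name
                          HAVING cnt = ?");
    // Bind as integers: SQLite compares an aggregate against a text-bound
    // value as text, which would never match.
    foreach ($wanted as $i => $class) {
        $stmt->bindValue($i + 1, $class, PDO::PARAM_INT);
    }
    $stmt->bindValue(count($wanted) + 1, count($wanted), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

/**
 * Classes with at least $min distinct attendees: GROUP BY the class
 * column, COUNT per group, then keep only the groups HAVING enough rows.
 * Use "= ?" instead of ">= ?" for exactly $min.
 */
function classes_with_at_least(PDO $db, int $min): array
{
    $stmt = $db->prepare('SELECT class, COUNT(DISTINCT staff) AS cnt
                          FROM classes GROUP BY class HAVING cnt >= ?');
    $stmt->bindValue(1, $min, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);   // class => cnt
}

echo 'attended 1 and 2: ', implode(', ', staff_with_all_classes($db, [1, 2])), "\n";
echo 'attended 1, 2 and 3: ', implode(', ', staff_with_all_classes($db, [1, 2, 3])), "\n";
echo 'attended 2 (list given as 2,2): ', implode(', ', staff_with_all_classes($db, [2, 2])), "\n";
foreach (classes_with_at_least($db, 2) as $class => $cnt) {
    echo "class $class has $cnt attendees\n";
}
```

The IN() list is never interpolated into the SQL: only the placeholder count depends on the array length, and each class id is bound as an integer, so a list taken from a form cannot change the query's shape.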
  17. Also, fix #2 will take care of the case where someone on a shared web server has intentionally used a short session.gc_maxlifetime (in a misguided attempt to log people out after a short period of inactivity) and it is randomly causing the sessions for your visitors to be deleted.
  18. You should use isset() when checking variables that might not exist when your code is executed.

     if(isset($_POST['_submit_check'])){
  19. You have two apparent problems - 1) Your form processing code is not checking if the current visitor that submitted data to the form processing code is logged in, and 2) Your sessions are ending while a visitor is entering information in the form. The fix for item #1 is obvious. The fix for item #2 is to set session.gc_maxlifetime to a longer value and if you are on shared web hosting and are using the default session.save_path setting you will also need to set the session.save_path setting to be to a folder within your account's folder tree so that only your session settings apply to your sessions. All session settings just mentioned need to be set before every session_start() statement, so it is best to globally set them in the master php.ini (when you have access to it), in a local php.ini (when php is running as a CGI application), in a .htaccess file (when php is running as an Apache Module), or in your script.
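Posts 2, 11, 17 and 19 above describe one procedure: set the session settings before every session_start(), give the sessions their own save_path, and have each protected page check that the visitor is logged in and permitted before it outputs anything, with an exit after the header() redirect. The following is an added example of that procedure, not code from the original replies. The $_SESSION['user'] layout (an 'id' and a 'role'), the function names, the role names, the login page name and the sessions directory under the script's own folder are assumptions for the demonstration.

```php
<?php
// Added example (not from the original posts): session settings applied
// before session_start(), then the login/permission gate every protected
// page runs before producing output. Session layout, role names and the
// login page name are assumptions for illustration.
declare(strict_types=1);

function session_boot(): void
{
    // A save_path inside the account's own tree means another customer's
    // short gc_maxlifetime on a shared server cannot delete our sessions.
    $path = __DIR__ . '/sessions';
    if (!is_dir($path)) {
        mkdir($path, 0700, true);
    }
    ini_set('session.save_path', $path);
    ini_set('session.gc_maxlifetime', '7200');   // 2 hours of inactivity
    ini_set('session.use_strict_mode', '1');     // reject ids the server never issued
    ini_set('session.cookie_httponly', '1');     // keep the id away from client scripts
    ini_set('session.use_only_cookies', '1');    // never accept the id from the URL
    session_start();                             // settings must precede this call
}

/**
 * Gate for a protected page. Sends the visitor away and stops the script
 * when they are not logged in, and refuses when their role is not in
 * $allowed. The exit is the control: header() only asks the client to go
 * elsewhere, and a client that ignores it would otherwise see the page.
 */
function require_role(array $allowed, string $login_page = 'login.php'): void
{
    if (!isset($_SESSION['user']['id'], $_SESSION['user']['role'])) {
        header('Location: ' . $login_page);
        exit;                                    // never fall through
    }
    if (!in_array($_SESSION['user']['role'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/**
 * Called once after the credential check has passed. Regenerating the id
 * stops a session id planted before login from being reused afterwards.
 */
function login_user(int $id, string $role): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = ['id' => $id, 'role' => $role];
}

// --- constructed walk-through (runs from the command line) -------------
session_boot();
login_user(42, 'editor');             // pretend the password check succeeded
require_role(['editor', 'admin']);    // an editor may view this page
echo "editor page: user {$_SESSION['user']['id']} allowed\n";
// require_role(['admin']); would answer 403 and stop here: editor is not admin
```

The same session_boot() and require_role() calls go at the top of every protected page, including the form-processing script, which is what post 19 means by checking that the visitor who submitted the form is logged in; the HTML links and redirects decide nothing.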
  20. You want to find records where buyers_ID is like $queryString or listingBuyers_name is like $queryString? $query = "SELECT * FROM listingsmanager_buyers WHERE buyers_ID LIKE '$queryString%' OR listingBuyers_name LIKE '$queryString%' LIMIT 10";
  21. That should cause your UPDATE query to operate on the record that matches the invoice number they changed to (using the WHERE clause), not to alter the invoice number in the record they started with. Allowing the invoice number in an existing record to be changed makes no sense, it is what identifies what record you are operating on. Short answer: For an UPDATE query, you should only be putting the invoice number in the WHERE clause, not in the SET term edit: or you should not be allowing the invoice number to be altered at all.
  22. You are asking for dates that are less-than or equal to the result of the date_add(), which will be all the dates that are less-than or equal to one month from the current date/time - WHERE promotions.expiry <= DATE_ADD( now(), INTERVAL 1 MONTH) What exactly do you want to match, relative to the current date? Also, NOW() is a date/time value. What type of values are in expiry? If you want to compare just the date parts, use CURDATE() instead of NOW().
  23. There's nothing technically wrong with the posted code, provided that you have an array named $products1 with indexes 0 - 22 and values that match the post index names. It would take some point of reference, such as your form and your definition of the $products1 array to be able to help you.
  24. It's most likely that your database connection details are not correct for the actual database server that your account should be using. Somewhere in phpmyadmin or in your web hosting control panel or in your web host's FAQ section, it should state what hostname or IP address you should use for the database server for your hosting account. Slightly off topic: Is there some reason you are not going through a tutorial like this on a local development system? You would save a ton of time. Also, a lot of tutorials don't have any protection or validation logic in them and they would make it easy for a hacker to exploit a live server.
  25. Are there any other instances of 'php' settings in your httpd.conf file?