PFMaBiSmAd

The date_format() function has absolutely nothing to do with adding anything to your columns. It returns information about date values (in columns or otherwise) and some of the choices listed include getting the day of the week, either as a three letter abbreviation, the whole day name, or as a number, depending on which formatting parameter you choose.

http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_date-format

In order to sort the actual file names, you must first put them into an array. You can use code similar to this recent thread - http://www.phpfreaks.com/forums/index.php/topic,287388.0.html (just remove the call to the array_reverse() function.)

The reason for htmlentities() on $_SERVER['PHP_SELF'] is in case someone posts a link to your site that contains XSS code as part of the link and gets someone else to click on that link.

Are you developing and debugging code on a system with error_reporting set to E_ALL and display_errors set to ON so that php WOULD report and display all the errors it detects?

Umm. Don't loose sight of the fact that the error message is just the end result of your code not escaping data being put into a query. The data you are testing with by adding a ' on the end of the URL happens to cause a syntax error. A hacker will be injecting actual SQL, which won't trigger an error, but will in fact either dump data in your tables or cause any username/password combination to cause him to become logged in as you.

If you go back to my last post in this thread and expand upon the // do your application level error reporting here... so that it includes the 5 W's - Who (the logged in username, IP address..), What (the actual query...), When (date/time...), Where (file name and line number), and Why (the result or error...) about the function call that is failing, you will know who caused the error, what data caused error, when it occurred, where it occurred, and why it occurred.

The actual files should be stored in a location that prevents direct access through all HTTP/HTTPS requests. Either outside the document_root folder or if that option is not available, then a .htaccess file with a deny all statement in it could be used. To access the files, you should dynamically output them through a .php file, something like - access.php?file=some_file_id The code in access.php (or what ever name you choose) will then check and enforce which files the currently logged in visitor has access to and will map the some_file_id to the actual file, then output a correct content-type header followed by the contents of the correct file. The code would also check to make sure that the current connection is through HTTPS before outputting anything.

In order to output either the submit button or a message, the submit button code must be inside the conditional statement. Now it is not.

Aside from the mail() function call being commented out in the code, the From: address must be a valid email address at the sending mail server. Any email address entered in the form should be put into a Reply-to: address, not the From: address. You also need to validate anything that comes from a visitor that is being put into the header parameter to prevent spammers from sending their email through your mail server.

The earlier you correct design problems, the less it costs in man-hours and money.

A) Why not separate the name into separate columns, and B) You can always use mysql string functions in the query to extract the last name, but this or any use of php code to accomplish this will always be slower than using option A).

ORDER BY school, last_name

When you execute the query directly against your database, using your favorite database management tool, does it produce the expected results? I would guess that your presentation logic that is retrieving the results from the result set is probably at fault.

mysql_error() has nothing to do with using the mysqli OOP. You would need to use $mysqli->error

You cannot use a URL as the target/destination of a file write operation (unless you are using FTP.) You must use a file system path. The second error is fairly self explanatory, the number of columns and the number of data values don't match in your query and since we don't know if the list of columns or the list of data values is correct, it would be up to you to determine which part of the query to fix.

Web servers are stateless. All resources created on any page request are destroyed when the request for that page has been serviced. The only connection between any two http requests is what the browser supplies. Sessions work by passing a unique session id between pages by the browser which is matched up with the corresponding session data file on the server. You can create an instance of a class in a session variable by causing the class definition to exist before the session_start() statement. <?php require 'your_class.php'; session_start(); if(!isset($_SESSION['some_object_name'])){ // create instance $_SESSION['some_object_name'] = new your_class(); echo 'object created<br />'; } else { echo 'object exists<br />'; } $_SESSION['some_object_name']->class_function(); echo $_SESSION['some_object_name']->class_variable; ?>

What does a phpinfo() statement show for the output_buffering setting?

You would need to use a session in order to preserve data between http requests - http://www.php.net/manual/en/book.session.php

When you use a URL in an include statement, it causes php to make a HTTP request back to your web server, the same as if you browsed to the file. This takes 10-100 times longer than if you use a file system path. Include is intended to be used with file paths.

You need to use name attributes. ID's only matter in the browser.

INSERT queries don't have WHERE clauses. They create a new record. Are you trying to create a record or UPDATE an existing one?

Why don't you show how you are including the files. We just went through this with some other member where he insisted that he did not need to show the actual relavant code. Had he done so, his problem would have been fixed in a few minutes rather than the day+ that it actually took.

Using mysql_real_escape_string() on string data will only prevent the sql syntax from breaking and will prevent sql injection via string data. SQL can still be injected in numeric data (see RussellReal's post above.) Someone can still trigger mysql errors by doing things like injecting a large amount of data that exceeds the max_allowed_packet or can cause 'server has gone away' errors. In general, you should not cause the output from mysql_error() to appear on a live web site (display_errors should be OFF and log_errors should be ON and your logic should cause mysql_error() to use a php function that makes use of the error_reporting/display_errors/log_errors settings) and you should use error checking logic on all your queries (and in fact on all functions that can fail) to detect if an error occurred, output a meaningful user error message when it does, report/log system level information so you can find and fix problems, and take an appropriate action in the remainder of your code on the page. Typical logic to do this for SELECT, SHOW, DESCRIBE, EXPLAIN... type queries - <?php $query = " ... "; // your query in a string variable (makes error reporting easier because you can log or display the actual query) // execute the query and check for success or failure if($result = mysql_query($query)){ // the query executed without any errors and returned a result resource (SELECT, SHOW, DESCRIBE, EXPLAIN... type queries) // check if any rows were returned by the query (SELECT... type queries) if(mysql_num_rows($result)){ // the result set contains one or more rows // process the row(s) in the result set here... } else { // no rows were matched, output a helpful user error message echo "The query did not match any rows in the database<br />"; } } else { // the query failed and returned a FALSE value // do your application level error reporting here... trigger_error("Query failed: $query<br />" . mysql_error()); // output a user error message echo "The query could not be executed at this time due to an error...<br />"; } // the remainder of the code on the page having nothing to do with the above query logic ?> Typical logic to do this for INSERT, UPDATE, DELETE, DROP... type queries - <?php $query = " ... "; // your query in a string variable (makes error reporting easier because you can log or display the actual query) // execute the query and check for success or failure if($result = mysql_query($query)){ // the query executed without any errors and returned a TRUE value (INSERT, UPDATE, DELETE, DROP... type queries) // check if any rows were affected by the query (INSERT... type queries) if(mysql_affected_rows()){ // one or more rows were affected, do success processing... // output a success user message - echo "The row was successfully UPDATED in the table<br />"; } else { // no rows were affected, do failure processing... // output a user error message echo "The query could not UPDATE the row in the table (likely because the WHERE clause is FALSE)<br />"; } } else { // the query failed and returned a FALSE value // do your application level error reporting here... trigger_error("Query failed: $query<br />" . mysql_error()); // output a user error message echo "The query could not be executed at this time due to an error...<br />"; } // the remainder of the code on the page having nothing to do with the above query logic ?>

The fact that a ' will break the SQL syntax means that you are not escaping string data being put into a query. That also means that SQL can be injecting into your queries. The SQL that is injected can be used to dump all the contents of your table by adding a UNION to a SELECT query and it can also be used to cause a SELECT query to return ANY matching row instead of an exact matching row, such as in a login script. So, for the query that is failing, are you using mysql_real_escape_string() on each piece of string data being put into it that could have come from the visitor via GET, POST, COOKIE, FILES, SERVER, ENV variables or indirectly through SESSION variables that were at one time GET, POST, ... variables? Edit: Because mysql_query() does not support multiple queries separated by ; it is not directly possible to inject sql that will do things like drop tables.