PFMaBiSmAd

Everything posted by PFMaBiSmAd

  1. Every image on a web page requires an <img tag - http://w3schools.com/html/html_images.asp The URL that you put into the src="..." attribute must be to a .php script that outputs the correct content-type header followed by the image data (your GD code you posted.)
  2. This might be a good time for some web server 101 - Web servers are stateless. They don't know or care what happened before or what will happen next. When any http/https request has been serviced, all resources used on the page that was requested are destroyed. The only information that ties any page request to any other page request is what the browser supplies when it makes the http/https request to the server. You would need to create an instance of your class in a session variable if you wanted it to persist between any separate http/https page requests.
  3. Double-quotes should work. Is there a chance that the name is all numeric characters? I would convert spaces to an underscore.
  4. To pre-select choices in the drop-down select lists, I would do the following -

         <?php
         // example data - three start times, four fields (12 games)
         $fields = array(1,2,3,4);
         $times = array('6:30','7:00','7:30');
         $teams = range(1,24); // make up some data, actual teams would come from a database...

         // make up some existing picks to preselect the drop-down menus, actual values would come from a database...
         $data = array(); // array of existing picks
         $data['1|6:30|a'] = '2';
         $data['1|6:30|b'] = '3';
         $data['1|7:30|a'] = '4';
         $data['1|7:30|b'] = '5';
         // ... load array with remainder of data

         // time heading -
         $time_heading = '';
         foreach($times as $time){
             $time_heading .= "<th>$time start</th>";
         }

         // produce form/table -
         $content = "
         <form method='post' action='formproc.php'>
         <table border='1'>
         <tr>
         <th>Field:</th>$time_heading
         </tr>";

         // loop for each field and time -
         foreach($fields as $field){
             $content .= "<tr>
             <th>$field:</th>";
             foreach($times as $time){
                 $indexa = "$field|$time|a";
                 $team_optionsa = '';
                 foreach($teams as $team){
                     $select = '';
                     if(isset($data[$indexa]) && $data[$indexa] == $team){
                         $select = " selected='selected'";
                     }
                     $team_optionsa .= "<option value='$team'$select>$team</option>\n";
                 }
                 $indexb = "$field|$time|b";
                 $team_optionsb = '';
                 foreach($teams as $team){
                     $select = '';
                     if(isset($data[$indexb]) && $data[$indexb] == $team){
                         $select = " selected='selected'";
                     }
                     $team_optionsb .= "<option value='$team'$select>$team</option>\n";
                 }
                 $content .= "<td>
                 <select name='slot[$indexa]'>
                 $team_optionsa
                 </select>
                 VS
                 <select name='slot[$indexb]'>
                 $team_optionsb
                 </select>
                 </td>";
             }
             $content .= "</tr>";
         }
         $content .= "</table>
         <input type='submit' name='sumbit'>
         </form>";
         echo $content;
         ?>
  5. At some point in time you moved the following two lines of code from where they were (after the point where $num was assigned a value) to where they are (before the query is even executed) - $i=0; while ($i < $num) { You need to slow down and proofread your code to make sure it has any logical meaning.
  6. Ummm. What error? It would indicate exactly at what point something was found in the query that was out of place. Best guess is that $rows is dependent on a previous query and it does not contain what you or mysql expects. All data put into a query must be validated.
  7. That's generally the step that you would do right after you write something. Did it produce the expected results when you tried it?
  8. Either someone has figured out one of your passwords that allows access to the files, you have a file upload feature (perhaps for an avatar or for a specific file upload) that allowed a .php file to be placed onto the server that was then browsed to, your admin section of a script is not actually preventing the remainder of code on the admin page(s) from being executed and someone used your admin script to modify your files, or you have some code using eval() (they should have spelled that evil()) that allowed some php code to be executed that was posted as content that is being displayed.
  9. The posted code is a function definition. Where are you calling that function?
  10. If you request your script using the whole request string like what is in the log (I would change the actual URL in it to a known safe .txt file on your server), what do you get? There could be other ways that request string is bypassing something in your script. What exactly is getting changed on your site? A file? Contents in a database? How do you know someone had access to all the files on the server?
  11. Then remote file inclusion is not how they are getting access to your site and the requests in the logs with a URL as a value are just probing attempts to find if your script allows remote file inclusion.
  12. Yes, it could. The swf file can be fetched (that is how the browser gets it.) The raw contents of the file can then be parsed by a script.
  13. Yes, simple, allow_url_include should be off (and if you are not yet using php5, where allow_url_include was added, you should be.) All external data cannot be trusted and must be validated to ensure it contains only expected values.
  14. Unfortunately, you can use URL encoded characters to get around that method - %48ttp will be seen as Http in the php code doing the include statement.
  15. Yes, of course. Anything a web server outputs can be read by a script. Do a "view source" of your form in your browser and that is what a script sees when it requests your page. Anything that is directly output or anything that appears as a link on that page can be used by a script.
  16. Data is posted directly to the form processing code, which is why anything you do on the form page with javascript has no effect.
  17. What does a phpinfo() statement show for register_globals?
  18. Your login/member system needs groups/permissions. It should not just be enough that someone is logged in, they must also be a member of the group that has permission to access any particular resource. Edit: Anything you can do to the underlying operation of the session (or the session id cookie) would prevent anyone from being able to access more than one folder. You must handle this with code on each page (in your common logged in check logic) to check if the current logged in visitor has permission to access that particular page.
  19. Php variables are not parsed when enclosed in single-quotes. You only need quotes when you are trying to form a string. Why do you have quotes around the variable $p in the function call?
  20. You are executing a query in the edit.php code. mysql_error() no longer has the value from the UPDATE query that is failing, it has the value from the SELECT query in edit.php.
  21. What is the code in edit.php? It is likely doing something that is causing mysql_error() to not have a value.
  22. Code to dynamically produce the form -

          <?php
          // example data - four fields, three start times -
          $fields = array(1,2,3,4);
          $times = array('6:30','7:00','7:30');
          $teams = range(1,24); // make up some data, actual teams would come from a database...

          // time heading -
          $time_heading = '';
          foreach($times as $time){
              $time_heading .= "<th>$time start</th>";
          }

          // team options -
          $team_options = '';
          foreach($teams as $team){
              $team_options .= "<option value='$team'>$team</option>\n";
          }

          // produce form/table -
          $content = "
          <form method='post' action='formproc.php'>
          <table border='1'>
          <tr>
          <th>Field:</th>$time_heading
          </tr>";

          // loop for each field and time -
          foreach($fields as $field){
              $content .= "<tr>
              <th>$field:</th>";
              foreach($times as $time){
                  $content .= "<td>
                  <select name='slot[$field|$time|a]'>
                  $team_options
                  </select>
                  VS
                  <select name='slot[$field|$time|b]'>
                  $team_options
                  </select>
                  </td>";
              }
              $content .= "</tr>";
          }
          $content .= "</table>
          <input type='submit' name='sumbit'>
          </form>";
          echo $content;
          ?>
  23. That indicates a bad design, as you just found out, because it makes it difficult to find the same type of information in more than a single table. There is no table 'wild card' that you can put into a single query. You must either loop through all the tables or form a UNION query as has been shown in the posts above. A correct database design would put the same type of data into one table. Whatever value that is different between that data now that you are using to cause separate tables would simply become a value in a 'category' column in a single table.
  24. I would dynamically generate the select options as follows -

          <select name="slot[1|6:30|a]">

      There are three values represented, separated by the | character. The first one is the field number, the second the time, the third is either an a or b for one of the two teams selected. The HTML of the form that your php code generates would look something like this -

          <form method="post" action="formproc.php">
          <table border="1">
          <tr>
          <th>Field:</th><th>6:30 start</th><th>7:00 start</th><th>7:30 start</th>
          </tr>
          <tr>
          <th>1:</th>
          <td>
          <select name="slot[1|6:30|a]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          ... remaining choices ...
          </select>
          VS
          <select name="slot[1|6:30|b]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          </td>
          <td>
          <select name="slot[1|7:00|a]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          VS
          <select name="slot[1|7:00|b]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          </td>
          <td>
          <select name="slot[1|7:30|a]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          VS
          <select name="slot[1|7:30|b]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          </td>
          </tr>
          <tr>
          <th>2:</th>
          <td>
          <select name="slot[2|6:30|a]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          VS
          <select name="slot[2|6:30|b]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          </td>
          <td>
          <select name="slot[2|7:00|a]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          VS
          <select name="slot[2|7:00|b]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          </td>
          <td>
          <select name="slot[2|7:30|a]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          VS
          <select name="slot[2|7:30|b]">
          <option value="team1">team1</option>
          <option value="team2">team2</option>
          <option value="team3">team3</option>
          <option value="team4">team4</option>
          </select>
          </td>
          </tr>
          </table>
          <input type="submit" name="sumbit">
          </form>

      When this is submitted, code like the following can iterate over all the values -

          <?php
          // each key is "field|time|a-or-b", each value is the team picked for that slot
          foreach($_POST['slot'] as $key => $value){
              list($field,$time,$team) = explode('|',$key);
              echo "Field: $field, Time: $time, Team: $team, Value: $value<br />";
          }
          ?>

      Giving a result like this (tested) -
  25. INSERT queries DON'T have WHERE clauses.
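
Added example, not part of the original posts, for the remote file inclusion replies in items 13 and 14: rather than filtering the request value for strings such as "http", which an encoded or differently cased value gets past, the value is looked up in a fixed allow-list so request data never becomes part of the include path. The `page` parameter, the `pages/` directory and the file names are assumptions, and `allow_url_include` stays off in php.ini as item 13 says.

```php
<?php
// Added example: allow-list lookup for a dynamic include.
// Assumed names: the "page" request parameter, the pages/ directory and
// the file names below are illustrative, not from the original threads.

// Fixed map of accepted values to local files. Request data is only ever
// used as an array key, never as part of the path handed to include.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the local file for a requested page name, or null when the
 * value is not one of the expected keys.
 */
function resolve_page($requested)
{
    // Arrays (page[]=x) and other non-string input are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Exact, case-sensitive key match: there is no decoding, trimming or
    // pattern matching for an encoded or mixed-case value to get past.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// Constructed sample inputs. PHP has already URL-decoded $_GET values, so
// "%48ttp://..." reaches the script as "Http://...".
$samples = [
    'about',
    'Http://example.invalid/x.txt',
    '../config',
    ['about'],
];

foreach ($samples as $sample) {
    $file  = resolve_page($sample);
    $label = is_string($sample) ? $sample : gettype($sample);
    echo str_pad($label, 32), ' => ', $file === null ? 'rejected' : basename($file), PHP_EOL;
}

// In the real script: $file = resolve_page($_GET['page'] ?? 'home');
// if ($file === null) { http_response_code(404); exit; }  include $file;
```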