Everything posted by PFMaBiSmAd
-
Your code inside the foreach() loops in loadChatbox.php and online.php is calling one or both of your $user->displayName(....) and $user->getRank(....) methods. Your code inside those two methods is executing a query using the passed id parameter and returning the resultant displayName or rank for that id. You have got to be kidding. It applies to the loops where you have put code inside of the loop that executes a query. If that is the case, how would your current code ever be able to operate on more than one id value and return the different displayNames for all the different people who have a message displayed in the chat window or who is listed as being online? You would use implode to form a comma separated list of id's to put into the IN() term in the query.
-
mysql_result() expects parameter 1 to be resource
PFMaBiSmAd replied to whopunk123's topic in PHP Coding Help
User names, by convention, are strings consisting of alphanumeric and special characters. The query you posted would produce an error - Unknown column 'the entered username' in 'where clause', because the $search term is not enclosed within single quotes and is being treated as a column name instead of a piece of string data. If you tested something that worked, it wasn't what the OP is doing in this thread. In fact, he is testing with his username - whopunk123 (see reply #10) -
mysql_result() expects parameter 1 to be resource
PFMaBiSmAd replied to whopunk123's topic in PHP Coding Help
Literal string data in a query must be enclosed in single-quotes so that it is treated as a string instead of being treated as a keyword or a table/column identifier. -
Your user class is doing what I suggested. You are figuratively killing your database server with all the queries inside of loops. Some suggestions -

For loadChatbox.php: You need to get a list of the $message['userid'] values and execute one query that gets all the corresponding display names at one time, using WHERE id IN(a comma separated list of ids goes here...) in the query statement. Retrieve the display names into an array with the userid as the array key. Then simply reference the display name when you need it using $message['userid'] as the array index value.

$id is a fixed value during any one invocation of your script. Therefore, $user->getRank($id) is a fixed value during any one invocation of your script. By putting $user->getRank($id) inside of the foreach() loop, you are executing a query every pass through the loop to get the same value over and over again. Just assign $user->getRank($id) to a variable once before the start of the loop and reference that variable where you have the $user->getRank($id) reference now.

For online.php: You need to get a list of userid's and execute one query that gets all the corresponding display names at one time, using WHERE id IN(a comma separated list of ids goes here...) in the query statement. Retrieve the display names into an array and then simply iterate over the array of display names.

Also, are your database tables properly indexed so that each query is as efficient as possible?
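The single-query approach suggested above, as an added example that is not part of the original post: it collects the user ids, builds one IN() list of bound placeholders, and indexes the display names by id. The `users` table, its `id`/`displayName` columns and the in-memory SQLite database are assumptions so that it runs offline.

```php
<?php
// Added illustration, not code from the thread. Table/column names are assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, displayName TEXT)');
$pdo->exec("INSERT INTO users VALUES (1,'Alice'),(2,'Bob'),(3,'Carol')");

// Constructed sample of chat rows, as loadChatbox.php would have fetched them.
$messages = [
    ['userid' => 2, 'text' => 'hi'],
    ['userid' => 1, 'text' => 'hello'],
    ['userid' => 2, 'text' => 'anyone here?'],
    ['userid' => 9, 'text' => 'posted by a deleted account'],
];

/**
 * Return [userid => displayName] for every id in $ids using ONE query.
 */
function fetchDisplayNames(PDO $pdo, array $ids): array
{
    // Cast to int and de-duplicate so the IN() list is as short as possible.
    $ids = array_values(array_unique(array_map('intval', $ids)));
    if ($ids === []) {
        return []; // "IN ()" is a syntax error, so skip the query entirely
    }
    // One "?" per id; the values travel as bound data, not as SQL text.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare("SELECT id, displayName FROM users WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

$names = fetchDisplayNames($pdo, array_column($messages, 'userid'));

foreach ($messages as $m) {
    // Array lookup instead of a query on every pass through the loop.
    $name = $names[$m['userid']] ?? '(unknown user)';
    echo htmlentities($name, ENT_QUOTES), ': ',
         htmlentities($m['text'], ENT_QUOTES), "\n";
}
```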
-
You are calling at least two different methods of your user class inside of loops. I will guess you are likely performing queries inside those methods. In the case of the loadChatbox.php code, that would result in up to 50 queries (assuming only one query is being executed in each method) every 2 seconds. What is the code in your user class, so that more specific help can be given? In general, you should never retrieve a set of data from a database by performing a query inside of a loop. You should form a query that gets all the data you want using one single query and then simply iterate over that data and output it the way you want.
-
mysql_result() expects parameter 1 to be resource
PFMaBiSmAd replied to whopunk123's topic in PHP Coding Help
The query posted in reply #8 is the only query in this thread that is error free and logically correct. -
Sample of a mysql term that will extract the reason value string -

```sql
SELECT SUBSTRING_INDEX(SUBSTRING_INDEX(SUBSTRING(wp_s2member_custom_fields,LOCATE('s:6:"reason";s:',wp_s2member_custom_fields)),'"',4),'"',-1);
```

edit: simplified it a little
-
If you post examples of what these 12 different values are and what result you want for them (which of your #1,#2,#3,or #4 items they apply to), your problem would be clearer and someone might then be able to show how to write a query that is as efficient as possible at extracting/testing the values. I suspect that SUBSTRING_INDEX might be part of the solution - http://dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_substring-index along with a CASE statement in the query or in a stored procedure. Also, for your list of #1,#2,#3,or #4 items, showing what result you expect with some example data would help too. I.E. 'group them accordingly' doesn't mean anything to us without an example of what you consider to be groups and what about the data values defines which group it belongs in and how this relates to your existing results. Solving programming problems requires knowing what all the expected input values are (so that any patterns/limits can be seen that would lead to a general/optimum solution) and what the expected result is, defined for each possible input value.
-
The header() statement only sends a http header to the browser. It's the browser that requests the new URL. Your php code continues to run. The die statement stops your php code from running at that point.
-
move_uploaded_file returns true but file is missing
PFMaBiSmAd replied to The14thGOD's topic in PHP Coding Help
I'm going to guess that the file is moved to the destination, but you also have code that runs and is deleting it. What's your complete code that reproduces the symptom? -
As to escaping the table name being put into the query statement. A table name is not string data. It's an identifier. It's not enclosed within quotes inside the query statement, so there's nothing that escaping special characters in it would protect against. The term 'escape' as it applies to data means to prevent leaving/exiting from the quoted data. A) You should not be supplying the table name from external submitted data. That implies that you have same-meaning data spread out in a number of tables, rather than all same-meaning data in one table. B) To prevent sql injection, you would need to validate that the supplied table name is only and exactly an expected table name.
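Point B above, as an added example that is not part of the original post: the submitted value is only used as a lookup key, and the identifier that reaches the SQL text always comes from a fixed list. The request keys, table names and column names are hypothetical.

```php
<?php
// Added illustration, not code from the thread. Keys and table names are hypothetical.

// Public request value => real table name. Only these identifiers can reach the SQL text.
const ALLOWED_TABLES = [
    'news'   => 'site_news',
    'events' => 'site_events',
];

/**
 * Map an externally supplied name to a known table, or fail.
 */
function resolveTable($supplied): string
{
    // is_string() rejects array input such as ?table[]=x before it is used as a key.
    if (!is_string($supplied) || !array_key_exists($supplied, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table requested');
    }
    return ALLOWED_TABLES[$supplied];
}

function buildListQuery($supplied): string
{
    $table = resolveTable($supplied);
    // The identifier comes from the constant above, never from the request itself.
    return "SELECT id, title FROM `$table` ORDER BY id DESC";
}

// Constructed inputs: one expected value and three that must be refused
// (wrong case, the internal name, and a value that is not exactly one key).
foreach (['news', 'NEWS', 'site_news', 'news,events'] as $input) {
    try {
        echo str_pad($input, 14), ' => ', buildListQuery($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo str_pad($input, 14), ' => rejected: ', $e->getMessage(), "\n";
    }
}
```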
-
See my replies in the following thread, on how you can keep your $_GET['cat'] value and build the pagination links - http://forums.phpfreaks.com/index.php?topic=363172.0
-
edit: never mind, in case you saw what I posted as a reply
-
DB driven menu. How to just show "A" beginning airfields
PFMaBiSmAd replied to VinceGledhill's topic in PHP Coding Help
By building a sub-menu from the records that the query matches for the submitted first letter and then outputting that sub-menu in the proper place when you are building the main A-Z navigation links -

```php
<?php
// list of letter/labels
$nav=array('A'=>'Alpha', 'B'=>'Bravo', 'C'=>'Charlie', 'D'=>'Delta', 'E'=>'Echo', 'F'=>'Foxtrot',
	'G'=>'Golf', 'H'=>'Hotel', 'I'=>'India', 'J'=>'Juliet', 'K'=>'Kilo', 'L'=>'Lima', 'M'=>'Mike',
	'N'=>'November', 'O'=>'Oscar', 'P'=>'Papa', 'Q'=>'Quebec', 'R'=>'Romeo', 'S'=>'Sierra',
	'T'=>'Tango', 'U'=>'Uniform', 'V'=>'Victor-Zulu');
/* 'W'=>'Whiskey', 'X'=>'Xray', 'Y'=>'Yankee', 'Z'=>'Zulu'); */

// process the page request
$search = isset($_GET['nav']) ? strtoupper(trim($_GET['nav'])) : '';
$search = isset($nav[$search]) ? $search : '';
if($search != ''){
	// one of the possible letters was submitted
	// if V, requires special handling to match V-Z
	if($search == 'V'){
		// regexp could be used in all cases, but it is likely much slower than a LIKE comparison
		$where_clause = "WHERE some_column REGEXP '^[v-z]'";
	} else {
		$where_clause = "WHERE some_column LIKE '$search%'";
	}
	$query = "SELECT * FROM your_table $where_clause ORDER BY some_column";
	echo $query; // show resulting query for demo purposes
	// execute your query and loop over the results
	$result = mysql_query($query);
	$sub_menu = ''; // define as empty string in case there are zero matching rows
	if(mysql_num_rows($result) > 0){
		$sub_menu = "<ol>\n";
		while($row = mysql_fetch_assoc($result)){
			$_GET['id'] = $row['id']; // set the id=x key/value for producing the link
			// build the link, keeping any existing get parameters as is
			// (&amp; separator and an entity-encoded name, because both are output as html)
			$sub_menu .= "<li><a href='?" . http_build_query($_GET, '', '&amp;') . "'>" . htmlentities($row['name'], ENT_QUOTES) . "</a></li>\n";
		}
		$sub_menu .= "</ol>\n";
	}
}

// build navigation
$nav_menu = "<ul>\n";
foreach($nav as $key=>$value){
	$nav_menu .= "<li><a href='?nav=$key'>$value</a>";
	if($key == $search){
		$nav_menu .= $sub_menu; // insert sub-menu under the correct letter's main menu
	}
	$nav_menu .= "</li>\n";
}
$nav_menu .= "</ul>\n";

// output navigation where you want it on your page
echo $nav_menu;
```

The links you build in the sub-menu would contain the id of the field as a get parameter on the end of the url (or you could use the field name instead.) You would use that id in a query statement on the target page to retrieve the information for the requested field. -
DB driven menu. How to just show "A" beginning airfields
PFMaBiSmAd replied to VinceGledhill's topic in PHP Coding Help
```php
<?php
// list of letter/labels
$nav=array('A'=>'Alpha', 'B'=>'Bravo', 'C'=>'Charlie', 'D'=>'Delta', 'E'=>'Echo', 'F'=>'Foxtrot',
	'G'=>'Golf', 'H'=>'Hotel', 'I'=>'India', 'J'=>'Juliet', 'K'=>'Kilo', 'L'=>'Lima', 'M'=>'Mike',
	'N'=>'November', 'O'=>'Oscar', 'P'=>'Papa', 'Q'=>'Quebec', 'R'=>'Romeo', 'S'=>'Sierra',
	'T'=>'Tango', 'U'=>'Uniform', 'V'=>'Victor-Zulu');
/* 'W'=>'Whiskey', 'X'=>'Xray', 'Y'=>'Yankee', 'Z'=>'Zulu'); */

// build navigation
$nav_menu = "<ul>\n";
foreach($nav as $key=>$value){
	$nav_menu .= "<li><a href='?nav=$key'>$value</a></li>\n";
}
$nav_menu .= "</ul>\n";

// output navigation where you want it on your page
echo $nav_menu;

// process the page request
$search = isset($_GET['nav']) ? strtoupper(trim($_GET['nav'])) : '';
$search = isset($nav[$search]) ? $search : '';
if($search != ''){
	// one of the possible letters was submitted
	// if V, requires special handling to match V-Z (left as a programming exercise...)
	$query = "SELECT * FROM your_table WHERE some_column LIKE '$search%' ORDER BY some_column";
	echo $query; // show resulting query for demo purposes
	// execute your query and loop over the results
}
```
-
DB driven menu. How to just show "A" beginning airfields
PFMaBiSmAd replied to VinceGledhill's topic in PHP Coding Help
^^^ If you did this, you could also get a count of the number of airfields for each letter and display that next to the link - Alpha (25) Bravo (73) ... -
DB driven menu. How to just show "A" beginning airfields
PFMaBiSmAd replied to VinceGledhill's topic in PHP Coding Help
The suggestion that Barand posted was how to create a SELECT query statement that does what you asked about. However, your list of separate hard-coded pages - alpha.php, bravo.php, charlie.php, ... is not how you should be doing this. You should have one page that accepts a $_GET parameter on the end of the URL that specifies what to display. Something like - <li><a href="index.php?nav=a">Alpha</a></li> <li><a href="index.php?nav=b">Bravo</a></li>... You would put the $_GET['nav'] value (after validating it) into the LIKE '$search%' term in the query. You should also have an array of navigation values/labels $nav = array('a'=>'Alpha','b'=>'Bravo',...), so that you can dynamically produce your Alpha, Bravo, ... navigation links and so that you can validate the submitted $_GET parameter before putting it into the query statement (you would make sure that the submitted value is exactly only one of the array keys or that the array element with that key isset.) You could also query your database table to get just a list of the actual starting first letters and only output navigation links for the letters that exist in the data. -
Your code is likely triggering some relaying restrictions on your email server, if the to/from address is not hosted on the email server. In your code you are putting the second email address into both the to and from addresses, whereas the 'working' email has a different from address. The email is being sent from your mail server. It is not being sent from the second email address. I recommend the following -

1) $HTTP_POST_VARS were deprecated about 10-11 years ago; were turned off by default in php5.0; finally throw a deprecated error in php5.3 (where the deprecated error category was introduced), and have been completely removed in php5.4. You need to use $_POST in place of $HTTP_POST_VARS.

2) You need to make a html form that submits the expected $_POST data for testing purposes so that you can easily see all the output being sent back from the server side form processing code.

3) You need to have php's error_reporting set to E_ALL and display_errors set to ON so that php will help you by reporting and displaying all the errors it detects.

4) Echoing the value that the mail() statement returns will show a '1' for a true value, but won't show anything for a false value (I think a false, treated as a string, becomes an empty string '' when you echo it). Your program logic should have an if/else statement testing the value that the mail() statement returns and output (or log) a specific value/message when the mail statement fails.

5) After you do items #2 and #3, see if you get any php errors being output from the mail() statement(s).

6) I would make the FROM address in the second email exactly the same as your first working email. I'm not sure why you changed anything other than the TO: parameter.
-
ENT_QUOTES should be used as the 2nd parameter in htmlentities so that both single and double quotes in the data are converted to entities.
-
If someone made a phishing site that looked like your site and got one of your visitors to go to the phishing site instead of your site, and there was a form that submitted to your site's form processing code with XSS code as part of the actual $_POST['name'] data, that XSS code would be output to and run in the client's browser, sending any of the actual data that your site just output to the client back to the hacker. All external data ($_POST, $_GET, $_COOKIE, $_FILES, and some of the $_SERVER variables) cannot be trusted and can be anything and must be validated/filtered/escaped/type cast...
-
Why do you think you want the \ characters in the actual database table? That requires more storage and if you ever want to search for a value, you must take into account the extra \ characters in the data. You will also need to strip the extra \ characters if you ever display the values in a browser or if you need to perform any math operation on the values.
-
If your data is escaped properly (only once), the \ characters are NOT inserted into the database table. Only the literal data will be in the database table.
-
Locking thread, to prevent additional wasted time on it...
-
#2. The sql query statement can only be what was prepared (assuming you didn't put any external user supplied values into the query statement when you prepared it.) The values that are put into the query when it is executed are used as data only. By automatically escaping string data, prepared statements prevent sql errors when the data contains special sql characters. Passing an array of data via the ->execute() method has one disadvantage that I know of. All the data values are treated as string data (the same as if you bound them using PDO::PARAM_STR) and they are surrounded with single-quotes when they are placed into the query. This will cause numerical data to be treated as a string containing a number, which causes extra processing and problems if the number is a decimal data type (at least mysql converts a string containing a number to type float, then uses the resulting floating point number) and causes a sql error if the parameter being replaced is in a LIMIT clause (LIMIT 'x' is invalid syntax, it must be LIMIT x.)
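One way to avoid the all-strings behaviour of ->execute(array) described above, as an added example that is not part of the original post: the string value is bound with PDO::PARAM_STR and the LIMIT/OFFSET values with PDO::PARAM_INT after validation. The `products` table and the in-memory SQLite database are assumptions so that it runs offline; the LIMIT 'x' error the post describes is MySQL behaviour.

```php
<?php
// Added illustration, not code from the thread. Table and column names are assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price NUMERIC)');
$pdo->exec("INSERT INTO products (name, price) VALUES
    ('anvil', 19.99), ('anchor', 120.50), ('apron', 7.25), ('bolt', 0.40)");

/**
 * One page of products whose name starts with $prefix.
 * $prefix is bound as a string; the LIMIT/OFFSET values are bound as integers.
 */
function findProducts(PDO $pdo, string $prefix, $perPage, $page): array
{
    // Validate the numeric inputs before they get anywhere near the statement.
    $perPage = filter_var($perPage, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    $page = filter_var($page, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($perPage === false || $page === false) {
        throw new InvalidArgumentException('Bad paging values');
    }

    // The SQL text is fixed here; nothing supplied by the caller is part of it.
    $stmt = $pdo->prepare(
        'SELECT id, name, price FROM products
          WHERE name LIKE :prefix ORDER BY name LIMIT :lim OFFSET :off'
    );
    $stmt->bindValue(':prefix', $prefix . '%', PDO::PARAM_STR);
    // Explicit integer type, so the driver does not quote these values.
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values; they arrive as strings, as $_GET values would.
print_r(findProducts($pdo, 'a', '2', '1'));
```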