Everything posted by PFMaBiSmAd

  1. $_SERVER['REQUEST_URI'] has the same issue as $_SERVER['PHP_SELF']. If the requested URL contains any xss scripting in it and you blindly echo it out on a page back to the browser without using htmlentities/htmlspecialchars on it, then the xss scripting in it will be sent as is to the browser. You must always treat external data (anything received with the http request, even the URL itself) as dangerous and must filter/validate it if you are going to output it back to any browser.
  2. Not according to the code you have posted at the github link. Your form submits to process.php. The ONLY code that is in process.php is -

        <?php
        if (isset($_POST['username'])) {
            $username = $_POST['username'];
            $username = htmlspecialchars($username);
            $password = $_POST['password'];
            $password = htmlspecialchars($password);
            $password = hash("sha512", $password);
            $query = $db->select("sb_users", "*", "username={$username} AND password={$password}");
            $count = $db->num_rows($query);
            if ($count == 1) {
                $_SESSION['username'] = $username;
                header("location: index.php");
            } else {
                echo "Incorrect username or password.";
            }
        }
        ?>
  3. Web servers are stateless. Other than an entry in the access log file, they don't know or care what happened before the current http request and they don't know or care what will happen after the current http request. Every page that is requested is completely separate from every other page request. All values, except session variables, that exist in the code on any page are destroyed when the code on that page finishes running. The $_POST data (what was searched for) that was submitted to your page and the data from the database query no longer exist after the code on the page finishes running. To pass the search term and type with the pagination links, you will need to build the pagination links with keys/values for the 'q' and 'type' in them, then use $_GET['q'] and $_GET['type'] to access the values.
  4. You must not have php's error_reporting/display_errors set to show all php detected errors. Your process.php page is failing with a fatal runtime error because the $db variable doesn't exist on the process.php page. Web servers are stateless. Other than an entry in the access log file, they don't know or care what happened before the current http request and they don't know or care what will happen after the current http request. Every page that is requested is completely separate from every other page request. Your process.php code must include all the code needed to define and create an instance of your db class before it can use any of the methods or properties in that class.
  5. Do you have php's error_reporting set to E_ALL and display_errors set to ON so that any session_start() related errors will be reported and displayed?
  6. The most common reason navigating or redirecting around on a site does not carry session variables is because the URLs change between having and not having the www. on them and by default the session id cookie only matches the exact variation of your domain name where the session was first started. Do the URLs consistently use the same variation of your domain, all with or all without the www. in them?
  7.
        <?php
        session_start();
        // form processing code
        if(isset($_POST['submit'])){
            if(isset($_SESSION['start_time'])){ // if it is not set, the form was never visited/generated
                $time = time() - $_SESSION['start_time'];
                if($time < 2) { // form submitted in less than 2 seconds
                    echo "You're a vile spammer.<br /><br />";
                } else {
                    echo "Phew, you're human, I can go ahead and process your data.<br /><br />";
                }
                echo $time . " seconds elapsed before hitting Submit."; // for my own info
                unset($_SESSION['start_time']); // unset the value so that someone cannot keep submitting data without revisiting the form
            } else {
                // form data submitted without visiting the form
                echo "You're a vile spammer.<br /><br />";
            }
        }
        // form code
        $_SESSION['start_time'] = time();
        ?>
        <form id='form1' method='POST' action=''>
        <input name='submit' type='submit' value='submit'>
        </form>
  8. It would take a hacker about 10 seconds to figure out that a value in a hidden field that looks like a Unix Timestamp could be submitted as an older timestamp value to bypass this check. You would need to pass the generated timestamp in a session variable for it to be secure.
  9. Your code is specifically setting error_reporting to zero, so of course you are not seeing any errors. Your php.ini error_reporting setting is also turning off the reporting of E_WARNING and E_NOTICE errors, the two most common types of errors that would help you determine when and where your code is having a problem. You need to have php's error_reporting always set to E_ALL and on a development system you need to have display_errors set to ON (output reported errors to the browser) and on a live site you need to have display_errors set to OFF and log_errors set to ON (write reported errors to the error log file.) By having these settings in the php.ini, there's no need to have them in your code files (the times you have seen it suggested to add error_reporting/display_errors settings in a code file to show php detected errors, were strictly for debugging purposes.)
  10. Your <form ... tag does not have the enctype attribute that is needed to allow files to be uploaded and you are missing a closing </form> tag. I recommend reading the upload handling section in the php.net documentation - http://us.php.net/manual/en/features.file-upload.php
  11. Just using a time is ambiguous. You should be using the id (auto-increment key) in links to reference any particular entry.
  12. Assuming you are getting the date/time ($row['date']) and title ($row['title']) in the rows from your query and the rows are in the order that you want the result to be in, you can directly and simply loop over the data and produce the desired output -

        // execute your query here to get the data you want in the order that you want it....
        $last_year = null;
        $last_month = null;
        $output = '<ul>';
        while($row = mysql_fetch_assoc($result)){
            list($year,$month,,,,) = sscanf($row['date'],"%d-%d-%d %d:%d:%d"); // extract just the year and month
            if($last_month != $month || $last_year != $year){
                // month changed (or the same month in a different year) or is the first one
                if($last_month != null){
                    // not the first one, close out (produce) the previous month section
                    $month_name = date("F",mktime(0, 0, 0, $last_month, 1)); // day 1, so the month name is right whatever today's date is
                    $year_data .= "<li>$month_name ($month_count)</li><ul>$month_data</ul>";
                }
                $month_count = 0;
                $month_data = '';
                $last_month = $month;
            }
            if($last_year != $year){
                // year changed or is the first one
                if($last_year != null){
                    // not the first one, close out (produce) the previous year section
                    $output .= "<li>$last_year ($year_count)</li><ul>$year_data</ul>";
                }
                $year_count = 0;
                $year_data = '';
                $last_year = $year;
            }
            // each piece of data under the current month
            $month_data .= "<li>{$row['title']}</li>";
            $month_count++;
            $year_count++;
        }
        // close out the last section
        $month_name = date("F",mktime(0, 0, 0, $last_month, 1));
        $year_data .= "<li>$month_name ($month_count)</li><ul>$month_data</ul>";
        $output .= "<li>$last_year ($year_count)</li><ul>$year_data</ul>";
        $output .= '</ul>';
        echo $output;
  13. Each protected page must have php code on it to check if the current visitor can access that page. How does your login code 'remember' who the current visitor is after he/she has authenticated themselves and what's your code on each page to check and limit access to protected pages?
  14. I split your post into its own thread. Please start new threads for your problems so that they will be replied to correctly and you can find them as topics under your username. Please post your table definition, since the error is indicating that table doesn't have a column by that name.
  15. Ummm. The code you posted above doesn't have anything in it like the screen_check code you have been posting in this thread. P.S. I removed the apparent account and phone numbers that were in the above code.
  16. If you are trying to find if a value exists in a database table, you would generally do that in the query itself.
  17. What's ALL the code on your page? Edit: Also, when the 800 is reported, what is the URL in the address bar?
  18. Sorry to be blunt, but the information you are posting is useless. You didn't even identify which variable is having the problem and what data is being submitted and what portion of it is being cut off. We are not standing right next to you. We don't know what your code is, what your data is, what you entered, or what result you saw. Since adding a die statement changed the symptom, there is something in the code ON YOUR PAGE that is causing the problem. You are asking someone else to help find the problem, but you aren't, can't, or won't post all the code that reproduces the problem and what data values are being used (this could be due to the actual data and a html problem in your form.)
  19. It's likely you have an error in your logic that is causing the update problem. Most likely you have a header() redirect that doesn't have an exit; statement after it, so when the remainder of your code on the page runs while the browser is performing the redirect, you get unexpected results. It would take having all your code that reproduces the problem (less any database credentials) and a specific example of what data you are submitting, what data was in the database at the start and what incorrect data is left in the database after the code runs.
  20. Obviously not. None of the three different pieces of php code from the w3schools site can produce the output you stated. Which of those three different pieces of php code are you using? Without your actual code and the actual output you got from it, it's not possible to help you with what is wrong with your code. Also, the last two pieces of code on the w3schools site are CRAP and should not be used for anything. It tests uploaded file information before it tests for upload errors. If there is an upload error, the uploaded file information will be empty and the generic "Invalid file" message will be displayed and you will never see the upload error output "Return Code: x" that would provide information about why the upload is failing. The logic needs to test for upload errors first before it tries to use any of the uploaded file information. Another glaring problem with that code is that it lumps together both the mime type and file size tests and outputs one common non-descriptive error message. When validating user input, you should never do that. Good validation code should have separate tests for each possible problem with the submitted data and output a separate, specific, descriptive message for each validation test that fails.
  21. If you have your own code and have a question, problem, or error that you need help with, start your own thread. Locking this thread....
  22. You should use a switch/case statement when you have different logic you need to run. For simple key/value lookups, you should use some form of mapping to associate the key with the value. Some different methods -

        <?php
        // if the $info value exactly matches the $row associative index names (which is not what you show for some of your key/value pairs), with no error checking (if the $info value doesn't exist, you get null data back)
        return $row[$info];
        ?>

        <?php
        // same as above, but with some error checking
        if(isset($row[$info])){
            return $row[$info];
        } else {
            return 'Invalid info index name.';
        }
        ?>

        <?php
        // using a lookup array to associate the $info values with the actual index names
        // just modify the $lookup array to add/remove/change any entries
        $lookup = array('name'=>'username','group'=>'usergroupid', 'the rest of your key/value pairs go here...');
        if(isset($lookup[$info])){
            // lookup key found
            if(isset($row[$lookup[$info]])){
                return $row[$lookup[$info]];
            } else {
                return 'No data index with the requested name.';
            }
        } else {
            return 'Invalid info index name.';
        }
  23. You would do the same as in a database pagination script, except the total number of rows is the count of your array entries, and instead of making a LIMIT clause in a query to define which rows are retrieved and displayed, you calculate the starting and ending array indexes. Simple pagination script, modified to use an array as the data source -

        <?php
        // pagination from db -> array
        $arr = range(1,32); // simulate data (index starts at 0)
        $rows_per_page = 15;

        // get total number of rows
        /*
        $query = "SELECT count(*) FROM table WHERE ...";
        $result = mysql_query($query, $db);
        list($numrows) = mysql_fetch_row($result);
        */
        $numrows = count($arr);

        // Calculate number of $lastpage
        $lastpage = ceil($numrows/$rows_per_page);

        // condition inputs/set default
        if (isset($_GET['pageno'])) {
            $pageno = $_GET['pageno'];
        } else {
            $pageno = 1;
        }

        // validate/limit requested $pageno
        $pageno = (int)$pageno;
        if ($pageno > $lastpage) {
            $pageno = $lastpage;
        }
        if ($pageno < 1) {
            $pageno = 1;
        }

        // Find start and end array index that corresponds to the requested pageno
        $start = ($pageno - 1) * $rows_per_page;
        $end = $start + $rows_per_page -1;

        // limit $end to highest array index
        if($end > $numrows - 1){
            $end = $numrows - 1;
        }

        // database query
        /*
        $query = "SELECT * FROM table $limit";
        $result = mysql_query($query, $db);
        //... process contents of $result ...
        */

        // display array from $start to $end
        for($i = $start;$i <= $end;$i++){
            echo $arr[$i] . '<br />';
        }
        echo "<br />";

        // first/prev pagination hyperlinks
        if ($pageno == 1) {
            echo " FIRST PREV ";
        } else {
            echo " <a href='?pageno=1'>FIRST</a> ";
            $prevpage = $pageno-1;
            echo " <a href='?pageno=$prevpage'>PREV</a> ";
        }

        // Display current page or pages
        echo " ( Page $pageno of $lastpage ) ";

        // next/last pagination hyperlinks
        if ($pageno == $lastpage) {
            echo " NEXT LAST ";
        } else {
            $nextpage = $pageno+1;
            echo " <a href='?pageno=$nextpage'>NEXT</a> ";
            echo " <a href='?pageno=$lastpage'>LAST</a> ";
        }
        ?>
  24. Here's some 'final answer' code that works correctly for any amount of matching data in the footballodds table. This also correctly selects the newest 20 matches and displays them in ascending order -

        <?php
        $outcomes = array('Home','Draw','Away'); // list of outcomes and the order to display them in the html table
        $query = "
        SELECT * FROM (
            SELECT f.id, f.date, th.name home_name, ta.name away_name,
                GROUP_CONCAT(CONCAT_WS('|',o1.outcome,o1.price,s.name) SEPARATOR '||') as result
            FROM footballfixtures f
            INNER JOIN footballteams th ON th.id = f.home
            INNER JOIN footballteams ta ON ta.id = f.away
            LEFT JOIN footballodds o1 ON o1.gameid = f.id
            LEFT JOIN sitenames s ON s.id = o1.companyid
            WHERE (o1.price=(SELECT MAX(o2.price) FROM footballodds o2 WHERE o1.outcome = o2.outcome AND o1.gameid = o2.gameid)
                AND o1.type='Match Betting') or o1.price <=> null
            GROUP BY o1.gameid
            ORDER BY f.date DESC
            LIMIT 20
        ) t
        ORDER BY date ASC
        ";
        $result = mysql_query($query) or die(mysql_error());
        echo "<table>";
        while($row = mysql_fetch_assoc($result)){
            $id = $row['id'];
            $maindate = date('Y-m-d g:ia',$row['date']); // full date/time
            $homename = $row['home_name'];
            $awayname = $row['away_name'];
            echo "<tr class='rowmouseover'><td width='160' class='greymatchbar'>".$maindate."</td><td width='300' class='greymatchbar'><a href='/test/Betting/".$var2."/".$var3."/".$var4."/".$id."/".$homename."-".$awayname."/Win-Draw-Win'>";
            echo $homename." v ".$awayname."</a></td>";
            // extract data
            $data = explode('||',$row['result']); // 0-3 entries of outcome|price|site i.e. "Home|2.34|site1||Away|1.23|site1||Draw|6.00|site2"
            $data2 = array();
            foreach($data as $str){
                if($str != ''){
                    list($outcome,$price,$site) = explode('|',$str);
                    $data2[$outcome] = array('price'=>$price,'site_name'=>$site);
                }
            }
            foreach($outcomes as $key){
                $site_name = 'none';
                $price = 'none';
                if(isset($data2[$key])){
                    $site_name = $data2[$key]['site_name'];
                    $price = $data2[$key]['price'];
                }
                echo "<td width='60' class='greymatchbar2' align='center' title='".$site_name."'>".$price."</td>";
            }
            echo "<td width='80' class='greymatchbar'><a href='/test/Betting/".$var2."/".$var3."/".$var4."/".$id."/".$homename."-".$awayname."/Win-Draw-Win'>See All</a></td></tr>\n";
        }
        echo "</table>";
        ?>
  25. Here's another correction to the query (that's what you get when you don't test with enough sample data). The line -

        WHERE o1.outcome = o2.outcome)

      Needs to be -

        WHERE o1.outcome = o2.outcome AND o1.gameid = o2.gameid)
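
Added example for posts 1 and 3 above (not code from the thread or its author): pagination links that carry 'q' and 'type' forward, with every request-derived value escaped before it is echoed. The helper names, the allowed search types and the sample request values are assumptions constructed for illustration.

```php
<?php
// Added example. $request stands in for $_GET; all sample values are constructed.

/** Escape a value for output in HTML text or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Build one pagination link that carries the search term and type forward.
 * Only the keys the page uses are copied; 'type' must be on an allow-list.
 */
function page_link(array $request, int $pageno, string $label): string
{
    $allowedTypes = ['title', 'author'];   // hypothetical search types
    $q = isset($request['q']) && is_string($request['q']) ? $request['q'] : '';
    $type = isset($request['type']) && in_array($request['type'], $allowedTypes, true)
        ? $request['type']
        : $allowedTypes[0];

    // http_build_query() URL-encodes each value; e() then makes the whole
    // URL safe to place inside the quoted href attribute.
    $url = '?' . http_build_query(['q' => $q, 'type' => $type, 'pageno' => $pageno]);
    return "<a href='" . e($url) . "'>" . e($label) . "</a>";
}

// Constructed request: markup and a quote in the search term, an unknown type.
$request = ['q' => "o'brien <b>bold</b>", 'type' => 'bogus'];
echo page_link($request, 1, 'FIRST'), ' ', page_link($request, 2, 'NEXT'), "\n";

// Echoing the requested URL itself (for example as a form action) needs the
// same escaping. Constructed stand-in for $_SERVER['REQUEST_URI']:
$requestUri = "/search.php/'><i>x</i>";
echo "<form method='get' action='" . e($requestUri) . "'></form>\n";
```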
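
Added example for post 20 above (not the w3schools code and not code from the thread): upload validation that checks the upload error code before touching any other file information, then runs the size and mime type tests separately with a specific message for each. The function name, the limits and the $_FILES-style arrays are assumptions constructed for illustration.

```php
<?php
// Added example. The $file arrays mimic one entry of $_FILES and are constructed.

function validate_upload(array $file, int $maxBytes, array $allowedMime): array
{
    // 1. Upload errors first: when one is set, the other fields are empty.
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        $messages = [
            UPLOAD_ERR_INI_SIZE   => 'The file exceeds upload_max_filesize.',
            UPLOAD_ERR_FORM_SIZE  => 'The file exceeds the form MAX_FILE_SIZE.',
            UPLOAD_ERR_PARTIAL    => 'The file was only partially uploaded.',
            UPLOAD_ERR_NO_FILE    => 'No file was uploaded.',
            UPLOAD_ERR_NO_TMP_DIR => 'The server has no temporary folder.',
            UPLOAD_ERR_CANT_WRITE => 'The server could not write the file.',
            UPLOAD_ERR_EXTENSION  => 'A PHP extension stopped the upload.',
        ];
        return [$messages[$code] ?? "Upload failed with code $code."];
    }

    // 2. Each remaining test is separate and reports its own message.
    $errors = [];
    if ($file['size'] > $maxBytes) {
        $errors[] = "The file is {$file['size']} bytes; the limit is $maxBytes.";
    }
    // Detect the type from the content; $file['type'] is only what the browser sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        $errors[] = "The file type '$mime' is not allowed.";
    }
    return $errors;
}

// Constructed inputs: a failed upload, then a text file labelled as a JPEG.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "plain text, not an image\n");
$failed = ['error' => UPLOAD_ERR_INI_SIZE, 'size' => 0, 'tmp_name' => '', 'type' => ''];
$fake = ['error' => UPLOAD_ERR_OK, 'size' => filesize($tmp), 'tmp_name' => $tmp, 'type' => 'image/jpeg'];

print_r(validate_upload($failed, 20, ['image/jpeg', 'image/png']));
print_r(validate_upload($fake, 20, ['image/jpeg', 'image/png']));
unlink($tmp);
```

In a real handler, also confirm is_uploaded_file($file['tmp_name']) before reading the file; the constructed temp file here would not pass that check.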