PFMaBiSmAd

You probably also want to prevent the SELECT query from executing. Your current code only prevents the UPDATE query from executing.

If the $id variable being put into that query is not being properly filtered/validated/cast, then yes a hacker can inject sql into that select query to also dump the complete contents of any of your database tables.

Numerical data that is put into a query statement must be validated as a number or more simply cast it as a number in order to prevent sql injection. Alternatively, you can use prepared statements if you are using a database class that supports them (mysqli, PDO.) Escaping a number has no effect because there are no quotes in the data to escape (you can inject sql that uses no quotes.)

You have a typo in one of your function names. Temporarily comment out the header(); statement or setup your server to log php errors so that you can see any php reported errors.

I'll guess one or more of the files being included have the BOM characters. See this thread with a similar problem - http://www.phpfreaks.com/forums/index.php?topic=355677.msg1680666#msg1680666

It's likely the select query that is in the save_edit_vars method. You can use debug_backtrace or debug_print_backtrace inside the code of that method to find out from where it is being called. I would use some conditional logic to only output or log the backtrace information when the $owner_id is empty. Once you know where the main code is that is calling that method, you can debug why the $owner_id parameter is empty (it's either a coding error or that value is coming from a login script that isn't working correctly...)

The query in question is a SELECT query. The 'auction' part of the query might come from a variable, so don't search too specifically.

Your code does not have a value for the owner id. You would need to determine why. You should also be validating all the external data being put into a query statement so that you don't execute the query if all the expected data is not present.

Only php code goes inside of <?php ?> tags. If your form does not contain any php code, it would go outside of any <?php ?> tags. Anything in a .php file that is outside of any <?php ?> tags is sent as is to the browser.

You would need to put a hidden field in the form before the checkbox and use the same name as the checkbox - <form method='post' action=''> <input type='hidden' name='some_name' value='off'> <input type='checkbox' name='some_name'> <input type='submit'> </form>

Since the problem started after someone gained unauthorized access to the files on the server, why would using/turning on output_buffering be a correct solution? The only ways code could have gone from not producing a header error to producing one is if the code in the file got altered or if output_buffering was previously turned on/being used and now it is not. The file could have been altered and is now outputting spam content or javascript on line 46. File permissions were mentioned/questioned as a possible cause, but since file permissions being changed to read/write could not have cause a php file to go from not producing a header error to producing one, the ACTUAL problem is something else and needs to be found. By finding the actual reason for the error, you would probably find what exactly the hacker changed.

Reply #2 states what is wrong with your code.

Back in the original code, when you had two columns, did adding a category work correctly? The code changes so far where to modify the code that produced two columns per row to produce n columns per row. I suspect that isn't even what you wanted to do. Mock-up and post a table showing what output you do want with some sample categories/sub-categories, and someone can probably help you.

What does the following php code, added right after the first <?php tag in your form processing code, show - echo "<pre>"; echo "POST:"; print_r($_POST); echo "</pre>";

You are missing a single quote at the start of the 'December' string.

If you are trying to build links with specific values for the lang=xx parameter (or even removing/unsetting the lang=xx parameter) while keeping the remainder of the query string as is, I have found that using http_build_query with the $_GET array as its source array is more straight forward. You can just assign values to the appropriate $_GET index or unset the appropriate $_GET index, then append the query string that http_build_query returns onto the end of the url. The values will already be urlencoded and you can specify '&' as the separator since you are outputting the links on a web page (rather than using them in a redirect.)

Exactly what did it do vs what you expected? A) I (we) recommend that you form you query statement in a php variable, then echo it to make sure it contains what you expect. B) You should be storing your event date in one column as a mysql DATE data type (YYYY-MM-DD format.)

You can create a custom ORDER BY term by using a FIELD() statement - ORDER BY FIELD(event_month,'January','February','March', list out the remainder of the month names here...,'December')

Depending on where you are at (you observed DST or not) there are not exactly 86400 seconds in each day. If you use strtotime() to do your date increment (i.e. '+1day') it should work.

When you do a 'view source' of the page using the php include, what do you see and where exactly is the extra space at? I suspect your navigation.php file is saved with the BOM (Byte Order Mark) characters it is the BOM that is causing the extra space.

You need to have php's error_reporting set to E_ALL (or even better a -1) and display_errors set to ON in your master php.ini on your development system so that php will report and display all the errors it detects. Your $database variable doesn't exist in several of your function definitions and each reference to it would be throwing php errors to alert you to the problem.

You are trying to move/copy a file within the file system on the server and must use valid file system path. A URL is not a file system path. It is a method of requesting a document through a web server and as the error messages states - HTTP wrapper does not support writeable connections. You must use either an absolute or relative file system path/filename as the destination.

What does the 'view source' of the form in your browser show?

Assuming you WANT to combine the string that your php function getUsername() returns with a ':' and the string that the mysql function NOW() returns, you would need to use - $query = "UPDATE posts SET content = '$content', lastedit = CONCAT('". getUsername() .":',NOW()) WHERE id = '$pid'"; You should also form your query statements in a php string variable (makes troubleshooting and error reporting easier.) Echo the $query variable so that you can see what portion of it php contributed and what the resulting sql syntax is.

There's nothing to show in your code. After you partition the data table, the WHERE clause in a query tells the database engine to only access the partition(s) that match the WHERE condition. If you are doing this based on dates, your where clause would included a date comparison that only matches the partition holding the records that you want to query.