Posts: 16,734
Days Won: 9
Everything posted by PFMaBiSmAd
-
If you search this forum, under my username, for the keywords - 'unique hard guess', you will get a number of posts describing what you should be storing in a 'login/remember me' cookie, then using the unique and hard to guess value in the cookie only to identify the visitor to find his user information in your user table, and then determining the logged in/out status based on a value stored solely on the server, and not based on the simple existence of a cookie.
-
I suggest you fix the following flaw in your login code, ASAP - You also didn't answer the question I asked.
-
See this link - http://p2p.wrox.com/book-professional-ajax-isbn-978-0-471-77778-6/48331-ajax-get-dynamic-images.html
-
Use the mysql DATE_FORMAT() function in your query to format your date (or datetime or time) column any way you want when you select it - http://dev.mysql.com/doc/refman/5.0/en/date-and-time-functions.html#function_date-format
-
How do you know they weren't logged in? Also, if you are just testing for the existence of a cookie or even a cookie with a publicly displayed username in it for a value, anyone can send a cookie with any value when they make an HTTP request for pages on your site. Does your login check code have any logic to prevent the remainder of the code on the page from running if someone isn't logged in? Does your form processing code check if someone is logged in before processing the form data? It would take actually seeing your code to pin down if or how someone posted to it without being logged in.
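The two posts above (the 'unique hard guess' remember-me advice and the point that any client can send any cookie) describe one design: the cookie carries only a random, hard to guess identifier, the user lookup and the logged-in flag live on the server, and every protected page stops executing when the check fails. The following is an added example of that design, not code from the poster; it assumes PHP 7.3+, a PDO connection in $db, a users table, and a login_tokens table with the columns used in the queries (selector, validator_hash, user_id, active, expires).

```php
<?php
// Added example (not the poster's code). Table/column names are assumed.
const TOKEN_BYTES = 32;
const COOKIE_NAME = 'remember';

// Called once after a successful password login. The browser gets "selector:validator";
// only a hash of the validator is stored, so a leaked table does not yield usable cookies.
function issue_remember_token(PDO $db, int $user_id): void
{
    $selector  = bin2hex(random_bytes(TOKEN_BYTES));   // random, hard to guess, not derived from the user
    $validator = bin2hex(random_bytes(TOKEN_BYTES));
    $expires   = time() + 30 * 86400;
    $st = $db->prepare('INSERT INTO login_tokens (selector, validator_hash, user_id, active, expires)
                        VALUES (?, ?, ?, 1, ?)');
    $st->execute([$selector, hash('sha256', $validator), $user_id, $expires]);
    setcookie(COOKIE_NAME, "$selector:$validator", [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// The cookie is used ONLY to find the row; logged in/out comes from the server-side `active` flag.
function current_user(PDO $db): ?array
{
    if (!isset($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    [$selector, $validator] = array_pad(explode(':', $_COOKIE[COOKIE_NAME], 2), 2, '');
    $st = $db->prepare('SELECT t.validator_hash, t.active, t.expires, u.id, u.username
                        FROM login_tokens t JOIN users u ON u.id = t.user_id
                        WHERE t.selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // unknown or forged selector
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;                                   // timing-safe compare of the secret half
    }
    if (!$row['active'] || (int) $row['expires'] < time()) {
        return null;                                   // logged out server-side, or expired
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Logging out flips the server-side flag; the cookie on its own is then worthless.
function logout(PDO $db, int $user_id): void
{
    $db->prepare('UPDATE login_tokens SET active = 0 WHERE user_id = ?')->execute([$user_id]);
    setcookie(COOKIE_NAME, '', ['expires' => 1, 'path' => '/']);
}

// First thing on every protected page AND every form-processing script.
function require_login(PDO $db): array
{
    $user = current_user($db);
    if ($user === null) {
        header('Location: login.php');
        exit;   // without this, the rest of the page (including form processing) still runs
    }
    return $user;
}
```

A quick check that the design holds: with a cookie value made up by hand, current_user() returns null because there is no matching selector; with a real cookie after logout(), it returns null because active is 0 on the server even though the browser still sends the cookie.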
-
Your <form ....> tag is missing the enctype attribute that is needed for uploads to work. Ref: http://us3.php.net/manual/en/features.file-upload.post-method.php
-
You should be able to escape it as \$ and have it treated as a literal $
-
The security is the same for either method. However, by preventing the http request for the files in the first place, you will save some server resources if someone does start trying to directly request the file. For the case of putting the conditional test in each file, if the file is requested, the php language engine will be invoked, the entire file will be parsed and tokenized, then execution will start until it reaches and evaluates the if(){} statement.
-
Sample code that would just insert the filename.ext -

<?php
require("header.php");   // provides the mysql connection used by mysql_real_escape_string()
$path = "uploads/";
// basename() strips the folder, array_filter()/is_file drops directories, then each name is escaped for the query
$files = array_map('mysql_real_escape_string', array_map('basename', array_filter(glob("{$path}*.*"), 'is_file')));
if(empty($files)){
    echo "There were no matching files to insert into the database.";
} else {
    // one multi-value INSERT: ('a.jpg'),('b.png'),...
    $query = "INSERT INTO uploads (url) VALUES ('" . implode("'),('", $files) . "')";
    if(!mysql_query($query)){
        echo "There was a problem inserting the data.";
        trigger_error("Query failed: $query<br />Error: " . mysql_error());
    } else {
        echo "The data was inserted successfully.";
    }
}
-
Put all the auxiliary files into a folder that is either outside (closer to the disk root) your htdocs folder or if you can only put folders inside your htdocs folder, use a .htaccess file to prevent all http requests to the files in that folder.
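The two posts above make one point: the cheapest protection is to keep auxiliary files where no URL maps to them (or to deny HTTP requests to the folder), with an in-file guard as a second layer that costs a parse of the file before it can refuse. The following is an added example of both layers together, not the poster's code; the folder layout (htdocs/ with a sibling private/ folder) and the IN_APP constant name are assumptions.

```php
<?php
// Added example (not the poster's code). Shown as two files in one listing; paths are assumed.

// ---- htdocs/header.php: included by every public page, never meant to be requested alone ----
define('IN_APP', true);                              // proves execution started from an entry page
require dirname(__DIR__) . '/private/config.php';    // ../private is outside htdocs: no URL reaches it

// ---- private/config.php: only ever reached through the include above ----
// Second layer. If this folder is somehow web-reachable (wrong document root, missing .htaccess),
// the engine still parses the whole file, but this runs before any credential below is used.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit;                                            // stop here; nothing after this line executes
}
$db_host = 'DB_HOST_PLACEHOLDER';                    // placeholder values, not real credentials
$db_user = 'DB_USER_PLACEHOLDER';
$db_pass = 'DB_PASS_PLACEHOLDER';
```

If the only option is a folder inside htdocs, a .htaccess in that folder with `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) stops the request at the web server, so the PHP engine is never invoked. To confirm either layer, request the file directly from a browser or with curl -I: the response should be a 403, and the page body must be empty.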
-
Amending to a file on a Windows machine with XAMPP
PFMaBiSmAd replied to APD1993's topic in PHP Coding Help
glob
-
You need to urlencode anything being put into a URL that might contain characters that are not normally permitted in a URL. As to INSERTing the data into a database table, where exactly are you stuck at? You form an insert query with the data you want in it and execute it. If you want to save on the number of queries being executed, you would use one multi-value insert query. Here's a link showing how to form a multi-value insert query - http://www.phpfreaks.com/forums/index.php?topic=354447.msg1674108#msg1674108
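An added example (not the poster's code) of the two things asked for in the post above: building a URL with the filename encoded, and inserting all filenames with one multi-value INSERT. It uses PDO prepared statements instead of string concatenation, so the escaping step from the earlier sample is not needed; the uploads table with a url column and the $db connection are assumed.

```php
<?php
// Added example (not the poster's code). Assumes a PDO connection in $db and an `uploads` table with a `url` column.

// Build an <a href> per file. rawurlencode() turns spaces, '&', '#', '%' and non-ASCII into %XX so the
// name stays one path segment; htmlspecialchars() then keeps it safe inside the HTML attribute and text.
function upload_links(array $filenames, string $base = '/uploads/'): array
{
    $links = [];
    foreach ($filenames as $name) {
        $href    = htmlspecialchars($base . rawurlencode($name), ENT_QUOTES, 'UTF-8');
        $label   = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $links[] = "<a href=\"$href\">$label</a>";
    }
    return $links;
}

// One query for N rows: INSERT INTO uploads (url) VALUES (?),(?),(?)...
function insert_filenames(PDO $db, array $filenames): int
{
    if ($filenames === []) {
        return 0;                                    // an empty VALUES list would be a syntax error
    }
    $placeholders = implode(',', array_fill(0, count($filenames), '(?)'));
    $st = $db->prepare("INSERT INTO uploads (url) VALUES $placeholders");
    $st->execute(array_values($filenames));          // values bound, never spliced into the SQL text
    return $st->rowCount();
}

// Same file discovery as the earlier sample: real files only, folder stripped off.
$files = array_map('basename', array_filter(glob('uploads/*.*'), 'is_file'));
$db    = new PDO('mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
printf("%d rows inserted\n", insert_filenames($db, $files));
echo implode("<br />\n", upload_links($files));
```

With a filename such as "my photo & more.jpg" the link becomes /uploads/my%20photo%20%26%20more.jpg, while the database row keeps the original name; encoding belongs at the point the value goes into a URL, not in storage.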
-
When you previously tested the get_magic_quotes_gpc() value in a script, was that .php file in the same folder where you are running your actual script? I'm thinking you have one or more local php.ini files and one of them, in a folder with your actual script, is turning on magic_quotes_gpc. Likewise, has the script with the phpinfo() statement in it been run in the same folder where your actual php script is at? P.S. you can only put php settings in a .htaccess file when php is running as an Apache Module. It's a server error otherwise, because the php_flag command is not recognized.
-
Amending to a file on a Windows machine with XAMPP
PFMaBiSmAd replied to APD1993's topic in PHP Coding Help
The { is unexpected because you are missing a ) immediately before it.
-
Amending to a file on a Windows machine with XAMPP
PFMaBiSmAd replied to APD1993's topic in PHP Coding Help
The undefined index error was always present in your code, but was being hidden by the error_reporting/display_errors settings. You should be using isset to test for the existence of variables that might not exist when your code runs.
-
Amending to a file on a Windows machine with XAMPP
PFMaBiSmAd replied to APD1993's topic in PHP Coding Help
When used inside of a double-quoted string, the \ starts an escape sequence of characters. Either use single-quotes around the string or, since php under Windows converts / in file paths to the Windows \, you can simply use - $filename="C:/xampp/htdocs/rcm/denman2.txt";
-
What does a phpinfo() statement show for the auto_prepend_file setting, in case someone (web host) is running a script to escape all external data?
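The posts above about magic_quotes_gpc, per-folder php.ini files and auto_prepend_file all come down to one question: which settings are actually in effect for the script that misbehaves, and is anything adding \ characters before the script sees its input? The following is an added diagnostic, not the poster's code, meant to be saved in the same folder as the problem script. The probe value and the strip_magic_quotes() helper are my own; note that get_magic_quotes_gpc() was removed in PHP 8, which the function_exists() check accounts for.

```php
<?php
// Added diagnostic (not the poster's code). Save it in the SAME folder as the misbehaving script:
// a per-directory php.ini or .htaccess only affects scripts in that folder.

// Undo magic_quotes_gpc on old PHP versions so the code sees the bytes the user actually sent.
function strip_magic_quotes(array $data): array
{
    $out = [];
    foreach ($data as $k => $v) {
        $out[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes($v);
    }
    return $out;
}

// Function no longer exists on PHP 8; @ silences the deprecation notice on 7.4.
$magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();

echo "<pre>\n";
echo "SAPI:               " . php_sapi_name() . "\n";   // php_flag in .htaccess works only under the Apache module
echo "Loaded php.ini:     " . (php_ini_loaded_file() ?: '(none)') . "\n";
echo "Scanned ini files:  " . (php_ini_scanned_files() ?: '(none)') . "\n";
echo "auto_prepend_file:  " . (ini_get('auto_prepend_file') ?: '(empty)') . "\n";
echo "auto_append_file:   " . (ini_get('auto_append_file') ?: '(empty)') . "\n";
echo "magic_quotes_gpc:   " . ($magic ? 'On' : 'Off') . "\n";

if (isset($_POST['probe'])) {
    $raw = $_POST['probe'];
    // Show the exact bytes: if extra \ characters appear here, they were added before this line ran
    // (magic_quotes_gpc or a prepended script), not by the database or by the display method.
    echo "probe as received:  " . htmlspecialchars($raw) . "  (" . strlen($raw) . " bytes, hex " . bin2hex($raw) . ")\n";
    if ($magic) {
        $_POST = strip_magic_quotes($_POST);
        echo "after stripslashes: " . htmlspecialchars($_POST['probe']) . "\n";
    }
}
echo "</pre>\n";
?>
<!-- constructed probe value: contains a quote and backslashes on purpose -->
<form method="post">
  <input name="probe" value="O'Reilly \ C:\xampp">
  <input type="submit" value="Send probe">
</form>
```

Submitted unchanged, the probe should come back with 19 bytes and no added backslashes; a longer value with \' or \\ in it means escaping is happening upstream of the script, and the listed ini files tell you where to look.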
-
What have you done, other than looking at the end result in the database table, to pin down exactly what your data is and if it is correct (without \ characters) at any point in the process? What is your form? Is the data coming through a hidden field, or is it being entered by the user, or copy/pasted by the user? Is the data supposed to have actual \ characters in it? What is the actual data you are dealing with and seeing when you look in the database table? Also, how are you looking at the data in the database table, in case the display method is adding the escape characters to the output?
-
Here's another possibility for why code might act flaky under different conditions. Are Register_globals on? Actually, my crystal ball seems to be hinting at an equal = assignment statement vs an == comparison statement as the cause of at least one of the problems.
-
Edit: Longer version of what thorpe stated.

For user #1, you need to determine why the included file cannot be found (i.e. No such file or directory.) Either the path is incorrect, or the filename is incorrect, or the capitalization of the path/filename is incorrect (assuming you are on an operating system that is case-sensitive.) Also, if this behaves differently for different users or for different client locations, your code IS doing something, or you have something in a .htaccess file that is doing something, to cause it.

For user #2, those errors are occurring on a mysql_query statement. That means that either your mysql_connect() statement is not being executed at all, or it is being called and is failing but has error_reporting and/or display_errors turned off/suppressed at the time, or you have called a mysql_close statement in your code somewhere between the mysql_connect and the mysql_query statements. Are you sure error_reporting is set to E_ALL, so that all the php detected errors will be reported? You are likely getting some notice messages that would help pinpoint where the first symptoms of the problem are starting.

Here are some possible things your CODE could be doing that could cause these symptoms -
1) Using short open tags.
2) Not having exit; statements after header() redirects to stop the remainder of the code on the page from running while the browser requests the new page.
3) Other relevant php detected errors are occurring, but are hidden either due to the error_reporting/display_errors/log_errors settings, or the use of the @ error suppressor on statements, or having output_buffering turned on and discarding the buffer or redirecting.
4) Logic errors in the code that are doing different things for different logged in users and/or race conditions in the code (see item #2) that vary depending on the connection speed.

For the user #1 errors, if you want us to help, you would need to post enough information about your directory structure so that we would know where the main page is at and where the profiles folder is at, what the exact spelling and capitalization of the folders and files are, and at least the code from the start of all the relevant files (showing the opening <?php tags too) through to where the include statements are at.

For the user #2 errors, you need to determine if the mysql_connection statement is being called/executed at all (echo something right after the line with the statement), if it is failing or not (do you have error checking logic in your code?), and if it is succeeding, why it is being closed by the time the mysql_query statement is being executed.

Short-answer: Your code IS the most likely cause of the problem (there are millions of php web pages that have includes and database connections that work.) If you cannot determine what is causing the problems, then we need to see the relevant code (less any database connection details) that would be needed to reproduce any particular coding problem/symptom/error (you have at least two problems - 1) An include problem prior to your login code, 2) A connection problem prior to your menu code) so that the many different possibilities can be reduced to just a few and then specific suggestions can be made to pin down the problem further. Seeing the relevant code also allows the code to be eliminated as the cause of the problem, which then suggests which of the next more likely things need to be looked at.

Edit2: Here's a possibility for why it behaves differently for you depending on location. You have a remember-me feature in your login logic and you don't actually have to log in when connecting remotely, so the code where the problem is occurring at does not actually get executed.

Shorter-answer: Post the relevant code to get the quickest solution.
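The checks the post above asks for (full error reporting, confirming the connect call runs and succeeds, no close before the query, exit after every header() redirect) fit in one short page header. The following is an added example of that header using mysqli, not the poster's code; connection values are placeholders, the menu table is assumed, and on PHP 8.1+ mysqli reports failures as exceptions by default, which the explicit report mode below makes the same on older versions.

```php
<?php
// Added example (not the poster's code). Placeholders stand in for real connection details.
error_reporting(E_ALL);            // notices included: they show where the first symptom appears
ini_set('display_errors', '1');    // while debugging; on a live site use ini_set('log_errors', '1') instead
session_start();

// Fail loudly on connect/query errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = mysqli_connect('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
} catch (mysqli_sql_exception $e) {
    // Report what failed (never the credentials) and stop: nothing below can work without $db.
    trigger_error('Database connection failed: ' . $e->getMessage(), E_USER_ERROR);
}
echo "<!-- db connected -->\n";   // the "echo something right after the line" check from the post

// Item 2 from the post: a redirect without exit leaves the rest of this file running,
// which is the race condition that shows up differently at different connection speeds.
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// Nothing between the connect and this query may call mysqli_close($db).
$res  = mysqli_query($db, 'SELECT id, label FROM menu ORDER BY id');
$menu = mysqli_fetch_all($res, MYSQLI_ASSOC);
foreach ($menu as $item) {
    echo htmlspecialchars($item['label'], ENT_QUOTES, 'UTF-8') . "<br />\n";
}
```

If the include problem from the post is also present, the same settings surface it: with E_ALL on, a failed include prints a warning naming the exact path PHP tried, so spelling and capitalization can be compared against the directory listing.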