Everything posted by MadTechie
-
can be used for either, as you could have the bad words enter the database so you can review later, and filter on display or just filter before entering the database
-
basically if you filter the characters that are used to inject the code i.e. ' and " then you're safe, hence the filter
$login = preg_replace("/[^a-zA-Z0-9]/", "", $login); //limits username to numbers and letters
-
here is membership script
<?php
function authenticate ($login, $password) {
    global $db_name, $tbl_members;
    $login = preg_replace("/[^a-zA-Z0-9]/", "", $login); //limits username to numbers and letters
    $valid = mysql_fetch_array(mysql_db_query($db_name, "SELECT * FROM $tbl_members WHERE login='$login'"));
    if ($login) {
        if ($password == crypt($valid[password], $login)) {
            if ($valid[enabled] == "yes") {
                $result = $valid;
            } else {
                $result[error] = "700";
            }
        } else {
            $result[error] = "800";
        }
    } else {
        $result[error] = "200";
    }
    return $result;
}
?>
as a side note this was on just a quick overview, there may be more bugs (but i am at work)
-
$login isn't filtered
<?php
$login = preg_replace("/[^a-zA-Z0-9]/", "", $login); //limits username to numbers and letters
?>
EDIT: in the function authenticate
-
CRONing is the best option
-
from a quick look at your code i would guess change
<?php
/* Spruce up username, check length */
$_POST['user'] = trim($_POST['user']);
if(strlen($_POST['user']) > 30){
    include("createacc_error3.php");
    exit();
}
if(strlen($_POST['pass']) < 6){
    include("createacc_error6.php");
    exit();
}
?>
to
<?php
//store filtered username
$user = preg_replace("/[^a-zA-Z0-9]/", "", $_POST['user']);
if($user != $_POST['user']) {
    die("Invalid Username"); //error handling
}
//overwrite the old username with new filtered one (for use below)
$_POST['user'] = $user;
/* Spruce up username, check length */
$_POST['user'] = trim($_POST['user']);
if(strlen($_POST['user']) > 30){
    include("createacc_error3.php");
    exit();
}
if(strlen($_POST['pass']) < 6){
    include("createacc_error6.php");
    exit();
}
?>
**note this is untested
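A stricter form of the username filter and lookup from the posts above, as an added example that is not from the thread: it rejects a non-alphanumeric username instead of stripping it, and swaps the interpolated query for a PDO prepared statement and `password_verify`. The SQLite in-memory table, its column names and the sample account are assumptions made for the example; the error codes and the 30-character limit are taken from the posted scripts.

```php
<?php
// Added example; table layout and sample account are constructed for illustration.

// Allowlist check: letters and digits only, 1 to 30 characters.
// \A and \z anchor the whole string, so a trailing newline is rejected too.
function valid_username(string $login): bool {
    return preg_match('/\A[a-zA-Z0-9]{1,30}\z/', $login) === 1;
}

function authenticate(PDO $db, string $login, string $password): array {
    if (!valid_username($login)) {
        return ['error' => '200'];   // rejected outright, never rewritten
    }
    // The value is bound as a parameter, so it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT login, password, enabled FROM members WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return ['error' => '800'];   // same answer for unknown user and bad password
    }
    if ($row['enabled'] !== 'yes') {
        return ['error' => '700'];
    }
    return $row;
}

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (login TEXT PRIMARY KEY, password TEXT, enabled TEXT)');
$ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'yes']);
$ins->execute(['bob', password_hash('hunter2hunter2', PASSWORD_DEFAULT), 'no']);

// Constructed inputs: a valid login, a disabled account, a wrong password,
// and a username carrying quote characters.
$cases = [
    ['alice', 'correct horse'],
    ['bob', 'hunter2hunter2'],
    ['alice', 'wrong password'],
    ["alice' OR '1'='1", 'anything'],
];
foreach ($cases as [$login, $password]) {
    $result = authenticate($db, $login, $password);
    echo str_pad($login, 20), ' => ', $result['error'] ?? 'ok', "\n";
}
```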
-
try this filter
<?php
$string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
?>
that's numbers and letters ONLY
-
<?php
function filter($string) {
    $pattern[0] = "/badword1/";
    $pattern[1] = "/badword2/";
    $pattern[2] = "/badword3/";
    $replacement[0] = "####";
    $replacement[1] = "####";
    $replacement[2] = "####";
    return preg_replace($pattern, $replacement, $string);
}
?>
-
could always create a function that extracts the data from the array, not sure how you return the data from the function. the question we all want to know is WHY
-
SELECT * FROM table
will retrieve a WHOLE row, it will go into an array, you can then pull out the parts you want (or all of them) then edit them and then use
UPDATE table SET field1 = '$field1', field2 = '$field2', field3 = '$field3';
you can't edit them like an ADO connection
-
use die; the script will stop when it hits it
-
directly !! you'll have to fetch and then update
-
yeah i started a script to do that.. i have tried to shorten the process using REGEXP but even then my more complex RegEx don't seem to work well.. probably just a bad day. will try in the morning. Thanx for all your help Wildbug
-
[SOLVED] This is killing me but, probably stupidly easy!
MadTechie replied to Unconscious-heart's topic in MySQL Help
try
$connection = mysql_connect($db_host, $db_user, $db_password) or die ("error connecting".mysql_error() );
what's the returned error ?
-
humm i can't see any errors. Yet some WAMP servers don't support <? and must have <?php so try
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<table width="400" border="0" align="center" cellpadding="3" cellspacing="0">
<tr>
<td><strong>Jelly Beans | <a href="guestbook.php">Rate the Bean </a> </strong></td>
</tr>
</table>
<?php
$host="localhost"; // Host name
$username = me; // Mysql username
$password = too; // Mysql password
$db_name = test; // Database name
$tbl_name=clearbook; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect server ");
mysql_select_db("$db_name")or die("cannot select DB");
$sql="SELECT * FROM $tbl_name";
$result=mysql_query($sql);
while($rows=mysql_fetch_array($result)) {
?>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td><table width="400" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td>ID</td>
<td>:</td>
<td><?php echo $rows['id']; ?></td>
</tr>
<tr>
<td width="117">Name</td>
<td width="14">:</td>
<td width="357"><?php echo $rows['name']; ?></td>
</tr>
<tr>
<td valign="top">Subject</td>
<td valign="top">:</td>
<td><?php echo $rows['subject']; ?></td>
</tr>
<tr>
<td valign="top">Comment</td>
<td valign="top">:</td>
<td><?php echo $rows['comment']; ?></td>
</tr>
<tr>
<td valign="top">Date/Time </td>
<td valign="top">:</td>
<td><?php echo $rows['datetime']; ?></td>
</tr>
</table></td>
</tr>
</table>
<BR>
<?php
}
mysql_close(); //close database
?>
</body>
</html>
Note i assume you have set
$username = me; // Mysql username
$password = too; // Mysql password
$db_name = test; // Database name
$tbl_name=clearbook; // Table name
correctly i.e. with quotes
-
[SOLVED] This is killing me but, probably stupidly easy!
MadTechie replied to Unconscious-heart's topic in MySQL Help
posting the script may prompt a few ideas, or we can all just guess
-
add
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$comment = $_POST['comment'];
$subject = $_POST['subject'];
?>
after
$datetime=date("y-m-d h:i:s"); //date time
-
[SOLVED] Help with multiple variables and $_GET
MadTechie replied to john010117's topic in PHP Coding Help
what error exactly ? also you're missing a } at the end of the script
-
[SOLVED] Help with multiple variables and $_GET
MadTechie replied to john010117's topic in PHP Coding Help
change
$result = mysql_query ("SELECT * FROM bnetupdates WHERE title = '$_GET[word]' LIMIT $from, $max_results");
to
$result = mysql_query ("SELECT * FROM bnetupdates WHERE title = '{$_GET['word']}' LIMIT $from, $max_results");
-
i agree but the video did cheer me up, lol
-
replace
$result=mysql_query($sql);
with
$result=mysql_query($sql) or die("query error:".mysql_error() );
at least then you'll see the error
personally it looks like an error here
$sql="INSERT INTO $tbl_name(name, email, subject, comment, datetime)VALUES('$name', '$email', '$comment','$subject' '$datetime')";
change to
$sql="INSERT INTO $tbl_name (name, email, subject, comment, datetime) VALUES ('$name', '$email', '$comment','$subject', '$datetime')";
-
change
$sql = "SELECT id FROM users WHERE username='$_POST[username]' AND password='$_POST[password]'" or die("error3");
to
$sql = "SELECT id FROM users WHERE username='$_POST[username]' AND password='$_POST[password]'";
LOL love the video
-
[SOLVED] wont insert anything into my mysql database
MadTechie replied to laron's topic in PHP Coding Help
in variables.php, is $_POST["agree"] being set ?
-
Redundant code is a computer programming term for code that is executed but has no effect on the output of a program (dead code is the term applied to code that is never executed).
-
some sample data always helps