
per1os (New Member, 3,095 posts)
Everything posted by per1os
-
PHP / MySQL Online Status for User Authentication System
per1os replied to wintallo's topic in PHP Coding Help
The best way is to have a field in your db that states "Last action time". Use that in your script so that if a user's time is greater than 5 minutes it updates the "loggedin" field to be set to 0. There is no other way to obtain this as it is impossible to tell if a user closes their browser/goes to another site. --FrosT -
The action messes with the php? I do not think it does bud. Without the action you cannot tell the script where to go...granted that this one references the same page. Maybe try this

<body>
<?php
if (isset($_POST['Profession'])) { // if the form was submitted, send the email
    $Profession = $_POST['Profession'];
    $SetName    = $_POST['SetName'];
    $HeadPiece  = $_POST['HeadPiece'];
    $ChestPiece = $_POST['ChestPiece'];
    $ArmPiece   = $_POST['ArmPiece'];
    $LegPiece   = $_POST['LegPiece'];
    $FeetPiece  = $_POST['FeetPiece'];
    // the submitted values make up the message body (the original passed them as the
    // mail headers and left $message undefined; the undefined $head is taken to be the profession)
    $message = "$Profession - $SetName - $HeadPiece - $ChestPiece - $ArmPiece - $LegPiece - $FeetPiece";
    mail("[email protected]", "Armor Set", $message);
    echo "Thank you for using our mail form";
} else { // if the form is not filled out, display it
    echo "<form method='POST' action='input.php'>
        Profession: <input type='text' name='Profession'/><br />
        Armor Set Name: <input type='text' name='SetName'/><br />
        Armor Set ID(Head Piece): <input type='text' name='HeadPiece'/><br />
        Armor Set ID(Chest Piece): <input type='text' name='ChestPiece'/><br />
        Armor Set ID(Arm Piece): <input type='text' name='ArmPiece'/><br />
        Armor Set ID(Leg Piece): <input type='text' name='LegPiece'/><br />
        Armor Set ID(Feet Piece): <input type='text' name='FeetPiece'/><br />
        <input type='submit' />
        </form>";
}
?>

I do not know why you chose the request for the check in the isset when you reference the $_POST to grab the variables. --FrosT
-
You do not know what recursion is and you are trying to make your own language? Wow dude. google.com recursive functions. Read up on it, that is a major key to save time with a lot of code. You are just lucky that programming languages like PHP provide array functions for you. --FrosT
-
If that is it, willpower, my answer should be sufficient no? The mysql_real_escape_string works great for the sql injection. If you are worried about the js exploit, that can be done pretty easily with an str_replace statement. Either way you should be safe as long as you do escape the data you are putting into mysql. --FrosT
-
Your greatest resource is php.net. They have every single function you could imagine. As for the books, especially if the book tells you to just call $username without doing $username = $_POST['username']; you know that book is a piece of junk. I think you wasted your money on a book on what could have been found easily on www.php.net --FrosT
-
Maybe this might fix it? '$this-> mp_max')"; to '$this->mp_max')"; You had an extra space there. --FrosT
-
If you can drop any table from my site using any form, I will say that I am wrong and you screwed me over. www.aeonity.com Feel free to try a SQL Injection. --FrosT
-
Yep, order is a reserved word in MySQL, I would change the table name to orders or rorder or %YOURPREFIXHERE%_order --FrosT
-
Edit to mine:

<?php
$searchArr = array("search1", "search2", "search3"); // replace this with the field names
$whereClause = "";
foreach ($_POST as $key => $val) {
    if (in_array($key, $searchArr)) { // only whitelisted field names reach the query
        $whereClause .= $key . "='" . mysql_real_escape_string($val) . "' AND ";
    }
}
$whereClause = substr($whereClause, 0, -5); // strip the trailing " AND "
$sql = "SELECT * FROM TABLE WHERE " . $whereClause;
?>

Damn quotes. --FrosT
-
As long as you use that mysql_real_escape_string, you should be fine. If you are really worried you can do checks for that. But yea, see the website posted above. That explains the sql injection perfectly. As long as you follow those guidelines you have nothing to fear. That and make sure that guest users do not have access to a delete function in the code or something ridiculous like that. --FrosT
-
It sounds like there needs to be a user authentication system in place if you ask me. But yea I do not know the full story =) Have fun with it! --FrosT
-
The best way to prevent sql injection is to mysql_real_escape_string() anything that comes from outside before it is put into the db. As for the privileges, I have never had the need to limit in my php applications because when I code them I make sure that the delete functions require a valid administrator. So say you have a function called deleteRow, this is how I would set it up:

<?php
function deleteRow($rowID)
{
    if (!isAdmin()) {
        die("You are not an Administrator!");
    }
    mysql_query("DELETE FROM table_name WHERE rowid = '" . mysql_real_escape_string($rowID) . "' LIMIT 1")
        or die("Could not delete row: " . mysql_error());
    return true;
}
?>

Hope that helps. --FrosT
-
Without any code its like the blind leading the blind, maybe this will help:

<?php
$searchArr = array("search1", "search2", "search3"); // replace this with the field names
foreach ($_POST as $key => $val) {
    if (in_array($key, $searchArr)) {
        $whereClause .= $key . "='".mysql_real_escape_string($val)."' AND ';
    }
}
$whereClause = substr($whereClause,0,-5);
$sql = "SELECT * FROM TABLE WHERE " . $whereClause;
?>

--FrosT
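As an added example that is not FrosT's code or from these threads: the search-clause builder from the post above and the deleteRow function from the earlier post, written with PDO prepared statements instead of mysql_real_escape_string, so the submitted values are bound separately and never become part of the SQL text. It assumes $pdo is an open PDO connection, isAdmin() is the site's own check, and `TABLE` / `table_name` are placeholders.

```php
<?php
// Added example, not FrosT's code. Assumes $pdo is an open PDO connection,
// isAdmin() is the site's own check and `TABLE`/`table_name` are placeholders.

// Whitelist of searchable columns. Column names cannot be bound as parameters,
// so a submitted key is used only if it is in this list (the post's in_array check).
$searchArr = array('search1', 'search2', 'search3');

// Build "SELECT ... WHERE col1 = ? AND col2 = ?" plus the values to bind.
function buildSearch(array $post, array $allowed)
{
    $where  = array();
    $params = array();
    foreach ($post as $key => $val) {
        if (in_array($key, $allowed, true)) {
            $where[]  = "`$key` = ?";   // placeholder; the value is bound on execute
            $params[] = $val;
        }
    }
    if (count($where) === 0) {
        // nothing searchable was submitted: no dangling "WHERE " is left behind
        return array('SELECT * FROM `TABLE`', array());
    }
    return array('SELECT * FROM `TABLE` WHERE ' . implode(' AND ', $where), $params);
}

// Same shape as the post's deleteRow: authorization first, then a bound delete.
function deleteRow(PDO $pdo, $rowID)
{
    if (!isAdmin()) {
        die('You are not an Administrator!');
    }
    $stmt = $pdo->prepare('DELETE FROM `table_name` WHERE `rowid` = ? LIMIT 1');
    $stmt->execute(array($rowID));      // $rowID travels separately from the SQL text
    return $stmt->rowCount() === 1;
}

// Usage: run the search against whatever the form posted.
list($sql, $params) = buildSearch($_POST, $searchArr);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```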
-
<?php
include('class.php');
$CLASS = new NEW;
?>
<html>
<head>
<style type="text/css">
p {font-family: courier}
<?= $CLASS->DISPLAY(); ?>
</style>
</head>
<body>
</body>
</html>

Is that what you are looking for? --FrosT
-
<?php
function randName($file)
{
    $file_temp_dir = "../fotos";
    // get the file extension (taken from the client-supplied name as-is, not validated)
    $file_name = $file['name'];
    $getExt = explode('.', $file_name);
    $file_ext = $getExt[count($getExt) - 1];
    // create a random file name
    $rand_name = md5(time() . rand(0, 999999999));
    // $file is one entry of $_FILES, so the uploaded temp file is in 'tmp_name'
    if (isset($file['tmp_name']) && $file['tmp_name'] != "") {
        move_uploaded_file($file['tmp_name'], "$file_temp_dir/$rand_name.$file_ext");
    }
}

foreach ($_FILES as $key => $val) {
    randName($val);
}
?>

Is that what you are looking for? --FrosT
-
Maybe "div" is a special word in MySQL? I would check your column names and make sure that they do not also double as a special word in mysql. E.g. Sum for a column name would throw an error because sum(column) is a function in MySQL. --FrosT
-
$sql = "SELECT `div`, `division`, `gameid`, `date`, `time`, `home`, `h_score`, `visitor`, `v_score`, `field`, `field_no` FROM `s2007schedules` WHERE div='$div';"; Maybe the semi-colon at the end is required? Have you been able to pull any data at all? If so what query did you use? --FrosT
-
Can you post the database structure? --FrosT
-
In the code you posted I do not see where you have placed the done portion. Maybe try adding that input line I posted above after the <form etc...> call. --FrosT
-
Ohhh my bad, mis-read the question. Try this:

<?php
$form_array = array('title', 'entry', 'comment', 'rating');
foreach ($form_array as $key => $cs) {
    $query = mysql_query('SELECT value FROM prefix_config WHERE name = "' . $cs . '"');
    $test = mysql_fetch_array($query);
    $form_array[$key] = $test['value']; // replace the name with its stored value
}
?>

--FrosT
-
str_replace with the single quotes usually doesn't work for \n; it needs to be double quotes. It may have to do with the accept-charset? I am not sure, I try not to think about the charsets =) --FrosT
-
Maybe your version of php and mysql would help diagnose the problem. Because as far as my knowledge goes, and every line of code that I have written, what I posted above holds true. --FrosT
-
Yea, I am still trying to figure out the whole path thing. It is a pain in my butt at times. --FrosT
-
hmm maybe try this: $sql = "SELECT `div`, `division`, `gameid`, `date`, `time`, `home`, `h_score`, `visitor`, `v_score`, `field`, `field_no` FROM `s2007schedules` WHERE div='$div'"; If that does not work, what version of MySQL are you using? --FrosT
-
=) Yea, str_replace would have probably been better. Oh well it didn't work. I am not sure what is going on, can you post the html code of the form you are using to post the data with? --FrosT