Everything posted by premiso

  1. Oh. May I suggest creating a class that connects to MySQL and storing the class in $_SESSION? Then putting mysql_close in the __destruct function? mysql_close is unnecessary, as russell pointed out; PHP closes connections when the script exits. As for the class in session, that is fine, but you still have to re-instantiate/connect to the DB each time a page is loaded.
  2. That's because you did not write it =)

     1. ult 2. sngl 3. mnth 4. ssn 5. po 6. spl

     <?php
     $packages = array();
     while ($a = mysql_fetch_assoc($q)) {
         $packages[$a['package']] = $a['picks'];
     }

     // Display name for each package key; the keys must match the values stored in the package column.
     $names = array(
         "ult"  => "Ultimate Lock Pick Package",
         "sngl" => "Single Pick Package",
         "mnth" => "Month Package",
         "ssn"  => "Season Package",
         "po"   => "Playoffs Package",
         "spl"  => "Special Package",
     );

     $myOrder  = array("ult", "sngl", "mnth", "ssn", "po", "spl");
     $packages = orderMyArray($packages, $myOrder);

     foreach ($packages as $key => $value) {
         // A package with no picks gets no title, as in the original per-key checks.
         $key1 = ($value == "" || !isset($names[$key])) ? "" : $names[$key];
         echo "<strong>" . $key1 . "</strong><br />" . nl2br($value) . "<br /><br />";
     }

     // Return $array re-keyed in the order given by $orderby.
     // Keys missing from $array become "" (sort() was removed: it discards the string keys).
     function orderMyArray($array, $orderby)
     {
         $newArray = array();
         $cnt = count($orderby);
         for ($i = 0; $i < $cnt; $i++) {
             $newArray[$orderby[$i]] = isset($array[$orderby[$i]]) ? $array[$orderby[$i]] : "";
         }
         return $newArray;
     }
     ?>

     Try that and see if it works.
  3. I just needed an array so I could test the functionality. You would want to put the columns exactly in the order you want them displayed in the $dispArray definition and replace $array with the data array you want ordered. EDIT: Decided to make it a function

     <?php
     $array = array("utl" => "test", "sngl" => "Test2", "mnth" => "test3");
     $dispArray = array("utl", "sngl", "mnth");
     print_r(orderMyArray($array, $dispArray));

     // Return $array re-keyed in the order given by $orderby.
     // sort() was removed: it re-indexes the array numerically and throws away the string keys.
     function orderMyArray($array, $orderby)
     {
         $newArray = array();
         $cnt = count($orderby);
         for ($i = 0; $i < $cnt; $i++) {
             $newArray[$orderby[$i]] = isset($array[$orderby[$i]]) ? $array[$orderby[$i]] : "";
         }
         return $newArray;
     }
     ?>
  4. <?php
     $array = array("utl" => "test", "sngl" => "Test2", "mnth" => "test3");
     $dispArray = array("utl", "sngl", "mnth"); // the keys in the order you want them displayed
     $cnt = count($dispArray);
     $newArray = array();
     for ($i = 0; $i < $cnt; $i++) {
         // Look each key up in the original array; sort() must not be called first or the keys are lost.
         $newArray[$dispArray[$i]] = $array[$dispArray[$i]];
     }
     ?>

     Not sure if that is what you are looking for, but yea, for your own special order I would think you need something like that.
  5. $adminaddress = $sitename . " <" . $adminaddress . ">"; Should work. Edit: Switched < and > to be correct.
  6. Right, and it is not good to loop through $_POST like that and set variables. You never know what someone may try to inject. That is why you should know the variables coming in and should define them as so. IMO this is where PHP is flawed. It is "lazy" on variables. In most other languages you have to define a variable before you can use it. If PHP required that it would make it a bit more secure just because you have to know what values you want to use.
  7. How did you crack the md5 passwords? md5 is a one-way hash. There is no decrypting it, and if you are using a unique salt it should be very hard to crack. But yea, you can connect to sitea's database from siteb as long as siteb has sitea's information, if that makes sense. The technique for md5 hashing I always use is my own function:

     <?php
     define("SALT1", "someRa#$%#$^@@#$");
     define("SALT2", "@#$#$%sf¿#$^@@#$");

     // Wrap the input in both salts before hashing.
     function my_md5($string)
     {
         return md5(SALT1 . $string . SALT2);
     }
     ?>

     That should guarantee a unique salt, and someone would have to have both salts exactly to guess passwords etc. MD5 is not flawed, although your usage of it may be.
  8. I think you are missing it. You were never setting $username or $password from the $_POST variable. This is why the script was not working. In the old script you just assumed that $password would be populated instead of making sure it was populated. Your old line:

     $encrypted_password = md5($password);

     This was not good practice because if register_globals gets turned off, $password now does not have a value because $password was never set. However if you did it this way:

     $password = (isset($_POST['password'])) ? $_POST['password'] : false;
     $encrypted_password = ($password != false) ? md5($password) : false;

     The above would not throw an error because you are defining $password to be equal to $_POST['password'] if that value has been set. If that value has not been set we make it a default of false, so we can check if that value was passed through or not. Make sense? Before you were never defining $username or $password, you were just assuming that register_globals would always be on =)
  9. I do not see any security implications in doing this. As long as $GLOBALS work, it should be fine.
  10. lol sorry.

     $encrypted_password = (isset($_POST['password'])) ? md5($_POST['password']) : false;

     <?php
     session_start(); // put session_start at the top.

     // include the variables
     include("../vars.php");

     // encrypt the password
     $encrypted_password = (isset($_POST['password'])) ? md5($_POST['password']) : false;

     // connect to the server
     $conn = mysql_connect($host, $db_user, $db_pass);
     // connect to the database
     mysql_select_db($db);

     $username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username']) : false;

     // make the query
     if ($username != false && $encrypted_password != false) {
         $query = "SELECT * FROM login WHERE username = '$username' LIMIT 1"; // always limit your queries if you only are expecting 1 row.
     } else {
         die('No username or password was passed in.');
     }

     // get the results
     $results = mysql_query($query);
     // count the number of rows
     $count = mysql_num_rows($results);

     // if the username exists fetch the results
     if ($count > 0) {
         $row = mysql_fetch_assoc($results);
         // removed the password/username checks due to the check above.
         if ($username != $row['username']) {
             echo "Please enter a valid username!";
         } elseif ($encrypted_password != $row['password']) {
             echo "That password is incorrect!";
         } else {
             $_SESSION['logged_in'] = TRUE;
             $_SESSION['username'] = $username;
             $_SESSION['tech_id'] = $row['id'];
             $_SESSION['membership'] = $row['membership'];
             header("Location: index.php");
             exit; // header() does not stop the script, so end it here
         }
     } else {
         echo 'Invalid username.';
     }
     ?>

     That should work. It was a silly mistake by me.
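The same login flow, as an added example that is not the thread's code: it keeps the fields and session keys of the script above but binds the username with a PDO prepared statement and checks the stored hash with password_verify() (PHP's password API, swapped in for the md5() comparison). It assumes $pdo is an open PDO connection and that the login table's password column holds password_hash() output.

```php
<?php
// Added example, not the thread's code. Assumes $pdo is an open PDO
// connection and the `login` table's password column stores
// password_hash() output (e.g. password_hash($plain, PASSWORD_DEFAULT)).
session_start();

function find_user(PDO $pdo, $username)
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $pdo->prepare(
        "SELECT id, username, password, membership FROM login WHERE username = :u LIMIT 1"
    );
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

function attempt_login(PDO $pdo, $username, $password)
{
    $row = find_user($pdo, $username);
    // One failure path for "no such user" and "wrong password", so the
    // response does not reveal which usernames exist.
    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['logged_in']  = true;
    $_SESSION['username']   = $row['username'];
    $_SESSION['tech_id']    = $row['id'];
    $_SESSION['membership'] = $row['membership'];
    return true;
}

// Read only the two fields this script expects; anything else in $_POST is ignored.
$username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
$password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

if ($username === '' || $password === '') {
    die('No username or password was passed in.');
}

if (attempt_login($pdo, $username, $password)) {
    header('Location: index.php');
    exit; // header() does not stop the script; nothing below may run for a logged-in user
}
echo 'Invalid username or password.';
```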
  11. echo "<div class='title_class'>" . $row['title'] . "</div>"; He forgot quotes around $row['title']
  12. Could you give me an example of that free small program? And can I use this on say a GoDaddy account? Thank you very much. Probably not, you would need access to the SHELL to install it, unless they have it installed for you. LAME is an example of the dll you would need to do it. It offers a command line mode etc. But the chances of this actually being allowed by godaddy is slim to none.
  13. You would have to set up a connection to sitea's database to check it. So instead of "localhost" for the database it would be something along the lines of "mysql.yoursite.com" or "yoursiteasip" with the same DB information. If you are on a dedicated host and the sites are hosted on the same server, you should just have to specify the database username/password and database name to access it.
  14. <?php
     session_start(); // put session_start at the top.

     // include the variables
     include("../vars.php");

     // encrypt the password
     $encrypted_password = (isset($_POST['password'])) ? md5($password) : false;

     // connect to the server
     $conn = mysql_connect($host, $db_user, $db_pass);
     // connect to the database
     mysql_select_db($db);

     $username = isset($_POST['username']) ? mysql_real_escape_string($username) : false;

     // make the query
     if ($username != false && $encrypted_password != false) {
         $query = "SELECT * FROM login WHERE username = '$username' LIMIT 1"; // always limit your queries if you only are expecting 1 row.
     } else {
         die('No username or password was passed in.');
     }

     // get the results
     $results = mysql_query($query);
     // count the number of rows
     $count = mysql_num_rows($results);

     // if the username exists fetch the results
     if ($count > 0) {
         $row = mysql_fetch_assoc($results);
         if (!$username) {
             echo "Please enter a username!";
         } elseif (!$password) {
             echo "Please enter a password!";
         } elseif ($username != $row['username']) {
             echo "Please enter a valid username!";
         } elseif ($encrypted_password != $row['password']) {
             echo "That password is incorrect!";
         } else {
             $_SESSION['logged_in'] = TRUE;
             $_SESSION['username'] = $username;
             $_SESSION['tech_id'] = $row['id'];
             $_SESSION['membership'] = $row['membership'];
             header("Location:index.php");
         }
     } else {
         echo 'Invalid username.';
     }
     ?>

     That way if no username or password was passed in we do not check the script. Your username that you are querying is now preventing sql injection, and if no rows are returned we echo out that the username was invalid. Any questions on it let me know.
  15. Post your code, it seems you are not properly setting password or username following the methods I laid out. Post the first 50 lines of that code and I will correct it for you so you can see what you would need to do for the rest of the script.
  16. It is because they both have black in them. How exactly do you imagine this working? Only return where both statements are true if they defined them?

     <?php
     // One condition per filter that was supplied; unsupplied filters contribute ''.
     $conditions = array();
     $conditions[] = (isset($make_id) && !empty($make_id)) ? "`make_id` = '" . $make_id . "'" : '';
     $conditions[] = (isset($colour_id) && !empty($colour_id)) ? "`colour_id` = '" . $colour_id . "'" : '';
     $conditions[] = (isset($model_id) && !empty($model_id)) ? "`model_id` = '" . $model_id . "'" : '';
     $conditions[] = (isset($status_id) && !empty($status_id)) ? "`status_id` = '" . $status_id . "'" : '';
     $conditions[] = (isset($location_id) && !empty($location_id)) ? "`location_id` = '" . $location_id . "'" : '';
     $conditions = array_filter($conditions); // drop the empty entries

     // Join with AND; with no filters at all there is no WHERE clause
     // (trimming a fixed "WHERE " with substr() broke in that case).
     $where = count($conditions) ? "WHERE " . implode(" AND ", $conditions) : "";
     $query = "SELECT * FROM `tbl_vehicles` " . $where;
     ?>

     Try that out. Edit: fixed syntax of single quote.
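The same optional-filter query, as an added example that is not the thread's code: the filter columns come from an allowlist and the values are bound as PDO parameters rather than concatenated into the SQL text. It assumes $pdo is an open PDO connection to the database holding tbl_vehicles; the request values are constructed stand-ins for $_GET or $_POST.

```php
<?php
// Added example, not the thread's code. Assumes $pdo is an open PDO
// connection to the database holding `tbl_vehicles`; the filter values
// below are constructed stand-ins for $_GET / $_POST.

// Build the optional WHERE clause from an allowlist of filter columns.
// Returns the SQL text and the parameters to bind to it.
function build_vehicle_query(array $filters, array $allowed_columns)
{
    $conditions = array();
    $params     = array();
    foreach ($allowed_columns as $column) {
        // Skip filters that were not supplied; keys not in the allowlist
        // (for example an extra "owner" field) never reach the SQL at all.
        if (!isset($filters[$column]) || $filters[$column] === '') {
            continue;
        }
        $conditions[] = "`$column` = :$column";
        $params[":$column"] = $filters[$column];
    }
    $sql = "SELECT * FROM `tbl_vehicles`";
    if (count($conditions) > 0) {
        $sql .= " WHERE " . implode(" AND ", $conditions);
    }
    return array($sql, $params);
}

$allowed = array('make_id', 'colour_id', 'model_id', 'status_id', 'location_id');

// Constructed request: one filter empty, one containing a quote, one unknown key.
$filters = array(
    'make_id'   => '3',
    'colour_id' => '',
    'status_id' => "7'",
    'owner'     => 'anything',
);

list($sql, $params) = build_vehicle_query($filters, $allowed);

// The quote in status_id travels in $params and is bound by PDO, so it is
// only data; the SQL text itself contains nothing but placeholders.
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```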
  17. What happens when you turn off register_globals? What breaks?
  18. Not a problem. Just remember

     <?php
     $qry = mysql_query("select * from ...");
     while ($row = mysql_fetch_assoc($qry)) {
         echo $row['type'] . ", " . $row['value'] . ", " . $row['something'] . ", " . $row['something2'] . "<br />";
     }
     ?>

     is pretty much the basis for looping through query data.
  19. I believe the ffmpeg package allows it, and you have to use exec to do it.
  20. You said it in your topic...switch AND to OR =)
  21. Calling it using $_POST['name'] is just fine; it is when you would call it by $name without any $_POST definition etc. that you get in trouble.

     <?php
     if ($name == "nick") echo 'Hello Nick!';
     ?>

     That is wrong.

     <?php
     $name = isset($_POST['name']) ? $_POST['name'] : '';
     if ($name == "nick") echo 'Hello Nick!';
     else echo 'Not Logged in!';
     ?>

     Would be a truly proper and safe usage. Checking the isset will help thwart notice errors (not fatal but can be inefficient). Really the main security flaw, as far as I understand it, is with the session variables.

     <?php
     session_start();
     // you have a $_SESSION['name'] that determines if the user is logged in.
     if ($name) echo 'Hello Nick!';
     ?>

     Calling the above with http://www.yoursite.com/index.php?name=1 would evaluate to true even though they are not logged in. That is wrong.

     <?php
     session_start();
     $name = isset($_SESSION['name']) ? $_SESSION['name'] : false;
     if ($name) echo 'Hello Nick!';
     else echo 'Not Logged in!';
     ?>

     That would prevent them from using GET data to validate themselves.
  22. register_globals is a security flaw. Basically it creates variables from global variables such as $_POST and $_GET, from which you should define your own variables. What this can do: say you have a script with a session of 'loggedin' set to check if someone is logged in. I could call the url like: http://www.yoursite.com/index.php?loggedin=1 Since register_globals is on, if you do not set $loggedin = $_SESSION['loggedin'] and just check if ($loggedin), I am now an active member on your site. That is why register_globals is now off, to force people to properly code and define their variables before assuming that they are what they should be.
  23. <?php
     $qry = mysql_query("select * from ...");
     $types = array(); // start empty so count() is safe when no rows come back
     while ($row = mysql_fetch_assoc($qry)) {
         $types[] = $row['type'] . ", " . $row['value'] . ", " . $row['something'] . ", " . $row['something2'];
     }
     $cnt = count($types);
     for ($i = 0; $i < $cnt; $i++) {
         echo $types[$i] . "<br />"; // was $type[$i], a different (undefined) variable
     }
     ?>

     Should do the trick. Or without the for loop:

     <?php
     $qry = mysql_query("select * from ...");
     while ($row = mysql_fetch_assoc($qry)) {
         echo $row['type'] . ", " . $row['value'] . ", " . $row['something'] . ", " . $row['something2'] . "<br />";
     }
     ?>
  24. } elseif (isset($_POST['REG']) && !empty($_POST['REG'])) {

     empty should do the trick.
  25. That, and I would read through this post regarding "magic_quotes", as if they are on that will fubar your data. http://www.phpfreaks.com/forums/index.php/topic,230771.0.html But I would not say do it to "all data". You should know what the data is: if you expect an INT, check that the variable is an int and treat it as such using the (int) cast method. If you expect a string, then do the escape on the string. Also, if you want to avoid XSS injection, htmlentities on data that should not be including html/js data.
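Putting the advice from the register_globals and input-handling posts above into one script, as an added example that is not the thread's code: each expected field is declared with its type (INT fields cast, strings kept raw for the query and encoded with htmlentities only when echoed), undeclared fields are dropped, and the logged-in check reads the session only. The read_input() helper, its field spec and the sample request are all constructed for this example.

```php
<?php
// Added example, not the thread's code. read_input() and the $expected
// spec are constructed for this example; $request stands in for $_POST.
session_start();

// Copy only the declared fields out of a request array, converting each
// to its declared type. Undeclared fields are dropped, so a client cannot
// smuggle in variables the script never asked for.
function read_input(array $source, array $expected)
{
    $clean = array();
    foreach ($expected as $name => $type) {
        // Values sent as name[]=... are arrays; treat them as missing.
        $raw = (isset($source[$name]) && is_scalar($source[$name])) ? (string) $source[$name] : null;
        switch ($type) {
            case 'int':
                // An INT field accepts digit strings only; anything else becomes 0.
                $clean[$name] = ($raw !== null && ctype_digit($raw)) ? (int) $raw : 0;
                break;
            case 'string':
                // Keep the raw string here (bind or escape it at the query);
                // encode it for HTML only at the point of output.
                $clean[$name] = ($raw === null) ? '' : $raw;
                break;
            default:
                throw new InvalidArgumentException("unknown type for field $name");
        }
    }
    return $clean;
}

// The logged-in flag is read from the session only, so a ?loggedin=1 in
// the URL or a loggedin field in the form has no effect on it.
function is_logged_in()
{
    return isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;
}

// Constructed request, as a client might send it: the loggedin field is
// not in the spec and is discarded by read_input().
$request = array('REG' => '42', 'name' => '<b>nick</b>', 'loggedin' => '1');
$input   = read_input($request, array('REG' => 'int', 'name' => 'string'));

if (is_logged_in()) {
    echo 'Hello ' . htmlentities($input['name'], ENT_QUOTES, 'UTF-8') . '!';
} else {
    echo 'Not Logged in!';
}
```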