MmmVomit

Perfect. Thank you. I've got the PHP security book by Chris Shiflett. He doesn't mention email anywhere in the book, which made me think it wouldn't be a big concern.

I'm putting together a simple HTML form with a PHP back end. The user submitted data will be compiled and sent as an email to a hard coded email address. One mantra I've learned for programming secure applications is "filter input, escape output". In this case, my output is an email message. Is there any type of escaping I need to worry about when compiling the email? Are there other security concerns I need to be aware of when sending an email using PHP? I'll be using the mail function.

All the right files seem to be in the right place, so I'm just as confused as you are. I didn't do the initial setup on the server. One of our IT guys did. Pretty much all of his experience is using Windows, so he went with what he knew. I could uninstall IIS and install Apache instead, but then I would be the only person who knew how the hell it worked. Since I'm not part of IT, that probably wouldn't be the best thing.

Okay, I tried that, rebooted the server, and no change. I gave the IUSR_machinename account read and execute privileges on C:\PHP and its subdirectories.

I rebooted the machine after trying everything suggested in this thread. The last time I rebooted it was about 15 minutes ago. This is @#$%ing frustrating.

PHP, MySql and IIS were all installed for the first time on this server last week. There are no other copies of libmysql.dll or php_mysql.dll lying around anywhere on the hard drive, and the only version I have is the one that came with the newly installed version of PHP.

This is just a page I have to test whether the MySql extension is working. Source code: <html> <head> <title> </title> </head> <body> <pre> Grrr. Work! <?php echo "test\n"; echo "moo\n"; echo $a; // reference an undefined variable to make sure display_errors is on print_r($_GET); $connection = mysql_connect('localhost', 'root', '***'); // password obfuscated $db = mysql_select_db('test', $connection); $sql = "SELECT * FROM waste;"; $result = mysql_query($sql); while($row = mysql_fetch_assoc($result)) { print_r($row); } ?> </pre> </body> </html> Output: Grrr. Work! test moo Notice: Undefined variable: a in C:\Inetpub\wwwroot\sqltest.php on line 20 Array ( [foo] => bar ) Fatal error: Call to undefined function mysql_connect() in C:\Inetpub\wwwroot\sqltest.php on line 24

Okay. I wasn't sure about that in PHP. The manual did make mention of it, but it looked like that may have been only in earlier versions.

You're missing the HTML tags that define table rows. Change this: echo "<td>".$a['Num']."</td> <td>".$a['Amount']."</td>"; To this: echo "<tr><td>".$a['Num']."</td> <td>".$a['Amount']."</td></tr>"; Also: for ($x=0; $x < mysql_num_rows($query); $x++) { $a = mysql_fetch_array($query); $a['Num']; \\ this line of code does nothing $a['Amount']; \\ this line of code does nothing $b = mysql_fetch_array($query2); $b['Amount']; \\ this line of code does nothing $c = mysql_fetch_array($query3); $c['Amount']; \\ this line of code does nothing echo "<td>".$a['Num']."</td> <td>".$a['Amount']."</td>"; }

You might try changing the order of the functions in the code. This might make a difference. You essentially have: function disp_query_results_HTML($data) { //... disp_fld_names_HTML($fld_names); //... } function disp_fld_names_HTML($header_list, $bgcolor = "#ffffdd") { /... } You should try this instead: function disp_fld_names_HTML($header_list, $bgcolor = "#ffffdd") { /... } function disp_query_results_HTML($data) { //... disp_fld_names_HTML($fld_names); //... }

I'm trying to get the MySql extension working on a Windows machine using IIS. I've looked at numerous tutorials, including several threads on these forums already, and can't get the $%#!@ing thing to work. Here's what I've done so far. 1. In php.ini, I've set the extension_dir variable to "C:\php\ext" 2. I've added extension = "php_mysql.dll" to php.ini 3. I've added "C:\php" to the PATH environment variable so that the computer should be able to find libmysql.dll 3a. I also tried copying libmysql.dll to "C:\WINDOW\System32", but that didn't work either 4. Restarted both IIS and the server numerous times. I know that I'm editing the right php.ini file, because other changes I've made have been working just fine. For example, turning on display_errors (this is a test server). It's still not working, and I don't know what the deal is. Have I missed anything blazingly obvious?

In the SESSION array.

Some other problems with your script. What is this line supposed to do? $_POST["repsName"] . $_POST["clientsName"]. $_POST["clientsPhone"]. $_POST["clientsUrl"]. $_POST["shortDescroption"]. $_POST["longDescription"]; Here you potentially give access to any file on your server. Pretend I entere a clientsName of "../../etc". $folder = "./files/".$_POST["clientsName"]."/";

First, code tags are your friend. Please use them. Here's a quick and dirty solution. <?php ///my flash variables $_POST["repsName"] . $_POST["clientsName"]. $_POST["clientsPhone"]. $_POST["clientsUrl"]. $_POST["shortDescroption"]. $_POST["longDescription"]; $folder = "./files/".$_POST["clientsName"]."/"; if(!is_dir($folder)) mkdir($folder, 0755); $mode = file_exists($folder.'user_input.txt')?'a':'w'; // append if file exists otherwise create it $fp = fopen($folder.'user_input.txt',$mode); // open file foreach($_POST as $K=>$V) { if($K != '_searchKey') { fwrite($fp, "$K = $V\r\n"); // dump the contents of the $_POST array to the file } } fclose($fp); ?>

Actually, this should do it <?php if ($town == 1) { if (($co_ord_y != 14 || $co_ord_x != 20) && ($co_ord_y != 19 || $co_ord_x != 15)) { echo "You are no longer near a river."; DIE(); } } ?>