bri0987

Everything posted by bri0987

  1. I was not sure if I made the wrong choices, that a hacker could come in and RUN "DELETE TABLE" scripts or something like that... What do ya think? Or should I not worry about it?
  2. For the MySQL database associated with my PHP shopping cart... What are the privileges I should set for the database user that my admin and customers use with the database? >>> Currently the user has these privileges: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, FILE, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE (FYI: I use phpMyAdmin) Thanks BRI
  3. mysql_insert_id(); is what I was using when I got that bad problem with some customers getting other customer order details... because they were ordering at the same time. > Also what do you mean when you said "it's void do not put the..."
  4. TOPIC CONTINUED AT: http://www.phpfreaks.com/forums/index.php/topic,169563.0.html
  5. Table: "ORDERS" The Order_ID field for the table "Orders" is also the Invoice Number for the Customer and is set to auto_increment. The problem I am having: When a customer successfully completes the checkout process (in a custom made shopping cart), PHP INSERTs the customer's order information into the MySQL Database table "Orders". The "Thank You Page" for the customer will need to display the Invoice (Order_ID) number to the customer for their reference and to track their order online. I was going to just use PHP and pull the last created Order_ID number and display it to the customer BUT I found that if bandwidth is low and multiple customers are ordering at the same time, some customers WILL get other customers' order information... This is BAD. How can I get the Order_ID field that I am currently INSERTing into and capture the ID field and set it into a $_SESSION so that I can display the RIGHT Order_ID to the RIGHT Customer? Any help on this topic will be useful.
  6. Okay I figured that part out but now I have a new problem. In the THANK YOU PAGE for the customer I have to give them the Order/invoice number. I could get the most recently made ID from the database and display it to them but that would cause some BIG problems if there are a few hundred people on the web site at one time and ordering products. So my question is: How can I get the ID for the information at the same time I insert the data? (I hope I asked that right) Thanks BRI
  7. How do I start the ORDER_ID at "100000" so that the first ORDER_ID will come out at "100001"? Thanks, BRI
  8. Okay here I go: I have a custom built shopping cart. After the customer checks out, I insert the order information into the MySQL Database. The fields I have are:

     ORDER_ID >> (auto_increment field)
     Orderstatus_ID (the status)
     Invoice_Num (THE PROBLEM!!!!)
     Customer_ID (Customer info)
     Product_ID (What they ordered)
     Component_ID (options for what they ordered)
     Order_Date >> (Time stamp)
     IP_Address >> (the customer's IP address, just in case of a hack or something, I thought it would be good)

     I need the invoice number to be at least 6 digits long (at least). I tried doing auto_increment on the Invoice_Num field but MySQL says only one auto increment field for just one table, and Order ID is already set to use the auto increment. I don't care how many digits are in the Invoice number but I wanted to stay away from random numbers just because there is a small chance of getting the same random number. How can I auto increment the Invoice_Num field in this table or use some sneaky PHP code to get around it? Thanks for reading BRI
  9. I need to "x" out part of a credit card... So if the credit card is: 1111555567891234 I need it to echo: xxxx-xxxx-xxxx-1234 Anyone know how to do this? Thanks, BRI
  10. ok... You know of any easy to use encryption and decryption functions by any chance?
  11. You forgot the single quotes... see below $build_array[ ' $value['config_name'] ' ] = $value['config_value'];
  12. How can I change these two numbers into phone numbers? 5551231234 9009876789 echo INTO: (555) 123-1234 (900) 987-6789 Thanks, BRI
  13. Then how can I get the info to the other page... (I do not want to store the info into a database... I think that would be a BIG mistake). What else can I do?
  14. Is passing information from one page to another page using $_SESSION okay and secure? Like first name, last name, address, social security number. ... or is there a more secure way of passing the information? Thanks, BRI
  15. You have to clear out your cache files. Try that and also click refresh a time or 2 once you clear out your cookies and whatnot...
  16. You have to connect to a database... ADD this line "mysql_select_db($database, $Db_connection);" Example:

          include("includes/connect.php");
          mysql_select_db($database, $Db_connection);
          $query = mysql_query("SELECT * FROM articles, article_cat WHERE articles.feature1 = 1 AND article_cat.feature1 = 1 ORDER BY id ASC");
          $numrows = @mysql_num_rows($query);
          if ($numrows != 0) {
              while ($result = mysql_fetch_array($query)) {
          ?>

      $database variable will look something like this:

          $database = "mysql_database_name_here";

      $Db_connection will look like:

          $Db_connection = mysql_pconnect($hostname, $username, $password) or trigger_error(mysql_error(), E_USER_ERROR);
  17. You have to use "deposit_Amt[]" in your form (not "deposit_Amt") That way all of your values will go into the array: $_POST['deposit_Amt'] use: print_r($deposit_Amt); to see the array. you can pull info from the array by using: $deposit_Amt[0] $deposit_Amt[1] $deposit_Amt[2] $deposit_Amt[3] etc etc etc etc
  18. String replace works with Strings.

          <?php
          // Provides: <body text='black'>
          $bodytag = str_replace("%body%", "black", "<body text='%body%'>");

          // Provides: Hll Wrld f PHP
          $vowels = array("a", "e", "i", "o", "u", "A", "E", "I", "O", "U");
          $onlyconsonants = str_replace($vowels, "", "Hello World of PHP");

          // Provides: You should eat pizza, beer, and ice cream every day
          $phrase = "You should eat fruits, vegetables, and fiber every day.";
          $healthy = array("fruits", "vegetables", "fiber");
          $yummy = array("pizza", "beer", "ice cream");
          $newphrase = str_replace($healthy, $yummy, $phrase);

          // Use of the count parameter is available as of PHP 5.0.0
          $str = str_replace("ll", "", "good golly miss molly!", $count);
          echo $count; // 2

          // Order of replacement
          $str = "Line 1\nLine 2\rLine 3\r\nLine 4\n";
          $order = array("\r\n", "\n", "\r");
          $replace = '<br />';
          // Processes \r\n's first so they aren't converted twice.
          $newstr = str_replace($order, $replace, $str);

          // Outputs: apearpearle pear
          $letters = array('a', 'p');
          $fruit = array('apple', 'pear');
          $text = 'a p';
          $output = str_replace($letters, $fruit, $text);
          echo $output;
          ?>

      If you need to change things actively on a page as it loads you can try to use JavaScript
  19. Anyone? What is the most secure way to redisplay sensitive information to the user? I was thinking of just setting some $_SERVER variables (First name, address Credit card info, etc) and then display them on the Review Page for the user before they click submit. Then I will destroy the variables once the page is loaded.
  20.
          // Highest id currently in the invoices table
          $result = mysql_query("SELECT MAX(id) FROM invoices");
          $row = mysql_fetch_array($result);
          // Next id = current maximum + 1
          $newid = $row['MAX(id)'] + 1;
  21. I don't think you have seen this product from PayPal then. The user never knows I am using a PayPal gateway to process their order. The user stays on my domain under the SSL. I pass a string to PayPal using "curl_init()"... for example:

          USER=SAMPLE&VENDOR=SAMPLE&PARTNER=PayPal&PWD=SAMPLE&TENDER=C&TRXTYPE=A&ACCT=5105105105105100&EXPDATE=1209&STREET=123 Main St.&CVV2=123&VERBOSITY=MEDIUM&AMT=1.00

      Then PayPal sends a result. It is passed back to me inside of a $result variable, for example:

          HTTP/1.1 200 OK
          Connect: close
          Server: VPS-3.033.00
          X-VPS-Request-ID: 5241f7e9dc17d21571525f80ae0b692e
          Date: Tue, 13 Nov 2007 00:29:19 GMT
          Content-type: text/namevalue
          Content-length: 40
          $RESULT=26&RESPMSG=Invalid vendor account

      But I don't need to know how to work PayPal. I know so far. What I need to know is: What is the most secure way to redisplay sensitive information to the user? I was thinking of just setting some $_SERVER variables (First name, address, Credit card info, etc) and then display them on the Review Page for the user before they click submit. Then I will destroy the variables once the page is loaded. Does that sound like it is okay or is there a better way of doing it... like Encrypting and Decrypting the data in the $_SERVER variables? I'm not sure of this
  22. Also with your code... You do not have to keep your TABLE in PHP... you can go in and out of it as long as it's within php brackets. Example:

          <?php
          while ($row = mysql_fetch_assoc($result)) {
              $Html_Listp = $Html_Listp
          ?>
          <table width='84%' border='0' align='center' cellpadding='2' cellspacing='0'>
            <tr>
              <td width='4%'><input name="CHECKID" type='checkbox' class='title_list1' value='<?php echo $id; ?>'></td>
              <td width='32%' class='title_list'><?php echo $row['name']; ?></td>
              <td width='26%' class='title_list'><?php echo $row['user']; ?></td>
              <td width='24%' class='title_list'><?php echo $row['Points']; ?></td>
              <td width='14%' class='title_list'><?php echo $row['id']; ?></td>
            </tr>
          </table>
          <?php
          // end the while loop here.
          }
          ?>

      Also if you do it this way I would say to change the single quotes ( ' ) to double quotes ( " ) for html...
  23. You could say something like:

          if ($row['Points'] == "") {
              // do something here
          } else {
              // do something else here
          }

      >> OR if you're using NULL fields in your database <<

          if ($row['Points'] == NULL) {
              // do something here
          } else {
              // do something else here
          }
  24. Okay let me start over. I am using PayPal as a gateway... That's it. Nothing more. The user (customer) never knows PayPal was used in the processing of their credit card. The user never leaves the domain. (PayPal works in the background). >>> Here is what I want to happen. <<< ... After the user enters in all of their information... The user will be sent to a review page. The review page will allow the user to see everything one last time before clicking SUBMIT. >>> My question <<< What is the most secure way to redisplay the information to the user? I was thinking to just set some $_SERVER variables and then display them on the Review Page for the user before they click submit. Then I will destroy the variables once the page is loaded. Does that sound like it is okay or is there a better way of doing it... like Encrypting and Decrypting the data in the $_SERVER variables? >>
  25. I was on the phone with PayPal so I don't know what you're trying to say. >>> Let me ask my question in a different way <<< PayPal does not send back the credit card information to a webpage. They only send back a result. >>>> I need to RE show the customer's information before they click submit. So on the last page the customer will be able to review their information. Example: Shipping Info blah blah Billing Info Blah Blah Credit Card Info: xxxx-xxxx-xxxx-1234 Exp Date: 02/2008 blah blah then when they click SUBMIT >>> PayPal will take over and process the credit card information. PayPal will return a result. ex: "Result = 0" "Result = -1" "Result = 1" "Result = 2" etc etc... I will use the result to header locate to the appropriate page. ... My question is: What is the most secure way to send the customer's credit card information and billing information to the "Review Page"? I was just thinking about using $_SESSION variables and then destroying the variables once the user gets to the review page. Does that sound secure or should I go another way... What does everyone think? Thanks BRI