Everything posted by Bricktop

  1. Hi confuzzled, You say at the moment the form is posting the ID but I can't see how it can be. You have: $record = $_POST['record']; But you're not POSTing "record", you're POSTing "id" ("id" being the "name=" attribute defined for the input field on "edititem.php"). Your code in edit1.php should be changed to: $record = $_POST['id']; Hope this helps.
  2. Whoops! Typo! Change it to read: $sql = "SELECT (login, encrypted_password, gm, banned, lastlogin, lastip, email, flags, muted, reward_points, banreason) FROM accounts WHERE login = '".$Account."' AND encrypted_password = '".$md5_password."'); There was an extra " at the end of the query I posted.
  3. Hi postbil.com, Post your code for an accurate answer.
  4. Hi chris270, You're missing the final ) from the end of your MySQL statement. Change it to read: $sql = "SELECT (login, encrypted_password, gm, banned, lastlogin, lastip, email, flags, muted, reward_points, banreason) FROM accounts WHERE login = '".$Account."' AND encrypted_password = '".$md5_password."'"); Also, you're not validating or sanitizing your $_POST data which is a major security flaw. Have a look at Daniel's excellent security tutorial for more information on this. Hope this helps.
  5. That's why posting your code ALWAYS helps. As well as fixing the problem cags has also escaped your email $_POST, which before was being entered directly into your MySQL statement - a MAJOR security flaw! Nice solution cags.
  6. Yes, sorry I pasted the wrong code snippet, glad it's working now. The second line: global $db=mysql_select_db("blog",$con); Is the wrong syntax, it should be: global $db; mysql_select_db("blog",$con);
  7. Hi zoran, The easiest way would be to declare the $db variable as global after you run the connect function. For example: connect_db_Blog(); global $db; var_dump($db); if (!$db) { echo "sorry, cannot connect to database"; } else { here comes some code.. Hope this helps.
  8. Hi Leveecius, It's just about right, you have your speechmarks in the wrong place though. Change your code to read: if ($mylevel ==2){ echo '<font color="orange">Entertainer</font>';} if ($mylevel ==5){ echo '<font color="lime">Help Desk Operator</font>';} if ($mylevel ==10){ echo '<font color="blue">Moderator</font>';} if ($mylevel ==15){ echo '<font color="red">Administrator</font>';} Hope this helps.
  9. Hi zoran, Post your code and we'll be able to give a more accurate answer.
  10. Hi daktau, Your echo statement is using the incorrect syntax. Change your code to read: <? $errorLog_FilePath = "error_log.txt"; $handle = @fopen($errorLog_FilePath,'a+'); $strError = "hi!"; if(!fwrite($handle, $strError)){ //this is line 5 echo 'Cannot write to file'; } ?> Hope this helps.
  11. Also, how are you running your PHP install? Is it running locally from a WAMP/XAMPP installation? Is it externally hosted? Is it a CGI build? What platform is it running on (Windows/Linux)?
  12. Did the mail arrive as you mentioned before, or has the mail not actually arrived either? Add some error reporting to your script, run it and then report back: ini_set ('display_errors', 1); error_reporting (E_ALL & ~ E_NOTICE); include_once("mailer.php"); if(mail($toto1,$subject1,$message,$headers)) { $mail_went=1; $_SESSION['msgstatus']= "Mail sent to ".$toto1."<br>"; }else{ $mail_went=0; $_SESSION['msgstatus']= "Mail send failure - message not sent <br>"; }
  13. OK, just try the following code and report back with what gets echo'd to screen. include_once("mailer.php"); if(mail($toto1,$subject1,$message,$headers)) { $mail_went=1; $_SESSION['msgstatus']= "Mail sent to ".$toto1."<br>"; echo "Mail Sent!"; }else{ $mail_went=0; $_SESSION['msgstatus']= "Mail send failure - message not sent <br>"; echo "Mail Not Sent!"; }
  14. Are you sure? The code I posted is the correct way to do it and should give the desired result.
  15. Hi vikela, Just put the mail() function directly into the if statement. Change your code to read: include_once("mailer.php"); if(mail($toto1,$subject1,$message,$headers)) { $mail_went=1; $_SESSION['msgstatus']= "Mail sent to ".$toto1."<br>"; }else{ $mail_went=0; $_SESSION['msgstatus']= "Mail send failure - message not sent <br>"; } Hope this helps.
  16. Hi Miss Ruth, Try the following: $headers = "From: OUR TEAM <".$themail.">\r\n"; Hope this helps.
  17. Hi Miss-Ruth, Try the following: $to = "CEO <abc@mail.com>"; You still need to include the email address for the email to be able to send. Hope this helps.
  18. Hi sixseven, You could use PHP's array_change_key_case() to do this. Change your code to read: $lcget = array_change_key_case($_GET); $gallery = $lcget['gallery']; if($gallery=="arte x arte") { $userImage = "arte_x_arte.jpg"; } The above is useful if you have other $_GET requests you wish to make lowercase, as it will convert the entire $_GET array. Or you could just use PHP's strtolower() function to perform a conversion on the single $_GET using: $gallery = $_GET['gallery']; if(strtolower($gallery)=="arte x arte") { $userImage = "arte_x_arte.jpg"; } Hope this helps.
  19. Yes, I totally agree, I did suggest that codeboy89 did this for that exact reason, also you get everyone's opinion on the problem not just one person's. However, he said he didn't want to post his code on the forums, but it turns out he did in the end (as well as PM'ing it to me!) Oh well, at least he got a solution. Thanks
  20. Hi codeboy89, No, if you have done that (as per my PM) then that's fine. @MadTechie, codeboy89 has also been PM'ing me so I think there's been a bit of overlapping of code etc.
  21. Hi codeboy89, XSS issues are really only relevant if code is being inputted by a user and then outputted back to the screen. Have a look at the tutorial I posted (specifically section 4), in the code you posted I don't think it's particularly relevant. Therefore, you won't need to use htmlentities(). But essentially, what htmlentities() does is turn HTML code into its relevant entity, i.e. < becomes &lt; and > becomes &gt;. This helps stop users posting dangerous JavaScript code directly into your application, which when retrieved back to the screen will be run.
  22. Hi codeboy89, Have a look at Daniel's excellent PHP Security Tutorial which should give you all the information you need but looking through your code it all looks pretty secure except you're not using mysql_real_escape_string() on the POSTed password variable. Change your code to read: if(isset($_POST['password']) && !empty($_POST['password'])) { $password = mysql_real_escape_string($_POST['password']); $password = md5($password); As a general rule of thumb as long as you use mysql_real_escape_string() on POSTed data or data retrieved via GET before entering it into the database you should be fine. As covered in the above tutorial, use htmlentities() to protect against XSS attacks. Hope this helps.
  23. Hi Brian, No problem at all. In answer to your first question, yes that's possible, just change your PHP code to read: <? if ($send=="yes") { $to = "my@address"; $subject = "$subjectVar"; $body .= "$msgVar\n\nAnswer 1: $answer1Var\n\nAnswer 2: $answer2Var\n\nAnswer 3: $answer3Var"; $from = "$nameVar"; $tfrom = "From: <$emailVar>"; mail($to,$subjectVar,$body,$tfrom); } echo "&errormessage=Email has been sent&"; ?> In answer to your second question, yes that's also possible. Tickboxes send an "on" or "off" response, but these responses aren't very "user friendly". To get around this you could do something along the lines of: if($tickboxVar=="on") { $tickboxVar="Yes"; } else { $tickboxVar="No"; } Hope this helps.
  24. Hi speedy_rudolf, Post your actual code and someone will be able to give you an answer.
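
Added example (not part of Bricktop's posts or the original threads): the accounts login lookup from posts 2 and 4 written with bound parameters instead of string concatenation, with the output escaping mentioned in post 21. The in-memory SQLite database, the sample row, the simulated form values and the find_account() helper are constructed for illustration; the mysql_* functions used in the posts were removed in PHP 7, so PDO is used here.

```php
<?php
// Constructed schema and data; in-memory SQLite so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (
    login TEXT PRIMARY KEY, encrypted_password TEXT, gm TEXT, banned INTEGER)');

// md5() is kept only to match the encrypted_password column in the posts;
// password_hash() and password_verify() are PHP's current password functions.
$seed = $pdo->prepare('INSERT INTO accounts VALUES (?, ?, ?, ?)');
$seed->execute(["o'neil", md5('constructed-password'), '0', 0]);

// Hypothetical helper: returns the account row, or null when nothing matches.
function find_account(PDO $pdo, string $account, string $password): ?array
{
    // The SQL text is fixed; the values are sent separately as parameters,
    // so quote characters in the input can never change the statement.
    $stmt = $pdo->prepare(
        'SELECT login, gm, banned FROM accounts
         WHERE login = :login AND encrypted_password = :hash'
    );
    $stmt->execute([':login' => $account, ':hash' => md5($password)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: accept only a non-empty string field of bounded length.
function form_field(array $form, string $name, int $maxLen): ?string
{
    $value = $form[$name] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Constructed stand-in for $_POST; the apostrophe is ordinary user data.
$form = ['login' => "o'neil", 'password' => 'constructed-password'];

$login = form_field($form, 'login', 64);
$password = form_field($form, 'password', 256);
$row = ($login !== null && $password !== null)
    ? find_account($pdo, $login, $password)
    : null;

// Escape at output time, for the HTML context the value is written into.
echo $row !== null
    ? 'Welcome, ' . htmlspecialchars($row['login'], ENT_QUOTES, 'UTF-8') . "\n"
    : "Login failed\n";
```

With bound parameters the value is never part of the SQL text, so no escaping call is applied to the password before hashing.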