
Voodoo Jai

Members
  • Posts

    125
  • Joined

  • Last visited

    Never

Contact Methods

  • Website URL
    http://www.lostmymenu.com

Profile Information

  • Gender
    Not Telling

Voodoo Jai's Achievements

Regular Member (3/5)

Reputation: 0

  1. Where can I read all about safely creating, validating and sanitizing a form used to access a db? A good up to date tutorial would be good. How do I find out how up to date a web page's tutorials are?
  2. Tried to set it to none but I can't get it to work. Should I be editing the function poorman_toggle(id)? I have tried replacing none with visible and hidden but still no go. VoodooJai
  3. I have found a script that I want to use but I want it to hide the table's row and then show it if the icon is clicked, the reverse of what it does now. I can see which part does this but don't know how to reverse it.

     <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
       <title>Show hide row</title>
       <script type="text/javascript">
         // Switch one row between shown (display '') and hidden (display 'none')
         function poorman_toggle(id) {
           var tr = document.getElementById(id);
           if (tr == null) { return; }
           var bExpand = tr.style.display == '';
           tr.style.display = (bExpand ? 'none' : '');
         }
         // Swap the plus/minus icon so it matches the row state
         function poorman_changeimage(id, sMinus, sPlus) {
           var img = document.getElementById(id);
           if (img != null) {
             var bExpand = img.src.indexOf(sPlus) >= 0;
             if (!bExpand) img.src = sPlus; else img.src = sMinus;
           }
         }
         function Toggle_trGrpHeader1() {
           poorman_changeimage('trGrpHeader1_Img', 'images/toggleDLminus.gif', 'images/toggleDLplus.gif');
           poorman_toggle('trRow1');
         }
       </script>
     </head>
     <body>
       <div align="center">
         <table width="650" border="1">
           <tr id="trGrpHeader1">
             <td colspan="4">
               <span onClick="javascript:Toggle_trGrpHeader1();">
                 <img src="images/toggleDLminus.gif" name="trGrpHeader1_Img" width="21" height="23" id="trGrpHeader1_Img"/>Header for row 1
               </span>
             </td>
           </tr>
           <tr id="trRow1">
             <td width="150">Hello</td>
             <td width="100" class="number">10</td>
             <td width="200" class="number">1999-11-17 00:00:00</td>
             <td width="200" class="number">1999-12-15 00:00:00</td>
           </tr>
         </table>
       </div>
     </body>
     </html>

     I think that this is the code which shows or hides the rows:

     function poorman_toggle(id) {
       var tr = document.getElementById(id);
       if (tr == null) { return; }
       var bExpand = tr.style.display == '';
       tr.style.display = (bExpand ? 'none' : '');
     }

     Could someone please explain it to me. Many thanks VoodooJai
  4. I want to be able to show or hide a table's row/s that are created dynamically from a database. I don't know how many rows are returned but I would just like to be able to hide them by using a checkbox. How would I do this? I have been looking at code that just hides a particular row but I cannot find multiple row hide examples. VoodooJai
  5. I have tried this piece of code in a form field and all I get is the following output when I echo the var in the next page using the post variable. Does this mean that my page is a bit secure from an SQL attack or does this show it's vulnerable? I see it has escaped the single quote, so is all ok with my security?
  6. I have a form that I think I have coded right but I want to test it against SQL injection. What would be a safe (ie no deleting of info) test statement to try in the form. I am very interested to see how my page would stand up against this type of attack. VoodooJai
  7. I have a piece of code that I have been writing but I think it's not secure and tatty, could you please check it for me and advise of possible problems.

     <?php require_once('Conn/Menu_con.php'); ?>
     <?php
     if (!function_exists("GetSQLValueString")) {
       // Escape a value and quote it according to its declared type
       function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
       {
         $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
         $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
         switch ($theType) {
           case "text":
             $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
             break;
           case "long":
           case "int":
             $theValue = ($theValue != "") ? intval($theValue) : "NULL";
             break;
           case "double":
             $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
             break;
           case "date":
             $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
             break;
           case "defined":
             $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
             break;
         }
         return $theValue;
       }
     }

     if (isset($_POST['postcode'])) {
       $PostCodeVAR_Adverts = (get_magic_quotes_gpc()) ? $PostCodeVAR_Adverts : mysql_real_escape_string($PostCodeVAR_Adverts);
     }
     $PostCodeVAR_Adverts = $postcode;
     $postcode = $PostCodeVAR_Adverts;

     mysql_select_db($database_Menu_con, $Menu_con);
     // The postcode is interpolated straight into the LIKE pattern here
     $query_PostCodeSearc = "SELECT TakeawayID, Post_Code, Takeaway_Name, location, t.CountyID, t.LocationID, t.City, t.FreePhone, t.TextOrder, t.List_Type, t.EnhancedListing
       FROM takeaway t, location
       WHERE t.Post_Code like '$postcode%' AND t.locationID = location.town_cityID
       ORDER BY t.EnhancedListing DESC, t.List_Type DESC, location, Post_Code ASC";
     $PostCodeSearc = mysql_query($query_PostCodeSearc, $Menu_con) or die(mysql_error());
     $row_PostCodeSearc = mysql_fetch_assoc($PostCodeSearc);
     $totalRows_PostCodeSearc = mysql_num_rows($PostCodeSearc);

     if (isset($_POST['postcode'])) {
       $PostCodeVAR_Adverts = (get_magic_quotes_gpc()) ? $PostCodeVAR_Adverts : mysql_real_escape_string($PostCodeVAR_Adverts);
     }
     // This query goes through GetSQLValueString instead of direct interpolation
     $query_Adverts = sprintf("SELECT AdvertID, Link, districtCode FROM adverts, postcodedistrict WHERE districtCode = %s AND adverts.PostalDistrict = postcodedistrict.PostCodeID;", GetSQLValueString($PostCodeVAR_Adverts, "text"));
     $Adverts = mysql_query($query_Adverts, $Menu_con) or die(mysql_error());
     $row_Adverts = mysql_fetch_assoc($Adverts);
     $totalRows_Adverts = mysql_num_rows($Adverts);
     ?>

     I have changed some of the connection details. Many thanks in advance VoodooJai
  9. If I have the general public access my db with a user that has only view access rights, does this mean that an SQL injection could not happen? Or is an injection only possible with a user that has been granted more than just view rights to the database? Many thanks VoodooJai
  10. Many thanks, yes that works great, I just could not figure out how to write it, thanks again. Also the pages are for restricted users, so should I still cleanse them, and if so what should I be doing?
  11. I want to pass a dynamic value into a confirm button so I get the correct form value. The form uses this script

      <script type="text/javascript">
        function go_there() {
          var r = confirm("Printing a receipt confirms the payment has been received!" + '\n' + " PRINT A RECEIPT!");
          if (r == true) {
            window.location = "http://localhost/mark-paid.php?PaperworkID=<?php echo $row_PreviousInvoices['PaperworkID']; ?>&ID=<?php echo $row_Recordset1['TakeawayID']; ?>";
          }
        }
      </script>

      and this to start it

      <FORM>
        <INPUT TYPE="button" value="Print a receipt!" onClick="go_there()">
      </FORM>

      I want to pass a dynamic piece of data into the input button that is then used in the script. Something like this

      <FORM>
        <INPUT TYPE="button" value="Print a receipt!" onClick="go_there(<?php echo $row_PreviousInvoices['PaperworkID']; ?>)">
      </FORM>

      which is then used in the script like

      <script type="text/javascript">
        function go_there($DYNAMIC_DATA) {
          var r = confirm("Printing a receipt confirms the payment has been received!" + '\n' + " PRINT A RECEIPT!");
          if (r == true) {
            window.location = "http://localhost/mark-paid.php?PaperworkID=$DYNAMIC_DATA&ID=<?php echo $row_Recordset1['TakeawayID']; ?>";
          }
        }
      </script>

      I have highlighted the DYNAMIC_DATA in lime green to show you how and what I want to pass. Basically, can I pass a variable into the confirm submit button and then pass this into the next page for use? Complicated, but many thanks in advance VoodooJai
  12. Got it eventually, thanks all

      $ListFee = 58.00;
      $BorderFee = 12.00;
      $TotalAmount = $ListFee + $BorderFee;
      // sprintf returns the formatted string; printf would only print it and return its length
      $Amount = sprintf("%01.2f", $TotalAmount);
  13. This still does not give me the ZEROs after the INT digits. Have looked at the PHP manual but don't understand what I am looking for exactly. Cheers all.
  14. Hi again all. I have 2 variables that I take from my database that are of the type FLOAT. What I want to do is add them together to give a FLOAT value. My problem is that I want it to show the figures after the decimal point even if they are ZERO figures.

      <?php
      $ListFee = "58.00";
      $BorderFee = "12.00";
      $TotalAmount = ($ListFee + $BorderFee);
      echo $TotalAmount;
      ?>

      The output gives me 70, I want 70.00. Many thanks in advance again VoodooJai
  15. Got a typo, comma missing, feeling daft again. Got it working now. Thanks guys N girlz VoodooJai
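Posts 5 to 9 above ask whether escaping and a read-only database user make the postcode search safe. The following is an added example, not code from the poster or the site: the PostCodeSearc query from post 7 rewritten with a PDO prepared statement, so the postcode is sent as a bound parameter and never becomes part of the SQL text. Table and column names are taken from that post; the PDO connection details, the `normalisePostcode` allow-list and the `likePrefix` helper are assumptions.

```php
<?php
// Added example: parameterised version of the postcode search in post 7.

// Escape LIKE wildcards so a submitted "%" or "_" cannot widen the prefix match.
// MySQL's default LIKE escape character is the backslash, so no ESCAPE clause is needed.
function likePrefix(string $value): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
    return $escaped . '%';
}

// Allow-list the input (assumed format: letters, digits and spaces, at most 8 chars)
// before it reaches the database at all; anything else is rejected, not "cleaned".
function normalisePostcode(string $raw): ?string
{
    $pc = strtoupper(trim($raw));
    return preg_match('/^[A-Z0-9 ]{1,8}$/', $pc) === 1 ? $pc : null;
}

function findTakeaways(PDO $pdo, string $rawPostcode): array
{
    $postcode = normalisePostcode($rawPostcode);
    if ($postcode === null) {
        return []; // malformed input: no query is run
    }
    // Same query as post 7, with the interpolated '$postcode%' replaced by a placeholder
    $sql = "SELECT TakeawayID, Post_Code, Takeaway_Name, location, t.CountyID, t.LocationID,
                   t.City, t.FreePhone, t.TextOrder, t.List_Type, t.EnhancedListing
            FROM takeaway t, location
            WHERE t.Post_Code LIKE :prefix AND t.locationID = location.town_cityID
            ORDER BY t.EnhancedListing DESC, t.List_Type DESC, location, Post_Code ASC";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':prefix' => likePrefix($postcode)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection: a read-only account, real server-side prepares, exceptions on error
$pdo = new PDO('mysql:host=localhost;dbname=menu;charset=utf8mb4', 'menu_ro', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$rows = findTakeaways($pdo, $_POST['postcode'] ?? '');
```

A view-only account, as asked in post 9, limits what a successful injection can change but not what it can read, so the parameter binding is still needed; the account restriction is a second layer, not a substitute.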
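Post 11 above asks how to pass a per-row PaperworkID into the confirm button. Added example, not the poster's code: the value is embedded as a JavaScript literal and HTML-escaped, so a database value can never break out of the onclick attribute or the script, and the redirect URL is built from the argument with encodeURIComponent. The helper names, the `$previousInvoices` array of rows and the relative `mark-paid.php` URL are assumptions; the row array names come from the post.

```php
<?php
// Added example: passing a dynamic value into the confirm button from post 11.

// Turn a PHP value into a JS literal that stays safe inside <script> or an HTML attribute.
function jsLiteral($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// One button per invoice row. The id is cast to int so only a number can ever appear,
// and the whole attribute value is HTML-escaped.
function receiptButton(array $row_PreviousInvoices): string
{
    $onclick = 'go_there(' . jsLiteral((int) $row_PreviousInvoices['PaperworkID']) . ')';
    return '<input type="button" value="Print a receipt!" onclick="'
         . htmlspecialchars($onclick, ENT_QUOTES, 'UTF-8') . '">';
}

// The script is emitted once; the takeaway id is fixed for the page, the paperwork id
// arrives as the function argument.
function receiptScript(array $row_Recordset1): string
{
    $takeawayId = jsLiteral((int) $row_Recordset1['TakeawayID']);
    return <<<HTML
<script type="text/javascript">
  function go_there(paperworkId) {
    var r = confirm("Printing a receipt confirms the payment has been received!\\n PRINT A RECEIPT!");
    if (r) {
      // encodeURIComponent keeps the query string well formed whatever the values are
      window.location = "mark-paid.php?PaperworkID=" + encodeURIComponent(paperworkId)
                      + "&ID=" + encodeURIComponent($takeawayId);
    }
  }
</script>
HTML;
}

// Assumed: $row_Recordset1 is the current takeaway row, $previousInvoices its invoice rows
echo receiptScript($row_Recordset1);
foreach ($previousInvoices as $row_PreviousInvoices) {
    echo '<form>' . receiptButton($row_PreviousInvoices) . '</form>';
}
```

mark-paid.php should still validate PaperworkID on the server and check that the logged-in user is allowed to mark that invoice paid; the client-side confirm is only a convenience, not an authorisation step.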