Voodoo Jai

Members | Posts: 125 | Last visited: Never

Everything posted by Voodoo Jai

  1. Where can I read all about safely creating, validating and sanitising a form used to access a DB? A good, up-to-date tutorial would be good. How do I find out how up to date a web page's tutorials are?
  2. Tried to set it to none but I can't get it to work; should I be editing the function poorman_toggle(id)? I have tried replacing none with visible and hidden but still no go. VoodooJai
  3. I have found a script that I want to use, but I want it to hide the table's row and then show it if the icon is clicked, the reverse of what it does now. I can see which part does this but don't know how to reverse it.

     <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
     <title>Show hide row</title>
     <script type="text/javascript">
     function poorman_toggle(id) {
       var tr = document.getElementById(id);
       if (tr == null) { return; }
       var bExpand = tr.style.display == '';
       tr.style.display = (bExpand ? 'none' : '');
     }
     function poorman_changeimage(id, sMinus, sPlus) {
       var img = document.getElementById(id);
       if (img != null) {
         var bExpand = img.src.indexOf(sPlus) >= 0;
         if (!bExpand) img.src = sPlus; else img.src = sMinus;
       }
     }
     function Toggle_trGrpHeader1() {
       poorman_changeimage('trGrpHeader1_Img', 'images/toggleDLminus.gif', 'images/toggleDLplus.gif');
       poorman_toggle('trRow1');
     }
     </script>
     </head>
     <body>
     <div align="center">
     <table width="650" border="1">
       <tr id="trGrpHeader1">
         <td colspan="4">
           <span onClick="javascript:Toggle_trGrpHeader1();"><img src="images/toggleDLminus.gif" name="trGrpHeader1_Img" width="21" height="23" id="trGrpHeader1_Img"/>Header for row 1</span>
         </td>
       </tr>
       <tr id="trRow1">
         <td width="150">Hello</td>
         <td width="100" class="number">10</td>
         <td width="200" class="number">1999-11-17 00:00:00</td>
         <td width="200" class="number">1999-12-15 00:00:00</td>
       </tr>
     </table>
     </div>
     </body>
     </html>

     I think that this is the code which shows or hides the rows:

     function poorman_toggle(id) {
       var tr = document.getElementById(id);
       if (tr == null) { return; }
       var bExpand = tr.style.display == '';
       tr.style.display = (bExpand ? 'none' : '');
     }

     Could someone please explain it to me. Many thanks VoodooJai
  4. I want to be able to show or hide a table's row/s that are created dynamically from a database. I don't know how many rows are returned, but I would just like to be able to hide them by using a checkbox. How would I do this? I have been looking at code that just hides a particular row, but I cannot find multiple-row hide examples. VoodooJai
  5. I have tried this piece of code in a form field and all I get is the following output when I echo the var in the next page using the post variable. Does this mean that my page is a bit secure from an SQL attack, or does this show it's vulnerable? I see it has escaped the single quote, so is all OK with my security?
  6. I have a form that I think I have coded right, but I want to test it against SQL injection. What would be a safe (i.e. no deleting of info) test statement to try in the form? I am very interested to see how my page would stand up against this type of attack. VoodooJai
  7. I have a piece of code that I have been writing, but I think it's not secure and tatty. Could you please check it for me and advise of possible problems?

     <?php require_once('Conn/Menu_con.php'); ?>
     <?php
     if (!function_exists("GetSQLValueString")) {
       function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
       {
         $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
         $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
         switch ($theType) {
           case "text":
             $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
             break;
           case "long":
           case "int":
             $theValue = ($theValue != "") ? intval($theValue) : "NULL";
             break;
           case "double":
             $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
             break;
           case "date":
             $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
             break;
           case "defined":
             $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
             break;
         }
         return $theValue;
       }
     }

     if (isset($_POST['postcode'])) {
       $PostCodeVAR_Adverts = (get_magic_quotes_gpc()) ? $PostCodeVAR_Adverts : mysql_real_escape_string($PostCodeVAR_Adverts);
     }
     $PostCodeVAR_Adverts = $postcode;
     $postcode = $PostCodeVAR_Adverts;

     mysql_select_db($database_Menu_con, $Menu_con);
     $query_PostCodeSearc = "SELECT TakeawayID, Post_Code, Takeaway_Name, location, t.CountyID, t.LocationID, t.City, t.FreePhone, t.TextOrder, t.List_Type, t.EnhancedListing FROM takeaway t, location WHERE t.Post_Code like '$postcode%' AND t.locationID = location.town_cityID ORDER BY t.EnhancedListing DESC, t.List_Type DESC, location, Post_Code ASC";
     $PostCodeSearc = mysql_query($query_PostCodeSearc, $Menu_con) or die(mysql_error());
     $row_PostCodeSearc = mysql_fetch_assoc($PostCodeSearc);
     $totalRows_PostCodeSearc = mysql_num_rows($PostCodeSearc);

     if (isset($_POST['postcode'])) {
       $PostCodeVAR_Adverts = (get_magic_quotes_gpc()) ? $PostCodeVAR_Adverts : mysql_real_escape_string($PostCodeVAR_Adverts);
     }
     $query_Adverts = sprintf("SELECT AdvertID, Link, districtCode FROM adverts, postcodedistrict WHERE districtCode = %s AND adverts.PostalDistrict = postcodedistrict.PostCodeID;", GetSQLValueString($PostCodeVAR_Adverts, "text"));
     $Adverts = mysql_query($query_Adverts, $Menu_con) or die(mysql_error());
     $row_Adverts = mysql_fetch_assoc($Adverts);
     $totalRows_Adverts = mysql_num_rows($Adverts);
     ?>

     I have changed some of the connection details. Many thanks in advance VoodooJai
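The following is an added example, not the poster's code: the two queries from post 7 rewritten with PDO prepared statements, which is the standard answer to the concerns in posts 6, 7 and 9. The postcode is sent to the server separately from the SQL text, so a quote or other special character in the form field is treated as data and cannot alter the query. Table and column names are those used in the post; the DSN, user name and password are placeholders, and the LIKE-wildcard escaping and postcode shape check are my additions.

```php
<?php
// Added example (not the poster's code): the postcode search and advert lookup from the
// post, using PDO prepared statements. Assumes a MySQL database with the tables and
// columns named in the post; connection details below are placeholders.
declare(strict_types=1);

function escapeLikePattern(string $value): string
{
    // Placeholders protect the query structure, but "%" and "_" are still wildcards
    // inside LIKE, so escape them (MySQL's default LIKE escape character is "\").
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

function normalisePostcode(string $raw): ?string
{
    // Simple shape check: letters, digits and spaces only, at most 8 characters.
    $clean = strtoupper(trim($raw));
    return preg_match('/^[A-Z0-9 ]{1,8}$/', $clean) === 1 ? $clean : null;
}

function findTakeaways(PDO $pdo, string $postcode): array
{
    $sql = "SELECT TakeawayID, Post_Code, Takeaway_Name, location, t.CountyID, t.LocationID,
                   t.City, t.FreePhone, t.TextOrder, t.List_Type, t.EnhancedListing
            FROM takeaway t, location
            WHERE t.Post_Code LIKE :prefix
              AND t.locationID = location.town_cityID
            ORDER BY t.EnhancedListing DESC, t.List_Type DESC, location, Post_Code ASC";
    $stmt = $pdo->prepare($sql);
    // The value travels separately from the SQL; a quote inside it is just a quote.
    $stmt->execute([':prefix' => escapeLikePattern($postcode) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findAdverts(PDO $pdo, string $districtCode): array
{
    $sql = "SELECT AdvertID, Link, districtCode
            FROM adverts, postcodedistrict
            WHERE districtCode = :district
              AND adverts.PostalDistrict = postcodedistrict.PostCodeID";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':district' => $districtCode]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details. ERRMODE_EXCEPTION replaces "or die(mysql_error())",
// which would show raw SQL error text to visitors; emulated prepares are switched off
// so the database server itself binds the parameters.
$pdo = new PDO(
    'mysql:host=localhost;dbname=MENU_DB_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Read the postcode from the form only; the post's bare "$postcode" relied on register_globals.
$postcode = normalisePostcode((string) ($_POST['postcode'] ?? ''));
if ($postcode === null) {
    http_response_code(400);
    exit('Please enter a valid postcode.');
}

$takeaways = findTakeaways($pdo, $postcode);
$adverts   = findAdverts($pdo, $postcode);

// Escape on the way out as well: a takeaway name is data, not HTML.
foreach ($takeaways as $row) {
    echo '<p>' . htmlspecialchars($row['Takeaway_Name'], ENT_QUOTES, 'UTF-8')
       . ' (' . htmlspecialchars($row['Post_Code'], ENT_QUOTES, 'UTF-8') . ")</p>\n";
}
echo '<p>' . count($adverts) . " advert(s) for this district.</p>\n";
```

On the question in post 9: parameterised queries are what stop an injection from happening; a database account with view-only rights limits what a successful injection could do (it could still read whatever that account can read), so the two measures complement each other rather than substitute for one another.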
  9. If I have the general public access my DB with a user that has only view access rights, does this mean that an SQL injection could not happen? Or is an injection only possible with a user that has been granted more than just view rights to the database? Many thanks VoodooJai
  10. Many thanks, yes that works great, I just could not figure out how to write it, thanks again. Also the pages are for restricted users, so should I still cleanse them? If so, what should I be doing?
  11. I want to pass a dynamic value into a confirm button so I get the correct form value. The form uses this script:

     <script type="text/javascript">
     function go_there() {
       var r = confirm("Printing a receipt confirms the payment has been received!" + '\n' + " PRINT A RECEIPT!");
       if (r == true) {
         window.location = "http://localhost/mark-paid.php?PaperworkID=<?php echo $row_PreviousInvoices['PaperworkID']; ?>&ID=<?php echo $row_Recordset1['TakeawayID']; ?>";
       }
     }
     </script>

     and this to start it:

     <FORM>
     <INPUT TYPE="button" value="Print a receipt!" onClick="go_there()">
     </FORM>

     I want to pass a dynamic piece of data into the input button that is then used in the script. Something like this:

     <FORM>
     <INPUT TYPE="button" value="Print a receipt!" onClick="go_there(<?php echo $row_PreviousInvoices['PaperworkID']; ?>)">
     </FORM>

     which is then used in the script like:

     <script type="text/javascript">
     function go_there($DYNAMIC_DATA) {
       var r = confirm("Printing a receipt confirms the payment has been received!" + '\n' + " PRINT A RECEIPT!");
       if (r == true) {
         window.location = "http://localhost/mark-paid.php?PaperworkID=$DYNAMIC_DATA&ID=<?php echo $row_Recordset1['TakeawayID']; ?>";
       }
     }
     </script>

     I have highlighted the DYNAMIC_DATA in lime green to show you how and what I want to pass. Basically, can I pass a variable into the confirm submit button and then pass this into the next page for use? Complicated, but many thanks in advance VoodooJai
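An added example for the question in post 11, not the poster's code: a per-row database value is handed to the JavaScript confirm handler without pasting PHP output into JavaScript source. The value is validated as an integer on the PHP side, placed in an HTML-escaped data attribute on the button, and read back with getAttribute; the second id is emitted through json_encode so PHP produces a proper JavaScript literal. The array keys are the ones used in the post, the sample row values are constructed, and mark-paid.php is the page's own target.

```php
<?php
// Added example (not the poster's code). $row_PreviousInvoices and $row_Recordset1 are
// the rows the post works with; these two values are constructed for the demo.
$row_PreviousInvoices = ['PaperworkID' => 1042];
$row_Recordset1       = ['TakeawayID'  => 17];

// Identifiers are supposed to be positive integers, so accept nothing else.
$intRange    = ['options' => ['min_range' => 1]];
$paperworkId = filter_var($row_PreviousInvoices['PaperworkID'], FILTER_VALIDATE_INT, $intRange);
$takeawayId  = filter_var($row_Recordset1['TakeawayID'], FILTER_VALIDATE_INT, $intRange);
if ($paperworkId === false || $takeawayId === false) {
    http_response_code(500);
    exit('Invalid record identifiers.');
}
?>
<script type="text/javascript">
// json_encode turns the PHP value into a JavaScript literal; no hand-written quoting.
var TAKEAWAY_ID = <?php echo json_encode($takeawayId); ?>;

function go_there(paperworkId) {
    var r = confirm("Printing a receipt confirms the payment has been received!\nPRINT A RECEIPT!");
    if (r) {
        // encodeURIComponent keeps each value inside its own query parameter.
        window.location = "mark-paid.php?PaperworkID=" + encodeURIComponent(paperworkId)
                        + "&ID=" + encodeURIComponent(TAKEAWAY_ID);
    }
}
</script>
<form>
  <!-- The id travels in an HTML-escaped data attribute, not inside JavaScript source. -->
  <input type="button" value="Print a receipt!"
         data-paperwork-id="<?php echo htmlspecialchars((string) $paperworkId, ENT_QUOTES, 'UTF-8'); ?>"
         onclick="go_there(this.getAttribute('data-paperwork-id'))">
</form>
```

Marking a payment as received changes server state, so mark-paid.php should also check that the request comes from a logged-in user; a POST form carrying a per-session token is the usual transport for such an action, but the GET link above keeps to the shape the post describes.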
  12. Got it eventually, thanks all:

     $ListFee = 58.00;
     $BorderFee = 12.00;
     $TotalAmount = $ListFee + $BorderFee;
     // sprintf() returns the formatted string; printf() prints it and returns only its length.
     $Amount = sprintf("%01.2f", $TotalAmount);

  13. This still does not give me the ZEROs after the INT digits. Have looked at the PHP manual but don't understand what I am looking for exactly. Cheers all.
  14. Hi again all. I have 2 variables that I take from my database that are of the type FLOAT; what I want to do is add them together to give a FLOAT value. My problem is that I want it to show the figures after the decimal point even if they are ZERO figures.

     <?php
     $ListFee = "58.00";
     $BorderFee = "12.00";
     $TotalAmount = ($ListFee + $BorderFee);
     echo $TotalAmount;
     ?>

     The output gives me 70; I want 70.00. Many thanks in advance again VoodooJai
  15. Got a typo, comma missing, feeling daft again. Got it working now. Thanks guys N girlz VoodooJai
  16. I have this piece of code that is used a number of times within my page, so I would like to turn it into a function. Can it be done?

     <?php
     //***********************************************************************************************
     // if listing type is either Standard or Superior then show row OPENING HOURS
     //***********************************************************************************************
     if ($row_away['List_Type'] == 3 || $row_away['List_Type'] == 5 ) {
       echo "<table width=\"749\" border=\"0\">";
       echo "<tr> <td align=\"center\"> <strong> Opening Hours </strong>";
       echo "<table border=\"0\"> <tr> <td width=\"50\" align=\"left\"> Mon </td>";
       $a = $row_away['Mon_hr_1'];
       if ($a <> NULL) {
         echo "<td width=\"60\" align=\"right\">";
         echo $row_away['Mon_hr_1'] . "-" . $row_away['Mon_min_1'];
         echo "</td>";
         echo "<td width=\"50\" align=\"left\">";
         echo $row_away['MonHrAmPm'];
         echo "</td>";
         echo "<td width=\"30\" align=\"center\">";
         echo "to";
         echo "</td>";
         echo "<td width=\"60\" align=\"right\">";
         echo $row_away['Mon_hr_2'] . "-" . $row_away['Mon_min_2'];
         echo "</td>";
         echo "<td width=\"50\" align=\"left\">";
         echo $row_away['Mon2HrAmPm'];
         echo "</td>";
         echo "<td width=\"60\" align=\"right\">";
         echo $row_away['Mon_hr_3'] . "-" . $row_away['Mon_min_3'];
         echo "</td>";
         echo "<td width=\"50\" align=\"left\">";
         echo $row_away['Mon3HrAmPm'];
         echo "</td>";
         echo "<td width=\"30\" align=\"center\">";
         echo "to";
         echo "</td>";
         echo "<td width=\"60\" align=\"right\">";
         echo $row_away['Mon_hr_4'] . "-" . $row_away['Mon_min_4'];
         echo "</td>";
         echo "<td width=\"50\" align=\"left\">";
         echo $row_away['Mon4HrAmPm'];
         echo "</td>";
       } else {
         echo "<td width=\"535\" align=\"left\">";
         echo "Closed";
         echo "</td>";
       }
       echo "</tr>";
       echo "</table>";
       echo "</td> </tr> </table>";
     }
     ?>

     I have tried to create one but I think I'm on the wrong track; here's my creation:

     <?php
     function OpenTime($ListType, $Day, $Hr1, $Min1, $Hr1AmPm, $Hr2, $Min2, $Hr2AmPm, $Hr3, $Min3, $Hr3AmPm, $Hr4, $Min4, $Hr4AmPm)
     {
       //***********************************************************************************************
       // if listing type is either Standard or Superior then show row OPENING HOURS
       //***********************************************************************************************
       if ($ListType == 3 || $ListType == 5 ) {
         echo "<table width=\"749\" border=\"0\">";
         echo "<tr> <td align=\"center\"> <strong> Opening Hours </strong>";
         echo "<table border=\"0\"> <tr> <td width=\"50\" align=\"left\"> $Day </td>";
         $a = $Hr1;
         if ($a <> NULL) {
           echo "<td width=\"60\" align=\"right\">";
           echo $Hr1 . "-" . $Min1;
           echo "</td>";
           echo "<td width=\"50\" align=\"left\">";
           echo $Hr1AmPm;
           echo "</td>";
           echo "<td width=\"30\" align=\"center\">";
           echo "to";
           echo "</td>";
           echo "<td width=\"60\" align=\"right\">";
           echo $Hr2 . "-" . $Min2;
           echo "</td>";
           echo "<td width=\"50\" align=\"left\">";
           echo $Hr2AmPm;
           echo "</td>";
           echo "<td width=\"60\" align=\"right\">";
           echo $Hr3 . "-" . $Min3;
           echo "</td>";
           echo "<td width=\"50\" align=\"left\">";
           echo $Hr3AmPm;
           echo "</td>";
           echo "<td width=\"30\" align=\"center\">";
           echo "to";
           echo "</td>";
           echo "<td width=\"60\" align=\"right\">";
           echo $Hr4 . "-" . $Min4;
           echo "</td>";
           echo "<td width=\"50\" align=\"left\">";
           echo $Hr4AmPm;
           echo "</td>";
         } else {
           echo "<td width=\"535\" align=\"left\">";
           echo "Closed";
           echo "</td>";
         }
         echo "</tr>";
         echo "</table>";
         echo "</td> </tr> </table>";
       }
     }

     // The call as posted was missing the commas after Mon2HrAmPm, Mon_min_3 and Mon3HrAmPm; they are restored here.
     OpenTime($row_away['List_Type'], "Mon",
              $row_away['Mon_hr_1'], $row_away['Mon_min_1'], $row_away['MonHrAmPm'],
              $row_away['Mon_hr_2'], $row_away['Mon_min_2'], $row_away['Mon2HrAmPm'],
              $row_away['Mon_hr_3'], $row_away['Mon_min_3'], $row_away['Mon3HrAmPm'],
              $row_away['Mon_hr_4'], $row_away['Mon_min_4'], $row_away['Mon4HrAmPm']);
     ?>

     I think the problem is the HTML code within the function. Hope someone can give some help without laughing too much VoodooJai
  17. Not sure if this is the right section to post this, but here goes. I have nearly finished my website but would like it all to be checked over by an expert for any trouble spots, a bit like when you're at school and the teacher checks your homework. How do I go about having this done? VoodooJai
  18. After a bit of digging I get this error msg:

     Warning: Cannot modify header information - headers already sent by (output started at /hsphere/local/home/poochima/lostmymenu.com/statistics2.php:3) in /hsphere/local/home/poochima/lostmymenu.com/statistics2.php on line 13
     Warning: Cannot modify header information - headers already sent by (output started at /hsphere/local/home/poochima/lostmymenu.com/statistics2.php:3) in /hsphere/local/home/poochima/lostmymenu.com/statistics2.php on line 15

     It looks as though it won't let me set the cookie at line 13 of the page. Why is this? VoodooJai
  19. When I try to view the cookie using the FF cookie editor it's not there. I don't think it's being set by the page, as when I set the expression to FALSE it works fine. VoodooJai
  20. I have a page that is supposed to set a cookie, but when I check the cookies it's not there. Part of the code is here:

     <?php
     if ($_GET["action"] == "2") {
       $username = $_POST["username"];
       $password = $_POST["password"];
       $referrer = "http://host.com";
       if ($username == "username" && $password == "password" && str_replace("www.", "", $_SERVER['HTTP_REFERER']) == $referrer . "statistics2.php") {
         setcookie("JumboJai", "poochimasta", 0);
       }
     }
     ?>

     If I set the cookie not to be TRUE then my page does what it's supposed to:

     <?php
     if ($_COOKIE["JumboJai"] != "poochimasta") {
       mysql_select_db($database_host_conn, $host_conn);
       echo "COOKIE WORKING";
     }
     ?>

     I'm confused.com LOL VoodooJai
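An added example for posts 18 to 20, not the poster's code. The warning in post 18 says output started at line 3 of statistics2.php, so by line 13 the HTTP headers have already gone to the browser and a Set-Cookie header can no longer be added; that is why the cookie never appears. The login from post 20 is restructured here so that all cookie work happens before the first byte of HTML, with a headers_sent() check that reports the same condition the warning describes. PHP's session cookie replaces the fixed cookie value, since a value that is the same for everyone can be copied. The user name and password are placeholders as in the post; the hash is computed at start-up only so the script runs on its own.

```php
<?php
// Added example (not the poster's code): cookie/session handling placed before any output.
// LOGIN_USER and the password below are placeholders, as in the post.
declare(strict_types=1);

const LOGIN_USER = 'username';

// Demo only: real code stores the hash produced by password_hash(), never the password.
$expectedHash = password_hash('password', PASSWORD_DEFAULT);

function loginIsValid(?string $user, ?string $pass, string $expectedHash): bool
{
    // Constant-time comparisons; no Referer check, because that header is set by the client.
    return is_string($user) && hash_equals(LOGIN_USER, $user)
        && is_string($pass) && password_verify($pass, $expectedHash);
}

function startSecureSession(): bool
{
    if (headers_sent($file, $line)) {
        // Exactly the condition behind the post's warning: output already started.
        error_log("session cookie cannot be sent: output already started at $file:$line");
        return false;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, like the 0 in setcookie(..., 0)
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    return session_start();
}

// Nothing, not even a blank line or BOM, may precede this point in the file.
if (!startSecureSession()) {
    http_response_code(500);
    exit('Session could not be started.');
}

if (($_GET['action'] ?? '') === '2' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (loginIsValid($_POST['username'] ?? null, $_POST['password'] ?? null, $expectedHash)) {
        session_regenerate_id(true);      // fresh session id once the user is authenticated
        $_SESSION['user'] = LOGIN_USER;
    } else {
        http_response_code(403);
        exit('Login failed.');
    }
}
$loggedIn = isset($_SESSION['user']);
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($loggedIn): ?>
<p>COOKIE WORKING</p>
<?php else: ?>
<p>Please log in.</p>
<?php endif; ?>
</body>
</html>
```

Two details of the posted code are worth checking against this version: the comparison `$referrer . "statistics2.php"` concatenates without a slash, so it can only match a Referer of the form `http://host.comstatistics2.php`, and the Referer header is supplied by the browser, so it should not be part of the login decision at all.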
  21. Here is the function below:

     mysql("Counters", "UPDATE Count SET Number='$Number' WHERE Base='$Base' AND URL='$URL'");

     Hope this helps.
  22. I am getting the following error msg: and this is the code it refers to:

     $result = mysql("Counters", "SELECT * FROM count WHERE Base='$Base' AND URL='$URL'");   // LINE 8 next
     while ($row = mysql_fetch_row($result)) {
       $ChkBase = $row[0];
       $ChkURL = $row[1];
       $ChkCount = $row[2];
       $Count = $ChkCount;
     }
     if ($ChkURL == "") :
       mysql("Counters", "INSERT INTO count VALUES ('$Base','$URL','0')");
       $Count = 0;
     endif;
     $Count++;
     mysql("Counters", "UPDATE count SET Number='$Count' WHERE Base='$Base' AND URL='$URL'");
     $result = mysql("Counters", "SELECT * FROM count WHERE Base='$Base' AND URL='$URL'");   // LINE 22 next
     while ($row = mysql_fetch_row($result)) {
       $Base = $row[0];
       $URL = $row[1];
       $Count = $row[2];
     }

     I cannot see what the problem is. VoodooJai