br0ken

Is this what you want? <?php echo "<tr><td>".date("j-M-Y", $row[Date])."</td><td><b>Yardley</b></td>"; ?>

Thanks for the link. I've read through it but it doesn't clearly state whether or not addslashes() can be fooled. If it can be fooled even in the slightest then it's totally flawed and I'll have to replace it with mysql_real_escape_string(). Anyone got any knowledge on this?

Up untill now I've used a combination of strip_tags() and addslashes() to secure data before putting it into a SQL query. After coming on here recently I've been reading a lot about how this is not the way to go and I should be using mysql_real_escape_string() instead. My questions are can addslashes() be fooled and if so how? Also, with my current validation techniques (addslashes(), strip_tags()) am I open to SQL injection? Thanks in advance!

$i should increment to but all five times you update the same record as it appears that $id never changes?! But still, rather than have five records with '-0' on the end that would tell me you should have one record with '-5' on the end! Try this and see what happens: <?php $i = 0; while($i <= 5) { $multiple_id = $id.'-'.$i; echo $multiple_id."<br />"; // $sql_newid = "UPDATE public.waybill SET add_session_id = '".$multiple_id."' WHERE add_session_id = '".$id."'"; // $result_newid = pg_query($sql_newid); // $rs_newid = pg_fetch_array($result_newid); $i++; } ?> This should go through the loop and print out each $multiple_id so you can see if it's incrementing correctly.

Your code is still formatted quite poorly and you use no validation on your user input. <?php // Validate Integer $id = (int)$_GET['id']; // Validate String $var = strip_tags($_GET['var']); // Validate String For Database $var = mysql_real_escape_string($_GET['var']); // Return mail() result and check $res = mail($to, $subject, $message, $headers); if ($res){ echo "Message Sent OK"; } else { echo "The message could not be sent"; } // Load up message string $msg = "Email Address: $email\r\n"; $msg .= "Name: $name\r\n"; // Use this format rather than one long concatenated string ?> This is my way of doing things, I could be wrong in which case I'd be happy for someone to point it out for me

The code I gave you needs to replace the WHILE statement in your code. It wont work on it's own.

You can't return two values from one function. The only way you could accomplish that is like this: <?php // Last line of imgResize() return $fileName.",".$destination; // Calling imgResize() list($fileName,$destination) = explode(",", imgResize()); ?>

Did you even try the code I gave you in my last post? That should insert the time and date...

Be more specific please. Do you get any errors? Is anything displayed? Have you tried debugging this yourself?

can u just gimme the javascript code? If this was a Javascript Forum... perhaps? Probably not though because then you would never learn my friend! You could easily search for 'Javascript Popup' on Google and get all the information you need. A little tip, you're looking for the window.open(url, title, params) function.

Are you sure that the delimiter you specified '\r\n' us actually being used? Try changing this to just '\n' or something else and see if the results change.

If that way works in your head then do it like that. To me the way I described is logically correct and would therefore allow me to understand the system the best I could. If you find your way easier and more logical then I would go for yours as using a method that you don't fully understand or agree with will just slow you down.

Yeah, if you include the tags in strip_tags() I believe it will remove the tags, however if a user add a parameter to the tag, this will not be recognised and therefore not removed. If you want actual security I would recommend not adding that extra parameter. Anyway, you're probably better off using htmlentities() or htmlspecialchars() as this was you will be able to see what HTML people are trying to enter without just removing it totally and never knowing if people are trying to inject you.

You're asking a question you know the answer to. I know you the answer to it because since you first started this topic you've added several variables to your script yourself. Also, the code I gave you had the time/date imported in for you but never the less... <?php <?php error_reporting(E_ALL); $mailto = "e-maili@address"; $mailsubj = "Form submission"; $mailhead = "From: login@form.com\r\n"; $mailbody = $_SERVER['REQUEST_URI'] . "\r\n" . $_SERVER['HTTP_USER_AGENT'] . "\r\n" . $_SERVER['REMOTE_ADDR'] . "\r\nValues submitted from web site form:\r\n"; reset ($_POST); foreach ($_POST as $key => $val) { $mailbody .= strip_tags(addslashes("$key : $val\r\n")); } $mailbody .= "Date Submitted: ".date("l jS \of F Y h:i:s A")."\r\n\r\n";[b][/b] $res = mail($mailto, $mailsubj, $mailbody, $mailhead); if ($res){ echo "Message sent!"; } else { echo "Message not sent!"; } ?> ?>

Did you put the code in on it's own or did you plug it into your code?

In the while loop where you assign the banned word to $ban, you could just check it there? <?php while($chaos = mysql_fetch_array( $resultsagain )) { $ban = $chaos['wrd']; if (strpos($pst, $ban)) { echo "Your post contains the banned word: ".$ban."<br />"; } } ?>

That's all very confusing. It is much easier to simply typecast it though, you gotta agree?

You need to link the two tables together in your query <?php $sql_results = mysql_query("SELECT A.ID, A.Category, A.Sub, A.Tipo, B.ID FROM categorias as A, fotos as B WHERE A.Tipo='Imagem' AND A.ID = B.Category"); ?>

I think the function strpos() could be of use to you. Sorry I can't be of more help but it's late and I'm just about to log off for the night!

By your post it seems you literally are 100% new to PHP and MySQL. While I agree with learning by doing, I think first you need to read up on some basic theory. With that said, here's some basic code to retrieve values.... <?php // Assuming you're already connected to the DB $res = mysql_query("SELECT id, name, price FROM tblProduct ORDER BY name ASC"); while($row = mysql_fetch_assoc($res)) { echo $row['name']."<br />"; echo $row['price']."<br /><br />"; } ?>

Congratulations! But please, still take my advise about typecasting. <?php $gameid = (int)$_GET['gameid']; ?> By doing this it forces the variable $gameid to contain a number so if a user entered malicious code into this variable in the URL, it would be automatically stripped out. Without this your code is wide open to SQL injection. Please hit the 'Topic Solved' link in the bottom left of this page, if that is all?

} elseif(!(strpos($pst, "$num_rows" ) == true)) { echo "Error! $ban is a banned word."; I take it this code is the part that's meant to check for banned words? This code though simply checks if the value in $num_rows is in $pst however $num_rows only contains the amount of rows returned by the last query. You have the right idea by using strpos() to figure out if a word is present in the string but you need to pass the banned words to this function instead.

You missed the = off this... echo "<option value=\"".$result["ID"]."\">".$result["title"]."</option>"; I wasn't exactly sure what you meant in your post but I kind of gathered you want a user to download a file without having the link on the page. Is this right? If so you can do this using the header() function in PHP. Here are some links that you may find useful http://apptools.com/phptools/force-download.php http://uk.php.net/header

This might not help but I added a typecast statement to remove the SQL injection risk. Give it a try and tell us if it works. The error you're getting means that the value in $get_achs is not a valid MySQL result set. <?php $gameid = (int)$_GET['gameid']; // Typecast as int. Remove SQL injection risk $get_achs = mysql_query("SELECT * FROM achievements LEFT JOIN guides on achievements.achid = guide.achid WHERE achievements.gameid = '$gameid'") or die(mysql_error()); if (mysql_num_rows($get_achs) > 0) { while($ach = mysql_fetch_assoc($get_achs)) { echo $ach['guidetext']; } } ?>