mrMarcus

Everything posted by mrMarcus

  1. I don't see where you're passing your recipients ($to) to the mail handler. Small, but annoying... why do this:

         $string2 = $email . "@yahoo.com" . "," . $email2 . "@yahoo.com" . "," . $email2 . "@hotmail.com";
         $to = $string2;

     Just do:

         $to = $email . "@yahoo.com" . "," . $email2 . "@yahoo.com" . "," . $email2 . "@hotmail.com";

     EDIT: my bad, I see that you're passing $string2. Confusion with your choice in variable names.
  2. OP, just look at the line numbers for the errors. Line 13:

         if ($_POST['email'] && ...

     You must check if index 'email' has been set within the $_POST array:

         if (isset($_POST['email']) && ...

     Follow that logic for line 16, and any other instances that might arise.
  3. Apply that same logic throughout the rest of your code. An undefined index means that index does not (yet) exist.
  4. This is true. Leave the hidden field empty and check whether that field has an added value during form submission rather than trying to remove that value. Another trick that works like a charm is setting a timer from page load to form submission. Bots burn through forms/sites as quick as possible, where a human might take several to many seconds before successfully submitting a form. For example:

         <?php
         session_start(); // required before $_SESSION can be used

         $_SESSION['start_time'] = time();

         if (isset($_POST['submit'])) {
             $current_time = time();
             if (!empty($_POST['start_time'])) {
                 if (($current_time - $_POST['start_time']) < 5) { // 5 is number of seconds differential; change as you see fit
                     // someone/something has submitted this form in under 5 seconds from reaching the page
                     // probably a bot
                     exit(0);
                 }
             }
         }
         ?>
         <form action="" method="post">
             <input type="hidden" name="start_time" value="<?php echo $_SESSION['start_time']; ?>"/>
             <!-- other form fields -->
             <input type="submit" name="submit"/>
         </form>
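
A variant of the timing check and empty hidden field from the post above, as an added example that is not part of the original post: the render time is kept in the session under a one-time token instead of being read back from the hidden field, because a client can submit any value it likes there. The field names `website` and `form_token`, the helper names and the plain array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example, not code from the thread. Field and function names are assumptions.
const MIN_FILL_SECONDS = 5; // same threshold as the post; tune per form

/** Call when rendering the form: record the render time server-side. */
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_issued'][$token] = $now;
    return $token; // goes into <input type="hidden" name="form_token">
}

/** Returns a reason string when the submission looks automated, null when it passes. */
function bot_check(array &$session, array $post, int $now): ?string
{
    // Honeypot: the field is hidden from people with CSS, so any value was put there by a script.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $token = $post['form_token'] ?? '';
    if (!is_string($token) || !isset($session['form_issued'][$token])) {
        return 'unknown or reused token';
    }
    $issued = $session['form_issued'][$token];
    unset($session['form_issued'][$token]); // one submission per rendered form
    if ($now - $issued < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    return null;
}

// Constructed demo: fixed clock values and an array in place of $_SESSION.
$session = [];
$t0 = 1700000000;

$tok = issue_form_token($session, $t0);
var_dump(bot_check($session, ['form_token' => $tok, 'website' => ''], $t0 + 2));   // posted 2 s after render

$tok = issue_form_token($session, $t0);
var_dump(bot_check($session, ['form_token' => $tok, 'website' => ''], $t0 + 12));  // posted 12 s after render
var_dump(bot_check($session, ['form_token' => $tok, 'website' => ''], $t0 + 20));  // same token sent again
var_dump(bot_check($session, ['form_token' => 'abc', 'website' => 'x'], $t0 + 20)); // hidden field has a value
```
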
  5.     if (!$_post['field'])

     $_post should be in CAPS across all instances where it's in lowercase (within your form, as well):

         if (!$_POST['field'])

     And email/telephone have not been set, yet you're echo'ing them out within the form. You need to first determine whether they're set variables before attempting to access their value.

         <td><input type=text size=30 name="email" value="<?php echo (isset($_POST['email']) ? $_POST['email'] : ''); ?>"> </td>
  6. You can set the script timezone like so:

         date_default_timezone_set('America/Toronto');
         $timezone = date_default_timezone_get();
         echo date('c');

     Or you can change your timezone directly in your php.ini which will affect all scripts. See: http://php.net/manual/en/function.date-default-timezone-set.php and List of Supported Timezones
  7. Site does not render in IE7.
  8. Is this "social network" niche driven or are you trying to compete with Facebook (bad idea)? Can't comment on the site, otherwise, as you seem to have taken it offline.
  9. Well, you must establish a connection to the database at some point. Your queries simply won't execute without one. "MySQL server has gone away" can be caused from a number of things.
  10. Seriously, man. Just check your error logs (or enable error logging if not already enabled). Could be something as simple as a syntax error in includes/application_top.php, but we'd never know it.
  11. Shouldn't isn't the same as can't. Don't rely on that. Checking both the MIME type and extension are in no way guarantees of safety. OP doesn't need to worry about this, however, as he's not storing files on his server.
  12. He's obviously registered that function name as a trademark
  13. My bad. I assumed you were also hosting the said files.
  14. That's a bold statement. An .exe file can be uploaded as a .jpg and renamed back to .exe on the server (with gained permissions) and executed. It is quite possible, so I am not absolutely wrong about that. Simply checking the extension is not enough... if you care about system integrity. However, I am a bit off-topic here as I thought he was addressing files that currently resided on the server. So, for simple URL validation, simply checking the extension should suffice.
  15. Replace your query block with the following:

          $sql = "
              UPDATE quote_tbl SET
                  contact_id='".$row_Info['contact_id']."',
                  F1='".$row_Info['F1']."',
                  contact_contact='".$row_Info['contact_contact']."',
                  contact_FirstName='".$row_Info['contact_FirstName']."',
                  contact_LastName='".$row_Info['contact_LastName']."',
                  contact_Phone='".$row_Info['contact_Phone']."',
                  contact_phone2='".$row_Info['contact_phone2']."',
                  contact_Fax='".$row_Info['contact_fax']."',
                  contact_Street1='".$row_Info['contact_Street1']."',
                  lawn_size='".$row_Info['lawn_size']."',
                  quote_visitFee='".$_POST['visitFee']."',
                  quote_visitsPerDay='".$_POST['visitDay']."',
                  quote_hoursPerDay='".$_POST['dailyHours']."',
                  quote_timePerVisit='".$_POST['timePerVisit']."',
                  quote_gasCostPerDay='".$_POST['gasPerDay']."',
                  quote_smallMaint='".$_POST['smallMaint']."',
                  quote_largeMain='".$_POST['largeMain']."',
                  quote_largeMainPerYear='".$_POST['costPerYear']."',
                  quote_speader='".$_POST['speader']."',
                  quote_tank='".$_POST['Tank']."',
                  quote_wands='".$_POST['wands']."',
                  quote_Ins='".$_POST['insCost']."',
                  quote_insCostPerYear='".$_POST['insPerYear']."',
                  quote_vehicle='".$_POST['vehicleCost']."',
                  quote_vehicleCostPerYear='".$_POST['vehiclePerYear']."',
                  quote_liabilityIns='".$_POST['liabilityCost']."',
                  quote_liabilityCostPerYear='".$_POST['liabilityPerYear']."',
                  quote_WandTDay='".$_POST['WandTCost']."',
                  quote_WandTperVisit='".$_POST['WandTperVisit']."',
                  quote_LabourPerJob='".$_POST['labourPerJob']."',
                  quote_managementAdmin='".$_POST['ManagementAdmin']."',
                  quote_PervisitCost='".$_POST['perVisitCost']."'
              WHERE contact_id='".$_GET['Client']."'
          ";

          if ($result = mysql_query($sql)) {
              if (mysql_affected_rows() > 0) {
                  // update successful; do something;
              }
              else {
                  // update NOT successful; do something;
              }
          }
          else {
              echo $sql .'<br/><br/>'. mysql_error();
          }
  16. Are these paths to files being stored on your server? What I mean is: are these paths to files that have been uploaded to your server by public users? That's why I suggested you check the MIME type of the file. I had just assumed the files were present on the server and not just standalone URLs.
  17. Then just manipulate your code to ensure the correct values are being placed in the option value: <option value=\"$city_key\">...</option>
  18. Update the following:

          WHERE contact_id='".$_GET['Client']."'");

      To:

          WHERE contact_id='".$_GET['Client']."'") or die(mysql_error());

      So you can see if your query is failing and why.
  19. Just checking the file extension does not offer any real additional security. You want to check the signature/MIME type.
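
A sketch of the signature/MIME check the posts above refer to, added here as an example and not taken from the thread: PHP's `finfo` inspects the leading bytes of the content, and the file is accepted only when the detected type is on an allow-list and agrees with the extension. The allow-list, the function name and the sample byte strings are assumptions, and as post 11 says, passing this check is one layer and not a guarantee of safety.

```php
<?php
// Added example, not code from the thread. Allow-list and names are assumptions.
const ALLOWED_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

/**
 * $bytes is the uploaded content (for a real upload, read it from
 * $_FILES[...]['tmp_name']); $clientName is the name the client supplied.
 */
function check_upload(string $bytes, string $clientName): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);           // detected from content, not from the name
    $ext   = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    $exts = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($exts === null) {
        return ['ok' => false, 'mime' => $mime, 'reason' => 'content type not on allow-list'];
    }
    if (!in_array($ext, $exts, true)) {
        return ['ok' => false, 'mime' => $mime, 'reason' => 'extension does not match content'];
    }
    // Never reuse the client's name on disk: generate one and take the
    // extension from the detected type, so the file cannot be stored as .exe or .php.
    $storeAs = bin2hex(random_bytes(16)) . '.' . $exts[0];
    return ['ok' => true, 'mime' => $mime, 'store_as' => $storeAs];
}

// Constructed sample inputs: file headers only, not real files.
$png = "\x89PNG\r\n\x1a\n\0\0\0\rIHDR";
$samples = [
    ['photo.png', $png],                          // PNG content, PNG name
    ['photo.jpg', "MZ" . str_repeat("\0", 64)],   // executable header behind a .jpg name
    ['photo.jpg', $png],                          // image content, mismatched extension
    ['anim.gif',  "GIF89a\x01\0\x01\0"],          // GIF content, GIF name
];
foreach ($samples as [$name, $bytes]) {
    echo $name, ' => ', json_encode(check_upload($bytes, $name)), "\n";
}
```

Storing accepted files outside the web root, or in a directory where the server will not execute anything, covers the case where a file still gets past the content check.
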
  20. If you read it, you'd know the answer to your question.
  21. I'm glad it is for somebody. Unless the issue is something that pops right out, this could be an all-day guessing game. You need to ensure error_reporting is on and errors are being logged. That way, we've got something to work with.
  22. That's not your issue. See my last post for your issue. You're not understanding how form submissions work.
  23.     $location = $_POST['city_key'];

      That's the problem. city_key does not exist in your form. Only <select> can have a name attribute. <option> does not. <option> contains value="" which is what is passed through the form submission. You need to grab the value of the selected option like so:

          $location = $_POST['choose_city'];

      Furthermore, you need to sanitize your form data before blindly tossing it into a query. See mysqli_real_escape_string
  24. Just by checking the source code of the link you provided, your script cuts short immediately following </head>. So, it is likely that your PHP code is tripping up there.