Everything posted by RestlessThoughts

  1. There's lots of different ways to sanitize user input. For your specific examples, look at the ctype functions to check if the user enters the correct data. For example, ctype_alpha will return false with anything but letters, while ctype_alnum lets you use letters and numbers (and not things like symbols). For numbers, is_numeric would be a good test, or you could simply type cast it as an (int). See: ctype_alpha, ctype_alnum, is_numeric, integer type casting.
  2. $_SERVER['HTTP_REFERER'] seems to be your best bet, but it can be edited by users. Or have a variable started on the parent page and passed to the iframe (like iframe src="page.php?parent=blah", and then using $_GET in the iframe), though this can also be edited by users, or the parent page stored in a $_SESSION variable (which can't be user edited). Why are you wanting to use iframes anyway?
  3. You shouldn't use javascript to solve this problem anyway. I'm sorry, but it doesn't make sense to do it. You should only use javascript to enhance user experience, not for something that's absolutely necessary, especially for something like this. Default values are the best way to go for a search page; it will function just as well as if the form was submitted. If you absolutely must have the parameters in the url, as I said before you should use a header at the very top of the page (before any html) to redirect the page if there's no parameters, or a javascript or meta redirect to do as much.

       if (!isset($_GET['term'])) {
           header('Location: page?term=&submit=Go');
           exit; // stop here so nothing below the redirect is still executed
       }

     This will give you your default values as if the form was clicked on with no changes.
  4. You could also have default values.

       if (!isset($_GET['term']) OR trim($_GET['term']) == '') {
           $_GET['term'] = 'Your Default';
       }

     Or alternatively redirect back to the form page if there are no get values.
  5. You move the file outside your public_html directory (or it may be a folder with your domain name, i.e. yoursite.com); this is normally one directory (folder) up from your site. You should be able to create a new folder (not a sub-domain) where you can't direct your browser to view it by entering the url. If all else fails, use .htaccess or chmod to help prevent anyone from viewing the directory and files within.
  6. Well you could use mod rewrite. Or you could write the link with the variables in it (i.e. <a href="text.com/page.php?term=&submit=Go">link</a>) or use a header('Location: test.com/page.php?term=&submit=Go') to redirect (or javascript or meta tags if you'd prefer). You could also use a form with a 'get' method that directs back to itself through the action part when a user submits it.

       <form action="test.com/page.php" method="get">
  7. Thank you, that looks very interesting! I'm pretty rusty with JS, but that looks very much like what I'm wanting.
  8. Edit: Oops, I'm too slow. Use sessions to keep track of where the user is at. If they haven't answered the question right, send them back to the previous question.

       <?php
       session_start();
       if (isset($_POST['submit'])) {
           $number = $_POST['number'];
           if ($number == "elephant") {
               $_SESSION['question'] = 2;
               header("Location: http://localhost/index-2.php");
               exit();
           }
       }
       ?>

     Then on index-2:

       <?php
       session_start();
       if (!isset($_SESSION['question']) OR $_SESSION['question'] != 2) {
           header("Location: http://localhost/index-1.php");
           exit(); // without this the rest of index-2 is still served after the redirect header
       }
       ?>
  9. Hi! I'd like to allow some user-submitted plugins or custom code bits on pages. I'm basically making an online game generator for dummies and would like to allow some extra customization. Obviously I don't want to offer the full capability of php. I found safer eval and I believe with php's tokenizer I could make a parser to check user-submitted scripts for malicious coding against a white list. (For html cleaning I'd use htmlpurifier, though I haven't found a good solution for any CSS or Javascript yet. The php cleaning seems a larger road block anyway.) I was wondering if anyone here had a better solution? I don't want to make up my own coding language and I would prefer not to have to look over each script before use. I know this is a bad idea in general, sorry if I give anyone a heart attack by my even considering doing this and thank you in advance for any help!
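The tokenizer allow-list the question describes, written out as an added example (not the poster's code and not "safer eval"): every token that is not explicitly listed is rejected, so new syntax fails closed, and the function and constant names allowed are an illustrative assumption, not a recommendation. It is a static gate only; what passes it still needs a time and memory limit when it runs.

```php
<?php
// Added example, not from the thread: allow-list check over PHP's own tokenizer.
function check_snippet(string $code): array {
    $allowedTokens = array_flip([
        'T_OPEN_TAG', 'T_WHITESPACE', 'T_COMMENT', 'T_VARIABLE', 'T_LNUMBER',
        'T_DNUMBER', 'T_CONSTANT_ENCAPSED_STRING', 'T_ECHO', 'T_IF', 'T_ELSE',
        'T_ELSEIF', 'T_FOREACH', 'T_AS', 'T_IS_EQUAL', 'T_IS_NOT_EQUAL',
        'T_IS_IDENTICAL', 'T_IS_NOT_IDENTICAL', 'T_IS_SMALLER_OR_EQUAL',
        'T_IS_GREATER_OR_EQUAL', 'T_BOOLEAN_AND', 'T_BOOLEAN_OR', 'T_STRING',
    ]);
    // Single-character tokens. Deliberately absent: '$' (variable variables),
    // '`' (shell execution) and '"' (interpolated strings can embed calls).
    $allowedChars = array_flip(str_split('(){}[];,=+-*/%<>!.?:'));
    // Bare identifiers may only be these constants and functions (assumed list).
    $allowedNames = array_flip(['true', 'false', 'null', 'strlen', 'strtoupper',
        'strtolower', 'count', 'str_repeat', 'abs', 'max', 'min']);
    $problems = [];
    $prev = null; // previous non-whitespace, non-comment token
    foreach (token_get_all($code) as $tok) {
        if (is_string($tok)) {
            if (!isset($allowedChars[$tok])) {
                $problems[] = "character '$tok' is not allowed";
            }
            // "$f(" is a variable function call, which would bypass the name list.
            if ($tok === '(' && is_array($prev) && $prev[0] === T_VARIABLE) {
                $problems[] = "variable function call on line {$prev[2]}";
            }
            $prev = $tok;
            continue;
        }
        [$id, $text, $line] = $tok;
        $name = token_name($id);
        if (!isset($allowedTokens[$name])) {
            $problems[] = "$name ('$text') on line $line is not allowed";
        } elseif ($id === T_STRING && !isset($allowedNames[strtolower($text)])) {
            $problems[] = "identifier '$text' on line $line is not on the allow list";
        }
        if ($id !== T_WHITESPACE && $id !== T_COMMENT) {
            $prev = $tok;
        }
    }
    return $problems;
}
// Constructed inputs: a harmless snippet, then one using a variable function and $$.
var_dump(check_snippet("<?php \$n = 3; echo str_repeat('*', \$n);")); // empty array
var_dump(check_snippet("<?php \$f = 'phpinfo'; \$f(); \$\$n = 1;"));  // two problems
```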
  10. Just insert all same row values all at once.

        "INSERT INTO `table` (`a`,`b`,`c`) VALUES ('a','b','c')";
        // AKA (the index arithmetic needs braces, or PHP won't interpolate it inside the string)
        "INSERT INTO `table` (`{$fields[$col]}`,`{$fields[$col+1]}`,`{$fields[$col+2]}`) VALUES ('{$fields[$col]}','{$fields[$col+1]}','{$fields[$col+2]}')";
  11. Remember with hidden values that users can edit them. Therefore, if this is going to be a live site, you can assume there will be users who will edit them. Make sure you compensate with plenty of security checks to make sure they're not editing entries they're not allowed to, otherwise you may be sorry.
  12. Have you tried, by chance, sticking your php script into a file, then calling that file into a variable, putting the addslashes or htmlentities function to it and then doing whatever to it, like echoing it out in a textbox? Without really knowing the details, I don't see why that couldn't work just as well for whatever editing/creating you need php to do with the other script.

        $myFile = "file.php";
        if (file_exists($myFile)) {
            $fh = fopen($myFile, 'r');          // open only after checking the file is there
            $theData = fread($fh, filesize($myFile));
            fclose($fh);
            $text = htmlentities($theData);    // escape for HTML so a </textarea> in the file can't break out
            echo "<textarea cols='50' rows='20'>$text</textarea>";
        } else {
            echo "Nope, file not found.";
        }

      Best of luck to you, hope you find and squash your bugs soon.
  13. Put your stack of inputs inside a variable then in an array. Then every time you click the duplicate button, have some code to stick another copy of the input variable in the array. Then just loop through the array, echoing out the input stacks. This will also keep your inputs in line when sticking them in a database (or whatever else you're doing with them), as the first set of inputs would be like $myvar[0], the second $myvar[1], etc. Just make sure that you change your variable names in your input form to fit the array format, i.e. name='hyperlink[]'. Well I'm too tired to give code, but maybe you understand what I'm getting at?
  14. No, The Little Guy, in this case it doesn't make a difference. You do know that sessions are not a great way to do this; if they close their browser they can just come back and see the video again. Anyway, as MadTechie mentioned you can view source code and find the video url in any browser since you're echoing it out on file1. I'm thinking you can hide the file if you just play the video on file2 instead of on file1, i.e. the embed src code is part of file2 instead of file1. Then I think when viewing the source code they should just see the link to file2, in which case on file2 you just use a server call to fetch the page url and if it's file2 instead of file1 boot them off or give an error instead of playing the video. Then again it may just show the video link anyway. Haven't tested it and I'm very tired and may just be making up gibberish. If they can see the video link, maybe encrypting it and using php to decrypt would work? Just spitballing here.
  15. Nah, that should be enough, there's no SQL that can be done with just lowercase and numbers.
  16. Yeah that's true ignace. But I figured using the if statement would make it easier for them to adapt code to other security issues. And trim just makes it so there's no whitespace around the variable, compulsive habit of mine to add it in. Good luck with your site onthespot.
  17. Last I heard 000webhost was being investigated for fraud and frequently deletes sites (especially game sites) from their servers at random, so I wouldn't suggest using them. There's plenty of other free php hosts out there with better reps, like awardspace or freehostia. What you want done doesn't sound too difficult. There's a couple of free clickable adoptables site scripts out there which should help you get started. You'd only have to modify them to make clicking other pets mandatory then. Hang around the forums of other pet sites like chickensmoothie.com and you'll find them (and other tips on how to create/run such a site). As ignace said, plan out what you want and what needs done. Then you can research tutorials (because no doubt they're already out there) on features or features similar to what you want as needed. For example, if you couldn't find an account creation tutorial, look for a tutorial on sessions, forms and database insertion/retrieval so you could piece it together yourself. And of course, as ignace also said, you can always post problem scripts here for help. That way it's not hopeless if you can't find someone to walk you through it step by step. Because detailed tutorials are much harder than just giving out the script.
  18. I know this topic says solved, but I just had to jump in and mention that, as ignace was trying to point out, there is zero security in this script. :-\ Also, in your first post the variables don't match the query statement. Changing this...

        $userfinal=$_SESSION['username'];
        $user=$userfinal;
        $messageid = $_GET['messageid'];

      to the following would be much safer/better.

        $user = $_SESSION['username'];
        $message_id = trim($_GET['messageid']);
        if (!is_numeric($message_id)) {
            die("Sorry, but that's not a proper message id!");
        }

      This way, your database is better protected and the rest of your code works as written.
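Posts 11 and 18 together make one point: a message id from the user (a GET value or a hidden field, it makes no difference) is validated, and the query itself restricts the row to the logged-in user. The following is an added example of that check, not code from the thread; the table and column names (messages, recipient) and the SQLite in-memory database are assumptions so it runs on its own.

```php
<?php
// Added example, not from the thread: validate the id, then let the WHERE clause
// enforce ownership so a guessed id for someone else's message returns nothing.
function fetch_own_message(PDO $db, string $sessionUser, $rawId): ?array {
    // Reject anything that is not a plain positive integer ("12abc", "1 OR 1=1", "").
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameters, so the id and username are never spliced into the SQL text.
    $stmt = $db->prepare(
        'SELECT id, subject, body FROM messages WHERE id = :id AND recipient = :user'
    );
    $stmt->execute([':id' => $id, ':user' => $sessionUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database and session user (normally set at login).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, recipient TEXT, subject TEXT, body TEXT)');
$db->exec("INSERT INTO messages VALUES (1, 'alice', 'hi', 'first'), (2, 'bob', 'yo', 'second')");
$sessionUser = 'alice';

var_dump(fetch_own_message($db, $sessionUser, '1'));        // alice's own message
var_dump(fetch_own_message($db, $sessionUser, '2'));        // NULL: belongs to bob
var_dump(fetch_own_message($db, $sessionUser, '1 OR 1=1')); // NULL: not an integer
```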
  19. Right, don't need the FOR function, sort() cycles through the whole of the array already. I made the same mistake first time I used sort() too.
  20. Oh my that was stupid of me. No I had not, and now it WORKS! My god you're a genius Sasa! Thank you sooo very much! That was a simple and elegant solution and it works amazingly now, thank you thank you thank you!
  21. Hey cool, that almost worked! Queries now read as follows:

        UPDATE `table` SET `Champion`='Quine', `Reserve Champion`='Steve', `1st`='Bob', `2nd`='Frank', `3rd`='Francies', `4th`='', `5th`='', `6th`='', `7th`='', `8th`='', `9th`='', `10th`='' WHERE `ID` = '0'
        UPDATE `table` SET `Champion`='Filly', `Reserve Champion`='Tester', `1st`='Test', `2nd`='Testing', `3rd`='OMG', `4th`='', `5th`='', `6th`='', `7th`='', `8th`='', `9th`='', `10th`='' WHERE `ID` = '1'
        UPDATE `table` SET `Champion`='Freaking', `Reserve Champion`='Animals', `1st`='Dog', `2nd`='Cat', `3rd`='Meow', `4th`='', `5th`='', `6th`='', `7th`='', `8th`='', `9th`='', `10th`='' WHERE `ID` = '2'

      It's advancing the ID array without repeating everything 100x, yay! Now to only get it to read the proper ID, haha. Thank you for your help Sasa. Might you have any more gems to share?
  22. Thanks but I'm sure that's not the problem, every field is a properly named array as that part of the form code is in a while loop. I've figured out how to print the queries out properly (go me ) so I know the results array is working correctly. The problem seems to be that it's inserting every result into the same ID row. I can't get the ID array to advance properly. These are the query readouts for Show 16:

        UPDATE `table` SET `Champion`='Quine', `Reserve Champion`='Steve', `1st`='Bob', `2nd`='Frank', `3rd`='Francies', `4th`='', `5th`='', `6th`='', `7th`='', `8th`='', `9th`='', `10th`='' WHERE `ID` = '404' LIMIT 1
        UPDATE `table` SET `Champion`='Filly', `Reserve Champion`='Tester', `1st`='Test', `2nd`='Testing', `3rd`='OMG', `4th`='', `5th`='', `6th`='', `7th`='', `8th`='', `9th`='', `10th`='' WHERE `ID` = '404' LIMIT 1
        UPDATE `table` SET `Champion`='Freaking', `Reserve Champion`='Animals', `1st`='Dog', `2nd`='Cat', `3rd`='Meow', `4th`='', `5th`='', `6th`='', `7th`='', `8th`='', `9th`='', `10th`='' WHERE `ID` = '404' LIMIT 1

      And this is my live testing site: clicky I'd really appreciate any help I can get in working this snag out. :-\
  23. Yes, PHP can reload a page without javascript. And it doesn't have to be with a submit button. It can just be a text link, too. There's several ways to code it. One way is like so:

        <?php
        // escape PHP_SELF before echoing it: it can carry user-supplied path info
        $self = htmlspecialchars($_SERVER['PHP_SELF']);
        echo "<form method=\"GET\" action=\"$self\">
        <a href=\"$self?variable=A\">A</a>
        <a href=\"$self?variable=B\">B</a>
        </form>";
        ?>
  24. EDIT: lol everyone beat me to it. Go with Xtopolis' idea. Yes, purely php way to accomplish this. When the form is submitted for the show, php queries the mysql database to insert the data, correct? Just stick a second query right below this query that updates the users table. It'd look something like this: (warning, writing this code off the top of my head!)

        mysql_query("/*code to insert show information into the concert table when successfully submitted*/");
        // $user would be the person logged in, set it with a session variable, their use of a
        // password or whatever else you're using to identify them with.
        $safeUser = mysql_real_escape_string($user);
        $paythem = mysql_query("SELECT Tracker FROM UsersTable WHERE user='$safeUser'") or die(mysql_error());
        $row = mysql_fetch_assoc($paythem); // fetch the row; the result resource itself is not an array
        $newTracker = $row['Tracker'] + 1;
        mysql_query("UPDATE UsersTable SET Tracker=$newTracker WHERE user='$safeUser'") or die(mysql_error());

      That should work to update the Tracker number every time they submit the form.
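The same "insert the show, then bump the user's Tracker" step as an added example (not the poster's code), written so the two queries either both happen or neither does, and so the increment is done by the database rather than read-modify-write (two submissions at once would otherwise both read 5 and both write 6). UsersTable and Tracker are the post's names; the concerts columns and the SQLite in-memory database are assumptions.

```php
<?php
// Added example, not from the thread: transactional insert plus atomic increment
// with bound parameters instead of interpolating $user into the SQL text.
function record_show(PDO $db, string $user, string $showName): int {
    $db->beginTransaction();
    try {
        $insert = $db->prepare('INSERT INTO concerts (user, show_name) VALUES (:user, :show)');
        $insert->execute([':user' => $user, ':show' => $showName]);

        // The database adds 1 to the current value itself, so concurrent submits cannot lose a count.
        $bump = $db->prepare('UPDATE UsersTable SET Tracker = Tracker + 1 WHERE user = :user');
        $bump->execute([':user' => $user]);
        if ($bump->rowCount() !== 1) {
            throw new RuntimeException("no such user: $user");
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack(); // the concert row is undone too, so the count never drifts from the rows
        throw $e;
    }
    $count = $db->prepare('SELECT Tracker FROM UsersTable WHERE user = :user');
    $count->execute([':user' => $user]);
    return (int) $count->fetchColumn();
}

// Constructed in-memory database so the example runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE UsersTable (user TEXT PRIMARY KEY, Tracker INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE concerts (id INTEGER PRIMARY KEY, user TEXT, show_name TEXT)');
$db->exec("INSERT INTO UsersTable (user) VALUES ('alice')");

echo record_show($db, 'alice', 'Spring Show'), "\n"; // 1
echo record_show($db, 'alice', 'Summer Show'), "\n"; // 2
```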