
charleshill
Everything posted by charleshill
-
[SOLVED] Don't Display Image in Blog Excerpt
charleshill replied to JSHINER's topic in PHP Coding Help
http://www.php.net/strip_tags — strip_tags: Strip HTML and PHP tags from a string
-
Ahem.... You can do multiple file uploads like this:

```html
<form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="upload_files[]" value="" />
  <input type="file" name="upload_files[]" value="" />
  <input type="file" name="upload_files[]" value="" />
  <input type="submit" value="Upload" />
</form>
```

Then the PHP can get complicated, because there are lots of checks you'll want to do for file uploads. I do the following just to get a more easy-to-work-with array from $_FILES:

```php
// $key is the name of the upload field, 'upload_files' in this example
$key = 'upload_files';
$files = array();
if (isset($_FILES[$key]) && is_array($_FILES[$key]['tmp_name'])) {
    foreach ($_FILES[$key]['tmp_name'] as $n => $dummy) {
        if (!empty($_FILES[$key]['tmp_name'][$n])) {
            $files[$n] = array(
                'tmp_name' => $_FILES[$key]['tmp_name'][$n],
                'name'     => $_FILES[$key]['name'][$n],
                'size'     => $_FILES[$key]['size'][$n],
                'error'    => $_FILES[$key]['error'][$n],
                'type'     => $_FILES[$key]['type'][$n],
            );
        }
    }
}
```

$key would be 'upload_files' in this example, because the name of the upload field is 'upload_files'. I then do foreach ($files as $file) to process each file individually, making checks like file size, file extension, etc.
-
Most attacks on sites are by bots, not humans... so they'll try everything possible (sending post data and get data). It really doesn't matter if you take the info from $_REQUEST, $_POST, or $_GET... you still have to clean it the same.
-
You need to have a column in the table that contains the timestamp (not a formatted date). I use this code to find the upper and lower limit timestamps of a specific date given in the URL's query string:

```php
// start with false...
$date_valid = false;
$date = isset($_GET['date']) ? explode('_', $_GET['date']) : array();
// reindex and clean the values...
$date = array(
    'day'   => isset($date[2]) ? (int) $date[2] : 0,
    'month' => isset($date[1]) ? (int) $date[1] : 0,
    'year'  => isset($date[0]) ? (int) $date[0] : 0,
);
$first_month = $date['month'];
$last_month  = $date['month'];
$first_day   = $date['day'];
$last_day    = $date['day'];
// numeric values for first and last months...
if (empty($date['month'])) {
    $first_month = 1;
    $last_month  = 12;
    $date['day'] = 0;
    $first_day   = 1;
    $last_day    = 31;
}
// numeric values for the first and last days...
elseif (empty($date['day'])) {
    $first_day = 1;
    // months with 31 days...
    if (in_array($date['month'], array(1, 3, 5, 7, 8, 10, 12)))
        $last_day = 31;
    // months with 30 days...
    elseif (in_array($date['month'], array(4, 6, 9, 11)))
        $last_day = 30;
    // 29 days o rly? (leap year: divisible by 4, except century years not divisible by 400)
    elseif (($date['year'] % 4) == 0 && (($date['year'] % 100) != 0 || ($date['year'] % 400) == 0))
        $last_day = 29;
    // month with 28 days...
    else
        $last_day = 28;
}
// check the date
$date_valid = checkdate($last_month, $last_day, $date['year'])
    && checkdate($first_month, $first_day, $date['year']);
// timestamp for last second of given date...
$date['last_timestamp'] = mktime(23, 59, 59, $last_month, $last_day, $date['year']);
// timestamp for first second of given date...
$date['start_timestamp'] = mktime(0, 0, 0, $first_month, $first_day, $date['year']);
```

Note: the GET variable date should look like this in the URL ..... date=YEAR_MONTH_DAY ... ie date=2009_4_6 for today
-
I use an anti-bot function with a few combined techniques to stop bots from spamming my forms. There are well-designed bots that are capable of defeating a few or several techniques used by web application designers to stop them, but few bots that can get around all of them.

* Minimum time -- load timestamp including microseconds on form page load and compare to the timestamp in microseconds when it was submitted.
* reCAPTCHA -- very effective.
* Bot traps -- create a random number of input fields in the form that are hidden using CSS; if any of these inputs have anything in them, add the user to a "bad bots" database table (IP address among other info) and disallow form submission from them. I haven't used this technique yet...
* Block certain domains in email addresses -- using a regular expression pattern you can separate out the domain name of their email address from the one they submitted and decide if you want to block it or not. mail.ru is a common one used by spammers.
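The "minimum time" and hidden-field "bot trap" checks from the post above, combined into one server-side check. This is an added example, not charleshill's code; it assumes PHP sessions are available, and the 3-second threshold and the field-name scheme are made up for illustration.

```php
<?php
// Added example (not charleshill's code): the "minimum time" and hidden-field
// "bot trap" checks from the post above, combined in one check. Assumes PHP
// sessions; the 3-second threshold and field-name scheme are made up here.
session_start();
const MIN_SECONDS = 3.0;   // a human cannot read and fill a form this fast
const TRAP_FIELDS = 2;     // number of CSS-hidden honeypot inputs to render

// Call when rendering the form: records load time (with microseconds) and the
// random honeypot field names in the session, and returns the names.
function antibot_prepare(): array
{
    $traps = array();
    for ($i = 0; $i < TRAP_FIELDS; $i++) {
        $traps[] = 'f_' . bin2hex(random_bytes(4));   // unguessable per load
    }
    $_SESSION['form_loaded'] = microtime(true);
    $_SESSION['form_traps']  = $traps;
    return $traps;
}

// Call on submission: returns the reasons the request looks automated
// (empty array means it passed). Logging or blocking is left to the caller.
function antibot_check(array $post, array $session, float $now): array
{
    if (!isset($session['form_loaded'], $session['form_traps'])) {
        return array('form was never loaded in this session');
    }
    $reasons = array();
    if ($now - $session['form_loaded'] < MIN_SECONDS) {
        $reasons[] = 'submitted too quickly';
    }
    foreach ($session['form_traps'] as $name) {
        // browsers submit hidden inputs empty; bots tend to fill every field
        if (isset($post[$name]) && $post[$name] !== '') {
            $reasons[] = 'hidden field ' . $name . ' was filled in';
        }
    }
    return $reasons;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reasons = antibot_check($_POST, $_SESSION, microtime(true));
    echo empty($reasons) ? 'ok' : 'blocked: ' . implode('; ', $reasons);
} else {
    echo '<form method="post">';
    foreach (antibot_prepare() as $name) {   // hidden by CSS, visible to a bot
        echo '<input type="text" name="', $name, '" style="display:none" autocomplete="off" />';
    }
    echo '<input type="text" name="msg" /><input type="submit" value="Send" /></form>';
}
```

The reasons array is returned rather than acted on so the caller can decide between logging, the "bad bots" table the post mentions, or a silent reject.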
-
how to get certail value from uri and do if statement?
charleshill replied to superkingkong's topic in PHP Coding Help
http://yoursite.com/script.php?1

For the above URL, you could just do isset($_GET['1']) ... or isset($_GET[1]) might work... I don't use numbers as get variables in URLs. Strings work fine in this manner though...
-
having trouble with foreach and multiple arrays
charleshill replied to fantomel's topic in PHP Coding Help
Here's what I do to normalize the $_FILES array as $files...

```php
// we do this so that even file upload fields that are not arrays are processed as arrays... it's easier
if (!is_array($_FILES[$key]['tmp_name']))
    $_FILES[$key] = array(
        'tmp_name' => array($_FILES[$key]['tmp_name']),
        'name'     => array($_FILES[$key]['name']),
        'size'     => array($_FILES[$key]['size']),
        'error'    => array($_FILES[$key]['error']),
        'type'     => array($_FILES[$key]['type']),
    );
$files = array();
foreach ($_FILES[$key]['tmp_name'] as $n => $dummy)
    if (!empty($_FILES[$key]['tmp_name'][$n]))
        $files[$n] = array(
            'tmp_name' => $_FILES[$key]['tmp_name'][$n],
            'name'     => $_FILES[$key]['name'][$n],
            'size'     => $_FILES[$key]['size'][$n],
            'error'    => $_FILES[$key]['error'][$n],
            'type'     => $_FILES[$key]['type'][$n],
        );
```

$key is just the name of the file upload field(s) in your form.
-
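The per-file checks that the two upload posts above leave as "file size, file extension, etc", run over the normalized $files array they build. This is an added example, not charleshill's code; the size limit, the extension/MIME allowlist and the upload directory are assumptions.

```php
<?php
// Added example (not charleshill's code): the per-file checks the two posts
// above leave as "file size, file extension, etc", run over the normalized
// $files array they build. Size limit and allowlist are assumptions.
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = array(              // extension => MIME type the content must have
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
);

// Returns an error message, or null when the file passes every check.
function check_upload(array $file): ?string
{
    // 1. PHP's own verdict first: size limits, partial uploads, no file at all
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed, error code ' . $file['error'];
    }
    // 2. the tmp path must be one PHP created for this request
    if (!is_uploaded_file($file['tmp_name'])) return 'not an uploaded file';
    if ($file['size'] > MAX_BYTES) return 'file too large';
    // 3. extension comes from the client-chosen name; allowlist, don't blocklist
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return 'extension not allowed';
    }
    // 4. $file['type'] is whatever the client claimed; sniff the bytes instead
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return 'content is ' . $mime . ', not a .' . $ext;
    }
    return null;
}

// Moves accepted files into $dir under server-generated names (the client's
// file name never touches the filesystem) and returns a per-file result.
function process_uploads(array $files, string $dir): array
{
    $results = array();
    foreach ($files as $n => $file) {
        $err = check_upload($file);
        if ($err === null) {
            $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
            $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
            $err  = move_uploaded_file($file['tmp_name'], $dest) ? 'stored as ' . $dest : 'could not store file';
        }
        $results[$n] = $err;
    }
    return $results;
}
```

Call it with the $files array the normalization code builds, e.g. process_uploads($files, '/var/uploads'); the directory should sit outside the web root.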
@ ToonMariner.... ehhh...

```php
<?php
..... lots of code...
?>
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<a href="browse.php?fatherID=<?php echo $subcat['ID']; ?>" title="<?php echo $subcat['Title']; ?>">
<img src="icons_folder/folder.jpg" border="0" alt="<?php echo $subcat['Title']; ?>" />
<?php
....
?>
```

^ not optimal... The following is preferable...

```php
<?php
..... lots of code...
echo '
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<a href="browse.php?fatherID=', $subcat['ID'], '" title="', $subcat['Title'], '">
<img src="icons_folder/folder.jpg" border="0" alt="', $subcat['Title'], '" />';
....
?>
```
-
```php
// select the database
mysql_select_db($database_connC, $connC);
// get a single row from the db table (ck)
$request = mysql_query("SELECT * FROM ck LIMIT 1", $connC) or die(mysql_error());
// for every row of data in the result resource ($request) we do stuff... there should be only 1 though
while ($row = mysql_fetch_assoc($request)) {
    $variables = array();
    $values = array();
    // build the variables and values arrays
    foreach ($row as $field_name => $dummy) {
        // if there is a $_POST variable set for a field, add it to variables and values
        if (isset($_POST[$field_name])) {
            $variables[] = $field_name;
            // we do it this way to ensure that the data is safe for use in a database query
            $values[] = sprintf('\'%1$s\'', mysql_real_escape_string(htmlspecialchars((string) $_POST[$field_name])));
        }
    }
    break;
}
// this frees up memory by destroying the mysql result resource
mysql_free_result($request);
if (!empty($variables))
    /* now we can insert the row into the database using the column names (variables)
       and the corresponding, sanitized post data (values) */
    $result = mysql_query("
        INSERT INTO ck (" . implode(',', $variables) . ")
        VALUES (" . implode(',', $values) . ")", $connC);
```

I added comments...
-
All you have to do is change action="THIS_SCRIPT" to the URL for the script you put this code in:

```php
$errors = array();
$processed = array();
// form was submitted
if (isset($_POST['name'])) {
    if (empty($_POST['name']))
        $errors['name'] = 'Name cannot be blank.';
    if (empty($_POST['msg']))
        $errors['msg'] = 'Message cannot be blank.';
    if (empty($errors)) {
        // no errors occurred... do stuff you'd do upon success of form submission
    }
}
// escape the submitted values before echoing them back into the HTML
$name = isset($_POST['name']) ? htmlspecialchars($_POST['name'], ENT_QUOTES) : '';
$msg  = isset($_POST['msg'])  ? htmlspecialchars($_POST['msg'], ENT_QUOTES)  : '';
echo '
<form action="THIS_SCRIPT" method="post">
<table width="100%">';
// there were errors...
if (!empty($errors))
    echo '
<tr>
<td align="center">The following error(s) occurred:<br />', implode('<br />', $errors), '</td>
</tr>';
echo '
<tr>
<td', isset($errors['name']) ? ' style="color:red;"' : '', '>Name</td>
<td><input type="text" name="name" value="', $name, '"', isset($errors['name']) ? ' style="border:1px solid red;"' : '', ' /></td>
</tr>
<tr>
<td', isset($errors['msg']) ? ' style="color:red;"' : '', '>Message</td>
<td><input type="text" name="msg" value="', $msg, '"', isset($errors['msg']) ? ' style="border:1px solid red;"' : '', ' /></td>
</tr>
</table>
</form>';
```
-
I just installed DevPHP. Looks pretty good. I've tried notepad++ and didn't care for it.
-
What is the purpose of getting all the rows of the table first? Aren't you just trying to insert new row(s) to the table?

edit... I think I figured out what you were trying to do... try this

```php
mysql_select_db($database_connC, $connC);
$request = mysql_query("SELECT * FROM ck ORDER BY id ASC LIMIT 1", $connC) or die(mysql_error());
while ($row = mysql_fetch_assoc($request)) {
    $variables = array();
    $values = array();
    foreach ($row as $field_name => $dummy) {
        if (isset($_POST[$field_name])) {
            $variables[] = $field_name;
            $values[] = sprintf('\'%1$s\'', mysql_real_escape_string(htmlspecialchars((string) $_POST[$field_name])));
        }
    }
    break;
}
mysql_free_result($request);
if (!empty($variables))
    $result = mysql_query("
        INSERT INTO ck (" . implode(',', $variables) . ")
        VALUES (" . implode(',', $values) . ")", $connC);
```
-
[SOLVED] Creating a comma separated file?
charleshill replied to mikebyrne's topic in PHP Coding Help
Where is the data coming from that goes into this file?
-
The logic flow of your script should be as follows.....

* User accesses php script
* Script determines that no data has been submitted via the form yet and displays the form
* User sees blank HTML form in browser, fills it out, and submits it
* User accesses php script again
* Script determines that data has been submitted this time, and processes it accordingly. If successful, do something with the data and then redirect the user to a success page. If it failed, build an array of errors to display and display the form again (without redirecting the user)
* User sees form again, but this time it has error messages
-
```php
function cut_string($str, $length)
{
    return strlen($str) > $length ? substr($str, 0, $length) : $str;
}
```
-
$_GET is a super global in PHP, which means you don't have to declare it as a global or anything like that. If a URL you are using to access a PHP script looks like the following:

http://yoursite.com/script.php?id=1

Then, provided script.php exists in your site's root directory, it will be accessed and you can use $_GET to retrieve the information from the query string of the URL (the ?... part). So in script.php $_GET['id'] would be equal to 1 in this example.

Whenever using information from $_GET, $_POST, $_REQUEST, $_COOKIE you should always assume the data is malicious and shouldn't be trusted. That doesn't mean you can't use it. In this case, if you know that $_GET['id'] should always be an integer, you can use the following to "sanitize" the info you get from it:

```php
$id = (int) $_GET['id'];
```

edit... The code given by Ashoar above is not secure. He has used information from $_GET directly in a mysql query without sanitizing it. That code is highly susceptible to SQL injection. Before using a string in a mysql query you should always use mysql_real_escape_string() on it.
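The two fixes the post describes, shown side by side with the pattern it warns about: casting an id to int, and never splicing a raw $_GET string into SQL text. This is an added example, not charleshill's or Ashoar's code; since the mysql_* functions the post mentions were removed in PHP 7, the string case uses a PDO prepared statement instead of mysql_real_escape_string(), and the table and query-string values are constructed (an in-memory SQLite database stands in for MySQL so it runs offline).

```php
<?php
// Added example (not charleshill's code): the two fixes the post describes,
// casting an id to int and never splicing raw $_GET strings into SQL. The
// mysql_* functions it mentions are gone in PHP 7, so the string case uses a
// PDO prepared statement. In-memory SQLite stands in for MySQL (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// UNSAFE: the pattern the post warns about. The query-string value becomes
// part of the SQL text, so anything in it is interpreted as SQL, not data.
function find_user_unsafe(PDO $db, string $id): array
{
    return $db->query("SELECT id, name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE for integers: after the cast nothing but digits can reach the query.
function find_user_by_id(PDO $db, string $id): array
{
    $id = (int) $id;
    return $db->query("SELECT id, name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE for strings: the value travels as a bound parameter, never as SQL text.
function find_user_by_name(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed values standing in for $_GET['id'] / $_GET['name']
$honest  = '1';
$crafted = '1 OR 1=1';   // the textbook probe: one row expected, every row returned

printf("unsafe, honest input:  %d row(s)\n", count(find_user_unsafe($db, $honest)));   // 1
printf("unsafe, crafted input: %d row(s)\n", count(find_user_unsafe($db, $crafted)));  // 2: whole table leaks
printf("cast, crafted input:   %d row(s)\n", count(find_user_by_id($db, $crafted)));   // 1: (int)'1 OR 1=1' is 1
printf("bound, crafted input:  %d row(s)\n", count(find_user_by_name($db, "alice' OR '1'='1")));  // 0
```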
-
MySQL Update miltiply form Inputs to a database
charleshill replied to Tiltan's topic in PHP Coding Help
I still have no clue what you're actually trying to do...
-
Ok I just looked at your post.php.... You have to store the forum_id (board_id) of threads when you post them. Otherwise it's impossible to determine where they belong.
-
In board.php.... change:

```php
$info="SELECT * from post_reply where parentid='0' order by lastrepliedto DESC";
```

to:

```php
$info="SELECT * FROM post_reply WHERE parentid='0' AND forum_id = " . (int) $_GET['id'] . " ORDER BY lastrepliedto DESC";
```

$_GET['id'] is in the URL used to access the script (ie... yoursite.com/board.php?id=1)
-
MySQL Update miltiply form Inputs to a database
charleshill replied to Tiltan's topic in PHP Coding Help
Please do not make us guess what you're trying to achieve... What exactly do you want this code to do for you?
-
If all you want is to read the contents of a file into an array... just use file() You only need to serialize the resulting array if you want to insert it into a database table.
-
Well if you're trying to store an array in a database table, you need to turn it into a string. I use serialize() to convert complex or associative arrays into a string before insertion into a database table. You will have to use unserialize() on the string when you retrieve it from the database table to convert it back to its array form.
-
You can use a timestamp column to order things by their date. You can also order them using their month and year columns... ORDER BY year DESC, month DESC Haven't ever done it, but I'd imagine you can use any number of columns to order the data with... So try ORDER BY year DESC, month DESC, day DESC too if you want.
-
You can make that form with HTML and DHTML (View page source and then look at the onclick attribute in the HTML tag around the Leave a comment checkbox). The actual processing of the form could be done with PHP. If you explain more specifically what parts of this you are having difficulties with I can help you.