HPWebSolutions

What I mean is, don't do mysql_real_escape_string on variables you are going to be inserting into the database dozens of lines of code before the sql query, which can happen in larger applications. Always do the the escaping right as you're doing the query so you are 100% certain that everything going into the MySQL query is properly escaped. For example, instead of doing $num = mysql_real_escape_string($_POST['num']); // 20 more lines of code mysql_query("UPDATE num SET value=$num, someField=$num WHERE id=1;"); do this instead: $num = $_POST['num']; // 20 more lines of code mysql_query("UPDATE num SET value='".mysql_real_escape_string($num)."'. someField=".mysql_real_escape_string($num)." WHERE id=1;"); or: $num = $_POST['num']; // 20 more lines of code $set_pairs = 'value='.mysql_real_escape_string($num).', someField='.mysql_real_escape_string($num); mysql_query("UPDATE num SET $set_pairs WHERE id=1;");

No problem, let me know if you have any more trouble.

Is switching web hosts an option? I support it on our shared web hosting accounts. I don't think it is too unusual of a thing, as there is a ton of software out there that requires encryption to run. I run WHMCS, which is encrypted, with no problems on our server. You can read more about our hosting plan at http://hpwebsolutions.com/Web-Site-Hosting.html. The prices aren't the cheapest because our market is people who require a ton of support which increases costs tremendously. If you can't encrypt the software then there's not really any other way to secure the source code other than not providing it to the customer. You could manage all of the instances of your software on your own server that only you have ftp access to.

Does the user have to be logged in to look at the page? If so, you could store the number of times they looked at a particular page that day in a database, and stop them from looking at it anymore that day if they exceed the threshold. If they aren't going to be logged in, you could store a $_SESSION variable with data in it regarding the number of times the user looked at each page, and deny access to the page if they have looked at it too many times. The key will be checking these values before displaying any page.

You are very welcome, glad I could help. As far as mysql_real_escape_string goes, I'm not sure how you regulate usernames, but for instance if a user had a username that could inject sql into your db, such as '; DROP TABLE users; -- then you might have a problem. That may not be a good example, but I hope you see what I mean. To be on the safe side, I use it every single time I make a db query. You'll always want to use it right before or in the query on the query string to ensure that everything is escaped and that you didn't miss something.

One potential solution is that you could use AJAX to call each process separately, notifying the user that the processes have been started using some javascript. You could even use a javascript progress bar to update the user on the status of the job. It would be somewhat complicated to do this, but not impossible.

In the second set of code, under the dashed line, It looks like your value for city is still the value of venue, is that what you mean to do? Also, when you take the OR venue.... out of the query, are you also removing the second parameter "GetSQLValueString("%" . $colname2_venue . "%", "text")"?

It's difficult to diagnose a 500 server error without having access to it and the code. Basically, all it means is that the server has met an error it doesn't know how to handle. What are you doing right before you get the error?

I should also mention that you will probably want to use mysql_real_escape_string before performing any DB query to prevent possible SQL injection attacks. Note that you may experience conflicts if you have magic_quotes turned on in your PHP configuration file, which automatically escapes certain characters. It has been recommended by the PHP devs not to rely on magic_quotes, which is officially deprecated as of PHP 5.3.

change "select * from scouts" to "select * from scouts where username = '".$_SESSION['userName']."'"

I haven't used the Paypal shopping cart recently, but I'd assume that you can use a javascript function to submit the one form when the other is submitted. You would need to look into submitting forms with javascript. You could use document.formname.submit();

Hi Luke, Can you please post the HTML and PHP code for your website's form? I suspect it might have to do with the name your are giving to each field. Is the input name being duplicated for each field? Also, please post the code snippet that is inserting into the second database. Do you have a live website where I can see this in action?

Yes, Search Engine Optimization is certainly needed to improve the traffic and conversions on a website. If you aren't convinced by the above posts, you can try a little experiment that could have dramatic effects on your placings in the search engines: just optimize your title tags. Right now, this is one of the biggest factors in ranking well on google. Optimize your titles and then see where your website is placing in the search engines for your keywords.

I haven't been on in a few days. Have you gotten this to work yet? If not, please post the current code snippet you are using to get it out of the database.

There are two easy options. 1, just do all of the work in subscribe.php, both subscribing and unsubscribing. 2, pass the variables in the url uinsg key=>value parameters, and then pull them out using the $_GET array. i.e.: header ("Location: unsubscribe.php?email=".$email_address."value2=".$value2);

There are a few issues I see with this implementation. 1)The meta refresh at the top of the page. If you want to redirect the user to thankyoupage.html, verify that both the captcha is valid AND the user filled out the form correctly, and then use the PHP call header("Location:http://www.myurl.com/thankyoupage.html");. So you'll want to use an $error variable that you set to true if there was an error filling out the form, and then check that value before sending the email. If there was an error, don't try to send the mail. Note that if you are using the function header(), it has to be done before you send any output to the browser. 2)You call htmlentities on $name, $email, and $message but then you look for the < and > characters, which won't be able to exist after calling htmlentities on them. 3)Your email validation won't actually verify the email is correct, it could be the symbol @ and pass muster, but that's okay if you're happy with it. 4)You require www. to determine if the website address is valid, but some domains actually don't work, for one reason or another, with www. Probably very few, and it's usually because of a server side error, but an issue to think about.

The problem is that after you verify the captcha in the PHP code and redirect to GoDaddy's cgi script used to send the email, the cgi script does not get the values posted by the form. Only the first place you post the form to will get the values of the form. http://phpmailer.worxware.com/ has a good piece of software called PHP-Mailer FE that makes it easy to email posted forms. There are some examples in the 'examples' folder that you can learn from. You would want to verify the captcha and send the email all before redirecting anywhere.

Hi insejn, You could use 'www.website.com/index.php?page=home' and then check $_GET['page'] to determine what web site content to display. Use this: if( $_GET['page']=='home' || !isset($_GET['page') ) { echo "..the content for this page"; } elseif ( $_GET['page'] == 'products' ) { echo "product page"; } A switch statement would work nicely here.

I'd like to recommend not echo'ing the source tags, only echo the values you need in the code. There are a few reasons for this. 1) a good IDE has syntax highlighting for the html code. 2) a good IDE can help you find errors in your HTML code, such as unclosed tags, and can't do this if you are echoing the tags. 3) It is a lot easier for the developer to read the HTML code in the server side source, even without syntax highlighting, when the HTML code is separated from the PHP. 4) It makes it a lot easier to change up the layout of the page later on. If you put a whole bunch of \t and \n formatting tags into your code, it is probably going to become an eyesore to read and debug. For example: <? foreach($array as $key=>$val) { echo '<tr><td>The value of '.$key.' is: </td><td>'.$val.'</td></tr>'; } /* becomes easier to read: */ foreach($array as $key=>$val) { ?> <tr><td>The value of <?php echo $key; ?> is: </td><td><?php echo $val; ?></td></tr>; <? } ?>

I haven't used GoDaddy in a while, but they probably have support for encrypted PHP programs so you wouldn't need to install your own software. Try contacting their customer service department.

http://php.net/manual/en/language.oop5.reflection.php got me started, haven't needed anything else.

The simple way to remove align=left from the feed is as follows: $feed = str_replace('align=left','',$feed); $feed would be the string containing the content of the feed. Do you have a question on actually pulling the feed into the $feed variable from the other web site, or do you have that covered?

Why not just insert the username or id into the URL after doing a SQL query to find out what the id or username is of the page you are linking to? Would that solve your question?

Use the $_POST array if you are submitting your form with post, otherwise use $_GET if($_POST['name'] == 'google.com'){ // do something }

The problem is that when the form is submitted you are posting the field with name product[bGS-110003-400]. What PHP sees looks like an array and you end up with a multidimensional array with 'product' as the first key and 'BGS-110003-400' as the second. So what you'll want to do to get that value is use it as a multidimensional array. You would use $_POST['product']['BGS-110003-400'] to access the posted value for this particlar field. Many things in web site design often operate a little differently from what you would expect (case in point: CSS). Make sure you don't use any funny characters in your array names as well.