Everything posted by Jakebert

  1. This is how I generate my first form. $results is where I keep the category headers (e.g. President, Vice-President) and $results2 is where the options are for those categories (e.g. Mitt Romney, Barack Obama, Joe Biden, Nameless Faceman, etc.)

     <?php while ($results2 = mysqli_fetch_assoc($sql2)) { ?>
         <?php // the radio's value is what comes back in $_POST; escape DB values before putting them into HTML ?>
         <input type="radio" name="<?php echo htmlspecialchars($results['name']); ?>" value="<?php echo htmlspecialchars($results2['value']); ?>" />
         <?php echo htmlspecialchars($results2['value']); echo "<br />"; ?>
     <?php } ?>

     My question is: how can I create a process_vote.php form if I don't know how many fields I'm going to get in $_POST? Based on the link he clicked, he could get one category with just two options, or six categories with six options each. Is it easier to send the form back to the same file, or make another file?
  2. I'm trying to grab the current time of the user's computer and compare it to two date times in the database. The dates in the database are stored in this format: "2012-06-24 00:00:00". This is the code I have:

     // today's date
     $date = new DateTime();
     // format it the same way as the DB columns ('Y-m-d H:i:s') so the strings can be compared
     $now = date_format($date, 'Y-m-d H:i:s');
     while ($output = mysqli_fetch_assoc($info)) {
         // let's check the open and close dates
         // (as written, this condition is true when now is after open_date OR before close_date)
         if (($now > $output['open_date']) || ($now < $output['close_date'])) {
             echo "There are no ballots for you at this time.";
         } else {
             echo $output['display_name'];
             echo "<br />";
             echo $output['open_date'];
             echo "<br />";
         }
     }

     There's got to be a problem with the comparison line... I just can't tell what it is. Also, where can I move the "there are no ballots for you at this time" so that it doesn't echo for every ballot?
  3. You are correct! Thanks for finding that for me!
  4. This is a silly question about functions. Why does this code:

     <?php
     // connect to the database
     $host = "localhost";
     $DBuser = "root";
     $DBpassword = "";
     $database = "ksu";
     $connection = new mysqli($host, $DBuser, $DBpassword, $database);
     if ($connection->connect_error) {
         die('Connection Error (' . $connection->connect_errno . ') ' . $connection->connect_error);
     }

     function getUserGroups($id)
     {
         // inside the function, $connection is a (never assigned) local variable, not the one created above
         $query = $connection->query("SELECT group_id FROM group_membership WHERE user_id = " . $id); // this is line 20, where the error gets thrown
         $results = mysqli_fetch_assoc($query);
         return $results;
     }
     ?>

     Throw this error:

     Notice: Undefined variable: connection in C:\wamp\www\KSU\connect.php on line 20

     There must be a really obvious answer I'm missing.
  5. Sorry to be so dense but since the second and third queries are based on the results of their predecessors, how would multiquery work?
  6. Is there a less complicated/neater way to do this:

     <?php
     // the first query selects the group_ids that the user belongs to from the cross-reference table
     $groups = $connection->query("SELECT group_id FROM group_membership WHERE user_id = '$user'");
     while ($info = mysqli_fetch_assoc($groups)) {
         // 2nd query: what ballots are members of those groups eligible for? (from the groups/ballots cross-reference table)
         $ballots = $connection->query("SELECT ballot_id FROM group_ballots WHERE group_id = " . $info['group_id']);
         while ($finfo = mysqli_fetch_object($ballots)) {
             // 3rd query: get the info of the ballots from query 2
             $search = $connection->query("SELECT * FROM ballots WHERE id = " . $finfo->ballot_id);
             $output = mysqli_fetch_assoc($search);
             echo $output['display_name'];
             echo "<br />";
             echo $output['open_date'];
         }
     }
     ?>

     I'd also like to be able to echo out a "nothing found" message if any of those comes up with 0 results. Maybe my table design could be neater?
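The three nested loops in post 6 (and the "how would multiquery work" question in post 5) collapse into a single JOIN, which also gives one place to test for an empty result and lets the open/close window from post 2 be checked on the database clock instead of by comparing formatted strings in PHP. This is an added example, not code from the thread; it assumes the table and column names used in the posts (group_membership, group_ballots, ballots) and a mysqli connection.

```php
<?php
// Added example (not from the thread). Assumed schema, taken from the posts:
//   group_membership(user_id, group_id)
//   group_ballots(group_id, ballot_id)
//   ballots(id, display_name, open_date, close_date)

/**
 * Return the ballots a user may vote on, one row per ballot even when the
 * user reaches it through several groups (DISTINCT). With $onlyOpen the
 * open/close window is evaluated by MySQL on its own clock and in the
 * column's own type, so there is no string comparison of dates in PHP.
 */
function eligibleBallots(mysqli $db, int $userId, bool $onlyOpen = true): array
{
    $sql = 'SELECT DISTINCT b.id, b.display_name, b.open_date, b.close_date
              FROM group_membership gm
              JOIN group_ballots gb ON gb.group_id = gm.group_id
              JOIN ballots b        ON b.id = gb.ballot_id
             WHERE gm.user_id = ?';
    if ($onlyOpen) {
        $sql .= ' AND NOW() BETWEEN b.open_date AND b.close_date';
    }
    $sql .= ' ORDER BY b.open_date';

    // The user id travels as a bound parameter, separate from the SQL text,
    // so whatever it contains cannot alter the query.
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($id, $name, $open, $close);   // works without mysqlnd

    $ballots = [];
    while ($stmt->fetch()) {
        $ballots[] = [
            'id'           => $id,
            'display_name' => $name,
            'open_date'    => $open,
            'close_date'   => $close,
        ];
    }
    $stmt->close();
    return $ballots;
}

// Usage: the "nothing found" case is a single check on the returned array.
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'ksu');   // assumed credentials
// $ballots = eligibleBallots($db, (int) $_SESSION['id']);
// if ($ballots === []) {
//     echo "There are no ballots for you at this time.";
// } else {
//     foreach ($ballots as $b) {
//         echo htmlspecialchars($b['display_name'], ENT_QUOTES, 'UTF-8'), "<br />",
//              htmlspecialchars($b['open_date'],    ENT_QUOTES, 'UTF-8'), "<br />";
//     }
// }
```

Because the query runs once, the message prints once; an empty array is the only signal needed, whichever of the three tables has no matching row.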
  7. Oh, I get what you mean. Well, yes, that part is easy and I imagine would be fairly simple to control. I guess what I'm asking is: are there any obvious or easy ways to break into a database or do a MySQL injection if all you have is a website with no textboxes? (since they only get radio buttons). As long as I make the database admin username and password complicated, is there any way for someone with some technical experience (e.g. annoying first-year computer science students) to break in?
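The radio buttons in the form from post 1 constrain nothing: the browser is the attacker's, and a POST can carry any field names and any values, including SQL fragments or an option id that belongs to a different category. The answer to post 7 is therefore to treat the request as a claim and check every key and value against what the server already knows before it touches the database. The following is an added example, not code from the thread or its author; it assumes radio inputs named vote[<category_id>] with the option id as the value (so $_POST['vote'] is an array keyed by category), and hypothetical tables categories(id, ballot_id, name) and options(id, category_id, value).

```php
<?php
// Added example (not from the thread). Assumed form layout:
//   <input type="radio" name="vote[<category_id>]" value="<option_id>">
// Assumed tables: categories(id, ballot_id, name), options(id, category_id, value).

/**
 * Load the allowed (category_id => [option_id => true]) map for one ballot.
 * Only pairs present in this map may ever be recorded.
 */
function loadAllowedOptions(mysqli $db, int $ballotId): array
{
    $stmt = $db->prepare(
        'SELECT c.id, o.id FROM categories c
           JOIN options o ON o.category_id = c.id
          WHERE c.ballot_id = ?'
    );
    $stmt->bind_param('i', $ballotId);
    $stmt->execute();
    $stmt->bind_result($categoryId, $optionId);
    $allowed = [];
    while ($stmt->fetch()) {
        $allowed[$categoryId][$optionId] = true;
    }
    $stmt->close();
    return $allowed;
}

/**
 * Validate a submitted ballot against the allowed map. Works on plain arrays,
 * so it runs without a database and can be unit-tested.
 * Returns [category_id => option_id]; throws on anything unexpected.
 */
function validateChoices(array $allowed, array $posted): array
{
    $choices = [];
    foreach ($posted as $category => $option) {
        // keys and values must be plain decimal integers; "11 OR 1=1" fails here
        if (!ctype_digit((string) $category) || !ctype_digit((string) $option)) {
            throw new InvalidArgumentException("malformed field: $category=$option");
        }
        $category = (int) $category;
        $option   = (int) $option;
        // the option must belong to that category on this ballot
        if (!isset($allowed[$category][$option])) {
            throw new InvalidArgumentException("option $option is not valid for category $category");
        }
        $choices[$category] = $option;
    }
    // every key in $choices was proven to exist in $allowed, so equal counts
    // means every category on the ballot has exactly one choice
    if (count($choices) !== count($allowed)) {
        throw new InvalidArgumentException('every category must have exactly one choice');
    }
    return $choices;
}

// Demo on a constructed allowed map (two categories, not from a database).
// In process_vote.php: $allowed = loadAllowedOptions($db, $ballotId);
//                      $choices = validateChoices($allowed, $_POST['vote'] ?? []);
$allowed = [1 => [10 => true, 11 => true], 2 => [20 => true, 21 => true, 22 => true]];
print_r(validateChoices($allowed, ['1' => '11', '2' => '20']));   // accepted

$tampered = [
    ['1' => '11 OR 1=1', '2' => '20'],        // injection attempt in a "radio" value
    ['1' => '20', '2' => '21'],               // option 20 belongs to category 2, not 1
    ['1' => '11'],                            // category 2 left out
    ['1' => '11', '2' => '20', '9' => '1'],   // category 9 is not on this ballot
];
foreach ($tampered as $posted) {
    try {
        validateChoices($allowed, $posted);
        echo "accepted?!\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Once the choices are reduced to integers the server generated itself, the INSERT can still use a prepared statement; the validation is defence in depth, and the parameter binding is what makes the query text immune to the value. Whether the form posts back to the same file or to process_vote.php makes no difference to this check.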
  8. Well I'm the only person registering people (i.e. I get the list of potential voters and add them all manually), so yeah, I think we can make it that everyone only votes once. I actually think it would be unethical for me to be able to see who voted what (I run the elections)- is there a way to get the total results but keep me from seeing the individual votes?
  9. I figured this should go here: feel free to move it if it's in the wrong place. I wanted to discuss potential security issues and features that should be in an online voting platform (to be used for student council elections and such). Apart from hashing passwords, how would one go about reducing the possibility of fraud (either via MySQL injection, or some other nefarious device)? I'm afraid I'm not very experienced with security. I know some of the paid software packages give every voter a special ID for each ballot they fill out, and that the numbers aren't actually stored in a database, but I have NO clue how to do that. Does anyone have any experience with this?
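Posts 8 and 9 ask for the same property from two sides: the organiser should be able to see that a person has voted (and stop a second vote) without being able to see what they voted, and the "special ID per ballot that isn't stored" is one way to get there. The idea is a random per-voter, per-ballot token; the database keeps only a hash of it, and the vote rows carry no user column. This is an added example rather than code from the thread; it assumes PHP 7+ and two hypothetical tables described in the comments.

```php
<?php
// Added example (not from the thread). Assumed tables:
//   ballot_tokens(ballot_id, user_id, token_hash CHAR(64), used TINYINT)
//   votes(ballot_id, category_id, option_id)   -- no user column, no id, no timestamp
// The voter is handed the token once; only its hash is stored, and nothing in
// the votes table points back to a person.

/** 256 random bits from the CSPRNG, as 64 hex characters. */
function newToken(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * What the database keeps. Plain SHA-256 is adequate here because the input
 * is 256 bits of randomness: there is no dictionary of likely tokens to try,
 * unlike a password, which needs a slow, salted hash.
 */
function tokenHash(string $token): string
{
    return hash('sha256', $token);
}

/**
 * Issue a token to one voter for one ballot. The plaintext is returned so it
 * can be given to the voter; it is not written anywhere on the server.
 */
function issueToken(mysqli $db, int $ballotId, int $userId): string
{
    $token = newToken();
    $hash  = tokenHash($token);
    $stmt  = $db->prepare(
        'INSERT INTO ballot_tokens (ballot_id, user_id, token_hash, used) VALUES (?, ?, ?, 0)'
    );
    $stmt->bind_param('iis', $ballotId, $userId, $hash);
    $stmt->execute();
    $stmt->close();
    return $token;
}

/**
 * Record already-validated choices ([category_id => option_id]) for a token.
 * Marking the token used and writing the votes happen in one transaction, so
 * a token is either fully consumed or untouched. Returns false for a token
 * that is unknown or was used before (the "vote only once" rule).
 */
function castBallot(mysqli $db, int $ballotId, string $token, array $choices): bool
{
    $hash = tokenHash($token);
    $db->begin_transaction();
    try {
        // 0 affected rows: no such token, or it has already been spent
        $stmt = $db->prepare(
            'UPDATE ballot_tokens SET used = 1
              WHERE ballot_id = ? AND token_hash = ? AND used = 0'
        );
        $stmt->bind_param('is', $ballotId, $hash);
        $stmt->execute();
        $consumed = ($stmt->affected_rows === 1);
        $stmt->close();
        if (!$consumed) {
            $db->rollback();
            return false;
        }
        $ins = $db->prepare(
            'INSERT INTO votes (ballot_id, category_id, option_id) VALUES (?, ?, ?)'
        );
        foreach ($choices as $categoryId => $optionId) {
            $ins->bind_param('iii', $ballotId, $categoryId, $optionId);
            $ins->execute();
        }
        $ins->close();
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }
}

/** Totals per option: [category_id => [option_id => count]]. Nothing here joins back to a voter. */
function tally(mysqli $db, int $ballotId): array
{
    $stmt = $db->prepare(
        'SELECT category_id, option_id, COUNT(*) FROM votes
          WHERE ballot_id = ? GROUP BY category_id, option_id'
    );
    $stmt->bind_param('i', $ballotId);
    $stmt->execute();
    $stmt->bind_result($categoryId, $optionId, $count);
    $totals = [];
    while ($stmt->fetch()) {
        $totals[$categoryId][$optionId] = $count;
    }
    $stmt->close();
    return $totals;
}
```

Two caveats a practitioner would want stated. First, the votes table must not get an AUTO_INCREMENT id or a timestamp, or the order of its rows can be matched against the order in which tokens were marked used. Second, this keeps the organiser honest through the schema, not through cryptography: anyone with direct database access who also logs request metadata can still correlate, so keep web-server and application logs free of the token and of the chosen options.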
  10. You can actually insert PHP variables into MySQL queries by placing single quotes around them like this:

     <?php
     // note: $username and $password are pasted straight into the SQL string, so a value
     // containing a quote changes the query (SQL injection), and the password is compared in plaintext
     $sql = mysql_query("SELECT COUNT(*) FROM login_test WHERE username = '$username' AND password = '$password'");
     $rows = mysql_fetch_array($sql);
     ?>

     The code above will look through your table and see how many rows exist with the username and password entered. If the number is one (i.e. the login was correct), then you can log them in:

     <?php
     if ($rows[0] == 1) {
         print("Welcome back, friend!");
     } else {
         print("You aren't logged in!");
     }
     ?>

     Hope that answers your question!
  11. Hi everyone, I'm having a lot of trouble writing this particular page, which is the voting page. Essentially, I want everyone to vote once, but they can change their votes. The page is set up like this currently. I've tried to include comments so that it makes sense. I'm having particular trouble with the javascript controlling the changing of votes. I'd also appreciate any general coding suggestions so that this code isn't as much of a monstrosity. I know this is a killer - I hope I'm not wasting anyone's time!

     <?php
     // when they vote using the form further down the page, this triggers
     // (note: this runs before the logged-in check further down, so it also runs for a POST without a session)
     // If they voted yes
     if (isset($_POST['aye'])) {
         // check that they haven't voted yes before
         $numrows = get_rows("votes WHERE `bid`=" . $bid . " AND `uid`=" . $user . " AND `vote`=1");
         // if they've voted yes before
         if ($numrows > 0) {
             echo "<script type='text/javascript'> alert('You can only vote for a bill once'); window.location='home.php'</script>";
         } else {
             // check to see if they've voted at all
             $votedbefore = get_rows("votes WHERE `bid` = '$bid' AND `uid` = '$user'");
             // if they've voted the other way before, emit a confirm() and open an else-block in the JavaScript;
             // the PHP below still runs straight away, so the database is updated before the user answers the dialog
             if ($votedbefore > 0) {
                 echo "<script language=\"Javascript\" type=\"text/javascript\"> var r=confirm('Change your vote?'); if (r==false){ document.location.href='vote.php';}";
                 echo "else {";
             }
             // now, change the DB information to match their vote
             // (the earlier NAY row is not removed and nays is not decremented here)
             $votes = $oldayes + 1;
             $edit = mysql_query("UPDATE bills SET ayes = '$votes' WHERE status = 'at vote'");
             $record = mysql_query("INSERT INTO votes (bid, uid, vote) VALUES ('$bid', '$user', 1);");
             echo "</script><script language=\"Javascript\" type=\"text/javascript\"> alert(\"Your vote has been recorded\");document.location.href='home.php'; </script>}";
         }
     }

     // do the whole damn thing over again if they clicked the no button
     if (isset($_POST['nay'])) {
         $numrows = get_rows("votes WHERE `bid`=" . $bid . " AND `uid`=" . $user . " AND `vote`=0");
         if ($numrows > 0) {
             echo "<script type='text/javascript'> alert('You can only vote for a bill once'); window.location='home.php'</script>";
         } else {
             $votes = $oldnays + 1;
             $edit = mysql_query("UPDATE bills SET nays = '$votes' WHERE status = 'at vote'");
             $record = mysql_query("INSERT INTO votes (bid, uid, vote) VALUES ('$bid', '$user', 0);");
             echo "<script language=\"Javascript\" type=\"text/javascript\"> alert(\"Your vote has been recorded\");document.location.href='home.php'; </script>";
         }
     }

     // first we need to make sure that the user is logged in
     if (isset($_SESSION['uid'])) {
         // display that info
         echo "<strong>" . $row['title'] . "</strong><br/>";
         echo $row['subtitle'];
         echo "<br/>Tabled by: " . $row2['first'] . " " . $row2['last'];
         echo "<br/><br/>";
         echo $row['body'];
         echo "<table><tr><td style='color:green'>AYES: <b>" . $oldayes . "</b></td>";
         echo "<td style='color:red'>NAYS: <b>" . $oldnays . "</b></td></tr></table>";
     ?>
     <form action="vote.php" method="post">
         <input type="submit" name="aye" value="AYE" />
         <input type="submit" name="nay" value="NAY" />
     </form>
     <?php
     } else { // they aren't logged in
         echo "<script language=\"Javascript\" type=\"text/javascript\"> alert(\"You are not logged in!\");document.location.href='index.php'; </script>";
     }
     ?>
  12. Hi everyone, I'm trying to design a mock parliament: there is a bill up for vote, everyone may vote once (either AYE or NAY), but they can switch their vote. I tried it with a table VOTES with columns for BILLID (the id of the bill up for vote), USERID (the user voting) and VOTE (what they voted). The actual number of votes for each bill is stored in table BILLS. In the PHP processing the form, I have to check everything twice, i.e. did they click yes or no? If they clicked yes, have they clicked yes before? Have they voted no before? If they voted yes before, display an error; if they voted no before, remove one from nay and add one to aye, and then update table VOTES. And then all over again if they voted no. It looks like spaghetti. Can anyone think of an easier/more compact way to do this?
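The double bookkeeping in posts 11 and 12 (a VOTES row per user plus running counters in BILLS, and two mirrored branches for AYE and NAY) comes from letting the application enforce "one vote per user per bill". If the database enforces it with a unique key, a changed vote is a single upsert and the counters are derived rather than stored. This is an added example, not the thread's own code; it assumes a unique key on (bid, uid) in the votes table and a logged-in user id in the session, as in the posts.

```php
<?php
// Added example (not from the thread). Assumed table:
//   CREATE TABLE votes (bid INT NOT NULL, uid INT NOT NULL, vote TINYINT NOT NULL,
//                       UNIQUE KEY one_vote_per_user (bid, uid));
// vote is 1 for AYE and 0 for NAY. Totals are computed from this table, so
// there is no ayes/nays column in bills to keep in step with it.

/**
 * Record or change a user's vote on a bill. The UNIQUE(bid, uid) key makes
 * a second vote by the same user replace the first instead of adding a row:
 * "vote once, but may switch" in one statement, with no pre-check queries.
 * Returns 'new', 'changed' or 'unchanged'.
 */
function recordVote(mysqli $db, int $bid, int $uid, int $vote): string
{
    if ($vote !== 0 && $vote !== 1) {
        throw new InvalidArgumentException('vote must be 0 (nay) or 1 (aye)');
    }
    $stmt = $db->prepare(
        'INSERT INTO votes (bid, uid, vote) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE vote = VALUES(vote)'
    );
    $stmt->bind_param('iii', $bid, $uid, $vote);
    $stmt->execute();
    // MySQL reports 1 affected row for a fresh insert, 2 when the existing
    // row was changed, and 0 when it already held the same value.
    $affected = $stmt->affected_rows;
    $stmt->close();
    if ($affected === 1) {
        return 'new';
    }
    return $affected === 2 ? 'changed' : 'unchanged';
}

/** Current tally for a bill: ['ayes' => n, 'nays' => m]. */
function tally(mysqli $db, int $bid): array
{
    $stmt = $db->prepare('SELECT SUM(vote = 1), SUM(vote = 0) FROM votes WHERE bid = ?');
    $stmt->bind_param('i', $bid);
    $stmt->execute();
    $stmt->bind_result($ayes, $nays);
    $stmt->fetch();
    $stmt->close();
    return ['ayes' => (int) $ayes, 'nays' => (int) $nays];   // SUM() is NULL with no rows
}

// Request handling sketch for vote.php: check the session before doing any
// database work, and accept only the two buttons the form actually has.
// session_start();
// if (!isset($_SESSION['uid'])) { header('Location: index.php'); exit; }
// if (isset($_POST['aye']) || isset($_POST['nay'])) {
//     $outcome = recordVote($db, (int) $bid, (int) $_SESSION['uid'], isset($_POST['aye']) ? 1 : 0);
//     header('Location: home.php'); exit;
// }
// $counts = tally($db, (int) $bid);
```

The "Change your vote?" confirm belongs on the form (an onsubmit handler that checks whether the user already has a row), not interleaved with the server-side writes: by the time the browser shows the dialog the PHP has already finished, so a confirm emitted from the handler can only ever redirect, never undo.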
  13. BRILLIANT! database field was too short. it boggles my mind how you guessed that. You sir, are a gentleman and a scholar.
  14. This is the strangest thing.

     <?php
     $sql = "SELECT password FROM users WHERE username='$user'";
     $query = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
     $rows = mysql_fetch_array($query);
     $correctHash = $rows['password'];
     echo $correctHash . "<br />";
     $salt = substr($correctHash, 0, 64);   // first 64 hex chars = the 32-byte salt
     echo $salt . "<br />";
     $testHash = $salt . hash("sha256", $salt . $pass);   // same salt + hash layout as the stored value
     echo $testHash . "<br />";
     if ($testHash == $correctHash) {
         // login OK
     }
     ?>

     And the results of the echoes are:

     7c3396065c8e7758f8afdeb57c53349e // $correctHash (password in the DB)
     7c3396065c8e7758f8afdeb57c53349e // $salt
     7c3396065c8e7758f8afdeb57c53349e1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $testHash (password the user entered)

     which means that the SALT and the password in the DB are the same..... what in the name of Valhalla?! Here's how I made the password in the DB.

     <?php
     $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
     $hash = hash("sha256", $salt . $password); // prepend the salt, then hash
     $final = $salt . $hash;   // 64 + 64 = 128 hex characters
     ?>
  15. Aha! That worked. Can anyone figure out why this keeps throwing the "incorrect login" info? This is how I'm hashing the password on registration:

     <?php
     $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
     $hash = hash("sha256", $salt . $password); // prepend the salt, then hash
     $final = $salt . $hash;
     ?>

     And this is how I'm hashing it in the login:

     <?php
     if ($user && $pass) {
         $sql = "SELECT password FROM users WHERE username='$user'";
         $query = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
         $row = mysql_fetch_array($query);
         $correctHash = $row['password'];
         $salt = substr($correctHash, 0, 64);        // stored value is salt (64 hex) followed by hash (64 hex)
         $validHash = substr($correctHash, 64, 64);
         $testHash = hash("sha256", $salt . $pass);
         if ($testHash == $validHash) {
             $sql = "SELECT id,username FROM users WHERE username='$user'";
             $query = mysql_query($sql) or die(mysql_error());   // run the query before fetching from it
             $row = mysql_fetch_assoc($query);
             $_SESSION['id'] = $row['id'];
             $_SESSION['username'] = $row['username'];
             echo "<script type='text/javascript'>window.location='home.php'</script>";
         } else {
             echo "<script type='text/javascript'> alert('Username and password combination is incorrect'); window.location='index.php'</script>";
         }
     } else {
         echo "<script type='text/javascript'> alert('Please enter a username AND a password'); window.location='index.php'</script>";
     }
     ?>

     I'm sure I've mixed up one of the salts or something... gr.
  16. Sorry about the double reply! For some reason I can't edit posts anymore.

     $sql = "SELECT password FROM users WHERE username='$user'";
     $correctHash = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());

     That returns "Resource id #5". Ummmm. Yeah. That's definitely not the stored value.
  17. Ha! Well, you were right either way! While we're on the topic of hashing passwords and SQL queries, can anyone tell me if this is the correct way to verify a password (i.e. login) using the same hash as above? I think I'm misusing substr(), or at least that's what it tells me.

     <?php
     if ($user && $pass) { // if they have entered both a username and a password
         $sql = "SELECT password FROM users WHERE username='$user'";
         // the password is stored as a hash with a salt
         // (mysql_query() returns a result resource here, not the value of the password column)
         $correctHash = mysql_query($sql) or die(mysql_error());
         $salt = substr($correctHash, 0, 64);
         $validHash = substr($correctHash, 64, 64);
         $testHash = hash("sha256", $salt . $pass);
         if ($testHash == $validHash) {
             $sql = "SELECT id,username FROM users WHERE username='$user'";
             $query = mysql_query($sql) or die(mysql_error());
             if (mysql_num_rows($query) == 1) {
                 // log them in
             }
         }
     }
     ?>
  18. Hmmm. Well, when I took the single quotes off the field names the error went away, so hooray!
  19. Hi gang! Here's what I'm trying to do:

     <?php
     // the user has just signed up, and their password is stored in $password
     // we hash that
     $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
     $hash = hash("sha256", $salt . $password); // prepend the salt, then hash
     $final = $salt . $hash;
     // and then insert their info into the DB
     // (the column list is written with single quotes, which MySQL parses as string literals, not column names)
     $sql = "INSERT into users ('first', 'last', 'username, 'password', 'email') VALUES ('$first','$last','$username','$final','$email');";
     $query = mysql_query($sql) or die(mysql_error());
     ?>

     The error that is coming up is:

     You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''first', 'last', 'username, 'password', 'email') VALUES ('FirstName','LastName','Username','67de' at line 1

     Anyone have any inkling as to what the problem could be? Appreciate it! (Suggestions on coding structure/hashing are also appreciated.)
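Posts 10, 14, 15, 17 and 19 are all the same two problems seen from different angles: values interpolated into SQL (usernames, and in post 10 the password itself, compared in plaintext) and a hand-rolled salt-plus-SHA-256 layout that has to be split with substr() and gets silently truncated when the column is too short (post 13). The following is an added example, not code from the thread; it assumes PHP 7.1+ for password_hash()/password_verify() and the nullable return type, and a users table with the columns named in post 19 where password is at least VARCHAR(255).

```php
<?php
// Added example (not from the thread). Assumed table:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY, first VARCHAR(64), last VARCHAR(64),
//                       username VARCHAR(64) NOT NULL UNIQUE, password VARCHAR(255) NOT NULL,
//                       email VARCHAR(255));
// password_hash() output is at most 255 characters for PASSWORD_DEFAULT, so the column never truncates.

/**
 * Register a user. password_hash() draws its own per-user salt and returns a
 * single self-describing string (algorithm, cost, salt, digest), so there is
 * nothing to prepend, nothing to split with substr(), and a slow, tunable
 * hash (bcrypt by default) instead of one fast SHA-256 round.
 */
function registerUser(mysqli $db, string $first, string $last, string $username, string $password, string $email): int
{
    $stored = password_hash($password, PASSWORD_DEFAULT);
    // Column names are identifiers: backticks or nothing, never single quotes.
    // Values are bound, never pasted into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO `users` (`first`, `last`, `username`, `password`, `email`) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $first, $last, $username, $stored, $email);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Check a login. Returns ['id' => ..., 'username' => ...] on success, null otherwise.
 * The username is a bound parameter, so a value such as  ' OR '1'='1  is looked up
 * literally instead of rewriting the WHERE clause, and the password never goes
 * to the database at all: the stored hash comes back and is verified in PHP.
 */
function loginUser(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name, $stored);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Spend the same time as a real check so response timing does not
        // reveal which usernames exist. The dummy hash is built once per process.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }
    if (!password_verify($password, $stored)) {   // constant-time comparison inside
        return null;
    }
    // If the default algorithm or cost has been raised since this hash was made,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new  = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $stmt->bind_param('si', $new, $id);
        $stmt->execute();
        $stmt->close();
    }
    return ['id' => (int) $id, 'username' => $name];
}

// Usage sketch for the login handler (assumed $db is a connected mysqli):
// session_start();
// $user = loginUser($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($user === null) { /* show "Username and password combination is incorrect" */ }
// else {
//     session_regenerate_id(true);        // new session id on privilege change
//     $_SESSION['id'] = $user['id']; $_SESSION['username'] = $user['username'];
//     header('Location: home.php'); exit;
// }
```

Two details worth noting against the thread's code: the second SELECT in posts 15 and 17 is unnecessary, since the id and username come back with the hash in one query; and `==` between a computed and a stored hash is replaced by password_verify(), which compares in constant time.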
  20. Here's my problem, I hope someone can help me see the error! When I go to edit a student, the information comes up in the form fine. When I try to submit the form I get three PHP notices:

     A PHP Error was encountered
     Severity: Warning
     Message: Missing argument 1 for Students::edit()
     Filename: admin/students.php
     Line Number: 72

     A PHP Error was encountered
     Severity: Notice
     Message: Undefined variable: sid
     Filename: admin/students.php
     Line Number: 94

     A PHP Error was encountered
     Severity: Notice
     Message: Undefined variable: sid
     Filename: admin/students.php
     Line Number: 97

     Those are all in the controller. Here is the relevant code (sorry that there's so much). This is the index page (controller):

     function manage()
     {
         $data = $this->students->students(); // List the students
         $this->table->set_heading('ID', 'First', 'Last', 'Age', 'Gender', 'Level'); // Setting headings for the table
         foreach ($data as $value => $key) {
             // Build action links
             $actions = anchor("admin/students/edit/" . $key['sid'] . "/", "Edit") . anchor("admin/students/delete/" . $key['sid'] . "/", "Delete");
             // Adding row to table
             $this->table->add_row($key['sid'], $key['fname'], $key['lname'], $key['age'], $key['gender'], $key['level'], $actions);
         }
         $this->auth->view('students/manage'); // Load the view
     }

     Here's the edit controller (in students):

     function edit($sid)
     {
         $this->form_validation->set_rules('fname', 'First Name', 'trim|required');
         $this->form_validation->set_rules('lname', 'Last Name', 'trim|required');
         $this->form_validation->set_rules('age', 'Age', 'trim|required|numeric');
         $this->form_validation->set_rules('gender', 'Gender', 'required');
         $this->form_validation->set_rules('level', 'Level', 'trim|required');
         if ($this->form_validation->run() == FALSE) {
             $data = $this->students->fetch($sid);
             $this->auth->view('students/edit', $data[0]);
         } else {
             $data['fname'] = set_value('fname');
             $data['lname'] = set_value('lname');
             $data['age'] = set_value('age');
             $data['gender'] = set_value('gender');
             $data['level'] = set_value('level');
             // run the update once and branch on its result (calling edit() twice updated the row twice)
             if ($this->students->edit($sid, $data) == 1) {
                 $this->auth->view('students/edit_success');
             } else {
                 echo 'There was an error with the update process. Sorry!';
             }
         }
     }

     and the data model:

     function fetch($sid)
     {
         $query = $this->db->get_where('students', array('sid' => $sid));
         return $query->result_array();
     }

     function edit($sid, $data)
     {
         $this->db->where('sid', $sid);
         $this->db->update('students', $data);
         return $this->db->affected_rows();
     }

     and FINALLY the edit view:

     <fieldset>
     <legend>Personal Information</legend>
     <?php echo form_open('admin/students/edit'); // the form posts to /edit with no sid segment in the URL ?>
     First Name: <?php echo form_input('fname', set_value('fname', $fname)); ?>
     Last Name: <?php echo form_input('lname', set_value('lname', $lname)); ?>
     <?php echo form_error('fname'); echo form_error('lname'); ?>
     <br /><br />Age: <?php echo form_input('age', set_value('age', $age)); ?>
     <?php echo form_error('age'); ?>
     <br /><br />
     Gender: <?php echo form_radio('gender', set_value('male', 'Male')); ?> Male
     <?php echo form_radio('gender', set_value('female', 'Female')); ?> Female
     <?php echo form_error('gender'); ?>
     </fieldset>
     <fieldset>
     <legend>Swimming Information</legend>
     Level: <?php echo form_input('level', set_value('level', $level)); echo form_error('level'); ?>
     </fieldset>
     <?php echo form_submit('submit', 'Edit Student'); echo form_close(); ?>

     Thank you for the help!
  21. I was with you up to the third table... Is there somewhere I could learn about that?
  22. Hi, I'm having a brain block figuring out how I'm going to arrange my database for an app I've been developing for a while (with several failed attempts). Here's the low-down:

     - Students take classes
     - Instructors teach classes
     - Students have report cards
     - Instructors write report cards

     I've tried having the following tables:

     - students
     - instructors
     - classes
     - report cards

     but the problem I end up with is when students sign up for more than one class. I can't figure out if students should belong to classes or the other way round. Can anyone think of an ideal design for this structure? Thanks!
  23. OK, here's the problemo:

     Controller:

     <?php
     class Student extends Controller {
         function index()
         {
             $site['main_content'] = 'student_admin_view';
             $this->load->library('pagination');
             $this->load->library('table');
             $this->load->model('students_model');
             //$this->table->set_heading('Id', 'The Title', 'The Content');
             $config['base_url'] = 'http://localhost:8888/ci/index.php/student/index';
             $config['per_page'] = 10;
             $config['num_links'] = 20;
             $config['full_tag_open'] = '<div id="pagination">';
             $config['full_tag_close'] = '</div>';
             $config['total_rows'] = $this->students_model->getRows();
             $this->pagination->initialize($config);
             $data['records'] = $this->students_model->paginate($config);
             $this->load->view('student_admin_view', $data);
         }
     }

     Model:

     <?php
     class Students_model extends Model {
         function getAll()
         {
             $q = $this->db->get('students'); // same thing as SELECT * FROM students
             if ($q->num_rows() > 0) {
                 foreach ($q->result() as $row) {
                     $data[] = $row;
                 }
                 return $data;
             }
         }

         function add_student($data)
         {
             $this->db->insert('students', $data);
             return;
         }

         function update_student($id, $data)
         {
             $this->db->where('id', $id);
             $this->db->update('students', $data);
         }

         function delete_row()
         {
             $this->db->where('id', $this->uri->segment(3)); // id comes straight from the URL
             $this->db->delete('students');
         }

         function getRows()
         {
             // return the count; without the return, total_rows in the controller is NULL
             return $this->db->get('students')->num_rows();
         }

         function paginate($config)
         {
             // likewise return the rows, otherwise $records in the view is NULL
             return $this->db->get('students', $config['per_page'], $this->uri->segment(3))->result();
         }
     }

     And view:

     <html...blah blagh blah>
     <h2>Read</h2>
     <div id="container">
     <?php echo $this->table->generate($records); ?>
     <?php echo $this->pagination->create_links(); ?>

     Here's what appears on index/student. Anyone know why this is happening?
  24. Hmm... OK, I see what you're saying. Here's my issue now. Forget about instructors for now, let's focus on students. So I have a Student class:

     <?php
     // PHP 5
     // USER class
     class User {
         public $fname;
         public $lname;
         public $bday;
         public $gender;
     }

     // STUDENT class
     class Student extends User {
         public $sid;
         public $level;

         // define methods
         public function __construct($fname, $lname, $gender, $bday, $level)
         {
             $this->fname = $fname;
             $this->lname = $lname;
             $this->gender = $gender;
             $this->bday = $bday;
             $this->level = $level;
         }
     }

     I also have a "front" page (the one the user sees) called add_student.php. Is this necessary? Should I just have a manage_student.php and have all the actions as methods? Here's what I have now.

     <?php
     // PHP 5
     // Test
     include 'database.inc';
     include 'bizlog.php';
     if (isset($_POST['submit'])) {
         $fname = $_POST['fname'];
         $lname = $_POST['lname'];
         $bday = $_POST['bday'];
         $gender = $_POST['gender'];
         $level = $_POST['level'];
         $new_student = new Student($fname, $lname, $gender, $bday, $level);
         echo $new_student->fname;
         echo $new_student->lname;
     } else {
         // on a first visit these are not set yet; default them so the value="" attributes are empty
         $fname = isset($fname) ? htmlspecialchars($fname) : '';
         $lname = isset($lname) ? htmlspecialchars($lname) : '';
         echo '<form action="" method="post">';
         echo 'First Name: <input type="text" name="fname" value="' . $fname . '"/>';
         echo '<br />';
         echo 'Last Name: <input type="text" name="lname" value="' . $lname . '"/>';
         echo '<br />';
         echo 'Birthday: <input type="text" name="bday" />';
         echo '<br />';
         echo 'Male: <input type="radio" name="gender" value="male"/>';
         echo 'Female: <input type="radio" name="gender" value="female"/>';
         echo '<br />';
         echo 'Level: <input type="text" name="level" />';
         echo '<input type="submit" name="submit" /> </form>';
     }
     ?>

     Then I have a third page that connects to the database, but I'll leave that headache for later. I'm not sure what should go into a class and what should stay on the "view" page.
  25. It's 1AM, and I am tired. Someone tell me if I'm on the right track. Supervisors have shifts. Shifts have classes. Classes have students and an instructor. Students have levels, report cards, and parent contacts. Instructors have qualifications and write report cards & PCs. Supervisors can edit instructors, assign them to classes, ditto students. Does that mean that I need a class for Supervisors, shifts, classes, students, instructors, levels, report cards, parent contact, qualification, report card writer, PC writer, instructor manager, student manager, DEATH I am confuzzled.