3raser

Everything posted by 3raser

  1. I just fixed a few things (such as there being a posts.titles when that column didn't even exist). I'm starting to think the join command isn't built for what I'm trying to accomplish. In no way can I use a key here. :/
  2. Can you clarify a bit more? Updated query:

         $query = mysql_query("SELECT threads.title,threads.date,posts.date,posts.id FROM threads,posts WHERE threads.username = '$username' AND posts.username = '$username' ORDER BY threads.date,posts.date LIMIT 20") or die(mysql_error());
  3. I've been reading guides that talk about selecting data from multiple tables. I've got a pretty good idea of how these work, but I've been trying something sort of unorthodox in terms of what the tutorial goes over.

     What I'm attempting: I want to select twenty of the most recent posts and threads created by the user from one query. I then want to get that data together, and sort all of them by date.

     I also have a question regarding when I actually echo out the content: Do I have to include the 'tablename.columnname', or can I just do 'columnname'?

     Code:

         <?php
         $query = mysql_query("SELECT threads.title,threads.date,posts.title,posts.date FROM threads,posts WHERE threads.username = '$username' AND threads.posts = '$username' ORDER BY threads.date,posts.date LIMIT 20") or die(mysql_error());

         while($row = mysql_fetch_assoc($query))
         {
         ?>
             <tr>
                 <td></td>
                 <td><a href="#">Test</a></td>
                 <td><a href="#">General</a></td>
                 <td><?php $row['title']; ?></td>
                 <td><a href="#">Show</a></td>
             </tr>
         <?php
         }
         ?>
  4. Thanks, that clears quite a bit up. I read more on the preg_replace documentation and I noticed the use of groups. Yet for some reason the following doesn't work:

         function add_quotes($string, $username)
         {
             if(acc_status($username) == 3)
             {
                 //convert QUOTE BBcode to actual HTML format
                 $string = preg_replace('/\[quote\=(.+?)](.+?)\[\/quote\]/s', "$1 said $2", $code_treated);
             }

             return $string;
         }

         $string =

     I wanted to test the groups, but for some reason I can't get them to replace properly. It just replaces the entire $string with a blank message.

     EDIT: Never mind! I made simple errors in the code above. Solved!
  5. Hia. I want to ask a quick question: Should I be using preg_match or preg_match_all for the following function? Since PHP doesn't support the global & multi-line flag in expressions, my code fails (the if statement) and it returns nope.avi. I know preg_match_all can use globals, but the third argument is a bit confusing.

         function add_quotes($string, $username)
         {
             if(acc_status($username) == 3)
             {
                 if(preg_match('/\[quote=\w+\]/', $string) && preg_match('/\[\/quote\]/', $string))
                 {
                 }
                 else
                 {
                     $string.= '<br/><br/><br/><span style="color:red">NOPE.AVI</span>';
                 }
             }

             return $string;
         }
  6. Ah hah, I got it working. \[quote=[a-zA-Z0-9]+\]
  7. I'm not looking for just quote=b. :/ I'm looking for [tt]
  8. Thank you.
  9. I've decided that knowing a good portion of Regex is a necessity. Sadly, starting out always seems to be the hardest. In the following expression, I attempt to match anything that starts with
  10. I've decided that the best way to go about this is using regex. This is now solved.
  11. I wish to add a quote BBCode to my forums. I'm not asking for code, but I'm asking how I would go about doing this. This is basically the format: [quote=usernamehere] quoted content [/quote] Do you all have any tips going about this? I'm unsure about how I can make my function extract the username and quoted content.
  12. I should have clarified a bit more: $row['type'] is the forum type. 4 means it's a moderator forum, and 5 means it's an administrator forum. The rest are just other forums but still available for everyone to see. And my query:

         //get forums
         $query_two = mysql_query("SELECT `id`,`icon`,`title`,`description`,`type` FROM `forums` WHERE `parent` = '{$row['id']}' ORDER BY `id` ASC");
  13. Link to my code: http://pastebin.com/KUuZ5DqX For some reason, my users can see the administrator and moderator forums. I honestly can't seem to locate the reason for this. The really weird thing about it is that they can't see the forum icons (like a_mod.png and mod.png) that go with that forum. They see the default icon. Any tips on why this is happening? Thanks.
  14. Is it possible to manually edit a SESSION (not cookie) from client side? Sort of how a user can easily edit a cookie's value.
  15. Lately I've been telling myself to start touching up my security when it comes to passwords, so here I am with another question on PHPFreaks. I've read several salting guides, but I still have a few lingering questions. One of which is: once a salt has been created (see my function below), do I store it in a column named "salt" for each user in the "users" table? It seems like if a hacker got a hold of the database information, they could just ignore the salt and go straight to deciphering a user's hashed password. Just curious about that...

     Now, onto my simple function I decided to write to give this a try:

         function generateSalt($username)
         {
             //length of salt
             $char_max = 21;
             $char_list = array('A', 'B', 'C', 'D', 'G', 'Z', rand(0,200), 9, 8, 6, rand(3,55), rand(7, 1444));

             //random numbers and letters will be appended to this variable
             $gen_chars = '';

             for($x = 0; $x < 10; $x++)
             {
                 $gen_chars .= $char_list[rand(0, count($char_list))];
             }

             //random addition to salt
             $gen_chars = hash(sha256, $gen_chars);

             //shorten then hash -- max 5 chars
             $shorten_user = substr(sha1(strpos($username, 0, 3)), 0, 5);

             //salt var
             $salt = $gen_chars.$shorten_user.date('M-d-Y h:m:s');
             $salt = substr(hash(sha256, $salt), 0, $char_max);

             return $salt;
         }

     Any feedback regarding this function? I've read that MD5 isn't really reliable, and people should be using SHA256, so I decided to go with that. I also tried to make each user's salt really random and unique. But how does this affect the user's password or make it any securer if I can't combine the salt and password? I know for a fact that I'm missing a piece of information or doing something wrong, so if anyone could help me out: that'd be very appreciated.
  16. A few months ago, and a good amount of time before that, I had people telling me to use isset() instead of performing to see if the variable is empty, such as: !$_GET[''] I know the differences in the function and what they do, but when could isset() be used in a situation where it's better/more efficient than: !$_GET[''] I do use isset(), though.
  17. I turned error reporting on, but no errors are outputted/returned. But I do do var_dump for both my PDO dbc object and the query_handle:

         object(PDO)#2 (0) {
         }
         object(PDOStatement)#3 (1) {
           ["queryString"]=>
           string(53) "INSERT INTO users VALUES (id, ?, ?, ?, ?, ?, ?, ?, ?)"
         }
  18. Thanks for the replies guys. I did alter my code like so:

         public function processQuery2($query, array $binds, $fetch)
         {
             $query_handle = $this->dbc->prepare($query);
             $query_handle->execute($binds);

             if($fetch == true)
             {
                 return $query_handle->fetchAll();
             }
         }

     Yet, no success. :/
  19. I've been playing around with PDO lately, and I've been trying to get used to the basic functions as I've mentioned in some of my other posts/questions. Recently I switched to the ? bind/token (can't remember what it's called), so I reformatted my processQuery. I've also tried to add in a fetching option in the method, but I can't seem to get anything to work. I've looked up several internet tutorials but it seems like I'm doing everything the same. Yet, the query doesn't seem to run. :/

         $database->processQuery2("INSERT INTO test (test, testa) VALUES (?, ?)", array('noob', 'newb2'), false);

     Now for my method:

         public function processQuery2($query, array $binds, $fetch)
         {
             $query_handle = $this->dbc->prepare($query);

             if(count($binds) > 0)
             {
                 $i = 1;
                 $value = array();

                 foreach($binds as $bind)
                 {
                     $query_handle->bindParam($i, $value[$i]);
                     $value[$i] = $bind;
                     $i++;
                 }
             }

             $query_handle->execute();

             //if($fetch == true)
             //{
                 //return $query_handle->fetchAll();
             //}
         }

     Any reasons to why it's not working? No errors are outputted, either.
  20. *facepalm* Thank you, Thorpe.
  21. Hmm, I understand what you're saying. But do you have any suggestions how I can allow the user class access to the database without creating two different instances of the database class? Such as on index.php, it creates a database object - how would the class also work with that object/instance of the database class without creating another one of its own? I hope I've worded that in an understandable manner. :/
  22. I have a user class that is very dependent on the database class, which is why the user class extends the database. I tried creating a protected method in the parent class called getDBCObject, which returned the database object/variable/handle that I want the user to have access to. I tried the method below, but it doesn't work:

         <?php
         /*
          * @DATABASE
          * ~~~~~~~~~~~~
          * @FILE DESCRIPTION: Handles all database related processes
          * @LAST MODIFIED: April 4, 2012
          */

         class database
         {
             protected $dbc;

             function __construct($db_host, $db_name, $db_user, $db_password)
             {
                 try
                 {
                     $this->dbc = new PDO("mysql:host=$db_host;dbname=$db_name", $db_user, $db_password);
                 }
                 catch(PDOException $e)
                 {
                     echo '<b>An error occured while trying to create a database connection: </b>'. $e->getMessage();
                 }
             }

             /*
              * @METHOD getDBCObject
              * @DESC Gives the $dbc object/variable to its child classes
              */
             protected function getDBCObject()
             {
                 return $this->dbc;
             }
         }
         ?>

     My user class:

         <?php
         /*
          * @DATABASE
          * ~~~~~~~~~~~~
          * @FILE DESCRIPTION: User related proccess
          * @LAST MODIFIED: April 5, 2012
          */

         class user extends database
         {
             protected $dbc;

             public function __construct()
             {
                 if(parent::getDBCObject() == null)
                 {
                     echo '<br/>A database class/connection is required before creating the user class.';
                 }
             }

             public function isLoggedIn()
             {
                 if($_COOKIE['user'])
                 {
                     //soon to come
                 }
                 else
                 {
                     return false;
                 }
             }
         }
         ?>

     Any feedback on how I can let the user class use the $dbc variable in the database class?
  23. Not sure what you're asking there. I said you should be using prepare and bind for your queries if they are not static. Even if they are static queries you could still use prepare if you wanted. Unless your query is static or does not depend on user input in any way, then you should be using prepare/execute and bound parameters as in your processQuery function.
  24. Thanks for this reply. A few questions, though. How come I shouldn't be using the prepare method when it comes to non-static queries? Isn't the point of the prepare statement to filter/clean it? How come that shouldn't be used with the prepare and bind methods?

     =============================

     Also, about my processQuery method. I don't know what the problem is when trying to add multiple binds. Any help on this? I tried modifying my code to this:

         $database->processQuery("INSERT INTO test (id, message) VALUES (null, :message, :title)", array(':message', ':title'), array('rofldslgkdfsklgj', 'tis a title'));

         public function processQuery($query, array $binds, array $assign)
         {
             $query_handle = $this->dbc->prepare($query);
             $i = 0;

             foreach($binds as $bind)
             {
                 $query_handle->bindParam($bind, $value[$i]);
                 $value[$i] = $assign[$i];
                 $i++;
             }

             $query_handle->execute();
         }

     No error is outputted, so... :/
  25. I'm really starting to get used to PDO and some of its basic methods and features. I made a small method in my database class that would run a query like so:

         public function processQuery($query, array $binds, array $assign)
         {
             $query_handle = $this->dbc->prepare($query);
             $i = 0;

             foreach($binds as $bind)
             {
                 $query_handle->bindParam($bind, $value);
                 $value = $assign[$i];
                 $i++;
             }

             $query_handle->execute();
         }

     Which would then be run on any of my webpages like so:

         $database->processQuery("INSERT INTO test (id, message) VALUES (null, :message)", array(':message'), array('rofldslgkdfsklgj'));

     It works. But my question is, should I be using this instead:

         public function insert($query)
         {
             $this->dbc->exec($query);
         }

     Which would then be called like so:

         $database->insert("INSERT INTO test (id, message) VALUES ('lol', 'roflaaaaaaaaaaaa')");

     =========

     My question is: Which one should I use/which is more efficient? Or is it just preference?
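
Added example (not part of any post above and not the poster's code) for the processQuery questions in posts 17 to 19, 24 and 25: a parameterized helper that hands the values to execute() and makes PDO throw on failure, because before PHP 8.0 its default error mode is silent and a failed query reports nothing. The Database class, the sqlite::memory: DSN, the test table and the sample values are assumptions constructed for the demonstration.

```php
<?php
// Added example: the sqlite in-memory database and the "test" table are
// constructed stand-ins for the poster's MySQL setup.
class Database
{
    private PDO $dbc;

    public function __construct(string $dsn)
    {
        $this->dbc = new PDO($dsn);
        // Before PHP 8.0 the default error mode is silent: a failed
        // prepare()/execute() only returns false. Make failures throw.
        $this->dbc->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function processQuery(string $query, array $binds = [], bool $fetch = false): ?array
    {
        $stmt = $this->dbc->prepare($query);
        // execute() accepts the values directly, keyed by position (?)
        // or by name (:message). They travel as data, never as SQL text.
        $stmt->execute($binds);
        return $fetch ? $stmt->fetchAll(PDO::FETCH_ASSOC) : null;
    }
}

$db = new Database('sqlite::memory:');
$db->processQuery('CREATE TABLE test (id INTEGER PRIMARY KEY, message TEXT, title TEXT)');

// Constructed input containing a quote and SQL-looking text: stored literally.
$db->processQuery(
    'INSERT INTO test (message, title) VALUES (:message, :title)',
    [':message' => "it's a message'); --", ':title' => 'tis a title']
);
print_r($db->processQuery('SELECT message, title FROM test WHERE title = ?', ['tis a title'], true));

// Two columns but three values, as in the INSERT from post 24:
// with exceptions enabled the mistake is reported instead of ignored.
try {
    $db->processQuery(
        'INSERT INTO test (id, message) VALUES (null, :message, :title)',
        [':message' => 'a', ':title' => 'b']
    );
} catch (PDOException $e) {
    echo 'Query failed: ', $e->getMessage(), PHP_EOL;
}
```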
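
Added example (not the poster's code) for the salt question in post 15: PHP's password_hash() draws a random per-user salt and stores it inside the string it returns, so no separate salt column or hand-built generator is needed, and password_verify() reads the salt back from that string. The in-memory $users array, the register() and login() helpers and the sample credentials are constructed for illustration.

```php
<?php
// Added example: $users is a constructed in-memory stand-in for a
// "users" table with one password-hash column.
$users = [];
const HASH_OPTIONS = ['cost' => 12];

function register(array &$users, string $username, string $password): void
{
    // A fresh random salt is generated on every call and embedded in the
    // result together with the algorithm identifier and the cost.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    // password_verify() takes salt and cost from $stored, recomputes the
    // hash and compares the two in a timing-safe way.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash on successful login if the configured cost has been raised.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    return true;
}

register($users, 'alice', 'correct horse'); // constructed sample data
register($users, 'bob', 'correct horse');   // same password, other user

// The salt is not secret. Its job is to make equal passwords hash to
// different values, so one precomputed table cannot cover every user.
var_dump($users['alice'] !== $users['bob']);
var_dump(login($users, 'alice', 'correct horse'));
var_dump(login($users, 'alice', 'wrong'));

// bcrypt layout: $2y$<cost>$ followed by a 22-character salt and the hash.
echo substr($users['alice'], 0, 7), ' + salt ', substr($users['alice'], 7, 22), PHP_EOL;
```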