sonnieboy

  1. sonnieboy

    My app is constantly being hacked. Please help!

    First of all, why did you bring mac_gyver into this? My comment was intended for YOU, not him. Read his comments, read requinix's comments. They are pointing out what they thought are issues with my app getting hacked. They are pointing me in the right direction. I don't have problems with those constructive criticisms. You remind me of a guy I used to work with who has a tendency to act like he knows everything and everybody else knows nothing but never offers real solutions to issues. Anyway, requinix, if you don't mind, is this the code where I need to restrict file types that can be uploaded? Your suggestion makes a lot of sense.

    public function AddFiles($name = 'item') {
        // If the files array has been set
        if(isset($_FILES[$name]['name']) && !empty($_FILES[$name]['name'])) {
            // Remove empties
            $_FILES[$name]['name'] = array_filter($_FILES[$name]['name']);
            $_FILES[$name]['type'] = array_filter($_FILES[$name]['type']);
            $_FILES[$name]['size'] = array_filter($_FILES[$name]['size']);
            $_FILES[$name]['tmp_name'] = array_filter($_FILES[$name]['tmp_name']);
            // we need to differentiate our type array names
            $use_name = ($name == 'item')? 'Addend':$name;
            // To start at Addendum1, create an $a value of 1
            $a = 1;
            if(!empty($_FILES[$name]['tmp_name'])) {
                foreach($_FILES[$name]['name'] as $i => $value ) {
                    $file_name = ms_escape_string($_FILES[$name]['name'][$i]);
                    $file_size = $_FILES[$name]['size'][$i];
                    $file_tmp = $_FILES[$name]['tmp_name'][$i];
                    $file_type = $_FILES[$name]['type'][$i];
                    if(move_uploaded_file($_FILES[$name]['tmp_name'][$i], $this->target.$file_name)) {
                        // Format the key values for addendum
                        if($name == 'item')
                            $arr[$use_name.$a] = $file_name;
                        // Format the key values for others
                        else
                            $arr[$use_name] = $file_name;
                        $sql = $this->FilterRequest($arr);
                        // Auto increment the $a value
                        $a++;
                    }
                }
            }
        }
        if(isset($sql) && (isset($i) && $i == (count($_FILES[$name]['tmp_name'])-1)))
            $this->data[$name] = $sql;
        return $this;
    }

    Thinking about it now, it may not necessarily mean that the app is being hacked into. It may be that they are just uploading all kinds of file types because no restrictions are in place.
  2. sonnieboy

    My app is constantly being hacked. Please help!

    Of course if as suggested by others you are being hacked by your poorly written queries I just love it when some people think it makes them feel more important by putting others down.
  3. Greetings experts, I have an app that hackers are constantly hacking by inserting junk data and uploading files to our server. I think the code below is the source of the hacking. There is a whole lot more code but I think this is the relevant code. I will be more than happy to post more. Any assistance in helping me shore this up to stand the test of hacking will be greatly appreciated.

    public function AddFiles($name = 'item') {
        // If the files array has been set
        if(isset($_FILES[$name]['name']) && !empty($_FILES[$name]['name'])) {
            // Remove empties
            $_FILES[$name]['name'] = array_filter($_FILES[$name]['name']);
            $_FILES[$name]['type'] = array_filter($_FILES[$name]['type']);
            $_FILES[$name]['size'] = array_filter($_FILES[$name]['size']);
            $_FILES[$name]['tmp_name'] = array_filter($_FILES[$name]['tmp_name']);
            // we need to differentiate our type array names
            $use_name = ($name == 'item')? 'Addend':$name;
            // To start at Addendum1, create an $a value of 1
            $a = 1;
            if(!empty($_FILES[$name]['tmp_name'])) {
                foreach($_FILES[$name]['name'] as $i => $value ) {
                    $file_name = ms_escape_string($_FILES[$name]['name'][$i]);
                    $file_size = $_FILES[$name]['size'][$i];
                    $file_tmp = $_FILES[$name]['tmp_name'][$i];
                    $file_type = $_FILES[$name]['type'][$i];
                    if(move_uploaded_file($_FILES[$name]['tmp_name'][$i], $this->target.$file_name)) {
                        // Format the key values for addendum
                        if($name == 'item')
                            $arr[$use_name.$a] = $file_name;
                        // Format the key values for others
                        else
                            $arr[$use_name] = $file_name;
                        $sql = $this->FilterRequest($arr);
                        // Auto increment the $a value
                        $a++;
                    }
                }
            }
        }
        if(isset($sql) && (isset($i) && $i == (count($_FILES[$name]['tmp_name'])-1)))
            $this->data[$name] = $sql;
        return $this;
    }

    public function SaveFolder($target = '../uploads/') {
        $this->target = $target;
        // Makes the folder if not already made.
        if(!is_dir($this->target))
            mkdir($this->target,0755,true);
        return $this;
    }

    public function where($array = array()) {
        $this->where_vals = NULL;
        if(is_array($array) && !empty($array)) {
            foreach($array as $key => $value) {
                $this->where_vals[] = $key." = '".ms_escape_string($value)."'";
            }
        }
        return $this;
    }

    public function UpdateQuery() {
        $this->data = array_filter($this->data);
        if(empty($this->data)) {
            $this->statement = false;
            return $this;
        }
        if(isset($this->data) && !empty($this->data)) {
            foreach($this->data as $name => $arr) {
                $update[] = implode(",",$arr['update']);
            }
        }
        $vars = (isset($update) && is_array($update))? implode(",",$update):"";
        // Check that both columns and values are set
        $this->statement = (isset($update) && !empty($update))? "update bids set ".implode(",",$update):false;
        if(isset($this->where_vals) && !empty($this->where_vals)) {
            $this->statement .= " where ".implode(" and ",$this->where_vals);
        }
        return $this;
    }

    public function SelectQuery($select = "*",$table = 'bids') {
        $stmt = (is_array($select) && !empty($select))? implode(",",$select):$select;
        $this->statement = "select ".$stmt." from ".$table;
        return $this;
    }

    public function InsertQuery($table = 'bids') {
        $this->data = array_filter($this->data);
        if(empty($this->data)) {
            $this->statement = false;
            return $this;
        }
        $this->statement = "insert into ".$table;
        if(isset($this->data) && !empty($this->data)) {
            foreach($this->data as $name => $arr) {
                $insert['cols'][] = implode(",",$arr['cols']);
                $insert['vals'][] = implode(",",$arr['vals']);
            }
        }
        $this->statement .= '(';
        $this->statement .= (isset($insert['cols']) && is_array($insert['cols']))? implode(",",$insert['cols']):"";
        $this->statement .= ") VALUES (";
        $this->statement .= (isset($insert['vals']) && is_array($insert['vals']))? implode(",",$insert['vals']):"";
        $this->statement .= ")";
        return $this;
    }
    }
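A hardened upload handler, added here as an example and not the poster's code, showing the checks that posts 1 and 3 above are missing: an extension allow-list confirmed against the sniffed MIME type, a server-chosen random filename so the client's name never shapes the path, and a prepared statement for the database record. It assumes an open mysqli connection `$conn`, an `uploads` table, and a `$target` directory from which the web server does not execute scripts.

```php
<?php
// Added example, not the poster's code: a hardened replacement for the upload
// loop in AddFiles(). Assumes the same $_FILES[$name] arrays, a $target directory
// the web server cannot execute from, an open mysqli $conn and an "uploads" table.
function save_uploads(string $name, string $target, mysqli $conn): array
{
    // Extension => MIME type pairs that may be stored (assumed policy); anything else is dropped.
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $maxBytes = 5 * 1024 * 1024;
    $saved = [];
    if (!isset($_FILES[$name]['tmp_name']) || !is_array($_FILES[$name]['tmp_name'])) {
        return $saved;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    foreach ($_FILES[$name]['tmp_name'] as $i => $tmp) {
        // Skip partial or failed uploads and anything not uploaded in this request.
        if ($_FILES[$name]['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
            continue;
        }
        // The client-supplied name and Content-Type are untrusted: keep only the
        // base name, decide by its extension, and sniff the MIME type from the bytes.
        $orig = basename($_FILES[$name]['name'][$i]);
        $ext  = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
        if (!isset($allowed[$ext]) || $finfo->file($tmp) !== $allowed[$ext]) {
            continue;
        }
        if ($_FILES[$name]['size'][$i] > $maxBytes) {
            continue;
        }
        // Store under a random server-chosen name, so "../" or ".php" in the
        // original name can never influence the path or yield an executable file.
        $stored = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest   = rtrim($target, '/') . '/' . $stored;
        if (!move_uploaded_file($tmp, $dest)) {
            continue;
        }
        chmod($dest, 0644);
        // Record the mapping with a prepared statement instead of concatenating
        // escaped strings into SQL, as the original class does.
        $stmt = $conn->prepare(
            'INSERT INTO uploads (field_name, original_name, stored_name) VALUES (?, ?, ?)'
        );
        $stmt->bind_param('sss', $name, $orig, $stored);
        $stmt->execute();
        $stmt->close();
        $saved[] = $stored;
    }
    return $saved;
}
```

The original name is kept only as a database column for display; the file on disk is always addressed by the random name.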
  4. sonnieboy

    How do I extend this script?

    Just one question. The second code is the working version, although I wanted to make some changes to it to remove all the spouseDetails info, but this forum is a bit difficult to navigate. First, it does not allow you to post your code where you want it. It pushes all code up. Maybe I am the problem; I have not figured out how to post code here and display it at the top or bottom. The second issue is there is no way to go back and make changes to your own thread. I was attempting to show the code that works for just one checkbox, grid1Details, and how to make it work for more than one checkbox.
  5. sonnieboy

    How do I extend this script?

    The following script allows the user to either fill out the textboxes in any particular gridview control with a checkbox called grid1Details. If the user chooses not to fill out the textboxes, then the user must check the grid1Details checkbox in order to submit the form. In other words, it is EITHER/OR. This works great.

    <script type="text/javascript">
    function validate() {
        var checkbox = document.getElementById("<%=grid1Details.ClientID %>");
        var txtsourcename = $("[id*='txtsourcename']")[0];
        var txtsourceaddress = $("[id*='txtsourceaddress']")[0];
        var txtsourceincome = $("[id*='txtsourceincome']")[0];
        //spouse check
        checkbox = document.getElementById("<%=spouseDetails.ClientID%>");
        var txtspousename = $("[id*='txtspousename']")[0];
        var txtspouseaddress = $("[id*='txtspouseaddress']")[0];
        var txtspouseincome = $("[id*='txtspouseincome']")[0];
        if (checkbox.checked) {
            if ($(txtsourcename).val().length != 0 && $(txtsourceaddress).val().length != 0 && $(txtsourceincome).val().length != 0) {
                jAlert("Please enter values on all textboxes or check the checkbox next to each textbox.");
                return false;
            } else {
                return true;
            }
        } else {
            if ($(txtsourcename).val().length != 0 && $(txtsourceaddress).val().length != 0 && $(txtsourceincome).val().length != 0) {
                return true;
            } else {
                jAlert("Please enter values on all textboxes or check the checkbox next to each textbox.");
                return false;
            }
        }
    }
    </script>

    The issue I have now is that I have several gridview controls, each with its own checkbox control. In the next script, I am trying to add the spouseDetails checkbox but it is not working. Each time I check the grid1Details control and hit the submit button, it doesn't validate the spouseDetails checkbox. Any ideas what I am doing wrong? Thanks a lot in advance.

    <script type="text/javascript">
    function validate() {
        var checkbox = document.getElementById("<%=grid1Details.ClientID %>");
        var txtsourcename = $("[id*='txtsourcename']")[0];
        var txtsourceaddress = $("[id*='txtsourceaddress']")[0];
        var txtsourceincome = $("[id*='txtsourceincome']")[0];
        //spouse check
        checkbox = document.getElementById("<%=spouseDetails.ClientID%>");
        var txtspousename = $("[id*='txtspousename']")[0];
        var txtspouseaddress = $("[id*='txtspouseaddress']")[0];
        var txtspouseincome = $("[id*='txtspouseincome']")[0];
        if (checkbox.checked) {
            if ($(txtsourcename).val().length != 0 && $(txtsourceaddress).val().length != 0 && $(txtsourceincome).val().length != 0) {
                jAlert("Please enter values on all textboxes or check the checkbox next to each textbox.");
                return false;
            } else {
                return true;
            }
        } else {
            if ($(txtsourcename).val().length != 0 && $(txtsourceaddress).val().length != 0 && $(txtsourceincome).val().length != 0) {
                return true;
            } else {
                jAlert("Please enter values on all textboxes or check the checkbox next to each textbox.");
                return false;
            }
        }
        //spouseDetails
        if (checkbox.checked) {
            if ($(txtspousename).val().length != 0 && $(txtspouseaddress).val().length != 0 && $(txtspouseincome).val().length != 0) {
                jAlert("Please enter values on all textboxes or check the checkbox next to each textbox.");
                return false;
            } else {
                return true;
            }
        } else {
            if ($(txtspousename).val().length != 0 && $(txtspouseaddress).val().length != 0 && $(txtspouseincome).val().length != 0) {
                return true;
            } else {
                jAlert("Please enter values on all textboxes or check the checkbox next to each textbox.");
                return false;
            }
        }
    }
    </script>

    //click button:
    <td>
    <asp:Button ID="btnNext" CssClass="btnNext" runat="server" Text=" Review Form " OnClientClick="BtnClick(); return validate()" OnClick="btnNext_Click" /></td>
  6. Pastor is the Pastor of a Ministry, if I understand you correctly. So, that table is where pastor and ministry information is stored. Then there is another table that stores pastor/ministry related information. So, to add information to this table, the user is required to select the pastor from a dropdown. Once that pastor is selected, his/her ministry is automatically selected too, based on the pastor of that ministry.
  7. The user wants the value of ministryname to have its own textbox, not to be part of the pastorname value.
  8. Thanks a lot Barand. I actually thought about that option, but then how do I insert the value of pastorname into the database? In .NET, we would insert the textItem, in this case pastorname. What's the equivalent in PHP?
  9. Greetings again. I need your expert advice once more. I have a dropdown populated dynamically from the database. Then I have an input text box. What we would like to do is select a value from the dropdown list and then have the value associated with the dropdown list value automatically populated in the textbox. The issue here is that the value I need populated in the textbox is not part of the dropdown list. For instance, the database fieldname of the value that automatically populates the dropdown is called pastorname. However, the database fieldname of the value we would like to automatically populate the textbox when the associated value is selected from the dropdown is not part of the dropdown. Any ideas how to handle this? Here is the current code. Many thanks for your assistance.

    <?php
    $conn=mysqli_connect("localhost","myuuser","mypass","mydb");
    // Check connection
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    $select_query="Select pastorname, ministryname from xphias_clients";
    $select_query = mysqli_query( $conn,$select_query);
    echo "<select name='pastorsname' id='pastorsname' class='form-control'>";
    while ($rc= mysqli_fetch_array($select_query) ) {
        echo "<option value='" .$rc['pastorname'] . "'>" . $rc['pastorname'] . "</option>";
    }
    echo "</select>";
    ?></td>
    <td><INPUT TYPE="TEXT" class="form-control" NAME="ministriesname" id='ministriesname' SIZE="16"></td>

    //JS
    <script type="text/javascript">
    $(document).ready(function(){
        $('#pastorsname').change(function(){
            var ministriesname = $(this).val();
            $('#ministriesname').val(ministriesname);
        });
    });
    </script>
  10. Thank you very much. Stupid me.
  11. Greetings again, I am trying to use the following code to update some database fields. When I run the code, I get a successful update message but no record is updated. I am not getting any errors. Any ideas what I could be doing wrong?

    <?php
    error_reporting(E_ERROR | E_WARNING | E_PARSE);
    // Initialize connection to database
    $conn=mysqli_connect("localhost","myuser","mypass","mydb");
    // Check connection
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    function render_error($settings = array("title"=>"Failed","body"=>"Sorry, your submission failed. Please go back and fill out all required information.")) {
    ?>
    <h2><?php echo (isset($settings['title']))? $settings['title']:"Error"; ?></h2>
    <p><?php echo (isset($settings['body']))? $settings['body']:"An unknown error occurred."; ?></p>
    <?php
    }
    $sql = "UPDATE xphias SET pastorname=?, ministriesname=?, sermon_name=?, scripture=?, video_name=?, sermon_notes=?, sermon_date=? WHERE sermon_id=?";
    $stmt = $conn->prepare($sql);
    // We have one datetime parameter, one integer parameter and 6 string data types
    // So that's 6 consecutive string params and then 1 datetime parameter and one integer param.
    $stmt->bind_param('sssssssd', $pastorname, $ministriesname, $sermon_name, $scripture, $video_name, $sermon_notes, $sermon_date, $sermon_id);
    $stmt->execute();
    if ($stmt->errno) {
        echo "FAILURE!!! " . $stmt->error;
    } else
        echo "Updated {$stmt->affected_rows} rows";
    $stmt->close();
    ?>
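As an added example (not the poster's code), the same UPDATE written so that every bound variable is actually read from the request and validated before it reaches the query, and the key is bound as an integer with type `i` rather than `d`. The `$post` array and the form field names are assumptions; `$conn` is an open mysqli connection.

```php
<?php
// Added example, not the poster's code: the UPDATE from the post above with the
// bound variables assigned from the request and the id bound as an integer.
// $conn is an open mysqli connection; form field names are assumed to match columns.
function update_sermon(mysqli $conn, array $post): int
{
    $fields = ['pastorname', 'ministriesname', 'sermon_name', 'scripture',
               'video_name', 'sermon_notes', 'sermon_date'];
    $params = [];
    foreach ($fields as $f) {
        // A missing field is a bad request, not a silent NULL bind.
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing field: $f");
        }
        $params[] = $post[$f];
    }
    // Normalise the date into what a DATETIME column accepts; '!' resets unset parts to zero.
    $dt = DateTime::createFromFormat('!Y-m-d', $params[6]);
    if ($dt === false) {
        throw new InvalidArgumentException('sermon_date must be YYYY-MM-DD');
    }
    $params[6] = $dt->format('Y-m-d H:i:s');
    // The key must be an integer; anything else never reaches the query.
    $id = filter_var($post['sermon_id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('sermon_id must be an integer');
    }
    $params[] = $id;
    $stmt = $conn->prepare(
        'UPDATE xphias SET pastorname=?, ministriesname=?, sermon_name=?, scripture=?, '
        . 'video_name=?, sermon_notes=?, sermon_date=? WHERE sermon_id=?'
    );
    // Seven strings and one integer: 'sssssssi' ('d' would bind a double).
    $stmt->bind_param('sssssssi', ...$params);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('update failed: ' . $err);
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows; // 0 means no row matched sermon_id, or the values were unchanged
}
```

An affected-row count of 0 with no error is how the original code reports "success" while changing nothing, which is exactly the symptom described in the post.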
  12. sonnieboy

    Date inserts 00

    Your solution worked perfectly, however. Thank you so very much, sir.
  13. sonnieboy

    Date inserts 00

    Thank you very much psycho for such detailed explanations. Initially, I didn't have the assignments. I added them because I was looking for a way to format the date field. Just to clarify, this is my current markup:

    <td><INPUT TYPE="TEXT" NAME="pastorsname[]" SIZE="14"></td>
    <td><INPUT TYPE="TEXT" NAME="ministriesname[]" SIZE="14"></td>
    <td><INPUT TYPE="TEXT" NAME="xstartdate[]" SIZE="10"></td>
    <td><INPUT TYPE="TEXT" NAME="clientname[]" SIZE="14"></td>
    <td><INPUT TYPE="TEXT" NAME="url[]" SIZE="14"></td>

    but you are suggesting to have them like below?

    <td><INPUT TYPE="TEXT" NAME="record[1][pastorsname]" SIZE="14"></td>
    <td><INPUT TYPE="TEXT" NAME="record[2][ministriesname]" SIZE="14"></td>
    <td><INPUT TYPE="TEXT" NAME="record[3][xstartdate]" SIZE="10"></td>
    <td><INPUT TYPE="TEXT" NAME="record[4][clientname]" SIZE="14"></td>
    <td><INPUT TYPE="TEXT" NAME="record[5][url]" SIZE="14"></td>
  14. sonnieboy

    Date inserts 00

    Greetings again, the following code is fairly working except that the date field is inserting 0000-00-00. Any ideas why? Please see the attached code. Thanks in advance.

    <?php
    $dbhost = "localhost";
    $dbname = "mydb";
    $dbusername = "xxxx";
    $dbpassword = "mypass";
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $pdo = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbusername, $dbpassword);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $pdo->prepare("INSERT INTO xphias (pastorsname, ministriesname, xstartdate,clientname, url) VALUES (?,?,?,?,?)");
        for ($i = 0; $i < count($_POST['pastorsname']); $i++) {
            $stmt->execute(array(
                $pastorname = $_POST['pastorsname'][$i],
                $ministryname = $_POST['ministriesname'][$i],
                $startdate = "'".date('Y-m-d H:i:s', strtotime(str_replace('-', '/', $_POST['xstartdate'][$i])))."'",
                $clientsname = $_POST['clientname'][$i],
                $video_url = $_POST['url'][$i],
            ));
        }
        echo "Success!";
    }
    ?>
  15. This has worked. Thank you very much. I just have to add error checking and a successful submission message.