
garyed

Members
  • Posts: 176
Everything posted by garyed

  1. Wow, I didn't know it could be that easy. Now I'm starting to worry about the form action field. I used to use echo $_SERVER['PHP_SELF'] but started just leaving the action field blank. I guess that's another place a hacker can get to.
  2. Thanks, I'm just trying to add some protection to the databases for right now until I learn how to do prepared statements. I haven't been able to comprehend them yet. After reading about SQL injection I got a little nervous knowing my databases were totally unprotected until now. So for now I used mysql_real_escape_string() on any input that is used in any mysql_query, even dropdown menu inputs. I don't know how anyone could alter a drop down menu input but I heard it is possible.
  3. Does that mean mysql_real_escape_string() will not be secure or just that it will not prevent someone from entering a non number? I was thinking of using javascript to check for valid numbers & pop up a warning before the form is entered. The page will not work correctly without javascript enabled so my only concern is some malicious hacker turning off javascript and doing some damage to the database.
  4. I'm trying to understand this stuff. It's funny how easy it is once you understand it but getting to that point isn't always easy. For now what I've done is just use mysql_real_escape_string on every possible input on every mysql_query command.
  5. I have a few questions regarding mainly SQL injection. I have three basic queries on my database:

        $table1="first_table";
        $input1=$_POST['input1'];
        $input2=$_POST['input2'];
        $result=mysql_query("select * from $table1 where id='$input1' ");
        $result_array=mysql_fetch_array($result);
        $answer=$result_array[$input2];

     I run the same query on about 12 different tables and I have about 50 to a hundred different inputs all together. I'm not worried about if the user inputs incorrect data as much as I am any harmful SQL injection. I've done a little research on mysql_real_escape_string and I saw this idea but I'm not sure how to implement it. Any ideas welcome:

        $input_data = array_map('mysql_real_escape_string', $_POST);

  6. Thanks for the ideas, I hadn't thought about getting hit by a bot but that makes a lot of sense because I use the same counter file on another page of my site & never have any problems. It just produces a different .txt file so I can see how many users go to my home page & then follow through to another page on my site. I'm on a shared server & don't know how to check the access log or to be honest, what it even is.
  7. I have this PHP counter file that is included in my website index page to check how many hits I get & put it into a separate file. It works fine for about a week or so and then it looks like the number gets multiplied by 10. Below is the code and the resulting file it produces. Any ideas why this is happening?

        $tailer=`tail -n 1 counter.txt `;    /* gets a string of only the last line of the file */
        $today= date("D-m/d/Y");    /* gets today's date */
        $my_array=explode(" ",$tailer);    /* puts the string into an array */
        $old_day= $my_array[0];    /* original date from the last line of the file */
        $old_hits=$my_array[2];    /* original amount of hits from last line */
        $new_hits=$old_hits +1;    /* add one to the hit counter */
        $my_new_array=array("$old_day","hits","$new_hits");    /* makes the new array */
        $newstr=implode(" ",$my_new_array);    /* puts array back into a string */
        $filename="counter.txt";
        /* If the date is the same then the adjusted line will overwrite the last line */
        if ($today == $old_day) {
            $lines = file($filename);    /* get the contents of the file into an array */
            $all_lines = implode('',$lines);    /* puts the array into a string */
            $fp=fopen($filename,"w");    /* opens file for writing */
            $entry=str_replace("$tailer","$newstr",$all_lines);    /* the command to search & replace */
            $fw=fwrite($fp,$entry);    /* writes to the file */
            fclose($fp);    /* closes the file */
        } else {
            /* Or else the date changed so it needs to start a new line */
            $newline="\n";
            $new_day_array=array("$today","hits","1");
            $new_day=implode(" ",$new_day_array);    /* Puts the new day and first hit on a line */
            $fp=fopen($filename,"a");
            $fw=fwrite($fp,$newline);    /* needed to change line when date changes */
            $fw=fwrite($fp,$new_day);
            fclose($fp);
        }

     Here is the resulting file it produces:
  8. I found a way to do it in a few steps. First you have to get rid of the primary key & then it's easy. The table name is "first2" and the field name is "id". I used these commands:

        alter table first2 modify id INT NOT Null;
        alter table first2 drop primary key;
        update first2 set id = id+1 where id > 32;
        update first2 set id = 33 where id =102;

     It raised all the numbers from 33 up 1 so I could change 102 which was the new record that I added to 33. Now I can sort them to display in the order I want.
  9. I understand how to do that but I'm just amazed there isn't a simple command line that will do what I want to do instead of numbering every record. What if you had 10,000 records and you just wanted to add one record to be sorted a certain way? It doesn't make sense that there isn't a better way. Isn't there a command that would move every id number up +1 at a certain point?
  10. I have a table with an id incremented from 1 to 100. I want to add a new record and have its id number to be 33 and move all the numbers from 33 up one. How can I do that without manually editing every record from 33 up?
  11. That's an interesting way to do it. I used the code that I posted to test before I changed the code on the actual site. It's got multiple dropdowns with tons of choices that are all populated from a mysql database. Thanks again to everyone for all the help.
  12. Yes it does. I assume it's not the correct way to do it but it works perfectly now.
  13. I also see now that I didn't need to use hidden inputs. I could have just called the functions for each variable I wanted to keep when I opened page2.php.
  14. Thanks everyone for the input. It seems like everything I tried didn't work & I'm sure it was because I couldn't understand how to use Curl correctly or the database thing so I figured out a simple way that works for my situation. Since I'm using session variables all I had to do was use hidden inputs on the second page for the variables from the first page. I got some help here earlier with a session function that I use on both pages. It's not very pretty but here it is:

      Page1.php

        <?php
        session_start();
        function get_value($var)
        {
            if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) {
                $_SESSION[$var]=$_POST[$var];
            }
            if (isset($_SESSION[$var])) {
                return $_SESSION[$var];
            } else {
                return $_POST[$var];
            }
        }
        ?>
        <br>
        <form method="POST" action="page2.php">
        Wall type :
        <select name="wall" >
          <option>----</option>
          <option value="green" <?php if(get_value('wall') == "green") { echo 'selected="selected"'; } ?> >green </option>
          <option value="blue" <?php if(get_value('wall') == "blue") { echo 'selected="selected"'; } ?> >blue </option>
        </select>
        <input type="submit" value="Submit">
        </form>

      Page2.php

        <?php
        session_start();
        function get_value($var)
        {
            if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) {
                $_SESSION[$var]=$_POST[$var];
            }
            if (isset($_SESSION[$var])) {
                return $_SESSION[$var];
            } else {
                return $_POST[$var];
            }
        }
        ?>
        <br>
        <form method="POST" action="">
        Door :
        <select name="door" >
          <option>----</option>
          <option value="white" <?php if(get_value('door') == "white") { echo 'selected="selected"'; } ?> >white </option>
          <option value="red" <?php if(get_value('door') == "red") { echo 'selected="selected"'; } ?> >red </option>
        </select>
        <input type="hidden" value="<?php get_value('wall'); ?>" >
        <input type="submit" value="Submit">
        </form>

      Thanks again for all the help
  15. This might sound stupid but I was wondering when two or more people are using the site posting the same form at the same time & post data from the form goes to another PHP page, can that cause the data to get crossed? Also when using Curl to post data to another PHP page are the possibilities any different?
  16. What I'm trying to do is this: I've written a calculation program that the user chooses some dropdown menu items & a few other inputs in a form from the page. When the form is submitted it takes them to another page where all the data from the first page is posted into variables on the second page & used for further calculations with other inputs. I'm using session variables on both pages. When they leave the first page the only way I know to get the session variables to the first page is to use a form on the second page that posts back to the first page. If they leave the second page without submitting the form then all the data on the first page will be lost. The reason I'm using separate pages is to keep the pages from getting too cluttered since there is so much data that the user inputs. So what I'm trying to do is figure a way that when the user submits the form on the first page the variables get posted onto that page & then takes the user to the second page where the same variables will be posted too.
  17. Are there any other ways besides using CURL? If so I'd appreciate any other ideas so I can try to see what way works best for my situation.
  18. Doing some reading up on CURL, if I understand it right. The first page would just do a standard SUBMIT on the form & POST to the second page. Then I would use CURL on the second page so when it loaded, it would open the first page & post the data back into the first page. Does that sound right?
  19. Is it possible to post the input of a form to the existing php page & at the same time post it to a new php page you want the user to go to when they submit the form?
  20. I have a typical PHP file (logger.php) with username, password, etc. that uses mysql_connect() to open my database. I include the file in my PHP pages & it works fine but my question is how often do I need to use it under these conditions. I have a four page session where the first page posts to the second then the second to the third & then the third to the fourth in consecutive order to complete correctly. Each page uses the same database & some of the pages also include other files that use the same database. Right now I'm including the logger.php file in all the pages to be safe. I'm not using mysql_close() anywhere so I'm wondering if I only need to use the logger.php file on the first page & if I'm slowing things down by using it on all the pages.
  21. I want to thank everyone for the help which has not only solved my problem but given me a lot of ideas to learn from. I may try some different options as a learning experience to see if I can get a better understanding. I did use a return value of the function & echoed the function instead of using echo in the function. It works either way but is that considered better technique or does it really matter?

        <?php
        session_start();
        function get_value($var)
        {
            if ($_POST[$var]!="" || (!empty($_SESSION[$var]) && $_POST[$var] === '')) {
                $_SESSION[$var]=$_POST[$var];
            }
            if (isset($_SESSION[$var])) {
                return $_SESSION[$var];
            } else {
                return $_POST[$var];
            }
        }
        ?>
        <form method="POST" action="">
        <table>
          <tbody>
            <tr>
              <td style="text-align: right;"> Windows: </td>
              <td><input name="windows" style="background-color:#FFFFCC;width:60px;" maxlength="10" value="<?php echo get_value('windows'); ?>" type="text"> </td>
            </tr>
            <tr><td> <input type="submit" value="Calculate"></td></tr>
          </tbody>
        </table>
        </form>
  22. Thanks for the reply, I've never used sessions before so I need to learn a good bit more before I'll be able to understand how to implement the things you suggested. I was hoping I was missing a simple line or phrase to solve my problem but it sounds a lot more involved.
  23. Thanks for the help. The reason I'm using sessions is because I have about 50 inputs on the page & the biggest complaint I have is that people have to leave the page sometimes to change other factors on another page, return back to the page & then all their data is lost. The way I've got it now, if they want to delete any of their inputs they have to change the number to "0" but just deleting the input & leaving nothing doesn't work. I'm obviously not very good at this stuff so some of what you are saying is probably over my head. I really need to see some sort of coded explanation of how to do this.
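
Added example (not part of garyed's posts): the lookup from post 5 written with a PDO prepared statement, which also covers the tampered dropdown value raised in post 2. The id is bound as a parameter, while the table and column names, which cannot be bound, are checked against allow-lists. The `lookup` helper, the column names and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example; table/column names and lookup() are hypothetical.
// In-memory SQLite stands in for MySQL so this runs offline (only the DSN differs).
const ALLOWED_TABLES  = ['first_table', 'second_table'];
const ALLOWED_COLUMNS = ['height', 'width'];

function lookup(PDO $pdo, string $table, array $post): ?string
{
    // Identifiers cannot be bound as parameters: accept only known names.
    $column = $post['input2'] ?? '';
    if (!in_array($table, ALLOWED_TABLES, true) || !in_array($column, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown table or column');
    }
    // The id is expected to be a whole number; reject anything else early.
    $id = $post['input1'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a whole number');
    }
    // The value travels separately from the SQL text, so it cannot change the query.
    $stmt = $pdo->prepare("SELECT $column FROM $table WHERE id = :id");
    $stmt->execute([':id' => (int) $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE first_table (id INTEGER PRIMARY KEY, height TEXT, width TEXT)');
$pdo->exec("INSERT INTO first_table VALUES (1, '8ft', '12ft'), (2, '9ft', '14ft')");

// Constructed form submissions: one valid, one with a quoted id,
// one with a column value that was never offered in the dropdown.
$requests = [
    ['input1' => '2', 'input2' => 'width'],
    ['input1' => "2' OR '1'='1", 'input2' => 'width'],
    ['input1' => '2', 'input2' => 'password'],
];
foreach ($requests as $post) {
    try {
        $result = var_export(lookup($pdo, 'first_table', $post), true);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo json_encode($post), ' => ', $result, "\n";
}
```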