freelance84

Everything posted by freelance84

  1. I have now changed my logout.php to the following:

     ```php
     <?php
     session_start();
     unset($_SESSION['ID']);
     unset($_SESSION['username']);
     unset($_SESSION['type']);
     unset($_SESSION['forename']);
     unset($_SESSION['surname']);
     session_destroy();
     header("location:index.php")
     ?>
     ```

     However on one of my pages I can still simply press back after pressing logout to go back into the page. The page in question looks like the following:

     ```php
     <?php
     session_start();
     if (isset($_SESSION['username']))
     {
         $u_ID = $_SESSION['ID'];
         $u_name = $_SESSION['username'];
         $u_type = $_SESSION['type'];
         $u_forename = $_SESSION['forename'];
         $u_surname = $_SESSION['surname'];
         if($u_type == 2)
         {
             ............... content of the page
         }
         else echo "Sorry something has gone wrong with your user type, please contact site admin. Thank you.";
     }
     else echo "You are not logged in. Please <a href=index.html>click here</a> to log in.";
     ?>
     ```
  2. Should I be unsetting the SESSION variables before I use session_destroy(); or after. Or does it not really matter?
  3. ahh thanks. I looked on that page you mentioned but I missed the unset(). Brilliant, I'll try and implement it tomorrow, getting on a bit now.
  4. The following snippet of code is from my authenticate page:

     ```php
     if($u_pass == $row[2])
     {
         session_start();
         $_SESSION['ID'] = $row[0];
         $_SESSION['username'] = $row[1];
         $_SESSION['type'] = $row[3];
         $_SESSION['forename'] = $row[4];
         $_SESSION['surname'] = $row[5];
         if ($row[3] == '1') {header("location:adw-home.php");}
         elseif ($row[3] == '2') {header("location:nrt-home.php");}
         elseif ($row[3] == '3') {header("location:rst-home.php");}
     }
     ```

     The above code seems to work and directs the user to their home page depending on type. The following is my logout code:

     ```php
     <?php
     session_start();
     session_destroy();
     header("location:index.php")
     ?>
     ```

     The site doesn't create any cookies so is the above logout all I need to log a user out? Sometimes though, when I'm testing the site in easyphp 3.0, when I log in, go through a few pages then log out, if I just press back in the browser it just goes back into the previous page. But sometimes it does what it's meant to and says "you are not logged in". I'm guessing this is just something quirky with easyphp and not closing the browser or something?
  5. That's one big table! OK then I'll go along those lines and create one table for user input along with ID's. Thanks for the help PFMaBiSmAd
  6. But each user's table would have 16 fields and anything up to 40/50 rows. If I put all the users into one table this could potentially result in each user having 250 rows each in the table. If the site gained 5000 users that would be 1,250,000 rows. I could create one table per user, thus each table could contain up to 250 rows each. Therefore each table would be more manageable and when a username was deleted their table would be deleted also?
  7. ah right, thank you. The reason I am using server side at the moment is simply because the book I am learning from uses server side. After I have really got a firm understanding of the PHP involved I will move on to try and use client side javascript. Could you expand perhaps a little on the tables? This is how I had planned to create the structure for the database. members table (contains username/password...etc) each member then has the ability to create up to 5 tables which will be prefaced with their username and an underscore then the name they choose. e.g: user, smithy856 smith856_gym705 If the member has 5 tables already they must 1st remove one before they can create another. Are you saying it might be best to only allow one table per username?
  8. Yup they all worked fine. I've decided to go back to the regular way of insertion for now and come back to this later. I have no idea why this doesn't work.
  9. Does anyone have any ideas? really quite stuck here. When I change the $table to the actual table name it will go past this line.
  10. This is the entire prepared statement section that throws a wobbler
  11. ah ok, thanks i'll look at the mysqli_prepare
  12. The following line throws up an error:

      ```php
      $query = 'PREPARE statement FROM "INSERT INTO $table VALUES(?,?,?,?,?,?,?)"';
      $result = mysql_query($query);
      if(!$result) die(mysql_error());
      ```

      The error returned is:

      For some reason it seems to be taking the database name and joining it with the variable name. How do I get the variable and not the variable name into the statement? I've tried using single quotes, double quotes and back ticks:

      Single quotes returns a parse error

      Double quotes returns: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '$table" VALUES(?,?,?,?,?,?,?)"' at line 1

      Back ticks returns: Table 'predef.$table' doesn't exist
  13. This is the example from the book:

      ```php
      <?php
      require 'login.php';
      $db_server = mysql_connect($db_hostname, $db_username, $db_password);
      if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
      mysql_select_db($db_database)
          or die("Unable to select database: " . mysql_error());

      $query = 'PREPARE statement FROM "INSERT INTO classics VALUES(?,?,?,?,?)"';
      mysql_query($query);

      $query = 'SET @author = "Emily Brontë",' .
               '@title = "Wuthering Heights",' .
               '@category = "Classic Fiction",' .
               '@year = "1847",' .
               '@isbn = "9780553212587"';
      mysql_query($query);

      $query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
      mysql_query($query);

      $query = 'DEALLOCATE PREPARE statement';
      mysql_query($query);
      ?>
      ```
  14. or would it be best to use:

      ```php
      function get_post($var)
      {
          return mysql_real_escape_string($_POST[$var]);
      }
      ```

      ... to get the POST items, then use placeholders to place them into the database?
  15. Pretty new to PHP myself but shouldn't "mysql_close();" be after all your MySQL commands? In your script you close the connection then try to use "$f1=mysql_result($result,$i,"first");"
  16. OK, the book I am learning from offers two alternatives to safe user input for MySQL.

      First:

      ```php
      function sanitizeString($var)
      {
          if (get_magic_quotes_gpc()) $string = stripslashes($string);
          return mysql_real_escape_string($_POST[$var]);
      }
      ```

      Second: Using Placeholders.

      As I am just starting out in PHP, would an expert be kind enough to tell me which is best? The book I'm learning from suggests that the latter is "virtually bulletproof" so would I be best using this one?
  17. I'm not sure exactly what you meant. But can you use: http://www.w3schools.com/sql/sql_update.asp
  18. thank you. I don't know how I missed that one! yup, will put code between the code tags. Didn't know about them. Thanks for the pointers on my functions too. I'm using Crimson Editor to create all my php. I didn't know IDEs could point out errors like this. Which are people's favourite IDEs?
  19. ```php
      //entering new student into class table
      if (isset($_POST['surname']) && isset($_POST['forename1']))
      {
          $surname = get_post('surname');
          $surname = sanitizeString($surname);
          $forename1 = get_post('forename1');
          $forename1 = sanitizeString($forename1);
          $forename2 = get_post('forename2');
          $forename2 = sanitizeString($forename2);
          $forename3 = get_post('forename3');
          $forename3 = sanitizeString($forename3);
          $title = get_post('title');
          $title = sanitizeString('$title');
          $gender = get_post('gender');
          $gender = sanitizeString($gender);
          $chosenFname= get_post('chosenFname');
          $chosenFname= sanitizeString($chosenFname);
          $query = "INSERT INTO $tableName (surname,forename1,forename2,forename3,title,gender,chosenFname) VAULES('$surname','$forename1','$forename2',$forename3','$title','$gender','$chosenFname');
          $result = mysql_query($query);
          if(!$result) die (mysql_error());
      }
      ```

      Can anyone see a parse error in the above? I'm lost as to what is going on. When I stick this into my PHP it causes a parse error but says it's a few lines down from the last bracket. These are the functions it calls in at the start:

      ```php
      <?php
      //functions
      function sanitizeString($var)
      {
          $var = stripslashes($var);
          $var = htmlentities($var);
          $var = strip_tags($var);
          return ($var);
      }

      function get_post($var)
      {
          return mysql_real_escape_string($_POST[$var]);
      }
      ?>
      ```
  20. thank you. I think i've been staring at my screen too long today, I tried that but it didn't work before, now it does
  21. I have managed to get a variable into the URL: ...nts.php?table=tester1 But how do I get the value of table out of it?
  22. http://www.htmlgoodies.com/primers/jsp/article.php/3594621 this is a pretty good one
  23. ahhh, add and remove html with javascript! the key is in what you search for as always. Thanks a bundle, i'll see if i can do it with that page.
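
For the placeholder questions in posts 12, 16 and 19, an added example (not code from the thread or from the book it cites): a mysqli prepared statement binds the values as parameters, and because a table name cannot be bound as a parameter, it is checked against a fixed allow-list. The table names, the helper names and the open `$db` connection are assumptions.

```php
<?php
// Added example, not from the thread. Assumes the mysqli extension and an
// open connection in $db; the table names below are hypothetical.

// Identifiers cannot be bound as parameters, so the table name is checked
// against a fixed allow-list instead of being escaped.
const ALLOWED_TABLES = ['tester1', 'tester2'];

function resolve_table(string $requested): string
{
    if (!in_array($requested, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    return $requested;
}

function insert_student(mysqli $db, string $table, array $post): bool
{
    $table = resolve_table($table);
    $columns = ['surname', 'forename1', 'forename2', 'forename3',
                'title', 'gender', 'chosenFname'];

    // Missing fields become empty strings; values are bound, never interpolated.
    $values = [];
    foreach ($columns as $c) {
        $values[] = isset($post[$c]) ? (string)$post[$c] : '';
    }

    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(',', $columns),
        implode(',', array_fill(0, count($columns), '?')));

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);  // log it, do not echo it
        return false;
    }
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage: insert_student($db, $_GET['table'] ?? '', $_POST);
```

HTML escaping such as `htmlentities()` belongs where the value is printed into a page, not before it is stored.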
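
For the logout and Back-button question in posts 1 and 4, an added example (not code from the thread): the protected page sends no-store cache headers so the browser re-requests it and the session check runs again, and logout expires the session cookie as well as the server-side data. The helper names `require_login` and `logout` are hypothetical; the file and session key names follow the posts.

```php
<?php
// Added example, not from the thread. Helper names are hypothetical;
// index.php and the 'username' session key follow the posts.

// Call at the top of every protected page, before any output.
function require_login(): void
{
    session_start();

    // Ask the browser not to keep a copy, so Back re-requests the page
    // and the check below runs again after logout.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (!isset($_SESSION['username'])) {
        header('Location: index.php');
        exit;
    }
}

// Body of logout.php.
function logout(): void
{
    session_start();
    $_SESSION = [];                 // clear the data held for this request

    // PHP tracks the session with a cookie (default name PHPSESSID);
    // expire it so the old session ID is not sent again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();              // remove the server-side session data
    header('Location: index.php');
    exit;
}
```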