massacremichael

New Members
  • Posts

    9
  • Joined

  • Last visited

    Never

Contact Methods

  • Website URL
    http://www.icepets.com

Profile Information

  • Gender
    Male
  • Location
    Seattle

massacremichael's Achievements

Newbie (1/5)

Reputation: 0

  1. The TAKE function doesn't work when using your above code, replacing the 'SAVE' with 'TAKE'. When I replace each SAVE with TAKE the TAKE function doesn't work.

     // ----------------- TAKE
     if(isset($_POST['take_amm'])){
         if($_POST['take_amm']>0 && $_POST['take_amm']<1000000000){
             if($bank_amount>=$_POST['take_amm']){
                 $take_amm = clean($_POST['take_amm']);
                 $sql80 = "UPDATE users SET points=points+$take_amm WHERE user_name = '$user_name'";
                 $res80 = mysql_query($sql80,$conn);
                 $sql70 = "UPDATE users SET bank_amount = bank_amount-$take_amm WHERE user_name = '$user_name'";
                 $res70 = mysql_query($sql70,$conn);
                 $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                 $res980 = mysql_query($sql980,$conn);
                 header("Location: bank.php?");
                 exit;
             }else{
                 $errorinfo = "<br><font color='#FF0000'>You dont have that many icePoints in your bank</font></b><br>";
             }
         }else{
             $errorinfo = "<br><font color='#FF0000'>Invalid Ammount</font></b><br>";
         }
     }

     YOUR CODE BELOW

     if(isset($_POST['take_amm'])){
         $take_amm = (int)$_POST['take_amm'];
         if($take_amm>0 && $take_amm<1000000000){
             $sql89 = "SELECT points FROM users WHERE user_name = '$user_name'";
             $res89 = mysql_query($sql89,$conn);
             $userap = mysql_result($res89,0,'points');
             if($userap>=$take_amm){
                 $sql80 = "UPDATE users SET points=points-$take_amm, bank_amount = bank_amount+$take_amm WHERE user_name = '$user_name'";
                 $res80 = mysql_query($sql80,$conn);
                 $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                 $res980 = mysql_query($sql980,$conn);
                 header("Location: bank.php?");
                 exit;
             }else{
                 $errorinfo = "<br><font color='#FF0000'>You dont have that many icePoints</font></b><br>";
             }
         }
     }

     I think what I want is to take the current coding I had & replace it with numerical drop downs from 0,1,2,3,4,5,6,7,8,9 with 9 spots for each.
  2. Thanks a ton MCHL. So in theory it would be safe to open up the bank again on my site for users, without having to worry about injections? Or would it be safer to go ahead & make the 'type in box' for depositing/saving a numerical drop down field?
  3. & that prevents mysql injections? Because it doesn't look like it would give a 0-9 drop down box with up to 8 spaces for depositing/taking up to 99,999,999 Points, or does it just prevent injections?
  4. ctype_digit($take_amm);
     ctype_digit($save_amm);

     I need my bank to have, instead of manually typing in how many points to deposit, a drop down box for up to 9 digits for depositing & saving points... How can I go about this? My programmer is out of town for 2 weeks & we were experiencing mysql injections. Any advice? Use "ctrl+f" to find the "save_amm" section. Thanks!

     // ----------------- SAVE
     if(isset($_POST['save_amm'])){
         if($_POST['save_amm']>0 && $_POST['save_amm']<1000000000){
             $sql89 = "SELECT * from users WHERE user_name = '$user_name'";
             $res89 = mysql_query($sql89,$conn);
             $userap = mysql_result($res89,0,'points');
             if($userap>=$_POST['save_amm']){
                 $save_amm = clean($_POST['save_amm']);
                 $sql80 = "UPDATE users SET points=points-$save_amm WHERE user_name = '$user_name'";
                 $res80 = mysql_query($sql80,$conn);
                 $sql70 = "UPDATE users SET bank_amount = bank_amount+$save_amm WHERE user_name = '$user_name'";
                 $res70 = mysql_query($sql70,$conn);
                 $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                 $res980 = mysql_query($sql980,$conn);
                 header("Location: bank.php?");
                 exit;
             }else{
                 $errorinfo = "<br><font color='#FF0000'>You dont have that many icePoints</font></b><br>";
             }
         }else{
             $errorinfo = "<br><font color='#FF0000'>Invalid Ammount</font></b><br>";
         }
     }

     // ----------------- TAKE
     if(isset($_POST['take_amm'])){
         if($_POST['take_amm']>0 && $_POST['take_amm']<1000000000){
             if($bank_amount>=$_POST['take_amm']){
                 $take_amm = clean($_POST['take_amm']);
                 $sql80 = "UPDATE users SET points=points+$take_amm WHERE user_name = '$user_name'";
                 $res80 = mysql_query($sql80,$conn);
                 $sql70 = "UPDATE users SET bank_amount = bank_amount-$take_amm WHERE user_name = '$user_name'";
                 $res70 = mysql_query($sql70,$conn);
                 $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                 $res980 = mysql_query($sql980,$conn);
                 header("Location: bank.php?");
                 exit;
             }else{
                 $errorinfo = "<br><font color='#FF0000'>You dont have that many icePoints in your bank</font></b><br>";
             }
         }else{
             $errorinfo = "<br><font color='#FF0000'>Invalid Ammount</font></b><br>";
         }
     }

     http://icepets.com/bank_55_4433_ed
  5. Perfect. Thanks a ton everyone. I like this community haha
  6. }
     $newslist .= "<a href='news.php?view=$selectmin&vmax=$selectmax' style='font-weight:".$fweight.";'>".$new_word." (".$newslisttotal.")</a>;"
     }

     That's not right :/. Ugh, sorry guys, I'm really new at all this haha. I am the marketing guy, not the programmer. What did I do wrong now on that line?
  7. <?php
     $sitearea = "Ice Cold News";
     include('content.php');

     //Get the menu on the left
     $sql42 = "SELECT * from news order by posted desc";
     $res42 = mysql_query($sql42,$conn);
     if($userLoggedIn=="yes"){
         $sql4 = "UPDATE users SET news = 'n' WHERE id = '$user_id'";
         $res4 = mysql_query($sql4,$conn);
     }
     if(mysql_num_rows($res42)==0){
         $msg .= "<strong>There is no news</strong>";
     }
     else{
         $newslist = "";
         $newslistnum = 0;
         while($arr = mysql_fetch_array($res42)){
             $arr_id = $arr['id'];
             $arr_posted = $arr['posted'];
             $new_now = $arr_posted;
             $new_today = date("Ymd",$new_now);
             $true_yesterday = date("Ymd",$TIMESTAMP-(60*60*24));
             $true_today = date("Ymd",$TIMESTAMP);
             if($true_today==$new_today){
                 $new_word = "Today";
             }
             else if($true_yesterday==$new_today){
                 $new_word = "Yesterday";
             }
             else{
                 $new_word = date("jS M Y",$new_now);
             }
             if($newslistnum<20){
                 if($last_word!=$new_word){
                     $newslistnum++;
                     $selectmin = mktime(0,0,0,date("n",$new_now),date("j",$new_now),date("Y",$new_now));
                     $selectmax = $selectmin+(60*60*24);
                     $sql2 = "SELECT * from news WHERE posted >= $selectmin && posted < $selectmax";
                     $res2 = mysql_query($sql2,$conn);
                     $newslisttotal = mysql_num_rows($res2);
                     if($selectmin==$HTTP_GET_VARS['view'] && $selectmax==$HTTP_GET_VARS['vmax']){
                         $fweight = "bold";
                         $newstitle = "News for $new_word";
                     }
                     else{
                         $fweight = "normal";
                     }
                     $newslist .= "<a href='news.php?view=$selectmin&vmax=$selectmax' style='font-weight:".$fweight.";'>".$new_word." (".$newslisttotal.")</a>
                 }
             }
             $last_word = $new_word;
         }
     }

     // Get Archive Menu
     if($HTTP_GET_VARS['type']=="archive"){
         $newslist = "";
         $sql43 = "SELECT * from news order by posted desc";
         $res43 = mysql_query($sql43,$conn);
         while($arr = mysql_fetch_array($res43)){
             $new_now = $arr['posted'];
             $newslisttitle = "Select Archive";
             $thismonye = date("nY",$new_now);
             if($thismonye!=$pre_monye){
                 $mon = date("n",$new_now);
                 $day = 1;
                 $year = date("Y",$new_now);
                 $mon2 = $mon+1;
                 if($mon2==13){
                     $mon2 = 1;
                     $year2 = $year+1;
                 }
                 $vmin = mktime(0,0,0,$mon,1,$year);
                 $vmax = mktime(0,0,0,$mon2,1,$year);
                 $newslist .= "<a href='news.php?type=archive&view=".$vmin."&vmax=".$vmax."'>".date("F Y",$new_now) . "</a><br />";
             }
             $pre_monye = $thismonye;
         }
     }

     //Display the News
     if($HTTP_GET_VARS['type']=="archive"){
         $selectmin = $HTTP_GET_VARS['view'];
         $selectmax = $HTTP_GET_VARS['vmax'];
         $newstitle = "News for " . date("F Y",$new_now);
     }
     else{
         $selectmin = $HTTP_GET_VARS['view'];
         $selectmax = $selectmin+(60*60*24);
         if(strlen($newstitle)==0){
             $newstitle = "News for " . date("jS F Y",$selectmin);
         }
     }
     if(!isset($HTTP_GET_VARS['view'])){
         $selectmin = 0;
         $selectmax = $TIMESTAMP;
         $maxPost = "yes";
         $maxNum = 10;
         $currNum = 0;
         $newstitle = "10 Most Recent News Posts";
     }
     $sql9 = "SELECT * from news WHERE posted > $selectmin AND posted < $selectmax order by posted desc";
     $res9 = mysql_query($sql9,$conn);
     while($arr2 = mysql_fetch_array($res9)){
         $arr2_poster = $arr2['poster'];
         $arr2_subject = $arr2['subject'];
         $arr2_content = $arr2['content'];
         $arr_content2 = str_replace(" ","<br />",$arr_content2);
         $arr2_posted = $arr2['posted'];
         if($maxPost!="yes"){
             $showPost = "yes";
         }
         else{
             if($maxNum>$currNum){
                 $showPost = "yes";
             }
             else{
                 $showPost = "no";
             }
         }
         if($showPost=="yes"){
             $newsinfo .= "<div class='tableheader' style='width:400px;'> » $arr2_subject </div>
                 <div class='tablecontent' style='width:400px;'>
                 <div style='width:100%;font-size:10px;text-align:right;'> Posted by <a href='profile.php?user=$arr2_poster'>$arr2_poster</a> ".date("d/m/y @ H:i",$arr2_posted)." </div>
                 <br /> $arr2_content <br /> <br /> </div><br />";
         }
         $currNum++;
     }
     if(strlen($newslisttitle)==0){
         $newslisttitle = "Latest News";
     }
     $newsbutton = "View News Archive";
     $newslink = "type=archive";
     if($HTTP_GET_VARS['type']=="archive"){
         $newsbutton = "View Recent News";
         $newslink = "";
     }
     $msg .= " <h2><img src='http://www.icepets.com/images/buttons/News.bmp'></h2> ".'
         <br /> <table style="width:650px;"><tr><td valign="top" style="text-align:center;"><br /><br />
         <div class="tableheader" style="width:150px;">'.$newslisttitle.'</div>
         <div class="tablecontent" style="width:150px;"> '.$newslist.' </div><br />
         <form action="news.php?'.$newslink.'" method="post"> <input src="http://www.icepets.com/images/buttons/newsarch.bmp" name="archive" alt="Archive" type="image" /> </form>
         <form action="http://www.twitter.com/icepets" method="post"> <input src="http://www.icepets.com/images/buttons/ask.bmp" name="Tweet" alt="Twitter" type="image" /> </form>
         <form action="http://www.icepets.com/forums/viewtopic.php?f=16&t=503" method="post"> <input src="http://www.icepets.com/images/buttons/kindwords.bmp" name="KindWords" alt="Kind Words" type="image" /> </form>
         </td><td valign="top"> <strong><em>» '.$newstitle.'</em></strong> <div style="border-top:1px solid #CCCCCC;"><br /></div> '.$newsinfo.' </td></tr></table>';
     include('template.php');
     ?>
  8. // Get Archive Menu
     if($HTTP_GET_VARS['type']=="archive"){
         $newslist = "";
         $sql43 = "SELECT * from news order by posted desc";
         $res43 = mysql_query($sql43,$conn);
         while($arr = mysql_fetch_array($res43)){
             $new_now = $arr['posted'];
             $newslisttitle = "Select Archive";
             $thismonye = date("nY",$new_now);

     I was modifying the news page of my website & somehow I got a Parse error on my line 64, which is the above code snippet that starts with "if($HTTP...". Now I didn't make any modifications to, say, the HTTP_GET_VARS (which I know is old code), but somehow a semicolon or something got deleted. I didn't make the script but I can't figure it out! Here's the full page... http://icepets.com/sockforryan Thanks, let me know what the problem could be =/ http://www.icepets.com/news.php? - that's the page in modification
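The bank handlers quoted in the posts above splice $_POST['save_amm'] / $_POST['take_amm'] straight into SQL strings and check the balance with a separate SELECT before the UPDATE. As an added example, not code from the thread or from the icepets site, this is how the TAKE (withdraw) branch can be written so that only a digit string is accepted, the query is parameterised, and the balance check and debit happen in one conditional UPDATE. It assumes $conn is a mysqli connection, $user_name is the logged-in user, and the users/dailies tables and columns are as posted; a 0-9 drop-down on the form changes nothing server-side, because the browser can still submit any value, so this validation is needed either way.

```php
<?php
// Added example (not the original icepets code): hardened TAKE handler.
// Assumes $conn is a mysqli connection and $user_name the logged-in
// user's name, as in the posted script; table/column names as posted.

function take_from_bank(mysqli $conn, string $user_name, $raw_amount): string
{
    // Accept only a plain string of digits: this rejects negatives,
    // decimals, arrays and anything that looks like SQL.
    if (!is_string($raw_amount) || !ctype_digit($raw_amount)) {
        return 'Invalid amount';
    }
    $amount = (int)$raw_amount;
    if ($amount <= 0 || $amount >= 1000000000) {   // same bounds as the posted code
        return 'Invalid amount';
    }

    // One conditional UPDATE: the balance check and the debit are atomic,
    // so two concurrent withdrawals cannot both pass a separate SELECT.
    $stmt = $conn->prepare(
        'UPDATE users SET points = points + ?, bank_amount = bank_amount - ? '
        . 'WHERE user_name = ? AND bank_amount >= ?'
    );
    $stmt->bind_param('iisi', $amount, $amount, $user_name, $amount);
    $stmt->execute();
    $changed = $stmt->affected_rows;   // 1 only if the row matched and was debited
    $stmt->close();

    if ($changed !== 1) {
        return 'You do not have that many icePoints in your bank';
    }

    // Same audit row the posted code inserts, but parameterised.
    $log = $conn->prepare('INSERT INTO dailies (user_name, title) VALUES (?, ?)');
    $title = 'bankinterest';
    $log->bind_param('ss', $user_name, $title);
    $log->execute();
    $log->close();
    return '';   // empty string means success
}

// Usage inside bank.php (assumed layout of the page):
if (isset($_POST['take_amm'])) {
    $errorinfo = take_from_bank($conn, $user_name, $_POST['take_amm']);
    if ($errorinfo === '') {
        header('Location: bank.php');
        exit;
    }
}
```

The SAVE (deposit) branch is the mirror image: swap the signs on points and bank_amount and test `points >= ?` in the WHERE clause.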