Muddy_Funster

You know, comparing your initial post to your last one: I got to ask, are you the same person? one hand doesn't know what kind of data you would need to store, and the other claims to be an oracle programer. one hand doesn't have any idea where to start, while the other is programing in javascript, HTML and Ajax... Yeah, sorry, you did confuse things further. Why not work with asking specific questions and take it from there.

Search the forum, there are a lot of examples and snipits for that kind of thing.

ok, this is getting weird. Could you attach your actual .php files from your server for both index.php and upload.php so I can have a look at the raw code? Also, I asume that upload.php is in the same directory on the same server as index.php is?

ok 1st one - use the @ symbol like we covered earlier if (@$_POST['commentbtn']){ 2nd one - you didn't change the code like a I suggested, change the code for the code block at line 131 to $perpage = 10; if(@$_GET['s']){ $start = $_GET['s']; } else{ $start = 0; } 3rd one - another @ symbol here if (@$username){

you just copied and pasted the original code, there are no signs of any of the changes that you should have done, please post up your updated code and make sure that all code you post goes inside php tags - makes it much easier to read.

sorry, there is an extra space in the <FORM ACTION= that I posted it reads action="upload. php" should obviously be as you had it action="upload.php" without the space.

after replacing the upload.php what message are getting instead of your "All Fields...." P.S. ctrl+F5 force refreshes - saves caching probles like you had with firefox.

yeah, well if you want to call a function of your own making you need to declare it first. You might know that's what you want htmltext() to do, but PHP won't untill you tell it. That's not formated well enough to just drop it into a function, It wouldn't be of eny benifit. What you would be as well doing is cuting this section of code and then pasting it over the line that is calling the htmltext()

index.php : <body> <div> <?php if (isset($_SESSION['error'])) { echo"<span id=\"error\"><p>{$_SESSION['error']}</p></span>"; unset($_SESSION['error']); } ?> <form action="upload. php" method="post" enctype="multipart/form-data"> <p> <label>First Name</label> <input type="text" name="fname" /> <br /> <label>Last Name</label> <input type="text" name="lname" /> <br /> <label>Upload Image</label> <input type="file" name="image" /> <br /> <input type="hidden" name="MAX_FILE_SIZE" value="100000" /> <input type="submit" id="submit" value="Upload" /> </p> </form> </div> </body> and upload.php : <?php // Start a session for error reporting session_start(); // Call our connection file require("includes/conn.php"); // Check to see if the type of file uploaded is a valid image type function is_valid_type($file) { // This is an array that holds all the valid image MIME types $valid_types = array("image/jpg", "image/jpeg", "image/bmp", "image/gif"); if (in_array($file['type'], $valid_types)) return 1; return 0; } // Just a short function that prints out the contents of an array in a manner that's easy to read // I used this function during debugging but it serves no purpose at run time for this example function showContents($array) { echo "<pre>"; print_r($array); echo "</pre>"; } // Set some constants // This variable is the path to the image folder where all the images are going to be stored // Note that there is a trailing forward slash $TARGET_PATH = "images/"; // Get our POSTed variables $fname = $_POST['fname']; $lname = $_POST['lname']; $image = $_FILES['image']; // Build our target path full string. This is where the file will be moved do // i.e. images/picture.jpg $TARGET_PATH .= $image['name']; // Make sure all the fields from the form have inputs if ( (trim(stripslashes($fname)) == "") || (trim(stripslashes($lname)) == "") || (trim(stripslashes($image['name'])) == "") ) { $_SESSION['error'] = "All fields are required"; header("Location: index.php"); exit; } // Sanitize our inputs $fname = mysql_real_escape_string($fname); $lname = mysql_real_escape_string($lname); $image['name'] = mysql_real_escape_string($image['name']); // Check to make sure that our file is actually an image // You check the file type instead of the extension because the extension can easily be faked if (!is_valid_type($image)) { $_SESSION['error'] = "You must upload a jpeg, gif, or bmp"; header("Location: index.php"); exit; } // Here we check to see if a file with that name already exists // You could get past filename problems by appending a timestamp to the filename and then continuing if (file_exists($TARGET_PATH)) { $_SESSION['error'] = "A file with that name already exists"; header("Location: index.php"); exit; } // Lets attempt to move the file from its temporary directory to its new home if (move_uploaded_file($image['tmp_name'], $TARGET_PATH)) { // NOTE: This is where a lot of people make mistakes. // We are *not* putting the image into the database; we are putting a reference to the file's location on the server $sql = "insert into people (fname, lname, filename) values ('$fname', '$lname', '" . $image['name'] . "')"; $result = mysql_query($sql) or die ("Could not insert data into DB: " . mysql_error()); header("Location: images.php"); exit; } else { // A common cause of file moving failures is because of bad permissions on the directory attempting to be written to // Make sure you chmod the directory to be writeable $_SESSION['error'] = "Could not upload file. Check read/write persmissions on the directory"; header("Location: index.php"); exit; } ?> use that code to replace your existing one and let me know what happens.

yeah, I have never heard of a PHP function called htmltext(). What are you trying to do to $description?

any time you make changes to your code, even if you still get the same result, could you please post the revised code up so we can see how it fits with the rest of the stuff, php tags should be put around any code that you post - this makes it much easier to read (and is also part of the forum rules)

ok, there's a couple more things we need to look at: 1) this code is wrong echo "Your video has been added. <a href='videos.php=$id'>Click here to view it.</a>"; I think you wanted it to be echo "Your video has been added. <a href='videos.php?id=$id'>Click here to view it.</a>"; 2) you are using a different format for object link link than the youtube link had: object is using "'http://www.youtube.com/watch?v=" link is using " http://www.youtube.com/watch?v= " are you linking the object wrong?

which page goes blank? the one that displays the link or the one after you click on the link?

hmm...change this code $date = date("F d, Y"); // October 09, 2010 mysql_query("INSERT INTO videos VALUES ('', 'user_id', 'user_name', '$title', '$description', '$keywords', '$category', '$videoid', '0', '0', '$date')"); $query = mysql_query("SELECT * FROM videos WHERE user_id='id' AND title='$title' AND videoid='$videoid'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $row = mysql_fetch_assoc($query); $id = $row['id']; to this code $date = date("F d, Y"); // October 09, 2010 mysql_query("INSERT INTO videos VALUES ('', 'user_id', 'user_name', '$title', '$description', '$keywords', '$category', '$videoid', '0', '0', '$date')"); $query = mysql_query("SELECT videoid FROM videos WHERE user_id='id' AND title='$title' AND videoid='$videoid'"); $numrows = mysql_num_rows($query); if ($numrows == 1){ $row = mysql_fetch_assoc($query); $id = $row['videoid']; and let me know what you get back.

first up, change your code to this: <?php if (isset($_SESSION['error'])) { echo "<span id='error'><p>{$_SESSION['error']}</p></span>"; unset($_SESSION['error']); } ?> second - you are applying mysql_real_escape_string() to your variables and then attempting to validate them against an empty string (which it now isn't). Either move your content check above your "sanitisation" or check it by doing the following if ( trim(stripslashes($fname)) == "" || trim(stripslashes($lname)) == "" || trim(stripslashes($image['name'])) == "" )

the database should only be storing the path to the video - you will need to check the server to see if the video files are actualy there in the folder that you are trying to acces with the PHP script. If they are then the path that is in the link is malformed. Again, please post any error messages in their original state, it makes life much easier.

ok, there are a few niggles with your code, but we'll leve those aside just now. In your video page script change you line if($getid){ to if(@$_GET['id']){$getid = $_GET['id']; and change $perpage = 10; $start = $_GET['s']; if (!$start) $start = 0; to $perpage = 10; if(@$_GET['s']){ $start = $_GET['s']; } else{ $start = 0; } let us know how that goes.

NO. Please post as much code as is relevent, people have, will and do read through it just to help people. That said @ecabrera do also read the forum rules before posting: ALWAYS post code within the relevent tags! What is your actual problem? If there is an error code please post it with the question, if there is not please fully explain what the code is doing versus what you think/expect the code should do. Do this and we will help you. As it stands all I see is that you have some nitices about undeclaired identifiers which is comon when you are checking for if($variable){} and can be avoided by using if(@$variable){}.

Security goes over and above form validation, although that it a major part of it. SALT is more or less the defacto for encrypting input. You really should use this. Other suggestions that can/should be done are: 1) Being clever with your queries - only select the information that you need, you should never ever need to actualy pull a password back out of your database. 2) Being clever with your connections - if security is more important than performance you can have your database connections opend only when they are needed and closed when they are done. You can also maintain a read only connection for the most part and have it switch to a read/write connection only for specific queries. 3) Use an approprite database user regardless - Never open a page to the public that is running a connection with credentials for the root account or any other account that has full controll of the database. Make a limited user for only the tables and permissions that your page needs to run. 4) last on my list - though most deffinately not least do not send any form data to the database without proper 'sanitisation'. learn mysql_real_escape_string() and search the forum here for other examples of how to properly check the input of any type of form field. There's probably a lot more, but that's all I can think of off the top of my head.

Could you post your full and actual table structure for all three tables please?

what did you change the update SQL to? it should look something like this: $q2 = "UPDATE schedule SET days_til_due='$dtd' WHERE auditUI={$row['auditUI']}"; assuming that auditUI is your Primary Key Field

1. you don't use LIMIT in an update - you need to use WHERE - if LIMIT 1 works at all it just meens that you will only update what it thinks is the first record each and every pass through. You need to realise that you are running a totaly unrelated query doing it the way that you are, the update does not know what record PHP is using from the initial SELECT. 2. you have $dtd wraped in quotes, making it a string value - if you have the field set as int in the database it's going to get upset with you.

Try also NOT using SELECT * and make a deffinate effort NOT to run queries within loops! something like else { //gets all the members from the database $getusers = ''; if(isset($_GET['filter'])){ $getusers = mysql_query("SELECT username, prof_pic FROM `users` ORDER BY username ASC WHERE left(username, 1) == \"a\"") or die(mysql_error()); } else { $getusers = mysql_query("SELECT username, prof_pic FROM `users` ORDER BY username ASC") or die(mysql_error()); } //loops there name and profile image out while($user = mysql_fetch_array($getusers)) { $username = $user['username']; $dir = "prof_pics"; $pic="$dir/".$user['prof_pic']; $img="<img src=\"$pic\" width=\"88\" height=\"88\" align=\"center\"><br>"; echo "<div id='memcontainer'> <div id='mempic'>$img</div> <div id='memname'><a href='members.php?user=$user[username]'>$user[username]</a></div><br> <div class='addfriend'><a style='text-decoration:none' href='friendrequest.php?user=$user[username]'><font color='red'>Add as Friend</a></div> </div><br> "; } } echo "<center>"; ?> Another thing, your using div ID's when you should be using div classes.

That's a rather bold statement -- but for millions of rows, it probably doesn't matter. I know...that's why I used "probably" ant for the record it is baised purely on personal experience using MSSQL, Oracle and MySQL on a variety of different hardware setups, so don't take it as being anything close to official, accurate or anything else that could get me a law suit .

SELECT group_Id FROM table WHERE ((user_Id = #value1) AND (user_Id = #value2) AND( user_Id = #value3)) ORDER BY group_Id ASC No, index any column that you will be using alot in a WHERE statement.