yaMz

Member, 21 posts
Everything posted by yaMz

  1. Only the server and FTP can read PHP files. Also, to answer your security needs: SSL.
  2. It helps to use the [ code ] snips.

     Code:
       <form method="post" action="cartnisya.php">
         <table border="0" align="right">
           <tr>
             <td>Username:</td>
             <td><input type="text" name="Username"></td>
           </tr>
           <tr>
             <td>&nbsp;</td>
             <td>&nbsp;</td>
           </tr>
           <tr>
             <td>Password:</td>
             <td><input type="password" name="Password"></td>
           </tr>
           <tr>
             <td>&nbsp;</td>
             <td colspan="2" align="center"><input type="submit" name="submit" value="Submit"></td>
           </tr>
         </table>
         <img src="Vinnex1.jpg">
       </form>

     It will then go to the PHP code:

     Code:
       <?php
       $db = mysql_connect("localhost", "root", "");
       mysql_select_db("vinnex", $db);

       // Escape the posted username before it goes into a query.
       $Username = mysql_real_escape_string($_POST['Username'], $db);
       // echo $Username; // is this necessary in a processing file? Any output here would also break the header() redirect below.

       $result = mysql_query("SELECT TransNo FROM transaction", $db);
       $myrow  = mysql_fetch_array($result);

       if ($myrow == null) { // null is script friendly :]
           $TransNo = '1000';
       } else {
           $sql     = mysql_query("SELECT MAX(TransNo) AS maxTransNo FROM transaction", $db); // added as statement
           $myrow1  = mysql_fetch_array($sql);
           $TransNo = $myrow1['maxTransNo'] + 1;
       }

       // Pull the customer record for the posted username.
       $sql       = mysql_query("SELECT * FROM customer WHERE Username='$Username'", $db);
       $myrow1    = mysql_fetch_array($sql);
       $Username  = $myrow1['Username'];
       $Firstname = $myrow1['Firstname'];
       $Lastname  = $myrow1['Lastname'];
       $name      = "$Firstname $Lastname"; // first last
       $Date      = date('m/d/y');

       // fixed spacing in insert statement primary cause
       // you are inserting data into table: temptransaction, pulled from customer
       $sql1   = "INSERT INTO temptransaction (TransNo, Username, Firstname, Date)
                  VALUES ('$TransNo', '$Username', '$Firstname', '$Date')";
       $result = mysql_query($sql1) or die(mysql_error());

       header("Location: /orderproduct.html"); // added header redirect
       exit;
       ?>
       <!-- Removed meta refresh... this method should be considered deprecated in html coding xD -->

     The table for your users is "Username", not "username", correct?
  3. Since you are using $_GET, the information can be altered by input. Small example: someone sends a query directly from their browser:

       http://yoursite.com/script.php?id=1<?phpinfo();?>

     Code:
       <?php echo "<input type='hidden' name='id' value='{$_GET['id']}'>"; ?>

     will now output:

       <input type='hidden' name='id' value='1<?phpinfo();?>'>

     This would allow them to view your php.ini settings. This would only be the beginning.

     Code:
       <?php
       include("admin_menu.php");
       // if ID is to only return numbers, it'd be simpler to:
       $id = preg_replace('/[^0-9]/', '', $_GET['id']);
       // and
       $news = mysql_real_escape_string(strip_tags($_GET['news']));
  4. Nudge http://php.net/manual/en/control-structures.foreach.php
  5. I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private". If so, the upload location is then (exampled as):

       _domain_/private-folder/$randomfolder

     Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, and a .htaccess file is created like so (info to add to the new .htaccess):

     Code:
       <files "*.*">
           Deny from All
       </files>
       <files "*.*">
           Allow from $domains
       </files>

     The string $domains is the domains they enter, each separated by a new line in a form textarea. The problem: how can I make sure this is safe? i.e. I want the string to be obviously proofed with PHP so that no matter what they input, only domains will be output. I need the perfect regular expression set to ensure the .htaccess for their folder will only contain domains and end on that note.
  6. http://sourceforge.net/projects/phpexcelreader/
  7. This is very unsafe code practice:

     Code:
       <?php
       $id   = $_GET['id'];   // allows injection
       $news = $_GET['news']; // allows injection
       // consider mysql_real_escape_string() and strip_tags()
       ?>
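     The unsafe pattern from this post and from post 3 above, beside a hardened version, as an added example that is not code from the original thread. It assumes a hypothetical table `news` with an integer `id` column and uses an in-memory SQLite database through PDO (the pdo_sqlite extension) so it runs stand-alone; `validate_id`, `unsafe_lookup` and `safe_lookup` are names chosen here. One caveat on post 3: PHP does not execute `<?php ... ?>` tags that are echoed into a response, so what a reflected `$_GET['id']` gives the attacker is HTML and script injection into the page, which escaping on output closes; the SQL side is closed by a prepared statement rather than by stripping characters.

```php
<?php
// Added example, not code from the original thread.
// Assumes a table "news(id INTEGER, title TEXT)" (hypothetical) and pdo_sqlite.
declare(strict_types=1);

// --- Unsafe: request data concatenated into SQL and into HTML ---
function unsafe_lookup(PDO $db, array $get): string
{
    $id  = $get['id'];                                  // attacker-controlled
    $sql = "SELECT title FROM news WHERE id = $id";    // SQL injection
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    $title = $row ? (string) $row['title'] : '';
    // Reflecting $id unescaped into an attribute is HTML/script injection.
    return "<input type='hidden' name='id' value='{$id}'>" . $title;
}

// --- Hardened ---
function validate_id($value): int
{
    // Accept only a short string of decimal digits; reject everything
    // else instead of stripping characters out of it.
    if (!is_string($value) || !ctype_digit($value) || strlen($value) > 10) {
        throw new InvalidArgumentException('invalid id');
    }
    return (int) $value;
}

function safe_lookup(PDO $db, array $get): string
{
    $id = validate_id($get['id'] ?? '');
    // Prepared statement: the value is bound, never spliced into SQL text.
    $stmt = $db->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    // Escape on output for the HTML context the value lands in.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='hidden' name='id' value='" . $h((string) $id) . "'>"
         . $h($title === false ? '' : (string) $title);
}

// Self-contained demo with constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (id, title) VALUES (1, 'Hello'), (2, 'Unpublished <b>draft</b>')");

echo safe_lookup($db, ['id' => '2']), PHP_EOL;          // title is escaped on output

try {
    safe_lookup($db, ['id' => '999 OR 1=1']);            // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The same payload reaches the query in the unsafe version and returns a
// row although no id 999 exists, and the payload is echoed back raw.
echo unsafe_lookup($db, ['id' => '999 OR 1=1']), PHP_EOL;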
  8. Hmm, well if your host allows it you could always run a background daemon. I don't have any experience in this sort of programming, so I can't really help you. Maybe someone else can, if not: [google] http://bipinb.com/making-php-program-as-daemon.htm
  9. Code:
       <?php
       function getglobal() {
           global $my_global;
           // variable $foobar is not defined, therefore commenting the line below out
           // echo "The value of \$foobar is '$foobar' <br />";
           echo "The value of \$my_global is '$my_global' <br />";
       }
       $my_global = 20;
       getglobal();
       ?>

     The above will output:

       The value of $my_global is '20'
  10. I'm confused as to what you are updating; however, AJAX is the solution for you. Google: XMLHttpRequest
  11. Better yet:

      Code:
        <noscript><?php echo "Server Time: " . date('H:i:s'); ?></noscript>

      Edit: I have to admit I haven't been fair to you. You mentioned Google Analytics, which made me think: duh -> IP -> trace -> timezone.

      Code:
        $region = geoip_region_by_name($_SERVER['REMOTE_ADDR']);
        $zone   = geoip_time_zone_by_country_and_region($region['country_code'], $region['region']);

      However, this method is not as accurate as you'd like; javascript -> ajax -> php is more accurate, and the most accurate is asking the user.
  12. <noscript>Please enable Javascript</noscript>
  13. You could use JavaScript to easily get the user's time and store it as $_SESSION['time']. As long as you don't have a problem with users being able to change their time... or if their time is incorrect, then their true location wouldn't match your function's location for them.
  14. How then would I allow their file to be executed from only their domain, and not viewable otherwise? i.e. file: _domain/encoded_directory/myfile.js
  15. The existence doesn't bother me. Anyway, I'm a bit rusty. If you will, what specific set of expressions should I run on the string to ensure they won't add .htaccess lines of their own? A non-bypassable expression set is what I'm finding difficult to create.
  16. This code will return this information only to the user who is logged in and has their username set in the $_SESSION global. From what I understand, you want this information to be viewed by anyone, displaying the info from the database. Simply:

      Code:
        <?php
        session_start();
        mysql_connect("localhost", "root") or die(mysql_error());
        mysql_select_db("hireacoder") or die(mysql_error());

        if (isset($_GET['id'])) {
            $user = mysql_real_escape_string(strip_tags($_GET['id']));
        } else {
            // do something else, i.e.
            // $user = NULL;
            // header("Location: /users.php");
            // exit;
        }

        $sql = mysql_query("SELECT * FROM users WHERE id='$user'");
        $row = mysql_fetch_assoc($sql);
        echo $row['username'];
        echo '<br>';
        echo $row['fname'];
        echo '<br>';
        echo $row['lname'];
        echo '<a href="users.php">Users</a>';
        ?>
  17. I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private". If so, the upload location is then (exampled as):

        _domain_/private-folder/$randomfolder

      Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, and a .htaccess file is created like so (info to add to the new .htaccess):

      Code:
        <files "*.*">
            Deny from All
        </files>
        <files "*.*">
            Allow from $domains
        </files>

      The string $domains is the domains they enter, each separated by a new line in a form textarea. The problem: how can I make sure this is safe? i.e. I want the string to be obviously proofed with PHP so that no matter what they input, only domains will be output. I don't need code written for me (maybe); I'm just unsure of the necessary methods I should use.
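      One way to do the validation asked for in posts 5, 15 and 17, as an added example that is not code from the original thread: instead of trying to strip bad characters out of the textarea, each line is matched in full against a hostname pattern and anything that does not match is dropped, so no directive, comment marker or path can reach the .htaccess file. `HOSTNAME_RE`, `extract_domains`, `build_htaccess` and `write_private_htaccess` are names chosen here, the generated directives use the Apache 2.2 mod_authz_host syntax from the post (Apache 2.4 would use `Require host ...`), and the sample textarea at the bottom is constructed. One caveat relevant to post 14: Apache matches `Allow from example.com` against the reverse-DNS name of the requesting client's IP address, not against the site that linked or embedded the file, so this restricts which visitors may fetch the file, not which pages may load it.

```php
<?php
// Added example (not from the original posts): turn a textarea of
// "one domain per line" into a per-folder .htaccess without letting
// any other text reach the file. Function and constant names are hypothetical.
declare(strict_types=1);

// One hostname: 1-63 char labels of letters, digits and hyphens (no
// leading/trailing hyphen), at least one dot, alphabetic TLD. Anchored to
// the whole string (\A...\z), so spaces, '#', '/', newlines, IP literals
// and lines such as "Allow from all" can never pass. IDNs must be
// punycoded before they get here.
const HOSTNAME_RE = '/\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/';

/** Return the unique, lower-cased lines that are valid hostnames; drop the rest. */
function extract_domains(string $raw): array
{
    $seen = [];
    foreach (preg_split('/\R/', $raw) as $line) {   // \R covers \r\n, \n and \r
        $host = strtolower(trim($line));
        if ($host === '' || strlen($host) > 253 || !preg_match(HOSTNAME_RE, $host)) {
            continue;                                 // reject; never try to "clean"
        }
        $seen[$host] = true;
    }
    return array_keys($seen);
}

/** Apache 2.2 mod_authz_host directives, as in the original post. */
function build_htaccess(array $domains): string
{
    $out = "Order Deny,Allow\nDeny from all\n";
    foreach ($domains as $host) {
        // $host already matched HOSTNAME_RE, so it cannot carry a newline or '#'.
        $out .= "Allow from {$host}\n";
    }
    return $out;
}

/** Write the file atomically into the upload folder; returns the domains used. */
function write_private_htaccess(string $dir, string $raw): array
{
    $domains = extract_domains($raw);
    if ($domains === []) {
        throw new InvalidArgumentException('no valid domains supplied');
    }
    if (!is_dir($dir)) {
        throw new RuntimeException("not a directory: {$dir}");
    }
    $target = rtrim($dir, '/') . '/.htaccess';
    $tmp    = $target . '.' . bin2hex(random_bytes(8)) . '.tmp';
    if (file_put_contents($tmp, build_htaccess($domains), LOCK_EX) === false || !rename($tmp, $target)) {
        @unlink($tmp);
        throw new RuntimeException("could not write {$target}");
    }
    return $domains;
}

// Constructed sample textarea: two usable lines mixed with junk, an IP
// literal and attempted directive injection. Nothing is written to disk here.
$raw = "Example.COM\r\nsub.example.org\n\nAllow from all\nevil.com # note\n"
     . "../../etc/passwd\nphp_value auto_prepend_file /tmp/x\n1.2.3.4\nnot_a_domain\n";

print_r(extract_domains($raw));
echo build_htaccess(extract_domains($raw));
```

      Only the two hostname lines survive `extract_domains`; the directive, comment, path, IP and single-label lines fail the anchored match and are discarded rather than rewritten. The temp-file-and-rename write keeps a half-written .htaccess from ever being served, and the directives only take effect if the server's `AllowOverride` permits `Limit` for that directory.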