greens85

Perfect, many thanks MrMarcus... Didn't expect such a simple solution! Many thanks once again

Hi All, In the interest of tightening my site security I have recently altered the way in which certain images are viewed within my application. I was originally using the following: if(!empty($row['CRB_img'])) { echo "<a href=\"../Teachers/CRBs/$row[CRB_img]\" rel=\"lightbox\"> <img src=\"images/view_crb_icon.png\" title=\"View CRB\" /></a>"; } But I have now altered it to use file_get_contents() which I have got working, but now instead of opening the image in a lightbox on the same page, it opens it in a different page. What I want to do is use file_get_contents but have it open in a lightbox on the orginal page. Original Page: my_profile.php New Page: CRB_image_permission.php my_profile.php contains the link to the view the CRB and CRB_image_permission.php is where the get_file_contents is. The code for CRB_image_permission is: <?php session_start(); ob_start(); include("teacher_includes/session_check.php"); include("../includes/database_connection.php"); $qry = "SELECT * FROM teachers WHERE username = '$username'"; $rst = mysql_query($qry) or die (mysql_error()); $row = mysql_fetch_array($rst); $teacherid = $row['teacher_id']; $CRB_Number = mysql_real_escape_string(htmlspecialchars($_GET['crb_number'])); $file_extension = pathinfo($CRB_Number); $file_extension = $file_extension['extension']; $query = "SELECT * FROM crb_information WHERE teacher_id = '$teacherid' AND CRB_img = '$CRB_Number'"; $result = mysql_query($query) or die (mysql_error()); $row = mysql_fetch_array($result); $count_rows = mysql_num_rows($result); if($count_rows == 1) { switch ($file_extension) { case "jpg": header('Content-Type: image/jpg'); echo $img = file_get_contents('../Teachers/CRBs/'.$CRB_Number); break; case "jpeg": header('Content-Type: image/jpeg'); echo $img = file_get_contents('../Teachers/CRBs/'.$CRB_Number); break; case "pjpeg": header('Content-Type: image/pjpeg'); echo $img = file_get_contents('../Teachers/CRBs/'.$CRB_Number); break; case "gif": header('Content-Type: image/gif'); echo $img = file_get_contents('../Teachers/CRBs/'.$CRB_Number); default: echo "default"; } } else { $_SESSION['permission_error'] = "<font color=\"red\">You do not have permission to view that CRB</font><br /><br />"; header("Location:my_profile.php"); exit(); } ?> Bit stumped on this one, can anyone advise. Many thanks. [EDIT] Sorry should have probably also shown how I now link to the new page: <?php if(!empty($row['CRB_img'])) { echo "<a href=\"CRB_image_permission.php?crb_number=$row[CRB_img]\"> <img src=\"images/view_crb_icon.png\" title=\"View CRB\" /></a>"; } ?>

Can I just confirm with an admin that I don't have to disclose the sites URL to get it approved? I have as per the guidance proved ownership through reporting the thread and adding in the link to the text file.

Hi All, I am coming to the end of the development on one of my sites and would like help testing for vulnerabilities. I have ran the site through Acunetix web scanner which has helped me rid the site of some issues. However this has only tackled XSS issues as it is the free version. Would anyone be kind enough to help me test this? I haven't posted the url as I don't really want it in the public domain just yet however if you can help me test then I will send you the URL in a PM. [EDIT] I have proved I am the site owner to admin via reporting my message with the link in the body of the comment. Many thanks. Greens85

Thanks for that... Ok, so I've managed to produce some sql output using your method. My SQL output now looks like this; SELECT * FROM indivdual_teachers WHERE teacher_id IN (SELECT candidate_id FROM availability_calendar WHERE (DAY = 19 AND MONTH = 04 AND YEAR = 2012 AND availability = "Available")) AND role = 'Teaching Staff' AND region = 'London' AND id IN (SELECT teacher_id FROM teacher_agencies WHERE agency = 'Education World') However going back to my original problem, I am still no clearer on how I can add a statement along the lines of; AND id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'golf') OR id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'swimming') OR id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'chess') That will return results based on those keywords but also take the rest of the query into account. I presume it's got to be along the lines of $where[] = array('AND', 'id', 'IN', '(SELECT teacher_id FROM test_cv_tags WHERE skills = '$value')'); ?

Thanks for taking time to comment it... A couple of things; foreach($arrVals as $vals){ // loop through each of the contents of the $arrVals array, assiging the content to $vals I presume here $arrVals will be each of my $_GET var... as it stands it's something like; foreach($_GET as $key=>$value){ if(strpos($key, 'availability_') == 0 and $value=='Available'){ $day = (int)str_replace('availability_', '', $key); $availability .= ' AND teacher_id IN (SELECT candidate_id FROM availability_calendar WHERE (DAY = '.$day.' AND MONTH = '.$month.' AND YEAR = '.$year.' AND availability = "Available")) '; } } // Staff Type if($_GET['staff_required'] == 'Non Teaching Staff') { $search_str[] = "role !=\"\""; } elseif($_GET['staff_required'] == 'Teaching Staff') { $search_str[] = "role=\"\""; } else { } Obviously there is a $_GET for each of my form elements. $where[] = array('WHERE', 'teacher_id', 'IN', '(SELECT candidate_id FROM availability_calendar WHERE (DAY = 19 AND MONTH = 04 AND YEAR = 2012 AND availability = "Available"))'); //assign first part of WHERE clause $where[] = array('OR', 'religion', '=', '\'North East\''); //and another Here I am a little confused, you have: (SELECT candidate_id FROM availability_calendar WHERE (DAY = 19 AND MONTH = 04 AND YEAR = 2012 AND availability = "Available") '\'North East\' These appear to be hard coded but obviously they are variables and can change depending on what was submitted as part of the form. (SELECT candidate_id FROM availability_calendar WHERE (DAY = 19 AND MONTH = 04 AND YEAR = 2012 AND availability = "Available")

Hi Muddy_Funster, Many thanks for your reply. I guess in answer to your question, the only reason I won't have done it in that way is because I simply don't have the knowledge of PHP. I just put it together in a way I understood and one where I could get it to work. I have looked at your example and to be honest, not really fully understanding it just yet. That said, if I did get it working in that manner.. I still wouldn't understand how to integrate the OR parts... In between my post and your response I did managed to change the AND's to OR's however it seems like it is just picking anything where the skills match and ignoring the rest of the query. e.g. SELECT * FROM indivdual_teachers WHERE 1=1 AND role="" AND region = 'North West' AND id IN (SELECT teacher_id FROM teacher_agencies WHERE agency = 'Academic Appointments') AND id IN (SELECT teacher_id FROM teacher_specialisms WHERE specalism = 'Early Years') AND id IN (SELECT teacher_id FROM teacher_additional_subjects WHERE subject = 'Drama') AND avg_behaviour_management >= 4 AND avg_teaching_ability >= 5 AND avg_preperation_planning >= 5 AND avg_professionalism >= 5 AND id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'golf') OR id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'swimming') OR id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'chess') AND public_profile = 'Yes' ORDER BY avg_overall DESC In this example, if they have a skills of swimming they will be returned in the results despite the fact that their region isn't North West and they don't specialise in Early Years or Drama.

Hi, I'm not sure if this should be posted in the PHP forum or the mySQL forum as it's a bit of both to be honest. Basically I am generating what I think is a fairly complex SQL statement (although I'm by no means a mySQL master so it might not be that complex) through the use of PHP. The PHP that is generating the statement looks like so: // Availability $availability = 'SELECT * FROM indivdual_teachers WHERE 1=1'; foreach($_GET as $key=>$value){ if(strpos($key, 'availability_') == 0 and $value=='Available'){ $day = (int)str_replace('availability_', '', $key); $availability .= ' AND teacher_id IN (SELECT candidate_id FROM availability_calendar WHERE (DAY = '.$day.' AND MONTH = '.$month.' AND YEAR = '.$year.' AND availability = "Available")) '; } } // Staff Yype if($_GET['staff_required'] == 'Non Teaching Staff') { $search_str[] = "role !=\"\""; } elseif($_GET['staff_required'] == 'Teaching Staff') { $search_str[] = "role=\"\""; } else { } // Lives in... if(!empty($_GET['location'])) { $location = mysql_real_escape_string($_GET['location']); $search_str[] = "address2 LIKE '%$location%' OR city LIKE '%$location%'"; } elseif(!empty($_GET['region'])) { $region = mysql_real_escape_string($_GET['region']); $search_str[] = "region = '$region'"; } else { // They don't want to search on lives in... so do nothing } // Registered with... if(!empty($_GET['LA'])) { $local_authority = mysql_real_escape_string($_GET['LA']); $search_str[] = "id IN (SELECT teacher_id FROM teacher_LEAs WHERE LEA = '$local_authority')"; } elseif (!empty($_GET['Agency'])) { $agency = mysql_real_escape_string($_GET['Agency']); $search_str[] = "id IN (SELECT teacher_id FROM teacher_agencies WHERE agency = '$agency')"; } else { // They don't want to search on registered with... so do nothing } $total = $_GET["keywords"]; $keyarr = explode(',',$total); // In order to process this array values here is the code foreach($keyarr as $key=>$value) { // becareful to check the value for empty line $value = trim($value); if (!empty($value)) { $search_str[] = "id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = '$value')"; } } // Subject/Specalism if(!empty($_GET['subject'])) { $subject = mysql_real_escape_string($_GET['subject']); $search_str[] = "id IN (SELECT teacher_id FROM teacher_specialisms WHERE specalism = '$subject')"; } if(!empty($_GET['additional_subject'])) { $additional_subject = mysql_real_escape_string($_GET['additional_subject']); $search_str[] = "id IN (SELECT teacher_id FROM teacher_additional_subjects WHERE subject = '$additional_subject')"; } // Ranking if(!empty($_GET['overall'])) { $overall = mysql_real_escape_string($_GET['overall']); $search_str[] = "avg_overall >= $overall "; } else { if(!empty($_GET['behaviour'])) { $behaviour = mysql_real_escape_string($_GET['behaviour']); $search_str[] = "avg_behaviour_management >= $behaviour "; } if(!empty($_GET['ability'])) { $ability = mysql_real_escape_string($_GET['ability']); $search_str[] = "avg_teaching_ability >= $ability "; } if(!empty($_GET['planning'])) { $planning = mysql_real_escape_string($_GET['planning']); $search_str[] = "avg_preperation_planning >= $planning "; } if(!empty($_GET['professional'])) { $professionalism = mysql_real_escape_string($_GET['professional']); $search_str[] = "avg_professionalism >= $professionalism "; } } This is all brought together like so; if(!empty($search_str)){ $sql = "$availability AND ".join(" AND ", $search_str)." AND public_profile = 'Yes' ORDER BY avg_overall DESC"; echo $sql; } else { $sql = "$availability AND public_profile = 'Yes' ORDER BY avg_overall DESC"; echo $sql; } When I complete my form and echo the completed query it looks something like this; SELECT * FROM indivdual_teachers WHERE 1=1 AND teacher_id IN (SELECT candidate_id FROM availability_calendar WHERE (DAY = 19 AND MONTH = 04 AND YEAR = 2012 AND availability = "Available")) AND role="" AND region = 'North East' AND id IN (SELECT teacher_id FROM teacher_agencies WHERE agency = 'Education World') AND id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'french') [color=red]AND[/color] id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'golf') [color=red]AND[/color] id IN (SELECT teacher_id FROM test_cv_tags WHERE skills = 'spanish') AND id IN (SELECT teacher_id FROM teacher_specialisms WHERE specalism = 'Accounting') AND id IN (SELECT teacher_id FROM teacher_additional_subjects WHERE subject = 'Art') AND avg_behaviour_management >= 5 AND avg_teaching_ability >= 5 AND avg_preperation_planning >= 5 AND avg_professionalism >= 5 AND public_profile = 'Yes' ORDER BY avg_overall DESC The problem I have is that the part I have highlighted in red should actually be an OR statement in order for the query to work as intended. I realise why it is an AND statement, simply because it is using this (highlighted in green). I can't simply change the green AND to an OR because that would cause the rest of my query to misfunction; $sql = "$availability AND ".join(" [color=green]AND[/color] ", $search_str)." AND public_profile = 'Yes' ORDER BY avg_overall DESC"; However I have been unable to resolve the issue. Would someone be kind enough to offer me some advice/guidance here? Many thanks.

Hi all, I'm not sure if this is a PHP question or javascript, so if it needs to be moved can an admin please do so... Anyway, basically I have the following code: <a href = "javascript:void(0)" onclick = "document.getElementById('light').style.display='block';document.getElementById('fade').style.display='block'">View Availability</a> This pops up a divs with a black alpha background, so that it appears the new content is displaying over the top of the current content. This all works fine, however the content I am displaying in the top level div is (or should be) dynamic. In order for the content to be useful I need to grab the id. Normally I would simply do this: <a href = "[b]url.php?uniqueidentifier=<?php echo $row['id'];?>[/b]" onclick = "document.getElementById('light').style.display='block';document.getElementById('fade').style.display='block'">View Availability</a> However what happens in this instance is that the page loads with the javascript and the id in the url but it then disappears... Has anyone got any ideas on how I might be able to get around this? Many thanks, Greens85

Hi All, I guess there must be someway to do this with regex, but I'm not too hot on regex. What I want to do is check a text area for the presence of a phone number, and if it is there remove it. Ideally I don't want to remove all number as there might be a need for them to use a number, for example... I am 25 years old would be fine, but entering their number wouldn't be. Is there anyway of tacking this with regex, or is it going to be tricky? Many thanks, Greens85

Hi all, Think I might have made some progress with this with the following if statement: if($daily == $current_timestamp) { echo "I need to be alerted"; } else { echo "I don't need to be alerted"; } Hard to test when I'm working with days in advance though

Hi all, I am trying to produce a script that will send out an email but the user can basically choose how often they get this email... I want to give them the option of daily, weekly and monthly. I have the logic down on paper and in plain English it seems to make sense but I am having a hard time converting this to code: My logic is: 1. find out how often they want to get the email (we will call this frequency, as thats what my database field is called) 2. drag out last updated timestamp (this is called last_updated and is a unix timestamp) 3. some form of compare i.e. if frequency is weekly and $today is 7 days after last reminded alert them as I say this makes sense in plain English but I'm having a hard time converting it... this is what I have come up with so far: <?php // Connect include("../connect.php"); $query = "SELECT * FROM resumes_bak WHERE jobseekerid = '2610'"; $result = mysql_query($query) or die (mysql_error()); while ($row = mysql_fetch_array($result)) { $current_timestamp = time(); echo "Current Timestamp: ".$current_timestamp; echo "<br /><br />"; $frequency = $row['frequency']; echo "Frequency is: ".$frequency; echo "<br /><br />"; $lastReminded = $row['last_reminded']; echo "Last reminded: ".$lastReminded; echo "<br /><br />"; $daily = strtotime('+1 day', $lastReminded); echo "One day forward: ".$daily; echo "<br />"; $weekly = strtotime('+1 week', $lastReminded); echo "One week forward: ".$weekly; echo "<br />"; $monthly = strtotime('+1 month', $lastReminded); echo "One month forward: ".$monthly; echo "<br /><br />"; if($frequency = 'daily' && /* I THINK I NEED ADDITIONAL CLAUSES IN HERE TO DO THE COMPARISON */ ) { echo "I am daily"; } elseif ($frequency = 'weekly') { echo "I am weekly"; } else { echo "I am monthly"; } } ?> Can anybody help me on my way here, I seem to have hit a wall! Many thanks, Greens85

Ah, silly me... The query actually looks fine, SELECT count(*) FROM jobs WHERE category LIKE '%Business Manager/Bursar Jobs%' AND category LIKE '%Cover Supervisor Jobs%' AND category in ('Business Manager/Bursar Jobs','Cover Supervisor Jobs') AND subcounty LIKE '%London%' AND subcounty in ('London') so maybe I am just trying it against the wrong records. Now I can see this, I should be able to figure it out... Many thanks for your help.

Hi, Many thanks for your reply... I get this output: Resource id #7 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /path/to/file/alertTest.php on line 114 So I'm not actually seeing the sql result unfortunatley... I have been experimenting since my post and came up with this: $result = mysql_query("SELECT count(*) FROM jobs WHERE category IN ($strs)"); which actually works but when i try and add a second element i.e. $result = mysql_query("SELECT count(*) FROM jobs WHERE category IN ($strs) AND subcounty IN ($strs)"); It fails!

Hi All, I inherited some code as part of a bought website, I am trying to convert it to make it better and add functionality... however I am having a hard time trying to figure out what is going on in one particular section of code. In short there is basically a block of PHP which is producing a SQL statement, but the SQL always returns 0 results. I can't figure out why this is because I can't figure out what the PHP is producing. Would someone with my knowledge than me be kind enough to take a look and advise me where possible? This is the part doing the generating: // IF THE CATEGORY FIELD IS NOT EMPTY if (!empty($row['category'])) { // EXPLODE THE ARRAY ON , $strArr = explode(",",$row['category']); // FOR EACH ONE for($i=0; $i<sizeof($strArr); $i++) { $str = trim($strArr[$i]); $strs .= "'".trim($strArr[$i])."',"; $sch[] = "category LIKE '%$str%'"; } echo "Categories in the array are: ". $strs; echo "<br /><br />"; $strs = substr($strs,0,-1); $sch[] = "category in ($strs)"; } // IF THE SUBCOUNTY FIELD IS NOT EMPTY if(!empty($row['subcounty'])) { // EXPLODE THE ARRAY ON , $strArr = explode(",",$row['subcounty']); // FOR EACH ONE for($i=0; $i<sizeof($strArr); $i++) { $str = trim($strArr[$i]); $strs2 .= "'".trim($strArr[$i])."',"; $sch[] = "subcounty LIKE '%$str%'"; } echo "SubCounties in the array are: ". $strs2; echo "<br /><br />"; $strs2 = substr($strs2,0,-1); $sch[] = "subcounty in ($strs2)"; } // IF THE TITLE FIELD IS NOT EMPTY if(!empty($row['title'])) { // JOIN SEARCH TERM TO THE ARRAY $sch[] = "(position LIKE '%$row[title]%' || description LIKE '%$row[title]%')"; echo "The title is: ".$row['title']; echo "<br /><br />"; } And this is the SQL part that always returns blank: // COUNT THE AMOUNT OF RESULTS THEN SELECT THE JOBS FROM THE DATABASE $result = mysql_query("SELECT count(*) FROM jobs ". (($sch)?"WHERE ".join(" AND ", $sch):"").""); $total = mysql_result($result, 0); $r9 = mysql_query("SELECT * FROM jobs ".(($sch)?"WHERE ".join(" and ", $sch):"")." ORDER BY jobid DESC"); echo "The count is: " . $total; echo "<br /><br />"; Any help would be appreciated, Many thanks, Greens85