Posts by cereal

Consider also the PDO library, it supports more databases: MySQLi is limited to MySQL and his forks, while PDO can query MySQL, Oracle, SQlite, PostgreSQL, MSSQL and others.

That way you can change database without worrying about rewriting all the code with the specific extensions.

You can use preg_match(), an example:

<?php

$string = "Decrypt the following random string: O2tsOGJeLj0saj07ODM1IQ==";

preg_match('/:\s(.*)/', $string, $match);

print_r($match[1]);

The pattern /:\s(.*)/ searches the string after :, but you could also use explode():

$res = explode(':', $string);
echo trim($res[1]);

Docs:

• http://php.net/preg_match
• http://php.net/explode
• http://php.net/trim

Interesting thread. In Yahoo mail when you set the password you are not allowed to use the characters included in the username, no matter if you're using only one of those characters and this check is case insensitive. But they still want at least an uppercase character. In my opinion this solution is self-defeating because an attacker will know what characters can omit from the bruteforce.

For example, if the username is deceptikon we can exclude 18 characters: decptikon and DECPTIKON, if the minimum password length is 8, then it translates to:

((44^8) * 100) / (62^8)

Where 62 is a-zA-Z0-9. It means that, by excluding the known characters, the combinations to check can be reduced to 6.43% of the total, which is a huge difference. Not only this, but increasing the lenght, the range will continue to drop: with a length of 12, the combinations to check will be only 1.63% of the total (62^12), it will be always a big number of combinations, but why they exclude those characters, I don't see the logic of this decision. Or my observations are wrong?

EDIT
Ok, I'm probably wrong, because actually there's a condition: if you choose more than one character equal to the username, then the password cannot be used. So is much more complicated, but you still know that you can exclude all those combinations that include at least 2 of the username characters, if you apply this to a dictionary you can limit a …

Change line 12 to:

if ($redirect === true) {

And change the single quotes with double quotes on line 13:

header("Location:$redirect_page");

Docs: http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing

can we not create Tables using PHP code?

Yes, it is possible, but you need a persistent connection otherwise create this table with another engine, you could use the memory engine for example, it should work fine because is deleted when the server is reloaded or when you drop the table.

Also, you should move to MySQLi or PDO, the MySQL library is going to be removed from PHP.

I'm glad it's fine, bye! :)

@Mohamed don't worry about her, she's a spammer.

Regarding your problem, try to change this:

$result_selecttemptable = mysql_query( $query_selecttemptable,$dbhandle);
$row_selecttemptable = mysql_fetch_array($result_selecttemptable, $dbhandle);
while($row_selecttemptable = mysql_fetch_array($result_selecttemptable, $dbhandle)){
      echo $row_selecttemptable
      or die mysql_error("Error");
  }

To:

$result_selecttemptable = mysql_query($query_selecttemptable,$dbhandle) or die(mysql_error());

while($row_selecttemptable = mysql_fetch_array($result_selecttemptable))
{
    echo $row_selecttemptable['ArtistName'];
}

Same here on:

• Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
• Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:26.0) Gecko/20100101 Firefox/26.0

I've seen this in many threads in the last few days.

The big problem here is that cells_num, grid_num and cell_weight do not have a suffix, as the others, that would simplify a lot the game. Anyway, if these groups are of fixed length you can split them and then rearrange as you like. An example:

<?php

include 'array.php';

function ohoh($a, $needle)
{
    $result = array();
    $i = 0;
    foreach($a as $key => $value)
    {
        foreach($value as $kv => $vv)
        {
            preg_match("(.*title|.*content)", $kv, $res);
            if(count($res))
            {
                $result[$i][$res[0]] = $vv;
                if(strstr($res[0], 'content')) $i++;
            }

            preg_match('/(grid_num|cells_num|cell_weight)/', $kv, $rs);
            if(count($rs) > 0) $result[$kv] = $vv;
        }
    }

    return $result;
}

function fire($a, $keys)
{
    $length = count($a) / count($keys);
    $arrays = array_chunk($a, $length);
    $result = array();

    $i = 0;
    foreach($arrays as $array)
    {
        $result[]['tabs'] = ohoh($array, $keys[$i]);
        $i++;
    }

    return $result;
}

$keys = array('rEXMp', '3T2IV');

echo "<pre>";
print_r(fire($a, $keys));
echo "</pre>";

Will print:

Array
(
    [0] => Array
        (
            [tabs] => Array
                (
                    [0] => Array
                        (
                            [tab-title] => tab-1
                            [tab-content] => tab-1 content
                        )

                    [1] => Array
                        (
                            [tab-title] => tab-2
                            [tab-content] => tab-2 content
                        )

                    [2] => Array
                        (
                            [tab-title] => tab-3
                            [tab-content] => tab-3 content
                        )

                    [cells_num] => 1
                    [grid_num] => 0
                    [cell_weight] => 100%
                )

        )

    [1] => Array
        (
            [tabs] => Array
                (
                    [0] => Array
                        (
                            [tab-title] => tab-4
                            [tab-content] => tab-4 content
                        )

                    [1] => Array
                        (
                            [tab-title] => tab-5
                            [tab-content] => tab-5 content
                        )

                    [2] => Array
                        (
                            [tab-title] => tab-6
                            [tab-content] => tab-6 content
                        )

                    [cells_num] => 1
                    [grid_num] => 1
                    [cell_weight] => …

A small correction: you cannot compare booleans with integers, otherwise you get unexpected results. An example:

$a['foo'] = FALSE;
echo (int)$a['foo'] !== FALSE ? 'true':'false';

The problem here is given by (int). The comparison will translate to 0 !== FALSE which returns true instead of false, the same happens if the value is NULL.

There is a little typo at line 6, the closing parenthesis is after the double quote, so it is outside the query expression. Change it with this:

$wpdb->get_row("SELECT name FROM country WHERE parent IN (SELECT parent FROM country WHERE name == '$page_name')");

Start from the database, for example MySQL: when you enter something, if the table has a primary key and this is numeric and increments automatically, i.e.:

id int(10) primary key autoincrement not null

then you can use last_insert_id() to get the last data entered in the table. The above is a MySQL function, but you can get the same result with the libraries provided by PHP, or you can simply query after you do an insert:

select last_insert_id();

Now, if you want to display data related to a specific user, for a specific user then create a authorization procedure to create a session, for example a login form. When the script validates the request, start a session in which you save the ID of the user:

$_SESSION['userID'] = $row['id'];

And redirect the user to the restricted area, here you can use the header():

header('Location: /profile');

So if we want to create a simple form:

<form method="post" action="/login.php">
    username <input type="text" name="username" /><br />
    password <input type="password" name="password" /> <br />
    <input type="submit" name="submit" value="login" />
</form>

And the login.php page:

<?php

    session_start();

    if($_POST && array_key_exists('username', $_POST) && array_key_exists('password', $_POST))
    {
        $sql = new PDO('mysql:host=localhost;dbname=test', 'username', 'password');
        $sql->prepare("select id from users where username = ? AND password = ? limit 1");
        $sql->execute(array($_POST['username'], sha1($_POST['password'])));

        if($sql->rowCount() > 0)
        {
            $result = $sql->fetch(PDO::FETCH_ASSOC);
            $_SESSION['userID'] = $result['id'];

            header("Location: /profile.php");
        }
        else
        {
            # back to the login form
            header("Location: $_SERVER[HTTP_REFERER]");
        }
    }
    else
    {
        echo 'Not allowed';
    }

The …

The problem is given by the double quotes inside the date function, you're breaking the quotes of the echoed string, if you escape them then it will print the line without executing the code.

So, you can get the output by setting a variable and include it in the string:

$date = date("Y/m/d");
echo "<div class='date'>$date</div>";
echo '<div class=\'date\'>$date</div>';

Check the output of the above example. Do you see the differences between single and double quotes? Here's the documentation:

• http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing

An alternative syntax:

echo "<div class='date'>" . date("Y/m/d") . "</div>";

The variable values, in this case, must be strings, so surround them with quotes:

$dbhost = "sql.domain.tld";
$dbuser = "username";
$dbpass = "password";

The port value can be submitted as integer, so you can omit the quotes. Anyhow, by adding mysql_error() you should be able to see the error.

Since you're rewriting the code I suggest you to switch to PDO or MySQLi libraries, because the one you're currently using is going to be removed from PHP, so check:

• http://php.net/pdo
• http://www.php.net/mysqli

Yes, in the arrays you start to count from zero, you can see all the structure by using print_r():

print_r($file);

The second xml file is not correct, here's the fixed version:

<?xml version="1.0" ?>
<sys>
    <major>
        <id>1</id>
        <point>Tower</point>
    </major>
    <major>
        <id>2</id>
        <point>Castle</point>
    </major>
</sys>

Now, you basically get an object array, so:

echo $file->major[0]->id . ' ' . $file->major[0]->point;

And if you loop it:

foreach($file as $key => $value)
{
    if($value->id == 1) echo $value->point;
}

You get the same results.

Ok, I got it, it happens because you have to encode & in the query string, try with:

echo rawurlencode("http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]");

It should work fine.

You're welcome!

Yes, because the update query would return only the affected rows. So, the complete version would be:

$stmt = $mysqli->prepare("UPDATE brick FROM goodship WHERE name = ?");
$stmt->bind_param('s', $_SESSION['id']);
$stmt->execute();

if($stmt->affected_rows() > 0)
{
    # continue
}

Where the s in the bind_param method stands for string, if the id is a digit, then change it to: i for integer, d for double.

• http://www.php.net/manual/en/mysqli-stmt.bind-param.php
• http://www.php.net/manual/en/mysqli-stmt.affected-rows.php

Bye!

You're using an array, so you have to surround it with parentheses, otherwise you have to escape the single quotes:

mysqli_query($con,"UPDATE goodship SET brick=brick+1 WHERE id = {$_COOKIE['id']}");

In addition, use prepared statements, otherwise a user can push in arbitrary code:

• http://www.php.net/manual/en/mysqli.prepare.php

There are some variables that are not set, for example at line 10:

$upload_path = $uploaddir;

Where is the value of $uploaddir?

At line 3, instead:

$userfile = $_POST['user_profile_image'];

You're expecting a value from POST, but in the form this input field is file type:

<input type="file" name="user_profile_image">

So, it will be handled by the $_FILES array, check these examples:

• http://www.php.net/manual/en/features.file-upload.post-method.php

At line 12:

$filename = $_FILES['userfile']['name'];

But the form will send user_profile_image.

At line 16, you have another missing variable $allowed_filetypes which should be an array like this:

$allowed_filetypes = array('jpg', 'jpeg');

Read the above link with the examples and try to rewrite your script.

The only method to be sure, is to remove the code. When there is an embedded script, in case of a jpeg file, this is written in the FF FE bytes block, which is the area used by the softwares to save comments, metadata and other stuff:

• http://en.wikipedia.org/wiki/JPEG#Syntax_and_structure
• http://dev.exiv2.org/projects/exiv2/wiki/The_Metadata_in_JPEG_files

An easy method is to use commands like jpetran:

jpeptran -copy none original.jpg > new.jpg

Otherwise, you could read the file, byte per byte and remove all the contents from FF FE to the next marker.

A part this, place the original file inside a directory that is not accessible to the user. Serve a resized image, the resizing process most of the times will remove the comment block, but pay attention to this:

convert -thumbnail …

Try with $row[0] and $row[1], the fetch row method returns a numeric array, use fetch_assoc() if you want to use the column names:

• http://www.php.net/manual/en/mysqli-result.fetch-assoc.php

You can use file_get_contents() to get the link contents, and curl to upload the file and receive the response. Here's a rough example:

<?php

$fast = json_decode(file_get_contents('http://www.multiup.org/api/get-fastest-server'));

if($fast->error !== 'success') die('Error!');

$url = file_get_contents('http://upload.wikimedia.org/wikipedia/commons/a/ac/SubtractiveColorMixing.png');
$tmpfile = tempnam("/tmp", "FOO");
$filearray = array('files[]'=>'@'.$tmpfile);

$handle = fopen($tmpfile, "w");
fwrite($handle, $url);
fclose($handle);

$file = array('files[]'=>'@'.$tmpfile);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$fast->server);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $filearray);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$result = curl_exec($ch);
curl_close ($ch);

$return = json_decode($result, true);

print_r($return);
echo $return[0]['url'] . PHP_EOL;

This will return an array, from this you can access to the download page:

echo $return[0]['url'];

An example of output:

Array
(
    [0] => Array
        (
            [name] => FOONS4eNq
            [hash] => 565aea34369244f52ab108c12f98300f
            [size] => 7276
            [type] => application/octet-stream
            [sid] => 
            [hashUpload] => 
            [md5] => .
            [sha] => .
            [user] => 
            [url] => http://www.multiup.org/download/565aea34369244f52ab108c12f98300f/FOONS4eNq
            [delete_url] => http://squeeze.multiup.org/upload/?file=FOONS4eNq
            [delete_type] => DELETE
        )

)

But this will not return the links of the mirrors, to get those you need an account and you have to use their Grabber utility:

• http://www.multiup.org/en/grabber

I don't know if this works along with their API. If yes, then the response should return those links and from there you can use adf.ly and linkbucks APIs, I cannot test because I don't have an account in those services. Try to create it and if you have problems post your code here.

Docs:

• http://php.net/curl
• http://www.php.net/curl_setopt

It seems there's an extra space near the end of the filename, run the trim function against the $file variable: $file = trim($file); before populating the $sql variable.

You're welcome, I'm glad it works all fine.

can rename the phpmyadmin-4.0.4-all-languages without problem???

You can rename it without any problems.

in cpanel we have a option for protected directory to put user and password

Do it. Most scanners will try to find /phpmyadmin-* or strings like /pma, /mysql, /db or /database so if you can add an extra layer it won't hurt.

Ok, sorry for previous suggestions about the Authentication method, I was a bit asleep and I confused the options :D

So, if you don't use the config mode, do not fill username and password fields.

For now use cookie or http modes. In both cases, you do not need to fill anything else in those forms, there are some extra options, but you can skip them for now. With these modes you will get a form to insert the database credentials.

The signon method is used to unify the login, for example: you have a login script to access the admin pages, through this method you can start a session that gives you access also to PHPMyAdmin (PMA). Check examples/signon.php to see a demo script, this expects that your login credentials matches with the MySQL account, but you could encrypt them into a table and extract them when you start the session... anyway, this is a bit tricky and if you don't have special requirements go straight to the cookie or http methods.

Good! Click on New Server then as:

• Verbose name of this server: choose something of your choice, in my previous example, the name were local1 and local2, this is related only to PHPMyAdmin;
• Server hostname: is the same hostname you use in your scripts to connect to the database, so it can be something like an IP, it can be localhost or a domain name as db001.oneandone.com;
• Server port: the default listening port for MySQL servers is 3306, so you can leave it blank, if you have another setting then fill the field;
• Server socket: this is a file in the filesystem, it's used when the database is in the same box of the web server, in practice the socket overrides the network layer and gives much speed between the server and the web application, I don't know if you can use it with your current hosting plan, I don't have experience with 1and1;
• Use SSL: as the previous it depends on your configuration, if your plan provides SSL connection to the database then use it, otherwise leave it empty;
• Connection type: is used to switch between TCP (given by hostname:port) and socket connections, you'll probably need TCP;
• PHP extension to use: if your current version of PHP supports MySQLi then select it, the requirements are MySQL 4.3.1 and PHP 5.*, if you have doubts create a file with phpinfo() inside to check your PHP configuration;

After you've done with this form, go to the Authentication tab …

Ok, alternative solutions:

• install on local, and create the config file, then upload it to the server;
• manually create config.inc.php, I've created two generic connections.

Here's the template:

<?php
/*
 *  Generated configuration file
 *  Generated by: phpMyAdmin 4.1.0 setup script
 *  Date: Sat, 14 Dec 2013 22:12:01 +0100
 */

/* Servers configuration */
$i = 0;

/* Server: local1 [1] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'local1';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'root';

/* Server: local2 [2] */
$i++;
$cfg['Servers'][$i]['verbose'] = 'local2';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = '';
$cfg['Servers'][$i]['socket'] = '';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'root';

/* End of servers configuration */

$cfg['blowfish_secret'] = 'place a very random string here'; # change this
$cfg['DefaultLang'] = 'en';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
?>

Set your connections, upload it to /phpMyAdmin-4.0.4-all-languages/ and then remove setup and config directories. For more options check the PHPMyAdmin documentation linked in one of the previous posts.

it folder when you say directory??? right???

Yes :) Folder is the name of the graphical representation (the icon) of the directory. You can try with 777, but this is not the best setting, so: check if with 777 the error message disappears, then setup PHPMyAdmin, check if it works fine and then try to set config permissions back to 644.

Hope it works, I don't have other ideas.

I would go reverse: a table for students, another for professors, a single language table and then a language_skills table for students and another for professors. For example:

create table students(
    id int unsigned not null auto_increment primary key,
    fname varchar(100),
    ...
)

create table student_language_skills(
    student_id int unsigned not null primary key,
    language_id tinyint unsigned not null,
    writing tinyint not null default 0,
    reading tinyint not null default 0,
    speaking tinyint not null default 0,
    listening tinyint not null default 0,
    ...
)

create table languages(
    id tinyint unsigned not null auto_increment primary key,
    name varchar(100) not null,
    ...
)

create table professors(
    id int unsigned not null auto_increment primary key,
    fname varchar(100),
    ...
)

create table professor_language_skills(
    professor_id int unsigned not null primary key,
    language_id tinyint unsigned not null,
    writing tinyint not null default 0,
    reading tinyint not null default 0,
    speaking tinyint not null default 0,
    listening tinyint not null default 0,
    ...
)

An example:

• http://sqlfiddle.com/#!2/62072/8

Then you could also use UNION to create a single result set.

i contacted 1and1 support they told me it is not possible

Ok, it means the database server accepts connections only from allowed IP, as your server IP, so it won't work from your PC.

Regarding 755 and 644 these are system permissions, 644 equals to read + write for the user that runs Apache (usually named www-data) and ownes the files in the server, if this does not work try with 755 that equals to read + write + execute.

If you're using Filezilla or another FTP client, right click the config folder and choose File Permissions, from there you can set the correct setting. Otherwise check the help center, I've found this:

• http://faq.1and1.co.uk/web_space__access/webspace_explorer/4.html

It may be useful.

Also, you could try with insert ... select ... on duplicate key, an example query:

insert into table1 (user, score) values(1,2);

insert into table2 (user, total_score) select user, score from table1 where id = last_insert_id() on duplicate key update total_score = total_score + score;

The conditions are:

• you cannot use group by on the select segment
• you need an auto increment key in table1 to get the last_insert_id()

• you cannot perform multiple inserts into table1 like this:

  insert into table1 (user, score) values(1,7), (1,3), (1,4);

because last_insert_id() will refer only to the first of these and the second query will continue to add 7.

An example: http://sqlfiddle.com/#!2/7e6e58/1

Ref. http://dev.mysql.com/doc/refman/5.5/en/insert-select.html

Can you avoid running phpmyadmin from accessible docroot? It may be better to run from cPanel/Plesk only.

Chris in addition to diafol's suggestion, if you can connect to the database from your localhost installation (XAAMP or WAMP), then install PHPMyAdmin in your computer, so you can manage it without exposing your web space.

Follow these steps:

• delete config.inc.php file;
• under www.myadomainname.com/phpMyAdmin-4.0.4-all-languages/ create the directory config;
• change permissions of this new directory to 644 or, if it does not work, to 755;
• then reload the setup page, the red message will disappear, after that just click on Add new server to insert the credentials to your databases.

Once you have finished remove the setup directory, otherwise anyone can browse there and change the settings.

In both cases it means that the application does not filter the data received from the clients, and so an attacher can enter additional statements to the query, for example, you receive a GET request on this link:

• http://localhost/article.php?id=17&action=delete

and the script does not filter:

$id = $_GET['id'];

$query = "delete from articles where id = $id";

now, imagine if the attacker enters something like this:

?id=17 and id between 1 and 1000&action=delete

It will delete 1000 articles. To mitigate these problems you should use prepared statements and sanitize all data received by the clients. If you're using the MySQL library consider to switch to PDO:

• http://php.net/manual/en/book.pdo.php

For more information about that kind of attack check this article:

• https://www.owasp.org/index.php/Blind_SQL_Injection

For the table use:

default charset = utf8 collate utf8_general_ci

then change the charset of the form sending the data:

<form accept-charset="utf8" action="" method="post">

and it should work fine. If this is not enough then change the configuration of Apache by adding:

AddDefaultCharset UTF-8

More information: http://httpd.apache.org/docs/2.2/mod/core.html#adddefaultcharset

EDIT
Wondering: the problem is related only to PHPMyAdmin? Could be your browser encoding.

That page (kosnica.html) needs to be processable by the PHP engine, so you can:

• change the extension to .php
• otherwise modify Apache to process .html files as php scripts

As suggested you should use tables to save data, otherwise when the browser window is closed the data is lost, at the end of this post there's a link to the PDO library.

To simply send data from a page to another you can use session. In the page in which you calculate the total, start the session and save the data:

<?php

    session_start();

    # other code here
    # . . .


    # set the sessions
    $_SESSION['total_in_cart'] = array_sum($sum);
    $_SESSION['items_in_cart'] = count($sum);

When you go to kosnica.php, again start the session and retrieve what you have saved in the previous page:

<?php

    session_start();

    echo '<p>Items in cart('.$_SESSION['items_in_cart'].')</p>';
    echo '<p>The total is '.$_SESSION['total_in_cart'].'</p>';

This is a simple example, if you check the documentation I linked to you in my previous post you will find few examples about the session.

In addition, you should read:

• http://www.php.net/manual/en/function.session-start.php
• http://www.php.net/manual/en/book.pdo.php

Good work!

You can use insteadof to declare the first trait, then go with as, example:

trait TheErrorOfYourWays{
   public function booboo(){
       echo 'You had a booboo :(';
   }
}
trait SpectacularStuff1 {
    use TheErrorOfYourWays; 
}

trait SpectacularStuff2 {
    use TheErrorOfYourWays;
}

trait SpectacularStuff3 {
    use TheErrorOfYourWays;
}

class DoSomethingSpectacular {
        use SpectacularStuff1, SpectacularStuff2, SpectacularStuff3 {
            SpectacularStuff1::booboo insteadof SpectacularStuff2, SpectacularStuff3;
            SpectacularStuff2::booboo as booboo2;
            SpectacularStuff3::booboo as booboo3;
        }
    }

$do = new DoSomethingSpectacular;
$do->booboo();
$do->booboo2();
$do->booboo3();

Live sandbox: http://sandbox.onlinephpfunctions.com/code/8893d9672a02cf0ceefafe792d3159ce3bf2935e

You can create an array of prices, for example:

$prices = array(
    'sol' => 60,
    'prasok' => 200,
    'vegeta' => 100
);

And then, use a loop to check if the keys of this array matches with the $_GET/$_POST array:

$sum = array();
$getkeys = array_keys($_GET);

foreach($prices as $key => $value)
{
    if(in_array($key, $getkeys)) $sum[] = $value;
}

At the end use array_sum to add the values saved in the $sum array:

echo array_sum($sum);

This works also as white list, since only the values in the array of prices are considered, and everything else sent by the form is discarded.

Yes, on line 13 remove the last quote, so change this:

echo "Error#: " 60"

to:

echo "Error#: " 60

Yes, there are different caches, check the documentation for more information:

• http://dev.mysql.com/doc/refman/5.5/en/query-cache.html
• http://dev.mysql.com/doc/refman/5.5/en/query-cache-status-and-maintenance.html
• http://dev.mysql.com/doc/refman/5.5/en/buffering-caching.html

And there are some limitations, as the subqueries cannot be cached:

• http://dev.mysql.com/doc/refman/5.5/en/query-cache-operation.html

But if you use MariaDB, which is a fork of MySQL, you can cache even those queries:

• https://mariadb.com/kb/en/subquery-cache/

You missed a dot near $url:

'".$url"'

change it to:

'".$url."'

But you can rewrite it in a cleaner way:

$sql = "UPDATE serv SET title = '$title', description = '$description', url = '$url' WHERE id = $id";

Then reverse it:

foreach($list as $key)
{
    echo in_array($key, $db2) ? "<input type='checkbox' checked value='$key' />$key" : "<input type='checkbox' value='$key' /> $key";
}

This does not make sense:

$to = $_POST['emaile'];
$toArr = array();
$toArr = explode ( ',', $to );
$pulapka = array_values($toArr);
$message->setBcc($toArr);
$message->setBcc($pulapka);

Because only the last setBCC() is considered by SwiftMail, the others are discarded. Also you can rewrite it this way:

$to = array_map('trim', explode(',', $_POST['emaile']));
$message->setBcc($to);

Otherwise you have to loop each one with the addBCC() method:

foreach($to as $email)
{
    $message->addBCC($email);
}

If you have 2 different source from which you get the recipients, and both are strings, then you have to generate the arrays and merge them:

$toArr = array_unique(array_merge($to, $pulapka));

So the $pulapka array must be prepared as the $to:

$pulapka = array_map('trim', explode(',', $_POST['pulapka']));

The above would become:

$to = array_map('trim', explode(',', $_POST['emaile']));
$pulapka = array_map('trim', explode(',', $_POST['pulapka']));

$toArr = array_unique(array_merge($to, $pulapka));
$message->setBcc($toArr);

Regarding FROM if you want to include a name, as Allegro.pl, then you must use an associative array, i.e. key => value:

$message->setFrom(array('no-reply@admin.allegro.pl' => 'Allegro.pl'));

And it should work all fine.

Standing at your last code this error should not happen, unless you're feeding Allegro.pl through $pulapka array. You may want to merge the arrays? To add single emails, use addBCC(), from the documentation:

Multiple calls to setBcc() will not add new recipients -- each call overrides the previous calls. If you want to iteratively add Bcc: recipients, use the addBcc() method.

Can you show the form?

These are the links to the documentation for explode and for print_r:

• http://php.net/manual/en/function.explode.php
• http://php.net/manual/en/function.print-r.php

The last one is used to check the contents of an array:

print_r($toArr);

Use it only to debug your application. Since there are spaces run also my second suggestion, the trim function which will remove the spaces at the beginning and at the end of a string:

• http://php.net/manual/en/function.trim.php

The function array_map is used to loop the elements of an array and apply a function, in this case trim, to each of them, since this is not a multidimensional array it should work fine:

• http://us3.php.net/array_map

This:

$pulapka = -> setBcc($toArr);

is not correct, change it to:

$message->setBcc($toArr);

If you still have problems, show the updated code.

EDIT

I see you have written a lot, in the meaning time, line 45 is still wrong:

$message->setFrom("no-reply@admin.allegro.pl", "Allegro.pl");

Convert it to an array, otherwise you have to remove the second parameter:

$message->setFrom(array("no-reply@admin.allegro.pl" => "Allegro.pl"));

At line 6 change the variable to $message:

$message = Swift_Message::newInstance();

Ref: http://swiftmailer.org/docs/messages.html

One of the emails is not a valid, but I think this is related to your example here. At line 16 you must use an array to set the name of the sender:

$message->setFrom(array('email@here.tld', 'Name'));

I do not understand this part:

Of course I paste email in the textbox with all necessary letters like inside the array.

Can you explain better? Can you show how you're trying to catch the emails from the textbox? If you separate them by a comma you can use the explode() function, an example:

$mails = explode(',', $_POST['emails']);
$mails = array_map('trim', $mails); # to remove extra spaces

Add 1 after FORWARD, that will put the rule in the first place of the chain, otherwise the firewall applies the first matching rule.

The number given after the chain name indicates the position before an existing Rule. So, for example, if you want to insert a Rule before the third rule you specify the number 3. Afterward, the existing Rule will then be in the fourth position in the chain.

More information: https://fedoraproject.org/wiki/How_to_edit_iptables_rules

The die (aka exit) construct requires parenthesis when you send a status, so this is wrong:

die 'error here';

The correct version is:

die('error here');

Reference: http://php.net/manual/en/function.exit.php

Ok, checking the source (at line ~2804 of sql/item_sum.cc in MySQL 5.5) now I understand:

/*****************************************************************************
GROUP_CONCAT function

SQL SYNTAX:
GROUP_CONCAT([DISTINCT] expr,... [ORDER BY col [ASC|DESC],...]
[SEPARATOR str_const])

concat of values from "group by" operation

BUGS
Blobs doesn't work with DISTINCT or ORDER BY
*****************************************************************************/

The group by is mandatory when using group_concat() because the latter is a function of the former. Looking at the manual with fresh eyes, I realize, it was pretty obvious. (Point and laugh!)

In fact I start to get the empty results sets as expected, however I still don't get the Impossible WHERE..., but this is unrelated. I leave an example for the log:

select f.name, group_concat(quality) quality, sum(fs.quantity) quantity, sum(fp.price*fs.quantity) price from (select * from fruits where name = 'apple') as f, fruitstock as fs, fruitprices as fp where f.id = fs.fruit_id and f.id = fp.fruit_id and f.id in(4) group by name;
Empty set (0.00 sec)

Live example: http://sqlfiddle.com/#!2/53ed8f/7

Ref: http://dev.mysql.com/doc/refman/5.6/en/group-by-functions.html#function_group-concat

Thanks for your time! ;D

Hello,

so I was trying few relations between tables and I noted an unexpected behaviour when using group_concat(). Let say I have three tables: fruits, fruitstock and fruitprices. These are the structures:

create table fruits (
    id tinyint unsigned not null auto_increment primary key,
    name varchar(50) not null,
    quality varchar(50) not null
    ) engine = myisam default charset = utf8;

create table fruitstock (
    id tinyint unsigned auto_increment primary key not null,
    fruit_id tinyint unsigned not null,
    quantity tinyint unsigned not null default 0
    ) engine = myisam default charset = utf8;

create table fruitprices (
    id tinyint unsigned not null auto_increment primary key,
    fruit_id tinyint unsigned not null,
    price int unsigned not null default 0
    ) engine = myisam default charset = utf8;

And this is the data used to populate the tables:

insert into fruits (name, quality) values('apple', 'granny smith'), ('apple', 'fuji'), ('apple', 'red delicious'), ('apple', 'pink lady'), ('apple', 'jonagold'), ('apricot', 'sungiant'), ('avocado', 'hass'), ('avocado', 'gem'), ('cherry', 'autumnalis'), ('cherry', 'kanzan'), ('cheery', 'pandora');

insert into fruitstock (fruit_id, quantity) values(1, 10), (2, 23), (3, 7), (4, 100), (5, 50), (6, 0), (7, 20), (8, 1), (9, 15), (10, 21);

insert into fruitprices (fruit_id, price) values(1, 100), (2, 98), (3, 110), (5, 20), (8, 120), (10, 140), (11, 200);

Where fruit_id is used as foreing key in the last two tables. Now if I try a query to show the price of the apples in stock I run:

select f.name, group_concat(quality) quality, sum(fs.quantity) quantity, sum(fp.price*fs.quantity) price …

Consider to use HTML Purifier in your application: http://htmlpurifier.org/

It will give you the ability to whitelist the tags that you want to allow and, most important, it will validate the attributes, removing the javascript included.