Posts by cwarn23

just go to your ftp and right click on your folder where you want to upload the file and click on CHMOD and change the permissions or manually write the text field 777 for all the permissions

Also note that some hosts only allow a total of 555 permissions in which case that will not be possible. And also make sure when using the move_uploaded_file that the specified target directory allready exists.

Well to help answer the questions of why the action= will go to test.php?action=test only when method=post is that when method=get, the parameters in the form overwrite the parameters specified in the action=. However, when using method=post, there are no parameters that can possibly overwrite the action= since it is posting them. So basically it is a browser problem and not a server problem.

In my opinion the first 9 lines are written poorly and should be replaced with the following:

// Orginal file is $final_file
$ext = end(explode('.', $final_file));
if(strtolower($ext) == 'jpg' || strtolower($ext) == 'jpeg'){
$ext_new = 'jpeg';
} elseif (strtolower($ext) == 'gif'){
$ext_new = 'gif';
} else {
die ('Invalid Extension.');
}

Perhaps it was the casing of the gif extension that messed it up.

why do you think the other code doesn't work?

The reason is that you cannot pass url variables through the action= but I am not sure if it is the same with the post method though.

If you are talking about retrieving data from a dictionary webpage where you need to enter into a box one word at a time and storing earch word and meaning in a database then that should be really simple. If the keyword is shown in the url bar then you can use the file_get_contents() function or if the form uses method=post then you will need to use curl. Just post the webpage you would like this to be done on and I shall write you the script.

Try this:

<html>
<body>
<form action="test.php" method="get">
<input type="hidden" name="action" value="test">
<input type="submit" value="Test"/>
</form>
</body>
</html>

I have just completed the xss detection and have tested the sql injection tester. I have attached the script to this post and does anybody recommend any changes to this script such as additional features?

You mean like this ?

preg_match_all('/\<form(.*)(user|password)(.*)\<\/form\>/is',file_get_contents('http://xss-login.appjet.net/'),$forms);

Cool, your modification works. I guess I will need to pay more attention to the eliminator in future. I'll try and see what else is preventing the XSS detection.

AVG - lol
I prefer AVAST or even Nortons. Their the better options.

I just re-checked my code to see why that is and it seems for forms with XSS injection the feature needed adding (very simular to the SQL injection feature) however I have a problem with a preg_match_all statement I use. The following is the preg match all statement and it just returns empty arrays even though theoratically it should match the form. Could anybody help me debug the following code to return the form if the form contains the word 'user' or the word 'password'.

<?
preg_match_all('/\<form(.*)(user|password)(.*)\<\/form\>/i',file_get_contents('http://xss-login.appjet.net/'),$forms);

//display the result
echo '<xmp>';
print_r($forms);
echo '</xmp>';
?>

I have tried many variations of this code with no luck.
Thanks for the help.

Try this:

$realUser_q = mysql_query("SELECT Username FROM my_db WHERE Username = $user ") or die(mysql_error());
$realUser=mysql_fetch_array($realUser_q);
//above sets the $realUser[] Array
//example usage: $realUser['mysql_column_name']
echo $realUser['Username'];

Hope that helps answer the question.

Hello Mr I am a developer
I have put this info because when somebody gets such error he should know every possibility whenever he searches for it, these threads are always usefull while coding for all time so in my opinion this is not dead and i don't write that you will say thanks or abuse it.
do u understand.
just don't show that u r somebody ok.

Although in theory that may sound good and all but from experience as a daniweb user, I find that replies to threads older than a year since started seems to effect the priority system of which threads are ordered in the forums. Because if everybody replies to the threads 3 years old then the threads a few months old will be removed from the forums first since the older onces were bumped up the list. Pitty there isn't any rule for the maximum age of a thread you can reply to unless your the creator of the thread. But I guess it's a thing we will need to live with since there are so many new users.

Well as I said, when browsing the php file in the web browser, if you go to view->source, does it show in the source the proper locations of the pictures? Try to copy and past those locations into the url bar appropriatley. That is the most likley problem that the address to each picture is incorrect due to something like a moved folder.

Probably just the images html code being set the the wrong path. Try posting some code in relation to the image(s) that won't load and the locations of the images then it will be a lot easier to provide some additional answers to how the code should be. And also are these images database driven or stored in a file system?

Hi, I've just written a script based on the previous post and the function that checks each webpage for php security flaws is as follows:

function generate($genurl) {
    $data=file_get_contents($genurl);
    $urlvars=explode('?',$genurl);
    $newurl=$urlvars[0].'?';
    $error1='None';
    //error1
    if (isset($urlvars[1])) {
        $urlvar=explode('&',$urlvars[1]);
        unset($varb);
        foreach ($urlvar AS $var) {
            $newurl.=preg_replace('/([^=]+)=(.*)/',"$1=; echo \"<script>aaabbbcccdddeeabcefffggg</script>\";",$var).'&';
            $varb=1;
            }
        unset($var);
        if ($varb==1) {
            $newurl=substr_replace($newurl,'',-1);
            if (url_exists($newurl)) {
                $secondarydata=file_get_contents($newurl);
                if (preg_match('/\<script\>aaabbbcccdddeeabcefffggg\<\/script\>/is',$secondarydata)) {
                    $error1='Page open to url injections by injecting code into the page via url.<br>The test url was: '.$newurl;
                    }
                unset($secondarydata);
                }
            }
        unset($varb);
        }
    unset($newurl);
    //error2
    preg_match_all('/\<form[^\>]+([^m][^e][^t][^h][^o][^d][^\=]([^\']|[^\"]|[^])([^p][^o][^s][^t]))(.*)\<\/form\>/i',$data,$forms);
    $error2='None';
    foreach($forms[0] AS $form) {
        preg_match_all('/(input|textarea)[^\>]+name\=(\"|\'|)/i',$form,$field);
        $fields=preg_replace('/(input|textarea)[^\>]+name\=(\"|\'|)(.*)/i',"$2",$field);
        unset($field);
        $newurls=explode('?',$genurl);
        $newurl=$newurls[0];
        unset($newurls);
        $newurl.='?';
        foreach ($fields AS $field) {
            $newurl.=$field.'='.urlencode('<script>aaabbbcccdddeeabcefffggg</script>').'&';
            $varb==1;
            }
        unset($field);
        if ($varb==1) {
            $newurl=substr_replace($newurl,'',-1);
            if (url_exists($newurl)) {
                $secondarydata=file_get_contents($newurl);
                if (preg_match('/\<script\>aaabbbcccdddeeabcefffggg\<\/script\>/is',$secondarydata)) {
                    if ($error2=='None') { $error2='Forms may inject code into your page.<br>The page was: '.$genurl; }
                    }
                unset($secondarydata);
                }
            }
        }
    unset($newurl);
    unset($form);
    unset($forms);
    unset($varb);
    //error3
    $error3='None';
    preg_match_all('/\<form(.*)(user|password)(.*)\<\/form\>/i',$data,$forms);
    foreach ($forms[0] AS $form) {
        if (preg_match('/\<form([^\>]+)method\=(\"|\'|)post/i',$form)) {
            preg_match_all('/(input|textarea)[^\>]+name\=(\"|\'|)/i',$form,$field);
            $fields=preg_replace('/(input|textarea)[^\>]+name\=(\"|\'|)(.*)/i',"$2",$field);
            unset($field);
            $newurls=explode('?',$genurl);
            $newurl=$newurls[0];
            unset($newurls);
            $newurl.='?';
            foreach ($fields AS $field) {
                $newurl.=$field.'='.urlencode('\' OR \'1\'=\'1\'').'&';
                $varb==1;
                }
            unset($field);
            if ($varb==1) {
                $newurl=substr_replace($newurl,'',-1);
                if (url_exists($newurl)) {
                    $secondarydata=file_get_contents($newurl);
                    //change if statement to if access granted
                    if (!preg_match('/(Log|Sign)([ _])?in/i',$result) && !preg_match('/(Log|Sign)([ _])?out/i',$data) && $result!==$data && !preg_match('/Register/i',$result)) {
                        if ($error3=='None') { $error2='SQL injections are possible on this page.<br>The page was: '.$genurl; }
                        }
                    unset($secondarydata);
                    }
                }
            } else {
            preg_match_all('/(input|textarea)[^\>]+name\=(\"|\'|)/i',$form,$field);
            $fields=preg_replace('/(input|textarea)[^\>]+name\=(\"|\'|)(.*)/i',"$2",$field);
            unset($field);
            $postvars='';
            foreach ($fields AS $field) {
                $postvars.=$field.'=\' OR \'1\'=\'1\'&';
                $varb==1;
                }
            unset($field);
            if ($varb==1) {
                $postvars=substr_replace($postvars,'',-1);
                $ch = curl_init();
                // set the target url
                curl_setopt($ch, CURLOPT_URL,$genurl);
                // howmany parameter to …

Well welcome to daniweb as I see it's your first post. And I shall explain on why the second box may not work and some of the php basics related to that. When writing php scripts, you need to surround the php code with the <? and ?> tags. That lets php know the beginning and end of a section of php in basic terms. So your second example should look more like the following:

<? echo  "html code"; ?>

Also when using these two php tags, you can use it on large chunks of code like the following

<? echo "html code";
for ($i=0; $i<10; $i++) {
echo '<br>loop line: '.$i;
} ?>

There the basics on the code tag and you may also want to note that there have been a number of dabates that using single quotes ' are faster. It makes sense because the double quotes " have a extra little syntax added to them with extra abilities that can usually be avoided.
I hope that explains the theory behind why your second script wouldn't work and some extra php info that may be useful since I couldn't see any direct question on this thread.

Although the answer to your second question may vary depending on if you want to do cross-site processing, to post a form to another domain, just set the action field in the form like the following:

<form action='http://www.you_post_to_domain.com/index.php' method='post'>

Hope that helps answer your question.

I haven't used Google Docs before but I signed in and it took me all of 5 minutes to create a test spreadsheet and to set the sharing option so anyone can view it. This has to be the simplest way to get a spreadsheet online in no time. Here is my very simple test spreadsheet:
Google test spreadsheet

You could add a link to your web site so anyone can link to the spreadsheet. You can set the sharing and editing options and provide a list of invitees who are allowed to read or edit it (any email address, doesn't have to be a google email address). If you want to let a bunch of people see it without editing, then you can provide universal access like I did. I believe there is an API that you can use from PHP if you want to get fancy and spend some more time at it. You can customize it and probably eliminate the need to invite them by email. You can also make it so that anyone who is sent the link automatically gets access (Read or Edit) priviledges. You could put this link on your website and limit access to that page to whoever you choose. You can also use that link on a restricted page of your site to encapsulate the Google spreadsheet page so it gets displayed like it is part of your site. The CMS that I use provides a "wrapper" function so it …

I have just adapted the code to your example. A bit of a mind twister making it but here it is:

<?
echo '<form action="test_insert.php" method="POST" name="form1" style="margin:0px; padding:0px;">
<select size=3 multiple="multiple" name="category[]" onchange="document.form1.submit()">
<option value="Noun">Noun</option>
<option value="Pronoun">Pronoun</option>
<option value="Adjective">Adjective</option>
<option value="Adverb">Adverb</option>
<option value="Adp">Adp</option>
<option value="Conjunction">Conjunction</option>
<option value="Inter/Particles">Inter/Particles</option>
</select></form>';

if (isset($_POST['category'][0])) {
    if (in_array('Noun',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="1">1
        <option value="2">2
        <option value="3">3
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if (in_array('Pronoun',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="4">4
        <option value="5">5
        <option value="6">6
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if (in_array('Adjective',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="1">1
        <option value="3">3
        <option value="5">5
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if (in_array('Adverb',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="21">21
        <option value="22">22
        <option value="23">23
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if (in_array('Adp',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="91">91
        <option value="92">92
        <option value="93">93
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if (in_array('Conjunction',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="94">94
        <option value="95">95
        <option value="96">96
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if (in_array('Inter/Particles',$_POST['category'])) {
        echo '<form method="post">
        <select name="box2">
        <option value="31">31
        <option value="32">32
        <option value="33">33
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    }
echo "<xmp>";
print_r($_POST);
echo "</xmp>";
?>

Well php does not directly write to excel files however people in the past have written libraries to handle excel files. Some time ago I had to write to excel, searched and searched then found the best one seems to be located at http://phpexcel.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=10715 And the download I used was the direct php oop library and not the pear library as I find pear libraries too hard to install.

Then just use a little javascript to submit the form like the following:

<?
echo '<form method="post" name="form1">
<select name="box1" onchange="document.form1.submit()">
<option value="apple">Apple
<option value="orange">Orange
<option value="lemon">Lemon
</select></form>';

if (isset($_POST['box1'])) {
    if ($_POST['box1']=='apple') {
        echo '<form method="post">
        <select name="box2">
        <option value="1">1
        <option value="2">2
        <option value="3">3
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if ($_POST['box1']=='orange') {
        echo '<form method="post">
        <select name="box2">
        <option value="4">4
        <option value="5">5
        <option value="6">6
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if ($_POST['box1']=='leamon') {
        echo '<form method="post">
        <select name="box2">
        <option value="1">1
        <option value="3">3
        <option value="5">5
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    }
echo "<xmp>";
print_r($_POST);
echo "</xmp>";
?>

Here is a piece of code with the basic concept for that:

<?
echo '<form method="post">
<select name="box1">
<option value="apple">Apple
<option value="orange">Orange
<option value="lemon">Lemon
</select><input type="submit" value="Submit"></form>';

if (isset($_POST['box1'])) {
    if ($_POST['box1']=='apple') {
        echo '<form method="post">
        <select name="box2">
        <option value="1">1
        <option value="2">2
        <option value="3">3
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if ($_POST['box1']=='orange') {
        echo '<form method="post">
        <select name="box2">
        <option value="4">4
        <option value="5">5
        <option value="6">6
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    if ($_POST['box1']=='leamon') {
        echo '<form method="post">
        <select name="box2">
        <option value="1">1
        <option value="3">3
        <option value="5">5
        </select><input type="hidden" name="box1" value="'.$_POST['box1'].'">
        <input type="submit" value="Submit"></form><br>';
        }
    }
echo "<xmp>";
print_r($_POST);
echo "</xmp>";
?>

Remember the name of the files getting uploaded , delete them if any of the upload fails.

If you are talking about temporary storage on the server php does that for you.

Try this:

if (strlen($_FILES['file1']['name'])>0) {
//// file upload
}
if (strlen($_FILES['file2']['name'])>0) {
//// file upload
}

And in addition, you can't just name the files file1, file2, file3, file4 on the php side and have it differently in the html form. Make sure that in your html form you have the file fields called file1, file2, file3 and file4. Then you may use those names in the array.

Welcome to daniweb. I would suggest placing the value in a hidden field where when the next field is submitted it will then again be added to the $_POST array. So the following is an example:

<?php
$req = $_POST['req'];

echo '<form>';
for ($i=1; $i <= $req; $i++) {
echo '<label>Requirement ' . $i . ' :</label><br/>';
echo '<input name="req'.$i.'" type="text" /> <br />';
}
echo '<br /><input name="submit" type="submit" />';
echo '<input type="hidden" name="req" value="'.$_POST['req'].'"></form>';
?>

Second page

$req=$_GET['req'];

I also fixed a html bug in your code and changed the loop to make it run faster. And please use code tags.

Try to echo the transaction id before the url encode. See if that matches what it should be. Other than that I would suggest checking the paypal manual.

For starters it means your transaction id is invalid or corrupted. If you are using $_POST then you may want to use something like the following to unescape the characters:

$id=stripslashes($_POST['transaction_id']);

Also, try to echo the transaction id directly before processing it to make sure the transaction id processed correctly.
Just let me know if you need more detailed info.

Hi, I'm making a site security tester which is basically a bot that scans a selected website for any php security holes such as sql injections then reports them to the user. I have managed to write the bot and all but the last piece left is the function that actually tests each individual page for security holes. The function that starts testing each individual page is as follows:

generate($url) {
$data=file_get_contents($url);
//now to do some tests on the page
}

As you can see, this function will be used on each and every valid url inside the website to perform tests on. But my question is, how do I test for php security holes and what security holes are possible?
I read something about if ;ls -la is placed in the url and not filtered it can display the contents of a web directory. But what would file_get_contents return if that is the case?

This is also an open source project so just let me know if you want the full code.

An example of what you did in short is as follows:

mail("reecestanton@hotmail.co.uk", $subjectall, $message, "From: Psychedelic Rhinos <reecesplace@hotmail.co.uk>");

And an example of what you need to do in short is as follows:

mail("reecestanton@hotmail.co.uk", $subjectall, $message, "From: Sombody else <different_valid_email@hotmail.co.uk>");

Although I don't know a thing about xml but if it is a client side text language then wouldn't you use the following:

echo "var xmlvariable= '$phpvariable';"

If you are retrieving the value of just one column then the following will do the trick. Just adjust the $column variable to the column name.

$select=mysql_query("SELECT * from db where name='rajeesh'") or die(mysql_error());
$column='first'; //set the column name
for ($key=$column;$row = mysql_fetch_array($select),$val=$row[$column];) {
echo "$key -> $val <br>";
}

Try this:

Options +FollowSymLinks
RewriteEngine On
RewriteRule ^search/(.*)$ index.php?s=$1&search=Search

I haven't tested the above code but should rewrite the url to www.whatever.com/search/SEARCHTERM

Try making the From header address different from the To address. That can sometimes increase the chances of the message being spam.

I have made a use at your own risk function that will convert a number of currencies. The reason why I say use at your own risk is that it uses another website for the conversions. First there is the convert function which is as follows:

function currency_convert($Amount,$currencyfrom,$currencyto)
{
$buffer=file_get_contents('http://finance.yahoo.com/currency-converter');
preg_match_all('/name=(\"|\')conversion-date(\"|\') value=(\"|\')(.*)(\"|\')>/i',$buffer,$match);
$date=preg_replace('/name=(\"|\')conversion-date(\"|\') value=(\"|\')(.*)(\"|\')>/i','$4',$match[0][0]);
unset($buffer);
unset($match);
$buffer=file_get_contents('http://finance.yahoo.com/currency/converter-results/'.$date.'/'.$Amount.'-'.strtolower($currencyfrom).'-to-'.strtolower($currencyto).'.html');
preg_match_all('/<span class=\"converted-result\">(.*)<\/span>/i',$buffer,$match);
$match[0]=preg_replace('/<span class=\"converted-result\">(.*)<\/span>/i','$1',$match[0]);
unset ($buffer);
return $match[0][0];
}

Then there are the different currency codes you can use which are as follows:

-------------
CONVERT FROM:
-------------

British Pound         GBP
Euro                  EUR
US Dollar             USD
Japanese Yen          JPY
Chinese Yuan          CNY
Australian Dollar     AUD
Swiss Franc           CHF
Canadian Dollar       CAD
Thai Baht             THB
Indian Rupee          INR
Indonesian Rupiah     IDR
Hong Kong Dollar      HKD


-----------
CONVERT TO:
-----------

Euro                  EUR
British Pound         GBP
US Dollar             USD
Japanese Yen          JPY
Chinese Yuan          CNY
Australian Dollar     AUD
Swiss Franc           CHF
Canadian Dollar       CAD
Thai Baht             THB
Indian Rupee          INR
Indonesian Rupiah     IDR
Hong Kong Dollar      HKD

And then to use the function you can use the following:

echo currency_convert(150,'EUR','GBP');

Well what line does the does the message say the error is on?

If it isn't displaying anything chances are the true/false statement is not being stored. So perhaps the following might be better:

<?$email=mysql_real_escape_string($_POST['email_to']);

$sql="SELECT `user_pass` FROM tbl_user WHERE 
user_email='".$email."'";
$result=mysql_query($sql,$con);

$count=mysql_num_rows($result);
if (isset($_POST['Submit']))
{
if($email == "")
{
$error ="Enter Email";
}

elseif($count==1){

$row=mysql_fetch_array($result);
{

$password = $row['user_pass'];

}

$to=$email;

$subject="Your password here";

$header="from: B2Bassociates";

$messages= "Your password for login to our website \r\n";
$messages.="Your password is $password \r\n";
$messages.="more message... \r\n";

if(mail($to,$subject,$messages,$header)){
$error2 = "Your Password Has Been Sent To Your Email Address.";
}
else {
$error3 = "Cannot send password to your e-mail address";
}
}

else {
$error1 = " Not Found ";
}
}
?>

I am planning to setup a website but need flash movies. So I was thinking of perhaps paying for a developer to develop some flash moves and a viewer but have no idea how much it will cost. Does anybody know how much it would cost for each of the following:

• a decent flash player with customisable colours via html parameters.
• a 1 minute, 20 second flash move with very basic graphics and sound. The graphics, sound & programming will need to be made by the developer.

So please share how much it would cost for each of the above so I know what price range the project is worth.

Utter BS
a html table does not magically become an excell file by giving it a header.
excell file format is comprised largely of characters outside any of the printable charactersets which have to be hex encoded.

Well actually, excel has a html based encoder which allows files exported to html to be reimported back into excel. That is what makes the magic happen when setting the headers. Because if you set a html file to load in excel the html to excel decoder will come into place where the data is reloaded. The only thing is that for best compatibility you need to use the Microsoft sloppy version of html. But there are also true techniques to make it a proper excel file in the first place as mentioned earlier.

Yes and if you wish to view the php files locally then you will need to use a package such as xampp.

You have a broken loop statement!!
Try the following:

$table_field = 'name';
$result = "select * from table";
while($myrow = mysql_fetch_array($result)) {
 $text .= $myrow[$table_field] . ", "; // Note: if I use 'name' it works fine...
}
echo $text;

No evidence, thats the difference between theory and conjecture

Wouldn't that make religion a conjecture? Because the description I gave is also like a religion in its own way saying that humans decended from achients just like a religion would say humans decended from god.

I just realised that this thread relates to a movie series called Stargate. For all we know there could be a burried stargate in egypt where 10000 years ago the achients could have enhabited the planet and transported species from a variety of planets from the universe. Crazy theory but very possible just like any other theory.

Try replacing the last couple of lines with the following:

if($sentmail){
$error2 = "Your Password Has Been Sent To Your Email Address.";
}
else if (isset($sentmail)){
$error3 = "Cannot send password to your e-mail address";
}
}
?>

Glad to see code tags with syntax properties used on large chunks of code for once.:)

If you use the Post method then the user cannot bookmark the results however, if you use the Get method then the user can bookmark the page. Using the Get method means dumping the data into the url and the data in the url can only contain a maximum of 500 characters.

Also if you plan to have a lot of traffic you can use url's and arrays. Simply assign each error message a number and place each number in the url $_GET tag then use something like the following to retrieve the errors.

<?
//$_GET['errs']=1-3-5-6
$errors=explode('-',$_GET['errs']);
$error[0]='This is the first error message<br>';
$error[1]='This is the second possible error message<br>';
$error[2]='Example: Name field too short<br>';
$error[3]='This is another possible error message<br>';
$error[4]='There are some empty fields<br>';
$error[5]='Example error<br>';
$error[6]='Many more errors can be added<br>';
$finalerror=''; //avoid e_notice error
foreach($errors AS $err) {
$finalerror.=$error[$err];
}
//Now to display the errors
echo $finalerror;
?>

Try and simplify the mysql query with the following on line 4:

$query_recunvesummary="SELECT * FROM paymentsummary WHERE username='".mysql_real_escape_string($_SESSION['MM_Username'])."' AND paymentmode='".mysql_real_escape_string($modeofpay)."' AND foryear='".mysql_real_escape_string($_SESSION['MM_yearlynow'])."' AND initialstatus='".mysql_real_escape_string($_SESSION['MM_paymentstatus'])."'");

And also make sure the variables/arrays have valid values.

In my opinion, as long as you don't have more than 500,000 photos to list, you should be able to store them all in the one table without the slightest cpu problem providing the script is written correctly. But if you plan to have more than five hundred thousand (500,000) photos then you will probably want seperate tables for each category to save cpu.

Well php comments from my judgment would effect the page by a few microseconds and there are 10000 microseconds in a second. And as for html/css/javascript comments, they only effect the download time by a few bites. To calculate how much they effect the download time it is the number of letters/numbers/characters = number of bites (1024 bites in 1KB). So really comments overall might effect the page by one tenth of a second if you use a lot of html/css/javascript comments.

Then with that extra info, I would suggest using the following as a test script untill things a right. So just make the following as a new php file and configure the first two variables. Also make sure both emails are different and valid as a test.

<?
$email='receiver@example.com';
$secondemail='sender@example.com';
$mess='It works';
if(mail($email, 'Test', $mess, "From: ".$secondemail)){echo 'Mail sent!';}else{echo 'Mail failed';}
?>

Also if the above code doesn't work normally it is the php.ini settings that need changing. If you are using the script under localhost (on your local machine and not a server) then you may find the php.ini file is a real devil to configure the mail function. But normally on a web host these settings are pre configured.

Although I couldn't understand all of that question(s) to empty all sessions just use the following:

$_SESSION=array();