Will Gresham 81 Master Poster

This is discussed at length on vBulletin's own forum:
http://www.vbulletin.com/forum/showthread.php?t=21342

Will Gresham 81 Master Poster

What happens if you put the following into the PHP script:

echo $_POST['attn'];

Wrap the switch and mail functions with /* and */ to prevent them running:

/*
switch($_POST['attn']) {

case 'webmaster':$to_email = "erich.krauz@rgl-e.com";
break;
case 'info':$to_email = "krauz2@hotmail.com";
break;
default:
$to_email = "erich.krauz@rgl-e.com";
}
mail($to_email, $subject, $message, $from);
*/
echo $_POST['attn'];

Also, I just noticed you previously had $attn = $_POST; so you would be able to replace $_POST with $attn in the switch statement.

Will Gresham 81 Master Poster

That's the one

Will Gresham 81 Master Poster

Take out the space between the " and values in the form, so " webmaster " becomes "webmaster". You follow?

Will Gresham 81 Master Poster

Does the script in your last posts work? As this seems to be correct.

Make sure you put your code in code-tags so that it displays correctly

Also, yes I am based in the UK, but I work nightshift as tech support in the US department of a PC company

Will Gresham 81 Master Poster

Try de-capitalizing the W in webmaster, that was meant to be lower case

Will Gresham 81 Master Poster

You can use a While statement to do this:

while($row=mysql_fetch_array($set)) {
  //Processing of the returned row
}

This will loop through the same amount of times as rows returned and the code will be run (in this case, 3 times).

darkagn commented: Good, concise answer +3
Will Gresham 81 Master Poster

This is HTML/JavaScript help you are looking for, try here

Will Gresham 81 Master Poster

In contact1.php, change the 'value' for each of the <option> tags in the select to a single word in lower case to make it easier, for example, webmaster, info, tech and rgl like so:

<select name="attn" size="1">
<option value="webmaster">Webmaster </option>
 <option value="info">General Info </option>
</select>

Then in the other file put:

// The case labels are quoted strings and must match the <option> values exactly (lower case)
switch($_POST['attn']) {
case 'webmaster':
$to_email = "erich.krauz@rgl-e.com";
break;
case 'info':
$to_email = "krauz2@hotmail.com";
break;
default:
$to_email = "krauz2@hotmail.com";
}
mail($to_email, $subject, $message, $from);

It would also be a good idea to handle any errors thrown by the mail function like so:

@$send_email = mail($to_email, $subject, $message, $from);
if($send_email) {
echo "E-Mail sent successfully";
} else {
echo "The E-Mail was not sent.";
}
Will Gresham 81 Master Poster

OK, I'm looking through your code at the moment, one thing I have noticed is that this line is at the top of the file:

$conf = mysql_fetch_array(mysql_query("SELECT * FROM config WHERE id = 1"));

It may as well be removed since it will not be available within the function without declaring it as a global within each function it is required.

As for the SQL queries, try putting the column names in backticks ` example:

$conf = mysql_fetch_array(mysql_query("SELECT * FROM `config` WHERE `id` = 1"));
Will Gresham 81 Master Poster

You will need to take the POST value for the drop-down and use that as the E-Mail to address in the mail function, preferably, use names without an @ or domain.com and use PHP to assign an email:

// The form only submits a short name; the address itself stays on the server
switch($_POST['attn']) {
case 'name1':
$to_email = "name1@domain.com";
break;
case 'name2':
$to_email = "name2@domain.com";
break;
default:
$to_email = "Address if email not selected";
}

Don't put the E-Mail address in the field on the form as this can be edited client-side and may compromise your script.
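
The recipient lookup described in this post, written out as an added example (not code from the thread). The keys, the example.com addresses, the `email` field name and the helper names `resolve_recipient` and `build_from_header` are assumptions; it also shows how a tampered drop-down value and a sender value containing line breaks are handled.

```php
<?php
// Added example: keys and addresses are placeholders, not values from the thread.
const RECIPIENTS = [
    'webmaster' => 'webmaster@example.com',
    'info'      => 'info@example.com',
];
const DEFAULT_KEY = 'webmaster';

// Map the submitted drop-down value to an address that exists only on the server.
function resolve_recipient($posted): string
{
    // attn[]=x arrives as an array; anything that is not a string counts as absent.
    if (!is_string($posted)) {
        return RECIPIENTS[DEFAULT_KEY];
    }
    // Tolerate the " webmaster " / "Webmaster" mismatches, nothing else.
    $key = strtolower(trim($posted));
    return RECIPIENTS[$key] ?? RECIPIENTS[DEFAULT_KEY];
}

// Accept the sender only if it is one valid address. CR/LF in the value
// would otherwise add extra header lines (Bcc:, Cc:) to the message.
function build_from_header($posted): ?string
{
    if (!is_string($posted) || preg_match('/[\r\n]/', $posted)) {
        return null;
    }
    $addr = filter_var(trim($posted), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : 'From: ' . $addr;
}

// Constructed submissions: normal, edited recipient, array value, sender with line break.
$samples = [
    ['attn' => 'info', 'email' => 'visitor@example.org'],
    ['attn' => 'someone@example.net', 'email' => 'visitor@example.org'],
    ['attn' => ['x'], 'email' => 'visitor@example.org'],
    ['attn' => ' Webmaster ', 'email' => "a@example.org\r\nBcc: list@example.net"],
];

foreach ($samples as $post) {
    $to   = resolve_recipient($post['attn'] ?? null);
    $from = build_from_header($post['email'] ?? null);
    if ($from === null) {
        echo "rejected: invalid sender address\n";
        continue;
    }
    // A real handler would call mail($to, $subject, $message, $from) here.
    echo "to=$to $from\n";
}
```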

Will Gresham 81 Master Poster

I deleted the bracket all together- now it's just this: Parse error: syntax error, unexpected $end in /home/a5957980/public_html/includes/functions.php on line 247

.... By doing this, you are including all the code following where the bracket should be in the same function which may well result in further errors when the current one is fixed.

If you put this bracket back and then post the other errors as there are obviously multiple problems through the script if you are getting errors and removing a required } to hide these is not solving the problem, just masking it..

Will Gresham 81 Master Poster

Which functions are being called from this script? and what are the values being passed to the functions when the errors occur.

Will Gresham 81 Master Poster

Line 217 should be

}
elseif ($numrows > 1)
{

not

}
	else
	if ($numrows > 1)
	{

I'll keep checking but I think that's the only other error.

Also, I can see no use for this elseif as it does exactly the same as the else below it.

Will Gresham 81 Master Poster

I can't see a problem at line 18, but line 47:

$conf = mysql_fetch_array(mysql_query("SELECT * FROM config WHERE id = 1")

does not have a ; on the end and there is a missing ).

Will Gresham 81 Master Poster

Can you post what code you have at the moment?

When you say join, do you mean the LEFT JOIN, RIGHT JOIN... in SQL to get the data across multiple tables, or do you mean joining the strings from the 3 columns in PHP?

Will Gresham 81 Master Poster

If the users have to register, that would mean that you most probably have a database, why not add an account expiration column into the table and put a date/time 1 month from the time they register. When the user logs in check this field to see if their account is valid.

Will Gresham 81 Master Poster

Hi all

Just a quick question, I have avoided the ternary operator type If statement a lot in my code, because personally I find it easier to read a statement like this:

if (empty($_POST['action'])) {
    $action = 'default';
} else {
    $action = $_POST['action'];
}

Rather than:

$action = (empty($_POST['action'])) ? 'default' : $_POST['action'];

My question is: Is there any advantage to using the Ternary operator over a standard IF statement other than obviously saving a few characters...

Will Gresham 81 Master Poster

To get a list of files in a directory, look into the opendir() readdir() and closedir() functions in PHP, to get the contents of the files, look at the fopen() fread() and fclose() This is the starting point, for assistance in Javascript there is a specific forum on here for that.

Will Gresham 81 Master Poster

This is not possible with PHP without using some other language as well, PHP is a server-side scripting language and does not control how the text is displayed, this is dealt with by the HTML/CSS/javascript.

PHP can open the files and display the contents of them, but to move to the next file without reloading the page will require AJAX or at least some form of JavaScript

Will Gresham 81 Master Poster

There's the problem, the line above the comment telling you not to edit, line 32, does not have a " or ; on the end and that is what's causing the problem here.

change

$mainText = "Welcome to Surfanatiks........you visit, you get 75% of those back!<br><br>

to

$mainText = "Welcome to Surfanatiks........you visit, you get 75% of those back!<br><br>";
Will Gresham 81 Master Poster

You can increase the memory limit in PHP which may help with the problem, see http://www.ducea.com/2008/02/14/increase-php-memory-limit/

If PHP is installed on a remotely managed server, this may not be an option depending on the build options used.

Will Gresham 81 Master Poster

The best way would be to obfuscate the code prior to uploading it to the server PC, by doing this there are no alterations needed to the operating system/accounts. Also, look at http://www.raizlabs.com/software/phpobfuscator/ since this one would probably require little change to your source code to get this working. Providing the server is running PHP5 this would be the easiest option.

FlashCreations commented: Great Suggestion! This is the easiest way and probably another I will use to protect my file!! +1
Will Gresham 81 Master Poster

as far as "It would be better if you put your code in code tag. Easier to look through."

I don't know what that means. This is how it is in the script.

.... Read the rules of the forum before posting, the code tags are explained in the paragraph at the top of the PHP forum main page which also links to this page you should read the last paragraph on there which details the repercussions of not using code tags.

Also, you would have been asked to provide the code since problems can't be seen in the code you posted, it is possible PHP is reporting a line other than the one it appears to be which could be above or below what you quoted.

Will Gresham 81 Master Poster

First, php.net is a great place to start to learn about the functions and can be a lot quicker than asking here ;)

One thing I will say is never, ever use $_POST, $_GET, $_QUERY...etc directly in SQL queries or the like (you're asking for trouble if you do); always sanitize them first. If the value should only contain numbers, check this first and put them into their own variables. REGEX is ideal for this sort of job.

Always test your applications and try to find security holes in them, or ask a friend to do this as well before publishing it.

htmlspecialchars() will take characters like & and < and > and convert them to their HTML entities, such as &amp; &lt; &gt;
In doing this, it means that people can't put HTML into the database and at best mess your styles, at worst add JavaScript which could well be malicious.
You can do this on either the input or the output, but since most times I assume you will be displaying to a HTML page it makes little difference, only when printing to plain text will it be better to do it on output.

mysql_real_escape_string() would be better to use over addslashes(), they do basically the same thing though, take a look here
stripslashes() will obviously remove any escaped characters from the strings, so this would be needed otherwise all the " and ' would show as \" …

Will Gresham 81 Master Poster

Do you have the php_mysql.dll in the correct place and have you changed the line

;extension=php_mysql.dll

to

extension=php_mysql.dll

in your php.ini file?

Will Gresham 81 Master Poster

Afraid I'm out of ideas, arrays are not my strong point :)

Will Gresham 81 Master Poster

Shouldn't be, they will be passed as plain text to the function, try re-naming the variables in the function rather than calling them $key and $value.

Will Gresham 81 Master Poster

If I copy and paste the code from inside the function, into the foreach loop, it works fine, but if I call the function from inside that foreach,

Does the script work if you comment the require_once line and put the function into the main page?
I may have overlooked something but I can't see any problems in there..

Will Gresham 81 Master Poster

So long as the array is defined before the first call to the function emptyValue is made this should be fine.

So, your file should look like this now (basically)

require_once ("path_to_function.php");
$errorArray = Array();
foreach ($_POST as $key => $value) {
    $$key = addslashes(trim($value));
    emptyValue($key, $value);
}

Then the file with the function in would look like this:

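function emptyValue($key, $value) {
  // $errorArray is created in the calling script, so it has to be declared global here
  global $errorArray;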

  if (empty($value)) {

    if (strtolower(substr($key, 0, 1)) == "r") {
      $stripped = substr($key, 9);
      $errorArray[] = "Item $stripped: You have left the reference field empty. Please fill it in.";
    }
    if (strtolower(substr($key, 0, 1)) == "q") {
      $stripped = substr($key, 8);
      $errorArray[] = "Item $stripped: You have left the quantity field empty. Please fill it in.";
    }
    if (strtolower(substr($key, 0, 1)) == "d") {
      $stripped = substr($key, 7);
      $errorArray[] = "Item $stripped: You have left the details field empty. Please fill it in.";
    }

  }

  if (strtolower(substr($key, 0, 1)) == "q") {

    if (!is_numeric($value)) {
      $stripped = substr($key, 8);
      $errorArray[] = "Item $stripped: The value in the quantity field is not a valid number. Please try again.";
    }

  }

}
Will Gresham 81 Master Poster

That is what you would be looking for, give it a spin and let us know if there are any other problems.

Will Gresham 81 Master Poster

No problems :)

The way I would do this:

$errorArray = array();

foreach($_POST as $key => $value) {
$$key = addslashes(trim($value));
if ( empty($value) ) { $errorArray[] = "$key is empty"; }

}

I am unsure of what you mean for the $quantity variables, but if I understand correctly, use the substr function in an if statement within the foreach to check if the field being checked has the correct name and if it does run the validation if that makes sense..

Will Gresham 81 Master Poster

Yes, the $$key means create a variable with the name of $key, so running the foreach statement will mean that every single field on the form will be assigned to a variable named after the form's name (if you want to look into these, they are called variable variables).

For basic cleaning you could do this in the foreach loop:

$$key = addslashes(trim($value));

To help protect against problems with certain characters and to also remove any spaces from the ends of the strings.

Providing all the fields are going to be validated in the same way, you could add the validation into the foreach loop and as you said have an array for the errors.

Will Gresham 81 Master Poster

So are you looking to put $_POST into $reference1 and $_POST into $reference2 etc. ?

If this is the case, use something like:

foreach($_POST as $key => $value) {
 $$key = $value;
}

Note the double $ in there.

This effectively does the same as enabling register_globals although only with the $_POST array so ensure that the data is cleaned and validated before any processing is done on it.

scarcella commented: Nice code! It worked! +0
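
The register_globals comparison in this post, as an added example that is not part of the thread: first what the `$$key` loop does with an unexpected field, then a loop that accepts only expected field names and keeps them in an array. The field names (reference1, quantity1, details1, ...) are assumed from the substr() offsets used elsewhere in the thread; `collect_order_fields`, `$isAdmin` and the sample request are hypothetical.

```php
<?php
// Added example. Field names are assumed from the thread; sample data is constructed.

// What the $$key loop allows: a posted field named after an existing variable
// silently replaces that variable.
$isAdmin = false;
foreach (['reference1' => 'AB-12', 'isAdmin' => '1'] as $key => $value) {
    $$key = $value;
}
echo 'isAdmin after the $$key loop: ', var_export($isAdmin, true), "\n";

// Alternative: accept only names of the expected shape and return them in an
// array, so no submitted field can create or overwrite a variable.
function collect_order_fields(array $post): array
{
    $items  = [];
    $errors = [];
    foreach ($post as $key => $value) {
        // Items 1 to 99; every other field name is ignored.
        if (!preg_match('/^(reference|quantity|details)([1-9][0-9]?)$/', (string) $key, $m)) {
            continue;
        }
        [, $field, $n] = $m;
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "Item $n: You have left the $field field empty. Please fill it in.";
            continue;
        }
        $value = trim($value);
        if ($field === 'quantity' && !ctype_digit($value)) {
            $errors[] = "Item $n: The value in the quantity field is not a valid number. Please try again.";
            continue;
        }
        $items[(int) $n][$field] = $value;
    }
    return [$items, $errors];
}

// Constructed request: one valid item, one bad quantity, one empty field,
// and two fields the form never contained.
$post = [
    'reference1' => ' AB-12 ', 'quantity1' => '3',   'details1' => 'blue',
    'reference2' => 'CD-34',   'quantity2' => '3; x', 'details2' => '',
    'isAdmin'    => '1',       'errorArray' => 'x',
];
[$items, $errors] = collect_order_fields($post);
print_r($items);
print_r($errors);
```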
Will Gresham 81 Master Poster

Yes, you could use a foreach statement to do this:

foreach($_POST as $key => $value) {
 // Process here using $value for the content of the field.
}

Is that what you're looking for?

Will Gresham 81 Master Poster

Not quite,

You need to specifically state which characters you want to allow in the [] so to allow alpha numeric, you need ([a-zA-Z0-9])

:)

Will Gresham 81 Master Poster

I would suggest looking into regex extensively as there are many options for this.

If you are using letters, you can define which particular ones you will allow and whether they are caps, lower case or case insensitive.

In rewrites your regex goes in the (), conditions go in the [] and modifiers go between the ] and ). For example, to allow all lower or upper character (Latin, Greek, and Cyrillic character sets only) use ([a-zA-Z]+); if you want to internationalize and allow accented characters you would use ([a-z]+) and add [NC] to the end of the line.

Take a search online for regex, specifically for mod_rewrite as there are slight differences you need to use in the .htaccess file compared to some programming/scripting languages.

Will Gresham 81 Master Poster
<textarea id="employees" name="textspace" cols="50" rows="5"></textarea>

If you mean this one, then it would be something like:

<textarea id="employees" name="textspace" cols="50" rows="5"><?= htmlspecialchars($my_fname) ?></textarea>

Assuming you want the $my_fname value in the box.

Will Gresham 81 Master Poster

At another look, your $_POST values are incorrect, it should be $_POST['value'] not $_POST[value] so this line:

$get_addresses = "select emp_no, fname, lname, dept, position
           from employee where emp_no = $_POST[sel_id]";

should be:

// emp_no is numeric, so cast the posted value before it goes into the query
$get_addresses = "select emp_no, fname, lname, dept, position
           from employee where emp_no = " . (int) $_POST['sel_id'];
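
The sel_id lookup from this post with the advice from the earlier post applied (check that a numeric value is numeric, keep request data out of the SQL text, escape on output), as an added example that is not code from the thread. PDO with an in-memory SQLite database stands in for the thread's mysql_* calls so that it runs without a server; the table rows and the helper names `find_employee` and `h` are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite replaces the thread's MySQL connection;
// the employee rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employee (emp_no INTEGER PRIMARY KEY, fname TEXT,
           lname TEXT, dept TEXT, position TEXT)');
$db->exec("INSERT INTO employee VALUES
    (1, 'Ann', 'O''Neil', 'IT', 'Engineer'),
    (2, '<b>Bob</b>', 'Lee', 'Sales', 'Manager')");

function find_employee(PDO $db, $sel_id): ?array
{
    // emp_no should only contain digits, so check that before touching the database.
    // Arrays and strings such as "1 OR 1=1" fail this check.
    $id = filter_var($sel_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT emp_no, fname, lname, dept, position
                          FROM employee WHERE emp_no = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function h($value): string
{
    // Escape on output so stored markup is shown as text instead of being interpreted.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sel_id values: valid id, non-numeric string, array, unknown id.
foreach (['2', '1 OR 1=1', ['x'], '99'] as $sel_id) {
    $row = find_employee($db, $sel_id);
    echo $row === null
        ? "no match\n"
        : h($row['fname']) . ' ' . h($row['lname']) . ' (' . h($row['dept']) . ")\n";
}
```
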
Will Gresham 81 Master Poster

I had a quick look at your script, the first thing I noticed was that these lines:

//get parts of records
     $get_list = "select emp_no, concat_ws(', ', lname, fname) as display_name
         from employee order by lname, fname";
     $get_list_res = mysql_query($get_list) or die(mysql_error());

were within the IF statement so would not be processed unless the condition is true, move these lines to above the IF statement or re-declare them in the ELSE clause to get this to work.

Will Gresham 81 Master Poster

If the validation is as simple as 'is the field empty' then it would be fairly simple to get JavaScript to validate them with a single function, for example,
JavaScript code:

<script type="text/javascript">
// Returns false and puts the cursor back in the field when it has been left empty.
function CheckField(field) {
  if (field.value == "") {
    alert("Field " + field.name + " is empty");
    field.focus();
    return false;
  }
  return true;
}
</script>

Then add the following to each field which needs validating:

onblur="return CheckField(this);"

However, this assumes that they will click in every field, it will not work if the field is not clicked in.


If the validation is more in-depth than this it would take a lot more.
The same applies to PHP, there is not really a 'simple solution'

Will Gresham 81 Master Poster

Try to use some standard in your coding, rather than some caps and some lower case, for example SQL commands in caps and value in lower case, makes it easier to read

You would do well to add an error handle to the end of the SQL query to see if it is actually fetching any data from the db:

$var = mysql_query("some query") or die(mysql_error());
Will Gresham 81 Master Poster

The suggestions einfoway made are correct, however there are other factors to take into account, for example some people do not have JavaScript enabled so the Javascript validation and AJAX will not work for this so it would not be a good idea to rely on this.

It would be a good idea to employ both JavaScript client-side validation on the form as well as some sort of PHP validation with sessions to remember the values in the fields. That way if the JavaScript validation is bypassed the PHP should pick up any errors.

Will Gresham 81 Master Poster

There are multiple resources online which deal with this issue, a quick search comes up with exactly what you are looking for, please research and don't ask other people to do all the work.

Post an example of what you have if it isn't working and we can assist you.

Will Gresham 81 Master Poster

First, you do not need to declare the options and enable the rewriteengine more than once at the top of the file.

Also, I am assuming products and categories will only be numbers, this being the case it would be good practice to only allow numbers in the query string rather than anything.
This can be done by putting ([0-9]+) which means only allow characters 0 through 9 and the + means 1 or more.

Options +FollowSymLinks
RewriteEngine on

RewriteRule categories_and_featured_products-pid-([0-9]+)\.htm$ categories_and_featured_products.php?pid=$1 

RewriteRule subcategories_and_featured_products-pid-([0-9]+)-cid-([0-9]+)\.htm$ subcategories_and_featured_products.php?pid=$1&cid=$2

RewriteRule productsincategories-ban-([0-9]+)-cat-([0-9]+)\.htm$ productsincategories.php?ban=$1&cat=$2

RewriteRule products-ban-([0-9]+)-cat-([0-9]+)\.htm$ products.php?ban=$1&cat=$2
Will Gresham 81 Master Poster

Please use the code tags to put code on here.

From the information you provided it would not be possible to tell you what the issue is:
1. You have not said what is and what is not working
2. In the code you have posted you are using objects/variables which are not defined or described

In order to help we would need to know what the script is supposed to do and be able to see the classes and procedures used to populate the variables mentioned above.

Shanti C commented: good working on threads... +2
Will Gresham 81 Master Poster

This will require some server-side scripting to achieve what you are looking for, PHP is a popular choice for similar solutions.

Check what your webserver can support and search the internet, there are many packages available which fit what you describe.

Will Gresham 81 Master Poster

Your best bet would be to ask in the Javascript forum here

Will Gresham 81 Master Poster

No problem, make sure you mark finished topics as solved :)