Posts by broj1

You first have to insert new user data into tbl_user table, somehow creating fields (id could be autoincrement). Then use this user ID and add it to the query for the tbl_userprofile table.

You are welcome, hopefuly it helps. Please mark thread as solved if there are no more questions. Happy coding.

What do you mean by offline? Are database and webserver accessible when you are offline (localhost) or are they somewhere else (accessible through internet)? Do you have php.ini set up to display errors? Do you have a ob_end_flush() command at the end?

In my example I used mysqli extension but you are using mysql exstension (see the query on line 19 of your code). You should actually use only one exstension in your script. I strongly suggest you switch to mysqli which is newer and has more features. Mysql exstension is old and has been deprecated in newest versions of PHP. So if you have reasons stay with mysql and change the escape statements to:

// escape the values and assign them to variables
$warranty = mysql_real_escape_string($_POST['warranty']);
$delivery = mysql_real_escape_string($_POST['delivery']);
$price = mysql_real_escape_string($_POST['price']);

and the error won't appear anymore. When you have chance switch to mysqli extension. And sory for the confusion I might have caused :-)

As AHarrisGsy says you did not assign values from $_POST to variables you use in your query. So check for the existence of each of $_POST element, escape the values and assign them to variables. If any of the $_POST elements is missing then display an error message.

if(isset($_POST['warranty']) && isset($_POST['delivery']) && isset($_POST['price'])) {
    // escape the values and assign them to variables
    $warranty = mysqli_real_escape_string($_POST['warranty']);
    $delivery = mysqli_real_escape_string($_POST['delivery']);
    $price = mysqli_real_escape_string($_POST['price']);
} else {
    // if any of the values is missing display error message
    die('Please select all required fields!');
}
    // get username form somewhere (i.e. session)
    $username = $_SESSION['username'] // I am guessing this
    ...
    // now you can use variables in the query
    $sql = "INSERT INTO order SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";

On line 12 you assign a filename to $filename variable:

$filename = stripslashes($_FILES['file']['name']);

which is good. But then you do not use that variable on line 62:

$filename = "../../../../../../../../bloggbilder/". $_FILES['file']['name'];

which is strange since it defeats the purpose of the code on line 12. I think you should create a filename on line 12 and give it a random prefix or postfix, something like:

// create postfix
$postfix = '_' . date('YmdHis') . '_' . str_pad(rand(1,10000), 5, '0', STR_PAD_LEFT);
// get rid of slashes and add postfix
$filename = stripslashes($_FILES['file']['name']) . $postfix;
// handle the extension
...
// use the generated filename form now on
...

which will generate a filename like somename_20130416_005826.jpg

To add a row at the end of the HTML table you can use Javascript and insertRow() and insertCell() methods. Create a function that will insert a row and four cells in that new row. Then make a link with an onclick event that will trigger inserting of the row. See example here.

To save the data in database use either Ajax as diprofinfiniti suggested or just process the form by submitting it usual way.

On line 22 you are missing a semicolon on the end of the statement.

In the query all the field names should be enclosed in backticks and not in single quotes (a mysql syntax requirement).

Sometimes it is better to enclose column and table names in backticks to make sure they do not clash with mysql kkeyword:.

$query = mysql_query('SELECT `Name`, `Price`, `Quantity`, `Image` FROM `products`')
or die(mysql_error()); 

You can also try the query in phpmyadmin and see if you get any errors:

SELECT `Name`, `Price`, `Quantity`, `Image` FROM `products`

View the source in browser and check whether the html code for the form has been generated properly. In Firefox you right click and select View Page Source from the menu.

The reason are double quotes that you use in the middle of the string on line 28 above. If you want to use double quotes literaly in double quoted strings you have to escape them with backslashes like this <form action=\"insert.php\" method=\"post\">:

echo "
<div id='regbox'>
<form action=\"insert.php\" method=\"post\">
<p>
<label>Name:</label>
<input type='text' name='name' />
</p>
<p>
<label>Price:</label>
<input type='text' name='price' />
</p>
<p>
<label>Quantity;</label>
<input type='text' name='quantity' />
</p>
<label>Image:</label>
<input type='text' name='image' />
</p>
<input type=\"submit\">
</form>
</div>
</div>
<div id='bottom'></div>
</div>
</body>
</html>";

or use single quotes for all html attributes.

Or use heredoc syntax

echo <<<EOT
<div id='regbox'>
<form action=\"insert.php" method="post">
<p>
<label>Name:</label>
<input type='text' name='name' />
</p>
<p>
<label>Price:</label>
<input type='text' name='price' />
</p>
<p>
<label>Quantity;</label>
<input type='text' name='quantity' />
</p>
<label>Image:</label>
<input type='text' name='image' />
</p>
<input type="submit">
</form>
</div>
</div>
<div id='bottom'></div>
</div>
</body>
</html>";
EOT;

This is the complete code that works fine for me:

<html>
<body>
<form method="post" action="">
<input type="text" name="customername" required/>
<input type="text" name="productname" required/>
<input type="text" name="units" required/>
<input type="text" name="price" required/>
<input type="submit" value="submit"/>
</form>
<?php
session_start();
if($_POST)
{
    array_push($_SESSION['array'],($_POST));  
    print_r($_SESSION['array']);
}
?>
</body>
</html>

An remove this line:

$_SESSION['array']=array();

You do not want to initialize array each time if you want to append to it.

array_push cannot handle the $_POST which handles more than one value. it onlyu handles one value per transaction so it needs to be in this form

@masterjiraya: can you explain above statement. $_POST is an array and array_push is defined as:

int array_push ( array &$array , mixed $var [, mixed $... ] )

where $var is of mixed type (it can also be an array).

In PHP code use session_start() on the beginning to use a session.

<?php
session_start();
if($_POST)
{
    $_SESSION['array']=array();
    array_push($_SESSION['array'],($_POST));
    print_r($_SESSION['array']);
}
?>

The basic principle is:

At login page you create a session variable to store login information when login is successfull. The login information might include the user rights level i.e.

if(<login successful and user level= admin>) {
    $_SESSION['user_level'] = 'admin';
}

On each secured page where you first check if the user_level exists and if it is appropriate. i.e on admin page you would check:

if(isset($_SESSION['user_level']) && $_SESSION['user_level'] == 'admin') {

    // do admin stuff here
    ...

} else {
    header('location:logout.php');
    exit();
}

If login information is not correct the user will be redirected to logout page that will destroy the session and clean up whatever needed and redirect to login page.

Try:

else if ($password !== $cPassword)

OK, looking at your script again, here is where you set the value:

$_SESSION['k8goodsID']=$tenantIdentifier;

But if $tenantIdentifier has no value, $_SESSION['k8goodsID'] also has no value and the query fails. So you have to make sure $tenantIdentifier has appropriate value. Suppose it is an integer:

if(is_int($tenantIdentifier) && $tenantIdentifier > 0) {
    $_SESSION['k8goodsID']=$tenantIdentifier;
} else {
    die("ERROR: Tenant identifier has not been set!");
}

Basicaly, you have to make sure tenantIdentifier has been set to appropriate value before using it.

I guess your problem is not the session unsetting at all but the HTTP header is not redirecting as you are expecting. Can you post the whole logout.php and how you get to it (e.g. by clicking a link).

SELECT * FROM k8_goodsin WHERE k8goodsID=''

so i try it on the phpmyadmin, it returned zero rows.
what does it mean..?

It means that the value for the $_SESSION['k8goodsID'] does not exist (there is nothing between single quotes). Where is the value for $_SESSION['k8goodsID'] supposed to be set? You have to look for error there. Do you have session_start() on the beginning of every script that uses session?

The solution for your requirement seems to be OK. But in some circumstances the result in line 5 returns FALSE which indicates an error when querying. You should change the code in line 5 to:

$result=mysql_query($statement) or die(mysql_error());

This way if there is an error when querying the error will be displayed and the script stopped. Now you can examine the reason for the error.

BTW: in future you might want to consider dropping the old and deprecated mysql extension and switching to newer mysqli extension or PDO.

Sorry for being quiet so long, I was away.

The code with included debug statement should look like this:

$query_k8goodsin = "SELECT * FROM k8_goodsin WHERE k8goodsID='" . $_SESSION['k8goodsID'] . "'";

// DEBUG
die($query_k8goodsin);
// END DEBUG

$rs_k8goodsin = mysql_query($query_k8goodsin) or die ('Query failed:' . mysql_error() . "<br /><\n $query_k8goodsin");
$reck8goodsin = mysql_fetch_array($rs_k8goodsin);

while(mysql_fetch_assoc($rs_k8goodsin)) {
    echo '<tr>';
    echo '<td class="labelcell">' . $count . '</td>';
    echo '<td>' . $reck8goodsin['goodsDesc'] . '</td>';
    echo '<td>' . $reck8goodsin['k8goodsQty'] . '</td>';
    echo '<td>' . $reck8goodsin['valuePerUnit'] . '</td>';
    echo '<td>' . $reck8goodsin['valueTotal'] . '</td>';
    echo '<td><input name="k8Check" type="checkbox" value="" /></td>';
    echo '</tr>';
}

Thie code will display the query constructed with the value from session and stop the script. Paste the displayed query into phpadmin for testing or post it here.

Better stick to DECIMAL as pritaeas suggested. Float is aproximate, int does not provide decimal values. Migt want to read this: http://blog.rietta.com/2012/03/best-data-types-for-currencymoney-in.html

Also have a look at Example 1 on PHP.net session_destroy page:

http://php.net/manual/en/function.session-destroy.php

try adding unset($_SESSION); after session_start()

I wouldn't recommend that. See note here. This will disable the registering of session variables through the $_SESSION superglobal.

I tested your code on my server and it works OK. Clicking on Back button always brings me to index.php. Make sure you have no html before the code you posted (not even a space). If you have any html before a header() function, the function will not work.

Also the ultimate checklist for web app security is [OWASP's to 10]. It is comprehensive but it is worth taking some time to get to grips with it.

<?php $name=?>

This piece of code will generate an error since it is not complete.

To pas a JS function value to PHP the JS function should return the value first. Then the value could either be
1. set into a form element (maybe a hidden input) and the form posted to the server or
2. sent to the server by ajax

Hope I understood the question. Could you explain more what you want to achieve, please.

public function getLastInsertId()
{
    // you can do checks first (has the query been successful etc)

    return $this->mysqli->insert_id;
}

It would be good idea to initialize the properties:

protected $mysqli = null;
protected $result = null;

I would also use more descriptive names. The connection class is not only doing the connection, it is also returning the data. $mysqli property would be better named $db so you can extend the class for other drivers (i.e Oracle). Otherwise you are just duplicating the functionalities of mysqli.

Also post the displayed query here.

This is what it says in your php.ini:

mail.log = "C:\xampp\php\logs\php_mail.log"

(this line has to be uncommented)

i tried this query on phpmyadmin:

SELECT * FROM k8_goodsin WHERE k8goodsID='".$_SESSION['k8goodsID']."'

You did not copy the code correctly. This is correct code (see my post above):

$query_k8goodsin = "SELECT * FROM k8_goodsin WHERE k8goodsID='".$_SESSION['k8goodsID']."'";

Or this is another variation of the same thing:

$query_k8goodsin = "SELECT * FROM k8_goodsin WHERE k8goodsID='{$_SESSION['k8goodsID']}'";

Change line 5 to:

if(isset($_POST['submit']) && isset($_POST['start']) {
    ...

but the data still not visible..is it because of the session id..?

Check out what the query returns. After this line:

$query_k8goodsin = "SELECT * FROM k8_goodsin WHERE k8goodsID='".$_SESSION['k8goodsID']."'";

put the following debug code:

die($query_k8goodsin);

It will display the query and stop the script. Now you can copy the displayed query into phpmyadmin and test it. You can also post it here.

Have you checked the log file?

As NardCake said put session_start() function on top of the script so you can use a session. Then do not use session_register() function since it has been deprecated and removed after PHP 5.4. Just assign the values to the $_SESSION array (see NardCake's post).

Then before using $_POST array values check for their existence first since users might forget to input values in which case you have to deisplay an error message. So just wrap your code in if / else blocks:

if(isset($_POST['myusername']) && isset($_POST['mypassword'])) {

    // Connect to server and select databse.
    mysql_connect("localhost", "root", "")or die("cannot connect");
    mysql_select_db("db_feedback")or die("cannot select DB");
    // username and password sent from form 
    $myusername = $_POST['myusername'];
    $mypassword = $_POST['mypassword'];   
    ...

} else {

    echo 'Please enter username and password';
}

Variables $title and $entry haven't been defined anywhere in the script. Did you forget to add these two lines:

$title = $_POST['title'];
$entry = $_POST['entry'];

See my last post.

One thing: enable logging in php.ini. Uncomment the following line:

mail.log = "C:\xampp\php\logs\php_mail.log"

Now you can check in the log what happened. And make sure you set and use valid addresses.

Sorry, I am not sure if I understood this. Did you mean you did not receive the mail that was successfully sent?

Add From header with your (or some) email address. This is an example from PHP.net:

$to      = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster@example.com' . "\r\n" .
    'Reply-To: webmaster@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

You can also set it in php.ini:

sendmail_from = me@example.com

mail() function is trying to connect to localhost at port 25 (which are default values). You make sure that php.ini settings are the same. This is how my php.ini is set:

SMTP = localhost
smtp_port = 25

But I am on Linux and am not sure how it works on Windows. Please also check the form of To: adresses. Thi is the note form PHP mail manual:

The Windows implementation of mail() differs in many ways from the Unix implementation. First, it doesn't use a local binary for composing messages but only operates on direct sockets which means a MTA is needed listening on a network socket (which can either on the localhost or a remote machine).

Second, the custom headers like From:, Cc:, Bcc: and Date: are not interpreted by the MTA in the first place, but are parsed by PHP.

As such, the to parameter should not be an address in the form of "Something <someone@example.com>". The mail command may not parse this properly while talking with the MTA.

mysql_num_rows() function returns a number of found rows (an integer), not an array of rows. You should use a mysql_fetch_assoc() in a while loop function instead. Something like:

while(mysql_fetch_assoc($rs_k8goodsin)) {
    echo '<tr>';
    echo '<td class="labelcell">' . $count . '</td>';
    echo '<td>' . $reck8goodsin['goodsDesc'] . '</td>';
    echo '<td>' . $reck8goodsin['k8goodsQty'] . '</td>';
    echo '<td>' . $reck8goodsin['valuePerUnit'] . '</td>';
    echo '<td>' . $reck8goodsin['valueTotal'] . '</td>';

    echo '<td><input name="" type="checkbox" value="" /></td>';
    echo '</tr>';
}

And give the checkbox a sensible name.

First check if your SMTP server is running and is correctly set up.

Notice: Undefined index: start in C:\wamp\www\cinema3\movies\films\booking\book here1.php on line 7

This error says that index named start does not exist in some array (most probably $_POST). I expect it is this line that is causing troubles:

$start =mysql_real_escape_string($_POST['start']);

See my post above for the solution.

You could add this code somewhere at the end of the snippet above:

die('<pre>' . print_r($send_params, 1) . '</pre>');

This will display array of the final version of all parameters needed for sending. Now you can go through each element and check it. Carefuly look at the $send_params['headers'] if it is assembled correctly. You can also post the output here fo us to look at it.

The problem is probably in this line:

$start =mysql_real_escape_string($_POST['start']);

$_POST['start'] is set if user selects one of the radio buttons (booking time). If user does not select any button you have to display an error message, but you have to test for it first:

if(isset($_POST['start'])) {
    $start =mysql_real_escape_string($_POST['start']);
} else {
    die( " please enter the time .<a href='../3D The Croods.php'>click here to choose time</a>");
}

And another thing: I thing it is not a good idea to have php script names with spaces in them.

OK, but do you have session_start() on each and every script that uses the session (including the script that is making troubles)? You also have to make sure there is no HTML sent before the session_start() statement otherwise session will not get initialized.

When I run your script, I am getting the error value does not exist,

This means that $_SESSION['clubsId'][0] is not set (does not exist) so you can not use it in your query.

The line of code below will produce html errors and contains two PHP errors:

 echo "New Quantity: <input type=text size=4 name=updateQuantity[$sku] />\n";

It should be:

 echo "New Quantity: <input type=\"text\" size=\"4\" name=\"{$updateQuantity[$sku]}\" />\n";

Note that I have used backslash to escape double quotes, added $ to updateQuantity array name and erapped $updateQuantity[$sku] in curly braces.

What exactly is the question? Are you getting any errors?

The only strange thing I spotted is that you are building the $productInfo array using quantity as the key.

$productInfo[$sku] = array();

First: there is no Quantity field in the query and second: when you have two rows with the same quantity (the key) the existing value in the $productInfo will be overwritten.

Quote the field names with backtick (assumming that you use mysql):

$qry = "insert into users (`name`, `surname`, `email`, `password`, `date`) 
values ('$name', '$surname', '$email', '$password', '$date')";

This is how you make sure column names do not clash with any keywords. Not sure if this is the right solution for your problem, though.

You can also check the query by adding this line:

die($qry);

It will display the query and stop the script. Now you can paste the query into phpmyadmin and test it. You can also post it here for us to see.