broj1 356 Humble servant Featured Poster

Please post also the checklogin.php code which is where you are supposed to check credentials and set up the session and phpconfig.php (and remove any sensitive data from it!!).

broj1 356 Humble servant Featured Poster

Post the latest version of the code you have.

broj1 356 Humble servant Featured Poster

I hope this is what you are after:

mysql_connect ("localhost", "jimbooth_test","test1")  or die (mysql_error());
mysql_select_db ("jimbooth_groupproject");

// you get users to supply keywords, probably using a form, I'll just make them up
// in this test case the user is searching by two keywords: Business and Human
$userKeywords = array('Business', 'Human');

// find course IDs from the C_Search table that contain above keywords
// start the first part of the query with a dummy WHERE condition; it has to be
// false (0), because with "WHERE 1" the OR conditions below would match every row
$query = 'SELECT Course_ID FROM C_Search WHERE 0';

// add each of the keywords that the user supplied
foreach($userKeywords as $kwd) {

    $query .= "  OR C_Key_Words LIKE '$kwd'";
}

// shoot the query
$res1 = mysql_query($query);

// initialize the string that will hold the course IDs that match the keywords
// IDs will be separated by comma
$courseIdList = '';

// retrieve course IDs that match the keywords and add them to $courseIdList
while ($row = mysql_fetch_array($res1)){

    $courseIdList .= $row[0] . ',';
}

// remove the trailing comma from the $courseIdList
$courseIdList = rtrim($courseIdList, ',');

// now when you have all the found course IDs, read the data about the courses
$query = 'SELECT * FROM C_Info';

// add the course IDs only if they exist in the $courseIdList
if($courseIdList != '') {

    $query .= " WHERE Course_ID IN ($courseIdList)";
}

// shoot the query
$res2 = mysql_query($query);

// display the keywords
echo '<p>You searched by: <strong>';
echo implode(', ', $userKeywords);
echo '</strong></p>';

// read each row and display the data
while ($row …
broj1 356 Humble servant Featured Poster

I need some data so I can do a test in my environment. I hope you use phpmyadmin to manage your database. Phpmyadmin allows you to export data from a table. So click on the table name in the left pane and select the Export menu on the top of the right (main) pane. Leave options as they are and save the SQL file on your machine and then post the contents here. If the table contains confidential information, remove it before posting.

If you do not use phpmyadmin then you can run the following queries from mysql client or a PHP script. To get the table structure run these two queries:

SHOW CREATE TABLE courseinfo;
SHOW CREATE TABLE batchinfo;

To display some data run the following two queries:

SELECT * FROM courseinfo LIMIT 10;
SELECT * FROM batchinfo LIMIT 10;
broj1 356 Humble servant Featured Poster

What would you like to do when case 0? I think case 0 is when the import went without any problems. Then you don't have to do anything else apart from letting users know (which has already been done).

broj1 356 Humble servant Featured Poster

How would you fill the values dynamically? From the user input, from the database or some other way?

broj1 356 Humble servant Featured Poster

I assume the /home/delhioia/public_html/facebook/index.php file is being included from /home/delhioia/public_html/index.php, right?

The error message says that /home/delhioia/public_html/index.php is sending output on line 7, probably before inclusion of the /home/delhioia/public_html/facebook/index.php, which is why you get the error, I presume (provided that my assumptions are right).

broj1 356 Humble servant Featured Poster

I would presume that the query:

$query_recTenantuser = "SELECT * FROM md_storage WHERE tenantID='".$tenantID."'"; 

will return just one row ($tenantID is probably unique), so in the select element (drop down) you will have only one option. That does not make sense. Correct me if I am wrong.

broj1 356 Humble servant Featured Poster

Do the values come from the $nume_produs[1] and $key variables? Where do they get assigned and what from?

broj1 356 Humble servant Featured Poster

I do not understand your code yet but one thing is strange. You call a function

osc_query_item ("studio");

and if you look at this code snippet of the osc_query_item function definition

if($params==null) {
    $params = array();
} else if(is_string($params)){
    $keyvalue = explode("=", $params);
    $params = array($keyvalue[0] => $keyvalue[1]);
}

it seems that if the parameter is a string, it is expected to contain the = character, by which the string is exploded into an array. In the following bit of code:

$params = array($keyvalue[0] => $keyvalue[1]);

$keyvalue[1] is undefined (not set) since there was no = character in the string studio.

I do not know how much sense that makes since I do not know the purpose of the code and all the elements (like the Search class). Hope it helps.

broj1 356 Humble servant Featured Poster

Sorry, but I do not quite understand. Please explain in more detail.

Do you have the code for query_item() and osc_category_name() functions? If yes, please post them.

broj1 356 Humble servant Featured Poster

The first while loop has no code since you did not use any curly brackets. Is this supposed to be like that? Or would it be more correct like this:

while (osc_has_categories ()) {

    // check category id and name inside while loop is ok!
    echo osc_category_id(), ": ", osc_category_name() ;

    echo "<p>results:</p>" ;

    // query_items inside the while loop after category is changed.
    // note: "studio" -             show results from "studio" BUT everywhere, 
    // note: osc_category_name() -  show ALL results from ALL categories AND everywhere,
    // note: "$osc_category_name" - show ALL results from ALL categories AND everywhere,

    osc_query_item ("studio") ;

    // check if items present
    while ( osc_has_custom_items() ) { 

        // echo result
        echo osc_item_title () ; 
    } 

    // reset query
    osc_reset_custom_items () ;
}
broj1 356 Humble servant Featured Poster

In the code above you have errors:
- a ) and ; missing on line 7
- first part of the main query has gone

Does the C_Key_Words field in the C_Search table contain multiple keywords separated by comma in each row? Please confirm, since the query has to be changed then.

broj1 356 Humble servant Featured Poster

This is jQuery code, actually the ajax bit of it. jQuery is a JavaScript library that has various useful functionalities that work in most browsers (without you worrying about all the differences in browser implementations). Ajax is basically a technology or approach to update just a part of a web page's contents without reloading the whole page. It uses the JavaScript XHR object for that and XML for data transfer (but most people use JSON or just generate the return with PHP). Ajax can do all this asynchronously (while you are browsing, without disturbing your browsing experience).

The code above shoots an ajax call, calling search.php script that returns a result - data - (probably a search result), which is inserted into a HTML element with ID errprofilename. It is using HTTP post as a method (as opposed to get, put, delete ...).

broj1 356 Humble servant Featured Poster
  1. It assigns a value to $username variable, using EscapeCharacters() method of a $secure object (it is an example of object oriented PHP) to escape characters. $secure is an object derived from some class that is obviously designed to deal with user (form) input at login. There must be an instantiation code $secure = new ... somewhere prior to this code. The main goal of escaping characters is rendering safe some characters, that would make possible attacking or corrupting the data in the database. In mysql (and some other databases) the most dangerous characters are ' and ; so after escaping they become \' and \; and can not be used in injected queries. Google for SQL injection attack.
  2. It does the same with the input value for a password (escaping).
  3. It also hashes the value for password in order to store the hash in the database. Hashing is converting a string into some value for later comparison. Every time you hash the same string you get the same hash. You can not go the other direction i.e. you can not get the password from the hashed string. This means you have a password hash in the database, not knowing what the password is, but you can always check if the entered password is correct (so only the user knows the password).
IIM commented: correct.:) +5
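
The three steps described in the post above (take the username, take the password, compare against a stored hash), as an added example that is not part of the original thread: the username is bound through a PDO prepared statement instead of being escaped, and PHP's password_hash() / password_verify() handle the hash. The users table, its columns and the sample account are constructed for the demo, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL.

```php
<?php
// Added example; table name, column names and credentials are constructed.

function checkLogin(PDO $db, string $username, string $password): bool
{
    // Hash to compare against when the user does not exist, so that both
    // paths spend roughly the same time in password_verify().
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }

    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false) {
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() re-hashes the input with the salt and cost stored
    // inside $storedHash and compares the two results.
    return password_verify($password, $storedHash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: only the hash is stored, the password itself is not.
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse battery'],   // valid credentials
    ['alice', 'wrong password'],          // wrong password
    ["alice' OR '1'='1", 'anything'],     // quote characters are just data here
];
foreach ($attempts as [$user, $pass]) {
    printf("%-20s %s\n", $user, checkLogin($db, $user, $pass) ? 'accepted' : 'rejected');
}
```
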
broj1 356 Humble servant Featured Poster

I am trying to test this in my environment but it is hard without the data. Can you post the structure and some data for the courseinfo and the batchinfo tables. Please do it in SQL INSERT format. The easiest way of doing it is exporting the tables in phpmyadmin with default values.

broj1 356 Humble servant Featured Poster

When user clicks on logout link it takes him to the logout script that has the code that Webville312 suggested in his post. The script does not do anything visual. It just destroys the session and redirects to the index page. We are assuming here that you keep the login information in the session. For really secure logout I would add a couple of statements, which just show what a vigilant person I am:

<?php

session_start(); // First initialize the current session

$_SESSION = array(); // initializes the session array to an empty array

unset($_SESSION); // unset the session array

session_destroy(); // Then destroy the session  

header('Location: index.php'); // redirect the user to the index page 

exit(); // terminate the script

?>
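
An added variant of the logout script above (not code from the thread), following the pattern shown in the PHP manual for session_destroy(): besides clearing and destroying the server-side session, it also expires the session cookie in the browser. The redirect target index.php is taken from the post; the sketch assumes the default cookie-based sessions.

```php
<?php
session_start();                 // attach to the session that is being ended

// Empty the array instead of unset($_SESSION): the PHP manual warns that
// unsetting the superglobal disables registering of session variables.
$_SESSION = array();

// Expire the session cookie in the browser, using the same path, domain and
// flags it was issued with; otherwise the browser keeps sending the old ID.
if (ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params['path'],
        $params['domain'],
        $params['secure'],
        $params['httponly']
    );
}

session_destroy();               // delete the session data on the server

header('Location: index.php');   // redirect the user to the index page
exit();                          // terminate the script
```
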
broj1 356 Humble servant Featured Poster

Have you tried the test from my previous post? Can you post the output?

Can you also post some of the current data in the C_Search table (just a few rows).

broj1 356 Humble servant Featured Poster

Other ideas:
1. change method to GET and see if it works
2. specify enctype="application/x-www-form-urlencoded" for the form (which is default anyway)

 <form action="processorder.php" method="post" enctype="application/x-www-form-urlencoded">
broj1 356 Humble servant Featured Poster

A few 'stupid' questions (I am blindly guessing now):

  • if you download the php file, what is the contents of it?
  • have you tried this in different browsers (FF, Chrome, IE)?
  • do you use Google sitemaps plugin?
  • have you been changing the php config?
  • how much memory does php have (see in phpinfo)
  • do you use a .htaccess file
broj1 356 Humble servant Featured Poster

You use mysqldump program to export database into a SQL file, something like:

mysqldump -u USER -p DATABASE > FILENAME.sql

then use mysql client to import SQL file into another database:

mysql -u USER -p DATABASE < FILENAME.sql

This was taken from this link.

EDIT: I just noticed that you said you use Xamp. I think these two programs should be available in xamp but I am not 100% sure.

broj1 356 Humble servant Featured Poster

I have tested this in my environment (Ubuntu 12.10, Apache, Firefox 19.0) and it displays the php file normally.

What happens if you navigate your browser to the php file directly?

broj1 356 Humble servant Featured Poster

Sorry for the late answer, I was away the whole day.

I can't see it assigned anywhere. So try to use $_SESSION['form']['Last_Name'] instead of $Last_Name.

broj1 356 Humble servant Featured Poster

No, do not admit defeat yet. Make a new test file like this

<?php
mysql_connect ("localhost", "jimbooth_test","test1") or die (mysql_error());
mysql_select_db ("jimbooth_groupproject");

$res1 = mysql_query("select C_Key_Words from C_Search");
while ($keyword_row = mysql_fetch_assoc($res1)) {
    // the array key has to match the column name selected in the query
    echo "{$keyword_row['C_Key_Words']} <br />";
}
?>

Post what gets displayed.

broj1 356 Humble servant Featured Poster

The rest of page is blank.

Yes, the die statement displays the value of $_GET and stops the execution. That's the way I prefer to debug. Please remove the die statement.

By the way where does the $Last_Name come from (where is it being assigned a value)? You could try it this way:

<a href="ZipLookup.php?Last Name=<?php echo $_SESSION['form']['Last_Name']; ?>">select</a>

And I also noticed that in this statement the semicolon is missing at the end. Try to correct that too, please:

<a href="ZipLookup.php?Last Name=<?php echo $Last_Name'; ?>">select</a>

P.S. I have to admit that I am more or less guessing here since I don't understand the purpose completely.

broj1 356 Humble servant Featured Poster

On the ZipLookup.php put this code in the beginning:

die($_GET['Last_Name']);

It should display last name. If not we still have an error somewhere.

broj1 356 Humble servant Featured Poster

Edit: disregard this please, I saw in your last post that you did.

Have you changed this line:

<input type="text" name="Last_Name" id="Last_Name" autofocus value="<?php echo $_SESSION['form']; ?>" placeholder="last name" size="32" />

to:

<input type="text" name="Last_Name" id="Last_Name" autofocus value="<?php echo $_SESSION['form']['Last_Name']; ?>" placeholder="last name" size="32" />
broj1 356 Humble servant Featured Poster

Maybe not the most elegant solution but it works.

<?php
// connect to DB
...

// run an endless loop
while(1) {

    // generate unique random number
    $randomNumber = rand(0, 999999999);

    // check if it exists in database
    $query = "SELECT * FROM tbl_rand WHERE the_number=$randomNumber";
    $res = mysql_query($query);
    $rowCount = mysql_num_rows($res);

    // if not found in the db (it is unique), break out of the loop
    if($rowCount < 1) {

        break;
    }
}

// pad the number with zeros (if needed)
$paded = str_pad($randomNumber, 9, '0', STR_PAD_LEFT);

// dash delimited string to be displayed
$delimited = '';

// add dashes
for($i = 0; $i < 9; $i++) {

    // add a character
    $delimited .= $paded[$i];

    // add dashes wherever appropriate
    if($i == 2 || $i == 5) {

        $delimited .= '-';
    }
}

echo $delimited; 
?>

My assumption is that you store numbers in the database as integers between 0 and 999999999. If you store them as strings then the code has to be adapted.

An improvement would be to generate random number and check the database all with an SQL. See this post on SO.

broj1 356 Humble servant Featured Poster

If user can upload this does not mean they can delete (if you do not permit them). The directory containing the books should not be browsable. You provide a GUI for uploading and downloading and that is it.

broj1 356 Humble servant Featured Poster

Why do you store contents in database? You could just save a file in a directory and let users download it from there. If it is really necessary to store the contents in database I think the field type should be binary. I am not sure if you can recreate the file back just by reading it from the database to be normally readable as PDF.

broj1 356 Humble servant Featured Poster

What is the keyword column name in the C_Search table? I named it keyword just as an example. You might have to change it to the real column name in the query on line 9:

$res1 = mysql_query("SELECT keyword FROM C_Search");

And a note: do you want to find results matching ALL the keywords or just at least ONE of them? In the latter case you might want to replace AND with OR in the sql.

broj1 356 Humble servant Featured Poster

And an excellent resource for web apps security is OWASP and their Top 10 cheat sheet. Go through their list.

cereal commented: good suggestion! ;) +10
broj1 356 Humble servant Featured Poster

When you click this link you are not submitting the form (which uses POST). You should use submit button for that.

In your first version of code your link was:

<a href="ZipLookup.php?Last Name=<?php echo $Last_Name ?>

which still does not post the form data but would carry over the Last name using GET method and storing it into $_GET (the $_POST is still not set). The trouble is that in the URL you can't/shouldn't have spaces. You should encode them like this:

<a href="ZipLookup.php?Last+Name=<?php echo $Last_Name ?>

or even better, change the Last Name parameter to Last_Name, like this:

<a href="ZipLookup.php?Last_Name=<?php echo $Last_Name ?>
broj1 356 Humble servant Featured Poster

Do a simple test. Create a PHP file (say test.php) with only the following content and check in the browser what happens when you open it.

<?php
phpinfo();
?>

The phpinfo() function should display all sorts of info about PHP if PHP is installed and configured properly on your server. If not then you have to check the installation.

broj1 356 Humble servant Featured Poster

Can you insert this DEBUG code on line 15 (as above):

die($query);

and post the result here. It will display the query in its final form.

broj1 356 Humble servant Featured Poster

Another note: if the keywords in the table are whole words already you might not need a % wildcard character in a query and the query can be changed to the following form:

$query = "select * from C_Info WHERE keyword IN ($keyword_list)";

The $keyword_list variable would be a comma delimited string of keywords. You would build it using php implode function which would join resulting array using a comma as a separator.
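
An added example (not from the original thread) of building the IN (...) list described above without putting the keywords themselves into the SQL string: implode() joins one ? placeholder per keyword and the values are bound at execute time. The table and column names follow the ones mentioned on this page, the sample rows are constructed, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL.

```php
<?php
// Added example; sample rows are constructed, names follow the thread.

function findCourses(PDO $db, array $userKeywords): array
{
    // Normalise the input and drop empty strings.
    $keywords = [];
    foreach ($userKeywords as $kwd) {
        $kwd = trim((string) $kwd);
        if ($kwd !== '') {
            $keywords[] = $kwd;
        }
    }
    if ($keywords === []) {
        return [];   // "IN ()" is not valid SQL, so stop here
    }

    // Only "?" marks are concatenated into the SQL text, e.g. "?,?,?".
    $placeholders = implode(',', array_fill(0, count($keywords), '?'));

    $sql = "SELECT DISTINCT i.Course_ID, i.C_Description
              FROM C_Info i
              JOIN C_Search s ON s.Course_ID = i.Course_ID
             WHERE s.C_Key_Words IN ($placeholders)
             ORDER BY i.Course_ID";

    $stmt = $db->prepare($sql);
    $stmt->execute($keywords);   // the keyword values are bound by position
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE C_Info (Course_ID INTEGER PRIMARY KEY, C_Description TEXT)');
$db->exec('CREATE TABLE C_Search (Course_ID INTEGER, C_Key_Words TEXT)');
$db->exec("INSERT INTO C_Info VALUES (1, 'Business basics'), (2, 'Human biology'), (3, 'Art history')");
$db->exec("INSERT INTO C_Search VALUES (1, 'Business'), (2, 'Human'), (3, 'Art')");

// Two ordinary keywords, as in the thread's test case.
print_r(findCourses($db, ['Business', 'Human']));

// A keyword containing quotes and SQL syntax is compared as a literal string.
print_r(findCourses($db, ["Art') OR ('1'='1"]));
```
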

broj1 356 Humble servant Featured Poster

Change line 16 from:

if (mysql_num_rows($sql) <= 0) {

to:

if (mysql_num_rows($res2) <= 0) {

and line 20 from:

while ($row = mysql_fetch_array($sql)){

to:

while ($row = mysql_fetch_array($res2)){

I changed the $sql to $res2 to be more descriptive (it represents a result).

broj1 356 Humble servant Featured Poster

OK, so first read all the keywords from the C_Search (I hope it is not too many of them) and use the resulting array to build your search query:

// first part of the main query (with dummy WHERE operator so you can then use AND operators)
$query = "select * from C_Info WHERE 1";

// query the keywords
$res1 = mysql_query("select keyword from C_Search");

// loop through rows and add conditions to the main query
while ($keyword_row = mysql_fetch_assoc($res1)) {
    $query .= " AND C_Description like '%{$keyword_row['keyword']}%'";
}

$res2 = mysql_query($query);
...

Well, something like that, I haven't tested it. If it does not work OK, we'll go into detail.

broj1 356 Humble servant Featured Poster

Can you clarify this: you have a table C_Search containing a set of keywords. Do you want to search by all of them or just a few of them?

broj1 356 Humble servant Featured Poster

Is web server configured to serve PHP? Can you show the code of the html file?

broj1 356 Humble servant Featured Poster

This one is pretty hard to debug since I do not have all the tables and the corresponding data. But one thing is quite obvious. On line 266 you define an input (text) box with a value taken from a $_SESSION['form'] variable:

<input type="text" name="Last_Name" id="Last_Name" autofocus value="<?php echo $_SESSION['form']; ?>" placeholder="last name" size="32" />

The thing is $_SESSION['form'] is not set before the user presses submit and is an array once the user presses submit. So in both cases it can not be echoed as a string. You should do it at least this way:

<input type="text" name="Last_Name" id="Last_Name" autofocus value="<?php echo isset($_SESSION['form']['Last_Name']) ? $_SESSION['form']['Last_Name'] : ''; ?>" placeholder="last name" size="32" />

So if we just look at the php code bit:

<?php echo isset($_SESSION['form']['Last_Name']) ? $_SESSION['form']['Last_Name'] : ''; ?>

This will echo the value of $_SESSION['form']['Last_Name'] if it is set (it exists) or empty string if the value does not exist. This is ternary way of doing it and is the same as:

<?php if(isset($_SESSION['form']['Last_Name'])) {
    echo $_SESSION['form']['Last_Name'];
} else {
    echo '';
}
?>

Hope it helps.

broj1 356 Humble servant Featured Poster

A lot of code :-). It might take me a while. Hope you are not in a hurry.

broj1 356 Humble servant Featured Poster

This means $_SESSION['form'] is not existing so $_SESSION['form']['Last_Name'] is not existing so you can't use it. It also means that $_POST is not set which in turn means the form did not get posted. Do you have a submit button in the form <input type="submit">?

I still do not understand what is the purpose of assigning $_POST to $_SESSION.

I will try to give you an example of how I would do it but I am not sure exactly if this is what you want. But can you post complete code first.

broj1 356 Humble servant Featured Poster

Post this debug code after assigning to $_SESSION:

<?php
session_start();
$_SESSION['form'] = $_POST; 

// DEBUG - display the contents of the session array
die(print_r($_SESSION, 1));

?>

It will display the contents of the session variable and stop the script. Please post the output. Now check if $_SESSION['form']['Last_Name'] exists. If not then it does not exist in $_POST either.

broj1 356 Humble servant Featured Poster
<?php
// you have your subject
$subject = ...;

// do it in php:

// echo this in appropriate place in html (between <head> and </head> tags)
echo '<meta name="description" content="' . $subject . '">';
echo '<title>' . $subject . '</title>';
?>

or in html:

<meta name="description" content="<?php echo $subject; ?>">
<title><?php echo $subject; ?></title>
broj1 356 Humble servant Featured Poster

Just one question: why do you store the $_POST array in session? What is the exact purpose of that?

Typically the code goes like this:

  • you have a form wrapped within <form> and </form> tags (you do not have that, any reason why not?)
  • in the opening <form> tag you declare an action and a method attribute

    • the action is the name of the page where the result will be shown - you also do the database query on this page
    • the method is the HTTP method of sending the form data to the server (POST is safer and has more capacity, GET is a bit less safe but can be bookmarked since the values are visible in URL)
  • the form also has a submit button, which is input type="submit", which actually triggers the sending of data to the server and redirects to the action page
  • once on the action page you check whether all needed values are present in the $_POST or $_GET array
  • if yes you do a SQL query and display the results
  • if no you let the user know (i.e. by displaying an error message)

Certainly there are other variations like:
- having results displayed on the same page
- using ajax to avoid any reloading of the page
- autosubmitting the form using javascript etc

Please let us know what exactly are your goals.

broj1 356 Humble servant Featured Poster

You are welcome. Please mark as solved if there are no questions. Happy coding.

broj1 356 Humble servant Featured Poster

Here is corrected / rearranged code. Please see the comments within the code.

<?php 
// !!!!!!!!!
// this is my stuff to connect to the DB
// please use your DB connection code here
include '../common/connect.php';
$link = dbConnect();

// variables for filling-in the form fields
$policyNum = '';
$surname = '';
$name = '';

// changed the $_REQUEST to $_POST to avoid possible clashes if you decided to
// also use $_GET in future
// OK; let's check if the user clicked on submit button
// please note name and ID of the button were changed to 'submit' to avoid confusion
if(isset($_POST['submit'])) {

    // initialize variables that represent conditions
    $search_policy = '';
    $search_surname = '';
    $search_name = '';    

    // isset function is also used in checking for the existence of data in $_POST
    if (isset($_POST["policyNum"]) && $_POST["policyNum"] != '') {
        $policyNum = mysql_real_escape_string($_POST["policyNum"]);
        $search_policy = " AND (policyNumber LIKE '%$policyNum%')";
    }

    if (isset($_POST["surname"]) && $_POST["surname"] != '') {
        $surname = mysql_real_escape_string($_POST["surname"]);
        $search_surname = " AND (lastName LIKE '$surname')";
    }

    if (isset($_POST["name"]) && $_POST["name"] != '') {
        $name = mysql_real_escape_string($_POST["name"]);
        $search_name = " AND (firstName LIKE '%$name%')";
    }

    $sql = "SELECT * FROM tblclients WHERE clientID > 0".$search_policy.$search_surname.$search_name;   

    $sql_result = mysql_query($sql) or die (mysql_error());

    // now echo the code for the table heading
    // echo table head
    echo '<table width="700" border="1" cellspacing="0" cellpadding="4">';
    echo '<tr><td width="90" bgcolor="#CCCCCC"><strong>Policy No.</strong></td>';
    echo '<td width="95" bgcolor="#CCCCCC"><strong>Name</strong></td>';
    echo '<td width="159" bgcolor="#CCCCCC"><strong>Surname</strong></td></tr>';

    // if there are any rows, echo each of them
    if (mysql_num_rows($sql_result)>0) {

        while …
broj1 356 Humble servant Featured Poster

And also post a few sample rows of csv file, especially the ones that cause problems.

broj1 356 Humble servant Featured Poster

Now another small issue is that i do not want the table to show by default & i want it to show only after i enter values in textboxes and press the search button

You can achieve that by placing the whole php block at the beginning and wrapping it in another if condition checking for whether the button has been pressed. Within that block you construct the table.

I will try to prepare a code and show it in next post so you can experiment on your own in the mean time.