Posts by broj1

After I download it offline to run it in my localhost, that error start appearing.

What do you mean by that? You can not download PHP code from a web page, can you?

Anyway, the error you are getting means that you are sending some HTML output before the session_start function. You can not do that since session_start sends a cookie and cookies are a part of a header. And header directives have to be sent before any HTML output. This includes any spaces that maybe you do not see in your code, as well as included files that also should not send HTML before headers. The solution is to put the session_start function on the very beginning of the code (as it says in the comment).

In general you:

1. check for existence of any input (in $_GET or $_POST)
2. clean existing input
3. display it in the corresponding form fields

For detailed answer you should post your existing code.

Newline in HTML is <br> tag (a break):

echo $row_selecttemptable['ArtistName'] . ' ,<br>' . $row_selecttemptable['NAMEOfTheDVD'];`

The code on line 9 is wrong, it wont return what you expect. You could change your query a bit and ad AS to the substring expression in the query:

SELECT runners.raceid, SUBSTRING(runners.raceid,1,4) AS raceyear,...

and then change line 9 in the code to:

echo $row['raceyear'];

phpacademy - learning by watching videos, various PHP forums like Daniweb :-), Stackoverflow, a good book on PHP, the documentation on the PHP.net site (comprehensive, free, but sometimes harder to get through it) and a lot of experimenting - set up LAMP or XAMP and go for it.

And do not forget other companion technologies: mysql, javascript, jquery, html, css etc. Happy coding in 2014.

There might be some errors in your script(s), but your web server is not telling you about them since most probably the display of errors is turned off. Change the following settings in your php.ini:

error_reporting=E_ALL
display_errors=On

and restart your web server.

The errors could be in the included inc/config.php or are there simply because maybe $_POST elements do not exist. You can avoid the later by wrapping the code in an if check:

if(isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $md5 = md5($password);
    ...
}

On line 5 you are trying to write date object into the text file. It won't go. Also the third argument to the fwrite is optional string leght. I doubt you wanted to use it that way. Change line 5 to something like:

fwrite($file, $ip . ' ' . $dt->format('Y-m-d H:i:s') ."\n");

For one thing you are missing quotes arround associative index names. Since the array elements are complex variables you should also enclose them in curly braces to get them parsed properly in a double quoted string. Another issue is that you echo the if condition which is not right. Then you are missing a space before selected and the angle bracket after the selected goes to the next echo statement (otherwise it might get lost). See my attempt at the correct code:

echo "<option value=\"{$row['province']\""; 
if($_POST['prov'] == $row['province']) {
    echo ' selected="selected"'
}
echo ">{$row['province']}</option>";

So, if solved, please mark as solved. Happy coding in 2014!

You have a space in the src URL, just before the $photo variable:

echo "  ".$results['image']."<a href='http://www.mysite.org/br/s.php?id=$id'><img src='/cate/upload/ $photo' width='100%' height='100%'></a>"

Decide on how many characters you can display. Then change line 30 from:

<td ><?php echo $row['service_content']; ?></td>

to:

<td >
<?php 
$contentLength = strlen($row['service_content']);
// check if the length of the content exceeds max number of chars e.g. 120
if($contentLength > 120) {
    echo substr($row['service_content'], 0, 120) . '...';
} else {
    echo $row['service_content'];
}
?>
</td>

You are welcome. If that solves the problem, please mark it as solved. Happy coding in 2014.

1.but the field total is empty when add value to quantity

Establish initial values and put them into the input fields.

1. the float don't work for per exemple 2.50 it give 2.5 but for 2.75 is work fine like usualy float.

Get rid of the toString() method since toFixed() already returns a string. Use number_format() in PHP part for the same purpose.

<?php 
// number of decimals
$NoOfDecimals = 2;
// initial values for quantity and total
$initialQuantity = 1;
$initialTotal = number_format($initialQuantity * $row_itemdetaille['price'], $NoOfDecimals);
?>
<form action="" method="post" name="formulaireajout" class="formulaireajout" id="formulaireajoutid">
<input name="price" type="text" id="pricefield" value="<?php echo $row_itemdetaille['price']; ?>" readonly>
<input name="quantity" type="number" min="1" max="20" value="<?php echo $initialQuantity;?>" id="quantityfield">
<input name="total" type="text" id="totalfield" value="<?php echo $initialTotal;?>" readonly>
</form>

<script type="text/javascript">
$("#quantityfield").change(function() {
var value = parseFloat(<?php echo $row_itemdetaille['price']; ?>);
var quantity = parseInt($("#quantityfield").val());
var total = value * quantity;
$("#totalfield").val(total.toFixed(<?php echo $NoOfDecimals;?>));
});
</script>
</body>

You can either download it to your local (or any other) server or just include it from one of the CDNs (content delivery networks) which in my opinion is better method, since:
- it is always there for you, hosted on reliable server
- it is tuned for good performance (caching, availability...)

You can download jquery from here: http://jquery.com/download/. Choose the newest version if you do not have any legacy code. Download it to a directory that is readable by your web server and reference it in your scripts.

If you include it form the CDN just put the scriot tags in the head of html pointing to the jquery URL, like:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>

See https://developers.google.com/speed/libraries/devguide.

Then put the code snippet from the above to the end of the html body - just before the closing </body> tag.

...
<script type="text/javascript">
    $("#quantityfield").change(function() {
        var value = parseFloat(<?php echo $row_itemdetaille['price']; ?>);
        var quantity = parseInt($("#quantityfield").val());
        var total = value * quantity;
        $("#totalfield").val(total.toString());
    });
</script>
</body>
</html>

OK, this is tested jquery, nicely broken down so it can be easily understood :-)

$("#quantityfield").change(function() {
    var value = parseFloat(<?php echo $row_itemdetaille['price']; ?>);
    var quantity = parseInt($("#quantityfield").val());
    var total = value * quantity;
    $("#totalfield").val(total.toString());
});

Use javascript and on change event on the quantitiy input field that would triger a function. Something like (not tested):

<input name="quantity" type="number" min="1" max="20" value="1" id="quantityfield" onchange="updateQuantity();">
...
<script type="text/javascript">
function updateQuantity() {
    var quantity = document.getElementById("quantityfield").value;
    var price = <?php echo $row_itemdetaille['price']; ?>;
    document.getElementById("totalfield").value = quantity * price;
}
</script>

or jquery version (again not tested since it is getting quite late here)

$("#quantityfield").change(function() {
    $("#totalfield").val(
        $("#quantityfield").val() * <?php echo $row_itemdetaille['price']; ?>;
    )
});

What was the problem with the layout? TCPDF is quite flexible and I did not have problems creating nice tables.

To recap the above two posts:

// check whether $_GET has any value and if the value is valid
// (you might use some more proper validation depending on the value of the movie ID)
if(isset($_GET['movie_id']) && !empty($_GET['movie_id'])) {
    $query = "SELECT movie_name,movie_year,movie_director,movie_leadactor,movie_type,movie_running_time,movie_cost,movie_takings FROM movie WHERE movie_id= " . mysql_real_escape_string($_GET['movie_id']);
    $result = mysql_query($query, $db) or die(mysql_error($db));
} else {
    echo 'The movie ID is missing!';
}

And please note: mysql extension is a bit old and is about to become a history. Switch to mysqli or even better, the PDO.

The first PHP snippet should be on top of the script and should not echo the variable but just assign a value to it. You will echo it later in the appropriate place in the html.

// initialize the error message variable
$error_message = '';

if(isset($_POST['jansave']))
{
    $basic = $_POST['basic'];
    $epf = $_POST['epf'];

    if($basic&&$epf)
    {
        require "connect.php";
        $total=($basic + $epf);
        $query=("INSERT INTO january (basic,epf) VALUES ('$basic','$epf')");
        $result=mysql_query($query);
        if($result)
        {
            $message = "<b>Your Total Income is $dtotal</b>";
        }
        else
        {
            $message = "db sucks";
        }

    }
    else
    {
        $message = "<b>Please fill out the entire form.</b>";
    }
}

Now here comes your html where you can echo the message whatever it is:

<div class="rm">
<h3><?php echo $message; ?></h3>
</div>

I hope this is what you are after (at least this is what I understood from your post). If you still have problems post the complete sript(s) from top to bottom and mark exactly where you want to put the string. However, make sure all the variables you want to echo out do exist otherwise you will get the error.

And, while we are at it, do not insert user supplied values ($_POST[...]) into the database unescaped. You are risking an injection of malicious code into you db server.

Show us the rest of the code. From this snippet it is impossible to tell what is wrong. Could be html tags mismatch.

Something like:

<?php

// set styles the way you want
if($time < 8) {
    $tdStyle='background-color:green;';
} else {
    $tdStyle='background-color:red;';
}

while($row=mysql_fetch_array($result))
{    
    echo "</td><td style=\"$tdStyle\">";        
    echo $row['full_name'];        
    echo "</td><td style=\"$tdStyle\">";        
    echo $row['section'];        
    echo "</td><td style=\"$tdStyle\">";        
    echo $row['time'];        
    echo "</td><td style=\"$tdStyle\">";        
    echo $row['reason'];        
    echo "</td></tr>";
}
echo "</table>";  
?>

Please note the escaped double quotes so you can use them directly in a double quoted string.

Something like (not tested):

// check if the number of fields is multiple of 4
if(count($array) % 4 == 0) {
    // start building the query
    $query = 'INSERT INTO yourdatabase (`field1`, `field2`, `field3`, `field4`) VALUES ';
    // add values to the query
    for($x = 0; $x < $count($array); $x += 4) {
        // add a set of four values to the query
        $query .= "('{$array[$x]}','{$array[$x + 1]}','{$array[$x + 2]}','{$array[$x + 3]}'),";
    }
    // get rid of the last comma in the query
    $query = rtrim($query, ',');
    // run the query
    ....
}

Maybe this link can help a bit:

http://stackoverflow.com/questions/3740845/php-session-without-cookies

But keep in mind there are security issues with this.

Have you corrected the missing $ in line 1 of your code (as JorgeM suggested). You might have overlooked it since the error wasn't explicitly mentioned (just guessing).

Also you can examine the contents $_GET array by adding this code in the beginning of the script:

die(print_r($_GET, 1));

You are welcome. If this is it please mark it as solved. Happy coding.

Other issues:

1. never trust user input since not everyone will enter email address; some nasty boys might enter a bad query instead (it is called a sql injection), therefore escape the input:

   $email = mysql_real_escape_string($_POST["users_email"]);
   $pass = mysql_real_escape_string($_POST["users_pass"]);

2. before querying check whether user submitted the form at all and data exist:

   if(isset($_POST["users_email"])) {
   $email = mysql_real_escape_string($_POST["users_email"]);
   } else {
   // handle the error
   ...
   }

3. use some error checking upon querying:

   $result = mysql_query("SELECT users_email, users_pass FROM login WHERE users_email = $email") or die('ERROR');

4. avoid mysql extension, move to mysqli or PDO as soon as you can.

Put $email in single quotes since it is expected to be a string:

$result = mysql_query("SELECT users_email, users_pass FROM login WHERE users_email = '$email'");

Well, then maybe it's got to do something with the command itself and the redirections you use. Have you tried it without the 2>&1 part or executing each part of the command sepparately (now I am guessing :-)?

Have you tried to add a second argument that will hold the output of the command:

$command = "/usr/bin/lftp -u username,password ftp.website.com -e 'set ftp:ssl-allow off; put /var/www/folder/file.zip; bye'" . " 2>&1";
exec($command, $output);
print_r($output);

@203428:

why you put two * before checkdate var

probably just to indicate where the error occurs

start & end are date variable and $_POST[start] & $_POST[end] are just String so compare operation is not possible => result is always null;

If they are properly converted to mysql date format (line 6 and line 7) they can be compared in a query.

i php whene you try to concat var whith somthing else you must operator of concatination ". the dote" ".$_SESSION[user_id]."

What did you mean by that? There is no concatenation only comparison in the line you mentioned.

Seems like you are missing the quotes in the $_POST associative indexes. And in addition to that to get the $_POST array elements properly parsed withing the double quoted string enclose them within curly brackets.

$checkdate = "SELECT * FROM emp_status 
    WHERE user_id = '{$_SESSION['user_id']}' 
    AND ((start <= '{$_POST['start']}' AND end > '{$_POST['start']}')  
        OR (start < '{$_POST['end']}' AND end >= '{$_POST['end']}'))";

See explanation in comments:

$common_words = array("van", "der", "de");

// initialize an array for removed words
$removedWords = array();

// save string to array
$achternaamArray = explode(' ', $achternaam);

// cycle through the array
foreach($achternaamArray as $key => $namePart) {

    // check if current word is in common words array
    // or is empty string (after trimming)
    if(in_array($namePart, $common_words) || trim($namePart) == '') {

        // if yes, add it to the removed words array
        // and remove it from the main array
        $removedWords[] = $namePart; 
        unset($achternaamArray[$key]);    
    }
}

// now you have only unremoved words in the $achternaamArray
// implode it to string (and capitalize first letter)
echo  ucfirst(implode(' ', $achternaamArray)) . '<br>';

// display the removed words
echo 'Removed words: ' . implode(', ', $removedWords);

The $achternaam variable contains spaces before the actual name and the first space gets capitalized by ucfirst function. Use trim to get rid of the spaces:

echo ucfirst( strtolower( trim($achternaam) ) );

Is the total field declared as NOT NULL in your table? If it has to have a value you have to make sure the value exists in the query.

You can also check the query if you insert this temporary debug code on line 8:

die($insertSQL);

This will display the constructed query and stop the script. You can examine the query or copy it to phpmyadmin and test it there.

This topic has been already marked as solved but I would like to add useful information that deserves to be added, and this is OWASP top 10 list of vulnerabilities of web apps and guides on how to minimize them. It might be a slightly more complex reading but it is worth it if you do a serious web development.

In the above code you can do it just before the inclusion of the files (first line).

This is where the session stops.

What do you mean by that? Do you get any error messages?

init.php included at first line, includes the session_start()

In this case it is important that you post the code of the included file.

On line 61 you have:

header('Location: edit.php?success');

This will not work since you output html before (i.e line 23). Use output buffering or save strings to a variable and output them after line 61.

Examine the constructed query to spot possible errors. Add the following temporary debug code to the register_user function:

function register_user($register_data) {
    array_walk($register_data, 'array_sanitize');
    $fields = '`' . implode('`, `', array_keys($register_data)) . '`';
    $data = '\'' . implode('\', \'', $register_data) . '\'';

    // temporary debug code
    die("INSERT INTO `sikeres` ($fields) VALUES ($data)");

    mysql_query("INSERT INTO `sikeres` ($fields) VALUES ($data)");
}

This will display the query as it is constructed, and stop the script. Please post the displayed query here.

Also the function should return some feedback about the success. I would add some error checking and use the return value of the mysql_query function:

function register_user($register_data) {
    array_walk($register_data, 'array_sanitize');
    $fields = '`' . implode('`, `', array_keys($register_data)) . '`';
    $data = '\'' . implode('\', \'', $register_data) . '\'';


    if(mysql_query("INSERT INTO `sikeres` ($fields) VALUES ($data)")) {
        return true;
    } else {
        return false;
    }
}

And last but not least: mysql_* functions are dinosaurs. They are on the verge of extinction. They are going to be dropped from PHP very soon. If you like yourself replace them with PDO or at least mysqli_* functionas.

but when I enter two variables it crashes

What do you mean by that? Does your computer crash? Or you just get an error message instead of expected outoput? If there is an error message, please post it. If it isn't enable reporting and display of error messages.

If user submits an empty form (no fields are filled-in) then none of the variables might exist at all. I would do a more thorough check in the if statements:

if(isset($CFHL_A) && !empty($CFHL_A) ) 
{
    ...
}

You have to initialize the $error_message to empty string frst: $error_message = ''; so in case there are no errors the empty string will be displayed (= nothing will be displayed).

EDIT: Also you can check if error message exists and display it only then:

<?php 
if(isset($error_message) && !empty($error_message)) {
    echo '<p class="error">' . $error_message . '</p>';
}
?>

You might also add a Javascript checking for better user experience. This way you do not submit the data before it is OK (you still check it on the server, though).

A couple of other issues:

• since the data entered in the form will be inserted into html you have to sanitize it using htmlspecialchars() function. This way all dangerous characters entered wont do any harm (i.e. <script>)
• in the code where you use dollar sign as a currency you should use single quotes like $list_price_formatted = '$'.number_format($list_price, 2); or escape the $ sign. Otherwise php might expect a variable name following it.
• before using any element of the $_POST array you better check if it exists (using isset() function).

It will, when you correct a couple of mistakes:

1. the ?> end tag goes before the <form> tag
2. the if (isset($_POST['pay'])) should be changed to if (isset($_POST['print']))

I would (personaly) put the whole form processing in another file and cahnge the action attribute of the form to point to that file. Just my approach.

The simplest solution: move the html part (the form) to the end. This way no HTML will be output before the pdf.

<?php
if (isset($_POST['print']))
{
        require('fpdf/fpdf.php');
        class PDF extends FPDF
        {
        // Page header
            function Header()
            {
                $this->SetFont('Arial','B',14);
                $this->Cell(30,10,'Negros Oriental High School','C');
                $this->Ln();
                $this->SetFont('Arial','',12);
                $this->Cell(0,0,'Dumaguete City');
                $this->Ln();
                $this->SetFont('Arial','',14);
                $this->Cell(0,20,'OFFICIAL RECEIPT');
                $this->Ln();
            }


        }
// Instanciation of inherited class
$pdf = new PDF();
$pdf->AliasNbPages();
$pdf->AddPage();
$pdf->Output();
}
?>
<form method="POST" action="">
    <input type="submit" name="print"value="PRINT">
</form>

The condition for granting a login is incorrect:

if($result)
{
    echo "Login granted. <br>";
    ...

The fact is that whatever you get with the select query yields a result (even empty resultset). The $result variable is not your result yet, but just a special type - a mysqli_result object that will help you retrieve row(s). So the code

$row=mysqli_fetch_array($result);

retrieves the actual data. You have to compare it to the data entered into the form to confirm the login or at least check (count) if the $row array exist. So something like this:

require("C:\wamp\www\Onex\connect_db.php");
if(isset($_POST['login']) && !empty($_POST['login'])) {
    $uname = mysqli_real_escape_string($_POST['uname']);
    $pass = mysqli_real_escape_string($_POST['pass']);
    $login_query="select * from register where username='$uname' and password='$pass'";
    $result = mysqli_query($con,$login_query);
    if($result)
    {
        $row=mysqli_fetch_array($result);

        if(
            isset($row["username"]) && 
            isset($row["password"]) && 
            $row["username"] == $uname && // this is not strictly necessary
            $row["password"] == $pass // this is not strictly necessary
        ) {
            echo "Login granted. <br>";
            echo " Username: ".$row["username"]." and Password: ". $row["password"];
        } else {
            echo "Incorrect login. Please try again.";
        }
    } else {
        echo "Incorrect login. Please try again.";
    }
}
mysqli_free_result($result);
mysqli_close($con);

OK, but does the problem persist (and if yes, can you describe it)?

"Select query returns a result set upon success, whereas Insert query returns a true value upon success"

This just means that INSERT query returns true if it succeeds to insert the data into database. On the contrary the SELECT query return rows. If query is unsuccessful it returns false in both cases. It is good idea if you check for this (as IIM suggested).

But query within is getting fired up for wrong credentials

What exactly is happening? What do you get?

Do tell me if i need to add snaps ?

Are you talking about spirit that Germans lovingly call snaps? If yes it might help, but do not overdose :-) Just kidin. Yes if you have snapshots that might help.

Other issues with your code:

• check first if the username posted from the form conforms to basic rules (min and max length, allowed characters etc); if not return the user to the login page
• escape the strings before sending them to the database!!!!!!!!!!! (you can use mysqli_real_escape_string function)
• hash the password, do not store the plaintext of it in the database
• count the rows read from the database. if 0 - no match, if 1 - perfect match, if > 1 - something went wrong (same user saved many times)
• do not let the user know what went wrong so instead of "No such user registered." echo "Wrong credentials, please try again.". No need to help the potential attackers.

I took some time to have a closer look at the jquery code as well. I changed it a bit to make it clear and working. See the comments in the code and consider the following:

• I made the template containing the filter (the three select elements within a div) hidden: <div id="template" style="display:none;">; this template is only used for clonning when user clicks +. This is neccessary to get the filter clonned before it gets chained (otherwise you can not clone select elements with all the possible values)
• the template is within the div with id=template, while the added filters are within the div with id=filters
• upon clonning the id of the clonned div has to be changed from the 'template' to filter + somesequentalnumber
• upon clonning also the id and name attributes of the select elements have to be changed (just by adding same somesequentalnumber to them)
• after that the select elements have to be chained
• on page load the first set of select elements is cloned, added and chained so you have the first filter (the template filter remains hidden)
• when you process the $_POST array you first unset (remove) the elements that you actually do not need (the submit button and the values of the three template select elements)

I hope this is what you are after. Also I hope that changing the code did not break your existing project. But this way it is clear how everything works.

This is the changed code:

<?php …

but even without adding any additional elements, if i print the values using php, I am not getting what I have selected. instead, i am getting the first element in the <option>.

I have had a look at the jquery code. The problem is that you call the $('#clone').click() on line 54 of your last posted code. This function call generates a new set of select elements immediately on page load and this set is hidden. The elements have the same name attributes as the first set that is visible. Upon clicking of a submit button the unchanged values of the second hidden set override the selected values of the first set in the $_POST array.

The solution is to remove the call to the .click() function on line 54 and let the user call it by clicking on + sign (which is how this method should be used).

The problem of same name attributes still remains though. The jquery code should be amended to assign different names to new sets of select elements. I am not an expert in jquery but will have a look at it once I find time.

There are two problems:

1. The new select elements do not get inserted within exiting form tags but outside. Probably the div with the id=filter should be inside the form.
2. the newly inserted select elements all have the same name which is semester. You have to make up a logic in the js script that will assign a sequential name attribute to each inserted select element.

Select names should not have the [] appended to them (you use this approach for grupped elements like radio button or checkbox groups). So:

<select class="semester" name="semester">

The third select element does not have a name attribute at all, so add it.

And this is how you display the values:

if(isset($_POST['submit'])) {
    foreach($_POST as $value) {
        echo $value;
    }
}

I you do not want to use the 'submit' element, you can skip it:

if(isset($_POST['submit'])) {
    foreach($_POST as $key => $value) {
        if($key != 'submit') {
            echo $value;
        } 
    }
}

The select elements have to have name attributes and be enclosed in form tags containing the action and method attributes in order to properly pass the values to the server. Something like:

<form action="process.php" method="post">
    <select class="pais" name="sel_pais">
        <option value="1">Argentina</option>
        <option value="2">Chile</option>
    </select>
    <select class="provincia" name="sel_provincia>
        <option value="1" class="1">San Juan</option>
        <option value="2" class="1">Mendoza</option>
        <option value="3" class="2">La Serena</option>
        <option value="4" class="2">Santiago</option>
    </select>
    <select class="ciudad" name="sel_ciudad>
        <option value="1" class="1">Rawson</option>
        <option value="2" class="2">Godoy Cruz</option>
        <option value="3" class="3">Coquimbo</option>
        <option value="4" class="4">Chiñihue</option>
    </select>
</form>

The process.php will do the processing (= storing into database) of the data which is stored in the $_POST global array, again just an example:

// initialize an array for possible error messages
$error_array = array();

// check if value for the country exixts and is not empty string
if(isset($_POST['sel_pais']) && !empty($_POST['sel_pais'])) {
    // trim the value and escape it if it goes to the DB
    $pais = mysqli_real_escape_string(trim($_POST['sel_pais']));
} else {
    // if no value add the error to the error_array
    $error_array[] = 'No country selected!';
}

// check if value for the province exixts and is not empty string
if(isset($_POST['sel_provincia']) && !empty($_POST['sel_provincia'])) {
    // trim the value and escape it if it goes to the DB
    $provincia = mysqli_real_escape_string(trim($_POST['sel_provincia']));
} else {
    // if no value add the error to the error_array
    $error_array[] = 'No province selected!';
}

// check if value for the city exixts and is not empty string
if(isset($_POST['sel_ciudad']) && !empty($_POST['sel_ciudad'])) {
    // trim the value and escape it if it goes to the DB …