broj1 356 Humble servant Featured Poster

Great. What have you done to solve it? Otherwise I am in central europe (quite far from India :-).

broj1 356 Humble servant Featured Poster

Quite possible. But it is hard to tell just by looking at the snippet of code. Maybe you should store the ID in a hidden field so it would be available through the POST array.

broj1 356 Humble servant Featured Poster

Post the latest version of the scripts that are involved and the structure of the tables and data in SQL format (export from phpmyadmin) for all the tables that are mentioned in queries. I will import the tables and data into my test database and try to run the scripts on my local server. This is the only thing that comes to my mind to help you find the solution to the problem.

To export the table structure and data in SQL format select the table in phpmyadmin, click on the export tab, leave all options default and click Go. You will be able to save the SQL statement (describing table structure and data) on your local machine. Do this for all tables in question and send everything as an attachment. I will do the import (in phpmyadmin) and test the scripts in my environment.

If you are uncomfortable doing this you do not have to. Also if you prefer you can send all this as a personal message to me here on DW.

broj1 356 Humble servant Featured Poster

OK, you were too fast for me. Next thing we can do is you post the last version of the scripts and the tables in question (structure and data). I can try to recreate the problem here in my environment. If you post the table do it in SQL form. Make sure confidential data is anonymized.

broj1 356 Humble servant Featured Poster

We have to find out why the app can not update the table. Change the code to this:

if ($has_data == true)
{
    $sql = "UPDATE db_purchase_form SET ";
    $sql .= "db_product_name = '" . $product_name . "', ";
    $sql .= "db_actor = '" . $choice_actor . "', ";
    $sql .= "db_user_name = '" . $user_name . "', ";
    $sql .= "db_user_email = '" . $user_email . "', ";
    $sql .= "db_vdo_script = '" . $vdo_script . "', ";
    $sql .= "db_hrt_msg = '" . $hrt_msg . "', ";
    $sql .= "db_port_approval = '" . $portApproval . "', ";
    $sql .= "db_delivery = '" . $delivery . "', ";
    $sql .= "db_price = '" . $net_price . "', ";
    $sql .= "db_date_time = NOW() ";
    $sql .= "WHERE id = '{$id}'";

    $result = mysql_query($sql);

    // debug code
    if($result == true) {
        $msg = 'Query executed successfully:' . $sql;
    } else {
        $msg = 'Query did not execute successfully: ' . mysql_error(); 
    }
    die($msg);
    //end debug code
}

Post the output here.
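The UPDATE above builds the SQL by concatenating form values straight into the query string, so any quote in a submitted field breaks the statement or, with a hostile visitor, rewrites it. As an added example that is not part of the original post, here is the same UPDATE written with mysqli prepared statements, so the values travel separately from the query text, and with the "did the WHERE match anything" check returned to the caller instead of a `die()`. It assumes a mysqli connection in `$db` and that the form values arrive in the `$f` array; the table and column names are those used in the thread.

```php
<?php
// Added example (not from the original post): the thread's UPDATE as a mysqli
// prepared statement. Assumes $db is an open mysqli connection and $f holds the
// submitted values under the keys used below; table/column names are from the thread.

function updatePurchaseForm(mysqli $db, int $id, array $f): int
{
    $sql = "UPDATE db_purchase_form SET
                db_product_name = ?, db_actor = ?, db_user_name = ?,
                db_user_email = ?, db_vdo_script = ?, db_hrt_msg = ?,
                db_port_approval = ?, db_delivery = ?, db_price = ?,
                db_date_time = NOW()
            WHERE id = ?";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // Log the driver error server-side; never echo $db->error to the visitor.
        error_log('prepare failed: ' . $db->error);
        throw new RuntimeException('database error');
    }

    // 's' = string, 'i' = integer. The price is sent as a string so MySQL does
    // the DECIMAL conversion; quotes or comment sequences in any value are inert
    // because the values never become part of the SQL text.
    $stmt->bind_param(
        'sssssssssi',
        $f['product_name'], $f['choice_actor'], $f['user_name'],
        $f['user_email'], $f['vdo_script'], $f['hrt_msg'],
        $f['portApproval'], $f['delivery'], $f['net_price'], $id
    );

    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        throw new RuntimeException('database error');
    }

    // 0 means the WHERE matched no row (e.g. a wrong or missing id), which is
    // exactly the silent failure this thread is chasing, so hand it back.
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage, replacing the concatenated query and the die() debugging:
// $db   = new mysqli('localhost', 'user', 'pass', 'dbname');
// $rows = updatePurchaseForm($db, (int)($_GET['id'] ?? 0), [
//     'product_name' => $product_name, 'choice_actor' => $choice_actor,
//     'user_name' => $user_name, 'user_email' => $user_email,
//     'vdo_script' => $vdo_script, 'hrt_msg' => $hrt_msg,
//     'portApproval' => $portApproval, 'delivery' => $delivery,
//     'net_price' => $net_price,
// ]);
// if ($rows === 0) { /* no row with that id: investigate how $id was passed */ }
```

With `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` set at connection time the manual `if ($stmt === false)` branches become exceptions automatically; the explicit checks are kept here so the failure points are visible.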

broj1 356 Humble servant Featured Poster

I do not know how to do it, and the id is the correct one. Shall I show a screenshot of phpmyadmin?

In phpmyadmin select the database, click on the SQL tab and paste the query (displayed by the die statement) into the textarea. Click the Go button and the query will execute on your database. If there are errors in the query phpmyadmin will tell you.

broj1 356 Humble servant Featured Poster

Sometimes you do not see a forest because of the trees :-). There is a very nice reply on SO:

I don't see where you are executing your UPDATE STATEMENT.

In fact, the query seems to be OK, but you are not executing it. This very important part of the code is missing:

$result = mysql_query($sql);

Put it instead of the die (debug) statement.

broj1 356 Humble servant Featured Poster

Have you copied the displayed SQL into phpmyadmin and tested it there? And is the ID the correct one?

broj1 356 Humble servant Featured Poster

Put the temporary debug code after the code that constructs the SQL:

if ($has_data == true)
{
    $sql = "UPDATE db_purchase_form SET ";
    $sql .= "db_product_name = '" . $product_name . "', ";
    $sql .= "db_actor = '" . $choice_actor . "', ";
    $sql .= "db_user_name = '" . $user_name . "', ";
    $sql .= "db_user_email = '" . $user_email . "', ";
    $sql .= "db_vdo_script = '" . $vdo_script . "', ";
    $sql .= "db_hrt_msg = '" . $hrt_msg . "', ";
    $sql .= "db_port_approval = '" . $portApproval . "', ";
    $sql .= "db_delivery = '" . $delivery . "', ";
    $sql .= "db_price = '" . $net_price . "', ";
    $sql .= "db_date_time = NOW() ";
    $sql .= "WHERE id = '{$id}'";

    // temporary debug code
    die($sql);
}

When you submit the form it should display the SQL and stop the script. Post the output here.

broj1 356 Humble servant Featured Poster

But finally, when the user clicks the submit button [after editing the values in the form], the database is not updating for the same id; instead it is making a new row in the DB with a new ID. For the above example (id 48), when I edit the page and click on submit again I am taken to page2 but the new URL is

OK. The solution is quite simple:

The action attribute of the form is set to:

<form id="PurchaseForm" name="PurchaseForm" method="post" action="purchase_form1.php">

When the form gets submitted the page is reloaded and you do not have an ID anymore. Therefore you do not read the data and the $has_data variable is set to FALSE. Due to this the INSERT gets carried out instead of UPDATE. All you have to do is add the id into the action URL:

<form id="PurchaseForm" name="PurchaseForm" method="post" action="purchase_form1.php?id=<?php echo $id;?>">

I am not sure if this is 100% solution since I do not know the rest of the app (maybe you should add other parameters to the querystring). But at least $has_data will be true and it will get to the UPDATE part.

Probably not the most elegant solution either. I would prefer to use ajax on this one but it is up to you (if you want to bother learning ajax approach).

Also, the update query is a mess and it contains errors - mainly the backslashes which act as escape sequences for the double quotes that …

broj1 356 Humble servant Featured Poster

Trying to get through your code. I am afraid your explanation is confusing me a bit. You are talking about page1 and page2 but those pages have filenames (like purchase_form1.php referred to in a form). Can you please post the two scripts as they are and with their proper names. At the moment I can't figure out in which script the form is. Sorry about the delay. I will have to go out for a couple of hours now but will be back at the problem later, if this is OK.

broj1 356 Humble servant Featured Poster

however, if it is not needed we can remove it as well,

No, it is OK, just to know what the output of it is (it is not directly related to the problem).

broj1 356 Humble servant Featured Poster

I'll check your code in the next hour (waiting for a big download to finish so I can switch to Linux :-). In the meantime I have a question: what is the pSQL function meant to be doing?

broj1 356 Humble servant Featured Poster

One solution:
The form with the button should be within the while loop so each row has additional column containing the form with one button. The button's name should be the ID ($row['id']) so you get the ID in the $_GET array upon clicking (please note that it is more appropriate to use action="post" when changing data on the server).

Another solution:
Each row has an additional column with a checkbox so the user can select as many rows as they wish. At the end of the table there is only one submit button to submit all the checked rows at once. In this case you have only one form and the checkbox values are the IDs ($row['id']). See this article as an example. Again, note that it is more appropriate to use action="post" when changing data on the server.

Which solution to choose is a matter of how you would like the data to be used.

Also: Your html tags are in wrong places.

Squidge commented: very nice explanation +6
broj1 356 Humble servant Featured Poster

Could you post the latest versions of the code for both the form page and the processing page, please.

broj1 356 Humble servant Featured Poster

If array() is displayed that means that the $_POST contains nothing. Have you put the die() statement in the correct script (the snippet from your first post)? I do not know why the form is not displayed. It has got nothing to do with the processing.

broj1 356 Humble servant Featured Poster

Put this code just before line 22:

die(print_r($_POST, 1));

This will display the contents of the $_POST array after submitting the form (don't forget to click on the Submit button). Post the displayed result here.

broj1 356 Humble servant Featured Poster

Can you put this temporary debug code just before line 27:

die($sql);

This will print the query (on submit) and stop the script. Please post the displayed query here.

broj1 356 Humble servant Featured Poster

Can you post the code for the form also?

broj1 356 Humble servant Featured Poster

Then you have to establish similar criteria for other requirements (i.e. if the qualification equals the required degree then rank it with 0 otherwise 1, 2, 3 or so). The ranks for different requirements have to be somehow comparable. Then you can sum up rank values for each person and the one(s) with the lowest value are the best candidates.

broj1 356 Humble servant Featured Poster

In your foreach loop I would put applicants' data in an array and add a rank which is just a difference between an applicant's age and advertised required age (assuming that x years older and x years younger candidates rank equally). Then the array should be sorted.

// this will hold data about the applicants
// ID => rank
$applicants = array();

foreach ($job_advert as $advert) {
    $job_title = $advert->job_title;
    $age = $advert->age;

    // absolute difference, so x years older and x years younger rank equally
    $rank = abs($applicant_age - $age);

    $applicants[$applicant_id_number] = $rank;
}

// sort by values and maintain index information (applicant's ID)
asort($applicants);

// now you can process the applicants array where the first key(s) have the best ranks
...
broj1 356 Humble servant Featured Poster

This code is encrypted. You will need a key or hash to decrypt, echo will not work.

To my knowledge this code is not encrypted but encoded (translated to a different representation of the information). Encryption involves a secret (usually a secret key) whilst encoding involves only an algorithm or scheme, base64 in the above case. To decode you use the base64_decode() function (as in the above code).

The above code has been encoded using base64 and additionally compressed using zlib. To run the code you have to decode the above 'gibberish' using base64_decode(), then unzip using gzuncompress() and then run the result using eval(), which is the case in the above snippets.

I also know this code belongs to : paymentmedium.com

@hallianonline: If this is true then please confirm that you have an appropriate licence to use the scripts. Inappropriate use of intellectual property is against the DW rules, I believe.
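The post above explains the layering (base64, then zlib, then eval). When you meet such code in a compromised site or a third-party script, the point is to read it without running it: unwrap the layers statically and inspect the result. This added example (not from the original post or the scripts under discussion) does that for nested `eval(gzuncompress(base64_decode('...')))` wrappers; the sample input is constructed in the code itself so it runs offline.

```php
<?php
// Added example (not from the original post): statically peel nested
// eval(gzuncompress(base64_decode('...'))) wrappers so the code can be read.
// eval() is never called on the recovered source. The sample is constructed here.

/** Unwrap up to $maxLayers wrappers; returns the recovered source and layer count. */
function unwrapObfuscatedPhp(string $code, int $maxLayers = 20): array
{
    $pattern = '/eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'
             . '[\'"]([A-Za-z0-9+\/=\s]+)[\'"]\s*\)\s*\)\s*\)\s*;?/';
    $layers  = 0;

    while ($layers < $maxLayers && preg_match($pattern, $code, $m)) {
        // Strict decoding: anything that is not clean base64 stops the loop
        // instead of producing garbage that looks like a result.
        $decoded = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
        if ($decoded === false) {
            break;
        }
        // The wrapper names zlib's gzcompress format; other families use
        // gzinflate()/str_rot13() and would need their own branch here.
        $inflated = @gzuncompress($decoded);
        if ($inflated === false) {
            break;
        }
        // Replace the wrapper with the recovered source; nothing is executed.
        $code = str_replace($m[0], $inflated, $code);
        $layers++;
    }

    return ['source' => $code, 'layers' => $layers];
}

// Constructed sample: two layers of the same wrapping around harmless code.
$inner  = "echo 'hello';";
$layer1 = "eval(gzuncompress(base64_decode('" . base64_encode(gzcompress($inner)) . "')));";
$sample = "<?php\neval(gzuncompress(base64_decode('" . base64_encode(gzcompress($layer1)) . "')));";

$result = unwrapObfuscatedPhp($sample);
// Review $result['source'] in an editor, or write it to a file and run
// `php -l` on it; $result['layers'] tells you how many wrappers were removed.
```

Treat whatever comes out as untrusted: obfuscated layers in a payment script are just as likely to hide a backdoor or a licence check that phones home as legitimate code, and you learn which only by reading the decoded source, never by executing it on the server.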

broj1 356 Humble servant Featured Poster

Will you post it (it might help someone else)?

broj1 356 Humble servant Featured Poster

Thanks for this tip. However note that $_SERVER['HTTP_REFERER'] is not always 100% reliable.

broj1 356 Humble servant Featured Poster

The isset() function returns TRUE or FALSE. You probably wanted it this way:

if(isset($_GET['_rp']) && $_GET['_rp'] == 1)
...
elseif(isset($_GET['_rp']) && $_GET['_rp'] == 2)
...
broj1 356 Humble servant Featured Poster

The $_POST array doesn't contain a name element. The reason is that the name input field has not been submitted yet. Include a check such as:

<?php
if(isset($_POST['name']) && !empty($_POST['name'])) {
    $name1=$_POST['name'];
    echo "<br> Your name is $name1 . Thanks for using our system.";
}
?>

Even better would be to check for form submission:

<?php
if(isset($_POST['submit']) && isset($_POST['name']) && !empty($_POST['name'])) {
    $name1=$_POST['name'];
    echo "<br> Your name is $name1 . Thanks for using our system.";
}
?>

In order for this to work you should add a name attribute to the submit button:

<input type="button" onclick="formSubmit()" name="submit" value="Submit" />
broj1 356 Humble servant Featured Poster

Shouldn't it be:

header('location: ../admin.php'); // 1 folder up
header('location: ../../admin.php'); // 2 folders up

But HTTP 1.1 requires an absolute URI for the Location field so I am not sure if the above is OK to be used. Anyone knows more about that?

pritaeas commented: Oops. Indeed... must be the heat ;) +14
JorgeM commented: nice catch! +12
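The question in the post above (whether a relative `Location` is acceptable when HTTP/1.1 asks for an absolute URI) has a security angle too: the usual shortcut of prefixing `$_SERVER['HTTP_HOST']` lets the client pick the host of the redirect, and passing an unchecked target lets it pick the whole destination. As an added example that is not part of the original post, here is a helper that resolves a path like `../admin.php` against the running script's directory and a configured base URL, and refuses targets that would become an open redirect. `APP_BASE_URL` is an assumed value for illustration.

```php
<?php
// Added example (not from the original post): emit an absolute Location from a
// relative path such as '../admin.php'. The host comes from a configured base,
// never from $_SERVER['HTTP_HOST'], and external targets are refused.
// APP_BASE_URL is an assumed value for illustration.

const APP_BASE_URL = 'https://www.example.com';

function absoluteRedirectUrl(string $target, ?string $currentScript = null, string $base = APP_BASE_URL): string
{
    // Refuse absolute URLs ('http:', 'javascript:'), scheme-relative '//host',
    // backslashes and CR/LF (header injection): only in-app paths are allowed.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $target)
        || substr($target, 0, 2) === '//'
        || strpos($target, '\\') !== false
        || preg_match('/[\r\n]/', $target)) {
        throw new InvalidArgumentException('redirect target must be a relative path');
    }

    // Resolve against the directory of the running script, as a browser does
    // for a relative link. SCRIPT_NAME is set by the server, not by the client.
    $currentScript = $currentScript ?? ($_SERVER['SCRIPT_NAME'] ?? '/');
    $dir      = rtrim(str_replace('\\', '/', dirname($currentScript)), '/');
    $combined = ($target !== '' && $target[0] === '/') ? $target : $dir . '/' . $target;

    // Collapse '.' and '..' segments without ever climbing above '/'.
    $segments = [];
    foreach (explode('/', $combined) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }

    return rtrim($base, '/') . '/' . implode('/', $segments);
}

function redirectTo(string $target): void
{
    header('Location: ' . absoluteRedirectUrl($target), true, 302);
    exit();   // nothing after a redirect header should keep executing
}
```

Called from `/members/edit.php`, `redirectTo('../admin.php')` produces `Location: https://www.example.com/admin.php`; `'../../admin.php'` resolves to the same place because the segment walk stops at the root, and `redirectTo('//evil.example/')` or `redirectTo('https://evil.example/')` throws before any header is sent. Browsers accept relative `Location` values in practice, and RFC 7231 later relaxed the requirement to any URI reference, but building the absolute form yourself costs nothing and keeps the host under your control.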
broj1 356 Humble servant Featured Poster

There are two IDs so use a form that includes the table name:

WHERE table1.id = '".$q."'

Put the where clause before the ORDER clause (and after the JOIN clauses).

And remove the comma after the table3.file_name.

broj1 356 Humble servant Featured Poster

Yes, if it returns the scriptname (I think it depends on globals on setting). You can also use $_SERVER['PHP_SELF'].

broj1 356 Humble servant Featured Poster

The first two scripts have the same filename. Is that a typo?

One suggestion:

In the registration processing script you check for the validity and existence of username, password and email. If any of these is missing or invalid you stop the script using die() and display some message. A better user experience would be redirecting the user back to the registration form, filling in the existing data and highlighting the field with the error. This way the user can correct the missing or incorrect input and carry on with the registration with minimum effort.

broj1 356 Humble servant Featured Poster

The PHP manual will answer most of your questions. This is what it says for mail function:

bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )

$to - Receiver, or receivers of the mail
$subject - Subject of the email to be sent
$message - Message to be sent
$additional_headers (optional) -  String to be inserted at the end of the email header. This is typically used to add extra headers (From, Cc, and Bcc). Multiple extra headers should be separated with a CRLF (\r\n). 

In the manual there are useful examples. In your case have a look at the example #2:

<?php
$to      = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: webmaster@example.com' . "\r\n" .
    'Reply-To: webmaster@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);
?>

So the answers to your questions are:

Q1: The $sender="***********"; code is meant for setting a sender envelope header which tells the server who is the sender. It should be used in $additional_parameters part using the -f switch something like:

mail($to, $subject, $message, $headers, "-f$sender");

Please consult the PHP manual for correct syntax.

Q2: The lines

$mail_from="From:$email\n";
$mail_from .="Content-Type: text/html; charset=utf-8\n";

set the From: header and the Content-Type header (as part of additional headers). The From and the sender might be the same but this is not necessary. The From should be present otherwise the server might complain. …
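In the snippet discussed above the From header is built directly from `$email`, a value the visitor typed. Because mail headers are separated by line breaks, an address such as `a@b.com\r\nBcc: victims@...` turns the contact form into a relay. As an added example that is not part of the original post, here is how to assemble the `$additional_headers` string and the `-f` envelope sender so that user input cannot add headers: validate the address, reject CR/LF, keep From and the envelope sender as fixed server-owned addresses and put the visitor's address in Reply-To. The addresses and field names are assumptions for illustration.

```php
<?php
// Added example (not from the original post): building mail() headers so that
// user-supplied values cannot inject extra header lines. Addresses are assumed.

function safeMailHeaderValue(string $value): string
{
    // CR, LF or NUL in a header value is what lets a client add headers.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('header value contains line breaks');
    }
    return trim($value);
}

function buildMailHeaders(string $fromEmail, string $replyTo): string
{
    // Only a syntactically valid single address is accepted for From/Reply-To;
    // FILTER_VALIDATE_EMAIL also rejects anything containing a line break.
    foreach ([$fromEmail, $replyTo] as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid e-mail address');
        }
    }
    $lines = [
        'From: '     . safeMailHeaderValue($fromEmail),
        'Reply-To: ' . safeMailHeaderValue($replyTo),
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=utf-8',
        'X-Mailer: PHP/' . phpversion(),
    ];
    // Headers are joined with CRLF exactly as the manual example does.
    return implode("\r\n", $lines);
}

function sendContactMail(string $to, string $subject, string $message, string $visitorEmail): bool
{
    // From is a fixed address in a domain you control, so your SPF/DMARC
    // policy is not broken; the visitor's address goes in Reply-To instead.
    $headers = buildMailHeaders('webmaster@example.com', $visitorEmail);

    // Subject is a header as well, so it gets the same line-break check.
    $subject = safeMailHeaderValue($subject);

    // The -f envelope sender must also be an address you own, never user input.
    return mail($to, $subject, $message, $headers, '-fwebmaster@example.com');
}

// Constructed request with an injection attempt; the exception fires before
// mail() is ever called:
// try {
//     sendContactMail('nobody@example.com', 'Hello', 'Text', "a@b.com\r\nBcc: x@y.com");
// } catch (InvalidArgumentException $e) {
//     // show the visitor a generic validation error
// }
```

The `$message` body is not a header and may contain line breaks, but if `Content-Type: text/html` is used, as in the thread's snippet, the body needs HTML escaping of user values as well, otherwise the e-mail becomes a phishing template.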

broj1 356 Humble servant Featured Poster

Writing into a text file could be problematic if you have more than one concurrent writing attempt (e.g. two users trigger an error at the same time). With database logging the DB server takes care of queuing writes. Also the contents of text files tend to be more clumsy to review, filter or sort. Also when text files grow in size significantly, writing and reading might get slower. I use text files for logging only DB connection errors (where logging into the DB would not work).

I think the mysqli_real_escape_string function does its job (which is escaping) but escaping is often not enough. So use other techniques like whitelisting (or blacklisting), string length checking etc.
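The post above lists whitelisting and length checks alongside escaping without showing them. As an added example that is not part of the original post, here is a validation pass for the kind of order form discussed in this thread: each field is checked against what it is allowed to be (a fixed set of choices, a bounded printable string, a decimal amount, an e-mail address, a positive integer id) and the request is rejected as a whole if anything fails, before any SQL is built. The field names and allowed values are assumptions for illustration.

```php
<?php
// Added example (not from the original post): whitelist, length and type
// validation of form input before it reaches a query. Field names and the
// allowed choices are assumptions for illustration.

function validateOrderInput(array $post): array
{
    $errors = [];
    $clean  = [];

    // Whitelist: a choice field may only hold one of these exact values.
    $allowedDelivery = ['standard', 'express', 'pickup'];
    if (!in_array($post['delivery'] ?? null, $allowedDelivery, true)) {
        $errors[] = 'delivery must be one of ' . implode(', ', $allowedDelivery);
    } else {
        $clean['delivery'] = $post['delivery'];
    }

    // Free text: trim, enforce the column length in bytes (what VARCHAR(100)
    // actually stores) and reject control characters.
    $name = trim((string)($post['user_name'] ?? ''));
    if ($name === '' || strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors[] = 'user_name must be 1-100 printable characters';
    } else {
        $clean['user_name'] = $name;
    }

    // Amount: only digits with up to two decimals, so it is safe for a DECIMAL
    // column and cannot carry quotes, signs or exponents.
    $price = (string)($post['price'] ?? '');
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        $errors[] = 'price must be an amount like 12.50';
    } else {
        $clean['price'] = $price;
    }

    // Format check via the built-in filter rather than a hand-written regex.
    $email = filter_var($post['user_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'user_email is not a valid address';
    } else {
        $clean['user_email'] = $email;
    }

    // Identifier: must be a positive integer; FILTER_VALIDATE_INT returns false
    // for '48abc', '4.8' or an empty value rather than silently casting.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'id must be a positive integer';
    } else {
        $clean['id'] = $id;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $clean];
}

// Constructed sample request; check $result['ok'] and $result['errors'], and
// pass only $result['values'] on to the (parameterised) query.
$result = validateOrderInput([
    'id'         => '48',
    'delivery'   => 'express',
    'user_name'  => 'Ana',
    'price'      => '12.50',
    'user_email' => 'ana@example.com',
]);
```

Validation of this kind is not a replacement for escaping or prepared statements; it is the layer that catches values which are syntactically harmless to SQL but wrong for the application, such as a negative price or a delivery option the form never offered.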

broj1 356 Humble servant Featured Poster

Your insert query syntax is a bit strange. The basic syntax would be:

INSERT INTO tablename (field1, field2,...) VALUES (value1, value2, ...)

so in your case

$q1 = "INSERT INTO job_employer_info
(ename,
epass,
CompanyName,
CompanyCountry,
CompanyState,
CompanyZip,
CompanyCity,
CompanyAddress,
CompanyPhone,
CompanyPhone2,
CompanyEmail)
VALUES(
'$ename',
'$epass',
'$CompanyName',
'$CompanyCountry',
'$CompanyState',
'$CompanyZip',
'$CompanyCity',
'$CompanyAddress',
'$CompanyPhone',
'$CompanyPhone2',
'$CompanyEmail')";
broj1 356 Humble servant Featured Poster

Now, if I got it, then you have the number of comments for each post already in the $post['total_comments'] element. In this case you do not need the gather_comments function. Just use the $post['total_comments']:

<h4 style="text-decoration: none;">(<?php echo $post['total_comments']; ?> 
<?php
if($post['total_comments'] == 1) {
    echo 'comment';
} else {
    echo 'comments';
}
?>)</h4>

Correct me if I am wrong.

broj1 356 Humble servant Featured Poster

Your function is not returning the number of comments but the resource (a special PHP type) for the query. And also the query has to be changed to:

$sql = "SELECT COUNT(*) FROM `comments` WHERE `post_id`= {$pid}";

The function should be something like:

function gather_comments ($pid){
    // cast to int so only a number can end up in the query
    $pid = (int)$pid;
    $sql = "SELECT COUNT(*) FROM `comments` WHERE `post_id`= {$pid}";

    $res = mysql_query($sql);
    $row = mysql_fetch_row($res);
    $comments = (int)$row[0];

    return $comments;
}

The logic for displaying singular or plural should be simple:

// call the function only once so you do not shoot too many queries
$commentsCount = gather_comments($pid);

if($commentsCount == 1) {
    echo 'comment';
} else {
    echo 'comments';
}

If you retrieve comments earlier in the script (i.e. for displaying) the function is not necessary since you can just count the retrieved comments.

broj1 356 Humble servant Featured Poster

I don't see any submit button. How do you submit the form?

You can change the hidden input into submit button. Change this code:

<input type="hidden" name="submitted" value="true" />

into this code:

<input type="submit" name="submitted" value="Submit" />
broj1 356 Humble servant Featured Poster

But this only add the last entry to the database!

In your last version the query is outside both foreach loops so it gets run only once with the last assigned values. Put the query inside the inner loop and also apply the sanitizing (mysql_real_escape_string function), like suggested in above posts (take security seriously).

It is a good practice to assign a query to a string before running it - this is how you can echo it and test it in phpmyadmin:

$query = "INSERT INTO links  VALUES (...)";
...

// temporary debug code will display the query and stop the script
// you can now examine the query and copy it into phpmyadmin for testing
die($query);

// run the query
mysql_query($query);
broj1 356 Humble servant Featured Poster

Your responsibility is to format the data read from the database, using PHP and HTML, into something that looks useful and appealing to the user. You can use tables, lists and other HTML elements and CSS. Regarding CSS you can use media rules: @screen for onscreen display in the browser and print for printing. You can also dive into CSS3 media queries for more.

And of course as LastMitch suggested, you can use PDF which will give you much more formating freedom.

broj1 356 Humble servant Featured Poster

Then on the first page save the username into the session ($_SESSION array). On the second page read it from the session and use it.

First page:

session_start();
$_SESSION['username'] = $username;
...

Second page:

session_start();
if(isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
    ...
} else {
    die('Error: Username does not exist.');
}
broj1 356 Humble servant Featured Poster

In my example I used the mysqli extension but you are using the mysql extension (see the query on line 19 of your code). You should actually use only one extension in your script. I strongly suggest you switch to mysqli which is newer and has more features. The mysql extension is old and has been deprecated in the newest versions of PHP. So if you have reasons to stay with mysql, change the escape statements to:

// escape the values and assign them to variables
$warranty = mysql_real_escape_string($_POST['warranty']);
$delivery = mysql_real_escape_string($_POST['delivery']);
$price = mysql_real_escape_string($_POST['price']);

and the error won't appear anymore. When you have the chance switch to the mysqli extension. And sorry for the confusion I might have caused :-)

masterjiraya commented: he mixed 2 api scripts ( the one who asked it ) +4
broj1 356 Humble servant Featured Poster

As AHarrisGsy says you did not assign values from $_POST to variables you use in your query. So check for the existence of each of $_POST element, escape the values and assign them to variables. If any of the $_POST elements is missing then display an error message.

if(isset($_POST['warranty']) && isset($_POST['delivery']) && isset($_POST['price'])) {
    // escape the values and assign them to variables
    // ($link is the mysqli connection; the procedural function needs it as first argument)
    $warranty = mysqli_real_escape_string($link, $_POST['warranty']);
    $delivery = mysqli_real_escape_string($link, $_POST['delivery']);
    $price = mysqli_real_escape_string($link, $_POST['price']);
} else {
    // if any of the values is missing display error message
    die('Please select all required fields!');
}

// get username from somewhere (i.e. session)
$username = $_SESSION['username']; // I am guessing this
...
// now you can use variables in the query (`order` is a reserved word in MySQL, so it is quoted)
$sql = "INSERT INTO `order` SET username='$username', warranty='$warranty', delivery='$delivery', price='$price'";
broj1 356 Humble servant Featured Poster

On line 12 you assign a filename to $filename variable:

$filename = stripslashes($_FILES['file']['name']);

which is good. But then you do not use that variable on line 62:

$filename = "../../../../../../../../bloggbilder/". $_FILES['file']['name'];

which is strange since it defeats the purpose of the code on line 12. I think you should create a filename on line 12 and give it a random prefix or postfix, something like:

// create postfix
$postfix = '_' . date('YmdHis') . '_' . str_pad(rand(1,10000), 5, '0', STR_PAD_LEFT);
// get rid of slashes and add postfix
$filename = stripslashes($_FILES['file']['name']) . $postfix;
// handle the extension
...
// use the generated filename from now on
...

which will generate a filename like somename_20130416_005826.jpg
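The post above keeps the client's original filename and appends a timestamp plus `rand()`. For an upload handler the stronger position is not to reuse any part of the submitted name at all: pick the extension from the detected content type, generate the name from the CSPRNG, and keep the file outside the document root. As an added example that is not part of the original post, here is such a handler for image uploads; the directory, size limit and accepted types are assumptions for illustration.

```php
<?php
// Added example (not from the original post): store an uploaded image under a
// random name chosen by the server, with the extension derived from the file's
// actual content. Directory, size limit and accepted types are assumptions.

const UPLOAD_DIR       = '/var/www/private/bloggbilder';   // assumed; not served by the web server
const UPLOAD_MAX_BYTES = 2 * 1024 * 1024;

// MIME type detected from the bytes -> extension the file will be stored under.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/** Returns the stored path, or throws with a message that is safe to show the user. */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (code ' . (int)$file['error'] . ')');
    }
    if ($file['size'] > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // is_uploaded_file() confirms the path really came from this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Decide the type from the content, never from $file['name'] or
    // $file['type'], which are both supplied by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('only JPEG, PNG and GIF images are accepted');
    }
    // getimagesize() must parse it too, which catches files that merely begin
    // with a valid image header and carry something else behind it.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a valid image');
    }

    // Unpredictable name from the CSPRNG; no slashes, dots or fragments of the
    // original name can reach the path, so traversal and '.php.jpg' tricks end here.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not save file');
    }
    chmod($dest, 0640);   // readable by the web server user, never executable
    return $dest;
}

// Usage; the original name is kept only as display metadata in the database:
// $stored   = storeUploadedImage($_FILES['file']);
// $original = mb_substr($_FILES['file']['name'], 0, 255);  // for display, HTML-escaped when output
```

Because the files live outside the web root, they are served through a small PHP script that looks the random name up in the database and streams it with a fixed `Content-Type`, which also means a mistake in the type check can at worst deliver a wrong image, not execute code.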

broj1 356 Humble servant Featured Poster

To add a row at the end of the HTML table you can use Javascript and insertRow() and insertCell() methods. Create a function that will insert a row and four cells in that new row. Then make a link with an onclick event that will trigger inserting of the row. See example here.

To save the data in the database use either Ajax as diprofinfiniti suggested or just process the form by submitting it the usual way.

broj1 356 Humble servant Featured Poster

The basic principle is:

At the login page you create a session variable to store login information when login is successful. The login information might include the user rights level, i.e.

if(<login successful and user level= admin>) {
    $_SESSION['user_level'] = 'admin';
}

On each secured page you first check if the user_level exists and if it is appropriate, i.e. on the admin page you would check:

if(isset($_SESSION['user_level']) && $_SESSION['user_level'] == 'admin') {

    // do admin stuff here
    ...

} else {
    header('location:logout.php');
    exit();
}

If login information is not correct the user will be redirected to logout page that will destroy the session and clean up whatever needed and redirect to login page.
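The principle described above (set a level in the session at login, check it at the top of every protected page, send everything else to a logout script) is the right shape. As an added example that is not part of the original post, here is the same flow with the details a reviewer would ask for: the password is checked with `password_verify()`, the session id is regenerated after login so a session id planted before login is not promoted (session fixation), the cookie is marked HttpOnly and Secure, and logout really destroys both the cookie and the server-side data. The `users` table columns, the role names and the `$db` connection are assumptions.

```php
<?php
// Added example (not from the original post): login, protected page and logout
// with session hardening. Table/column names, role names and $db are assumptions.

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie not readable from JavaScript and only sent over HTTPS (PHP >= 7.3 syntax).
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// login.php: verify credentials, then issue a fresh session id.
function loginUser(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, user_level FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy hash when the user is unknown so the response time
    // does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }

    startSecureSession();
    session_regenerate_id(true);               // drop any pre-login session id
    $_SESSION['user_id']    = (int)$row['id'];
    $_SESSION['user_level'] = $row['user_level']; // e.g. 'admin' or 'user'
    return true;
}

// Top of every protected page: require a level, otherwise go to logout.php.
function requireLevel(string $level): void
{
    startSecureSession();
    if (($_SESSION['user_level'] ?? null) !== $level) {
        header('Location: logout.php');
        exit();
    }
}

// logout.php: clear the array, expire the cookie, destroy the server-side data.
function logoutUser(): void
{
    startSecureSession();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php');
    exit();
}

// admin.php would begin with:
// requireLevel('admin');
// // do admin stuff here
```

Storing the level in the session rather than re-reading it from the database on every request means a demoted user keeps admin rights until they log out; if that matters, re-check `user_level` against the database in `requireLevel()` or store a version counter that the login row invalidates.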

broj1 356 Humble servant Featured Poster

Better stick to DECIMAL as pritaeas suggested. Float is approximate, int does not provide decimal values. Might want to read this: http://blog.rietta.com/2012/03/best-data-types-for-currencymoney-in.html

broj1 356 Humble servant Featured Poster

I tested your code on my server and it works OK. Clicking on Back button always brings me to index.php. Make sure you have no html before the code you posted (not even a space). If you have any html before a header() function, the function will not work.

beginnerpals commented: did it, still not working :/ +0
broj1 356 Humble servant Featured Poster

Also the ultimate checklist for web app security is the OWASP Top 10. It is comprehensive but it is worth taking some time to get to grips with it.

broj1 356 Humble servant Featured Poster
public function getLastInsertId()
{
    // you can do checks first (has the query been successful etc)

    return $this->mysqli->insert_id;
}

It would be good idea to initialize the properties:

protected $mysqli = null;
protected $result = null;

I would also use more descriptive names. The connection class is not only doing the connection, it is also returning the data. The $mysqli property would be better named $db so you can extend the class for other drivers (i.e. Oracle). Otherwise you are just duplicating the functionalities of mysqli.

broj1 356 Humble servant Featured Poster

Variables $title and $entry haven't been defined anywhere in the script. Did you forget to add these two lines:

$title = $_POST['title'];
$entry = $_POST['entry'];
broj1 356 Humble servant Featured Poster

The mysql_num_rows() function returns the number of found rows (an integer), not an array of rows. You should use mysql_fetch_assoc() in a while loop instead. Something like:

while($reck8goodsin = mysql_fetch_assoc($rs_k8goodsin)) {
    $count++; // assumes $count has been initialised to 0 before the loop
    echo '<tr>';
    echo '<td class="labelcell">' . $count . '</td>';
    echo '<td>' . $reck8goodsin['goodsDesc'] . '</td>';
    echo '<td>' . $reck8goodsin['k8goodsQty'] . '</td>';
    echo '<td>' . $reck8goodsin['valuePerUnit'] . '</td>';
    echo '<td>' . $reck8goodsin['valueTotal'] . '</td>';

    echo '<td><input name="" type="checkbox" value="" /></td>';
    echo '</tr>';
}

And give the checkbox a sensible name.