Re: [PHP] images doesn't seem to cache
> it won't be a php-parameter. Seen as the script isn't executed when the server decides it is the same as the cached version. So only if it deems not to be, then it runs the script, and when it does that, the script doesn't need to know anything about modified-since, because that check has long since been passed.

Really? It's not until the script is executed that the actual image is accessed. Until then, it's only referred to as a picture id, an int value.

Your suggestion was to use If-Modified-Since. How and where should I do a check for it?

Best regards,
Anders

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] images doesn't seem to cache
> Your eyes are fine. You need to check for If-Modified-Since header, if the time is older than file modification time (filemtime()) send Last-Modified header and the image, else send 304 Not Modified response.

This code seems to work. Have I got it right?

    // Get the time the cache file was last modified
    $lastModified = filemtime($pPath);

    // Issue an HTTP last modified header
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT');

    if (isset($_GET['If-Modified-Since'])) {
        // Split the If-Modified-Since (Netscape v6 gets this wrong)
        $modifiedSince = explode(';', $_GET['If-Modified-Since']);
        // Turn the client request If-Modified-Since into a timestamp
        $modifiedSince = strtotime($modifiedSince[0]);
    } else {
        $modifiedSince = 0;
    }

    // Compare time the content was last modified with client cache
    if ($lastModified <= $modifiedSince) {
        header('HTTP/1.1 304 Not Modified');
    } else {
        $extention = substr($path, -3);
        if ($extention == "jpg") header("Content-type: image/jpeg");
        if ($extention == "gif") header("Content-type: image/gif");
        if ($extention == "bmp") header("Content-type: image/bmp");
        if ($extention == "png") header("Content-type: image/png");
        readfile($pPath);
    }
Re: [PHP] images doesn't seem to cache
> This code seems to work. Have I got it right?

No. I have not. Sometimes the images are viewed from the cache, just to get downloaded from the server again next time, just a minute later, when I try again.

My local development server is running IIS, my production server is running Apache. Where is the best place to look for If-Modified-Since? Is $_GET['If-Modified-Since'] a safe bet?

//Anders
[PHP] images doesn't seem to cache
Hi,

I put all my images outside the web root, to prevent direct access, and then access them with an img-tag like this:

    <img src="fnc_get_image.php?path=<?=$path;?>" />

where fnc_get_image.php is:

    // Check if user is logged in
    require_once 'global_includes.php';
    $user = new User();

    // Get path to image for display
    $path = $_GET['path'];

    // Prepend path - prevents misuse
    $pPath = "/home/username/albums/" . $path;

    header("Cache-Control: private");
    $extention = substr($path, -3);
    if ($extention == "jpg") header("Content-type: image/jpeg");
    if ($extention == "gif") header("Content-type: image/gif");
    if ($extention == "bmp") header("Content-type: image/bmp");
    if ($extention == "png") header("Content-type: image/png");
    readfile($pPath);

There is one slight problem though: To my eyes, it looks like the images are downloaded from the server every time. Is this a side effect of this method or is it just an optical illusion? Is there a way to tell for sure if the image is downloaded or displayed from the browser cache?

I've tried with and without a Cache-Control header. It doesn't seem to make any difference at all.

Best regards,
Anders
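
An added example, not part of the original posts: the conditional GET check discussed in this thread, read from `$_SERVER['HTTP_IF_MODIFIED_SINCE']` (where PHP exposes request headers; they never appear in `$_GET`), combined with a check that the requested path really stays inside the album directory, since prepending a base path alone does not stop `../` segments. The function names and the sample files are hypothetical.

```php
<?php
// Added example; function names and sample data are hypothetical.

/**
 * Resolve $relative below $baseDir. Returns the absolute path, or null when
 * the file does not exist or the resolved path leaves the base directory
 * (for instance through "../" segments or a symlink).
 */
function resolve_image_path(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Trailing separator so that "/albums-old" does not pass as "/albums".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

/**
 * Decide status and headers for one request. $ifModifiedSince is the raw
 * value of $_SERVER['HTTP_IF_MODIFIED_SINCE'], or null when the header is
 * absent. The caller sends the file body only for status 200.
 */
function plan_image_response(?string $file, ?string $ifModifiedSince): array
{
    $types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'gif' => 'image/gif', 'bmp' => 'image/bmp', 'png' => 'image/png'];
    if ($file === null) {
        return [404, []];
    }
    // Serve only known image types; anything else is treated as not found.
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!isset($types[$ext])) {
        return [404, []];
    }

    $lastModified = filemtime($file);
    $headers = [
        'Cache-Control: private',
        'Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT',
    ];
    if ($ifModifiedSince !== null) {
        // Some old clients append "; length=..." after the date.
        $since = strtotime(explode(';', $ifModifiedSince)[0]);
        if ($since !== false && $lastModified <= $since) {
            return [304, $headers];          // client copy is still current
        }
    }
    $headers[] = 'Content-Type: ' . $types[$ext];
    $headers[] = 'Content-Length: ' . filesize($file);
    return [200, $headers];
}

// In the image script the plan would be applied like this:
//   $file = resolve_image_path('/home/username/albums', $_GET['path'] ?? '');
//   [$status, $headers] = plan_image_response(
//       $file, $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? null);
//   http_response_code($status);
//   foreach ($headers as $h) { header($h); }
//   if ($status === 200) { readfile($file); }

// Demo on a constructed directory tree (sample data, not from the thread).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'albums_demo_' . getmypid();
mkdir("$root/albums/2003", 0700, true);
file_put_contents("$root/albums/2003/a.png", 'constructed bytes');
file_put_contents("$root/secret.txt", 'outside the album directory');
touch("$root/albums/2003/a.png", strtotime('2003-06-01 12:00:00 GMT'));

$cases = [
    ['2003/a.png',    null],                              // first visit
    ['2003/a.png',    'Sun, 01 Jun 2003 12:00:00 GMT'],   // cached copy is current
    ['2003/a.png',    'Sat, 31 May 2003 12:00:00 GMT'],   // cached copy is older
    ['../secret.txt', null],                              // escapes the base dir
];
foreach ($cases as [$path, $ims]) {
    $file = resolve_image_path("$root/albums", $path);
    [$status] = plan_image_response($file, $ims);
    printf("%-14s If-Modified-Since=%-30s -> %d\n", $path, $ims ?? '(none)', $status);
}

// Remove the constructed files again.
unlink("$root/albums/2003/a.png");
unlink("$root/secret.txt");
rmdir("$root/albums/2003");
rmdir("$root/albums");
rmdir($root);
```

If the login check starts a session, PHP's default `session.cache_limiter` setting (`nocache`) sends headers that forbid caching; calling `session_cache_limiter('private_no_expire')` before `session_start()` avoids that.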
Re: [PHP] is it safe to store username and password for mysql connection in session variables?
> For the most part, yes, it is fine. Because session variables are maintained on the server, many risks are not a concern.

Ok. So it's more or less safe, at least as long as the server is locked down.

But someone, on this list or somewhere else, I don't remember, pointed out that if my site gets a lot of visitors, loading username, password and hostname for MySQL-connections in session variables causes a lot of overhead.

So: What's the best way - in terms of security AND performance - to store and access username, password and hostname for my MySQL connections?

> PHP Security Handbook
> Coming mid-2004

Nice. From which publisher?

-- anders thoresson
Re: [PHP] is it safe to store username and password for mysql connection in session variables?
> David Sklar and Adam Trachtenberg (two smart guys who authored the PHP Cookbook) suggest storing this information in the Web server's environment.

Guess we are talking about recipe 8.20 and 8.21?

I'm on a SunOS shared server. Should I add

    SetEnv DB_PASS password

to the .htaccess file in my public_html dir and then access it as $_ENV['DB_PASS']?

What should the access rights to .htaccess be? -rw--- or something else?

-- anders thoresson
[PHP] is it safe to store username and password for mysql connection in session variables?
Hi,

In the ini-files for my php-projects, I store various settings. Two of them are the username and password for my mysql-connections.

Is it safe to load these two into session variables when a user logs in to my application? Or is it better to access the ini-file each time a mysql-connection is needed?

What I don't understand, and hence the questions, is whether session variables are accessible by my website's visitors, or just to the php-scripts on the server.

-- anders thoresson
[PHP] secure query string before sending it to mysql
Hi,

I'm working on a database class of my own. I've got the following method:

    /**
     * query() performs a query on the selected database
     */
    function query($dbQuery)
    {
        if (is_string($dbQuery))
            $this->dbQuery = $dbQuery;
        else
            die("The submitted query isn't a string");
        $this->queryResult = mysql_query($this->dbQuery)
            or die("Couldn't perform the query: " . mysql_error());
    }

In the best of all worlds, variables that are part of the query string have been validated before going into the query. But if I sometimes forget to verify that user input doesn't contain dangerous code, I want to add some validating mechanism into the method above as well.

$dbQuery will be a query string like "INSERT INTO $article_table SET a_header = '$a_header'". Is there anything I can do, inside the method, to increase security?

-- anders thoresson
Re: [PHP] configuration class - skeleton code for first OOP adventure
> This will not work. For example if you have:
>
>     option1 = value;
>     option2 = value2;
>
> then ereg_replace('value', 'changed', $contents); will make it:
>
>     option1 = changed;
>     option2 = changed2;

My plan is to have

    option1 = value;

as old value and

    option1 = changed;

as new value. Not only the change value.

-- anders thoresson
Re: [PHP] configuration class - skeleton code for first OOP adventure
> Save yourself a lot of headache learn how to use PEAR and OOP all in one fell swoop by using PEAR::Config

I've already had a look at it, but it's too big for me to get. Thought learning by doing would be a better way.

-- anders thoresson
[PHP] configuration class - skeleton code for first OOP adventure
Hi,

My first larger project is growing out of control. I've spent some weeks reading OOP tutorials, and feel ready to make my first dive into a new programming style. One of the things that led me this way was the need for user configuration of my project. Therefore, I'll start with a class that lets me read and write a configuration file.

Is this a good start, or should I change anything?

    class configuration
    {
        var $configurationFile;

        function configuration($configurationFile)
        {
            $this->setConfigurationFile($configurationFile);
        }

        function setConfigurationFile($configurationFile)
        {
            // Code to check that $configurationFile points to a valid file
        }

        function readConfigurationFile()
        {
            $configurationArray = parse_ini_file($this->configurationFile, TRUE);
            return $configurationArray;
        }

        function writeConfigurationFile($changedValues)
        {
            $fp = fopen($this->configurationFile, "r");
            $contents = fread($fp, filesize($this->configurationFile));
            fclose($fp);
            foreach ($changedValues as $changedValue) {
                $new_contents = ereg_replace($changedValue["old"], $changedValue["new"], $contents);
                $contents = $new_contents;
            }
            $fp = fopen($this->configurationFile, "w");
            fwrite($fp, $contents);
            fclose($fp);
        }
    }

Best regards,

-- anders thoresson
Re: [PHP] Re: configuration class - skeleton code for first OOP adventure
> I'm not a OO expert but I think you could include the SetConfigurationFile () function in your constructor. And if it fails inside the constructor exit to your other class controlling errors.

You mean that I don't need a separate function for setConfigurationFile, but could rather include the controlling code in my constructor?

-- anders thoresson
[PHP] where are the good examples of using OOP?
Hi,

I'm just about to take the first step into OOP with PHP. I've searched the web for tutorials, and even if there are a lot, most of them use metaphors with houses or cars or other real life things to explain what classes and methods are.

I wonder if someone can point me to tutorials that use real PHP examples instead, examples that show me in a direct way how to use OOP. My biggest trouble right now is what should be the classes and what should be the methods.

Also, I wonder if someone could name a blog-application and web album-application that uses OOP in a good way and which I can have a look at to see how things are done.

Best regards,

-- anders thoresson
[PHP] this code unsets $_SESSION['editor'] but doesn't touch any other session variables
Hi,

I've had troubles with an application that randomly (until now) unsets the session variable $_SESSION['editor']. I've hunted through all my code and finally managed to rule out everything else than the following couple of lines.

It unsets the session variable $_SESSION['editor'], but leaving others, like $_SESSION['admin'] untouched. At the first debug, I get "Admin: Y Editor: Y" printed (which is the way I suppose things to be), but at the second debug I just get "Admin: Y Editor:".

I can't find the error though. Any input appreciated!

Best regards,
Anders Thoresson

    <?php
    // Debug, echoing session variables
    echo ("Admin: ");
    echo ($_SESSION['admin']);
    echo (" Editor: ");
    echo ($_SESSION['editor']);

    $issuequery = "SELECT un_issue.i_date, un_issue.i_editor FROM un_issue WHERE un_issue.i_date > CURDATE() ORDER BY i_date ASC";
    $issueresult = mysql_query($issuequery);
    $editorquery = "SELECT u_uname, u_id FROM un_user WHERE u_editor = 'Y'";
    $editorresult = mysql_query($editorquery);
    ?>
    <form action="issue_save_changes.php" method="post">
    <table cellspacing="0">
    <?php
    // Initiate counter for table background
    $background = 1;
    // Loop through all coming issues
    while ($issue = mysql_fetch_row($issueresult)) {
        mysql_data_seek($editorresult, 0);
        if (is_even($background)) {
            $row_background = "even";
        } else {
            $row_background = "odd";
        }
    ?>
    <tr class="<?php echo $row_background; ?>">
    <td class="borderless"><input name="issue[]" type="hidden" value="<?php echo $issue[0]; ?>">
    <?php echo format_date($issue[0]); ?></td>
    <td class="borderless"><select name="issue_editor[]">
    <?php
        // If editor isn't entered, highlight Inte bestämt
        if (!isset($issue[1])) {
    ?>
    <option value="NULL" selected>Inte bestämt
    <?php
            while ($editor = mysql_fetch_row($editorresult)) {
    ?>
    <option value="<?php echo $editor[1] ?>"><?php echo $editor[0]; ?>
    <?php
            }
        }
        // If an editor is entered, highlight her/him
        else {
    ?>
    <option value="NULL">Inte bestämt
    <?php
            while ($editor = mysql_fetch_row($editorresult)) {
                if ($editor[1] == $issue[1]) {
    ?>
    <option value="<?php echo $editor[1] ?>" selected><?php echo $editor[0]; ?>
    <?php
                } else {
    ?>
    <option value="<?php echo $editor[1] ?>"><?php echo $editor[0]; ?>
    <?php
                }
            }
        }
    ?>
    </select>
    </tr>
    <?php
        ++$background;
    }
    ?>
    </table>
    <input type="submit" value="Spara ändringar">
    </form>
    <?php
    // Debug, echoing session variables
    echo ("Admin: ");
    echo ($_SESSION['admin']);
    echo (" Editor: ");
    echo ($_SESSION['editor']);

-- anders thoresson
Re: [PHP] this code unsets $_SESSION['editor'] but doesn't touch any other session variables
> You more than likely have register globals ON, so by setting $editor to some value above, you are also changing the value of $_SESSION['editor'].

Yes! Settings at ISP was with globals on, but at my local server they were off. Which added quite a lot to my confusion.

Thanks!

-- anders thoresson
Re: [PHP] this code unsets $_SESSION['editor'] but doesn't touch any other session variables
> while ($editor = mysql_fetch_row($editorresult))
>
> How about changing from an assignment operator = to a comparison operator ==.

No. I want to step through each and every one of the rows in the result set, and that's done that way.

-- anders thoresson
Re: [PHP] shouldn't mysql_pconnect force reuse of mysql connections?
> the second time you request in php you'll have two, and so on. Until the number of connections in the pool gets filled up will mysql tell php to use an id that exists.

You mean that until the pool is filled a new id will be used? That's the case here, anyway: I get up to 30 id's and then no more new are added, but the time column resets, which I take means that that id is reused?

Thanks for helping me sort things out!

-- anders thoresson
Re: [PHP] shouldn't mysql_pconnect force reuse of mysql connections?
> You mean that until the pool is filled a new id will be used? That's the case here, anyway: I get up to 30 id's and then no more new are added, but the time column resets, which I take means that that id is reused?

There are still 30 open threads/processes in the process list, all with command Sleep. Does MySQL clean this list when they've been asleep for too long?

-- anders thoresson
[PHP] back works in opera but not in internet explorer
When I push the back button in Opera, I get back to the previous (database/php-generated) page in my site, but when I'm using IE and push back, I get a message saying that the page isn't valid any more.

Is this an internal IE-issue, or could I make my php-script IE-friendly?

-- anders thoresson
Re: [PHP] back works in opera but not in internet explorer
> Does it work when you refresh the page?

No. A reload in Internet Explorer kicks me out of my web application. Does a reload within IE reset session variables? Reloading a page in the application using Opera works.

-- anders thoresson
Re: [PHP] back works in opera but not in internet explorer
> But to clarify, are you getting a little dialog box that asks you to resubmit the data or cancel? OR is it an actual error page from IE?

I get an error page from IE saying that the page isn't valid any more (I think that's what IE would tell me if I was using an English version anyway. I'm using the Swedish one, so it's just a rough translation).

What I'm trying to do is not returning to a form to resend it, but rather step backwards through my menu system. My menu is built by multiple forms, all having the following syntax:

    <form method="post" action="article_view_issue.php">
    <select name="show_article_issue" OnChange = "form.submit()">
    <option>Visa nummer
    <?php
    db_connect($dbuser, $dbpassword, $dbdatabase);
    $query = "SELECT i_date FROM un_issue WHERE i_date CURDATE()";
    $result = mysql_query($query);
    while ($row = mysql_fetch_row($result)) {
    ?>
    <option value="<?php echo $row[0]; ?>"><?php echo $row[0] . "\n"; ?>
    <?php
    }
    ?>
    </select>
    </form>

I'm also starting every page in the system with a call to my function accesscontrol() that checks if certain session variables, like username and password, are set. If so, they are validated; if not, the login page is shown. Pressing reload causes the login page to show up, and that's why my guess is that the session variables for some reason are reset.

Accesscontrol() is 134 lines of code, and I don't know which parts might be of interest here. At log in, username and password are stored to two session variables:

    $_SESSION['uname'] = $_POST['uname'];
    $_SESSION['pwd'] = $_POST['pwd'];

Every time accesscontrol() is called, I make three if-checks:

    if(isset($_SESSION['uname'])) {
        // Validate already logged in users.
    } elseif(isset($_POST['uname'])) {
        // Login-form just filled in. Validate.
    } else {
        // If neither $_POST['uname'] nor $_SESSION['uname'] is set,
        // here I display the login form
    }

And since reloads bring up the login form, $_SESSION['uname'] is not set anymore, for some reason.

//Anders

-- anders thoresson
[PHP] one out of four session variables lost
    $_SESSION['uname'] = $_POST['uname'];
    $_SESSION['pwd'] = $_POST['pwd'];

When the user first logs in I also add two more session variables within accesscontrol():

    $_SESSION['editor'] = mysql_result($result, 0, "u_editor");
    $_SESSION['admin'] = mysql_result($result, 0, "u_admin");

Both are either a Y or an N.

When showing menus, I use these two session variables to decide whether editor and admin menus should be shown to the present user. Like this:

    include ("schedule.php");
    if ($_SESSION['editor'] == "Y")
        include ("editor.php");
    if ($_SESSION['admin'] == "Y")
        include ("admin.php");

But something strange happens. Sometimes, while a user who is both admin and editor is logged in, the $_SESSION['editor'] variable is dropped, causing the editor menu not being shown.

A check through all my source code shows that the only instance where I assign is in accesscontrol() shown above.

Are there any known circumstances where session variables are lost? (I guess that the answer is no, and this is an error caused by myself, but since I can't find it, I have to ask ;)

-- anders thoresson
[PHP] first time using exec() - are getting parse error.
Hi,

I'm trying to call mysqldump from within a php-script, like this:

    $backuptime = date("ymdHi");
    $backupfile = "un" . $backuptime . ".txt";
    exec("mysqldump --opt -u$dbuser -p$dbpassword $dbdatabase $alltables > /web/un/backup/$backupfile");

It works fine on my local Win2k, php 4.3.1, but not on my ISP's Sun Solaris/php 4.3.2 machine, where I get a parse error.

What am I doing wrong? Is there a better way to backup my database?

-- anders thoresson
[PHP] problem with sessions - IE working after session.use_trans_sid enabled.
Hi,

I've had some problems with Internet Explorer not working on the site I'm building at the moment. At my local system it worked, but not on my ISP. After comparing the session settings, only use_trans_sid differed: enabled at my local system, disabled at remote.

Before I changed anything IE worked only when accessing the site at my local host, while Opera managed to access it both local and from my ISP.

After enabling session.use_trans_sid in my .htaccess on my ISP, Internet Explorer can be used even there.

Ok. I've solved my problem, but don't really understand how session.use_trans_sid made the difference?

-- anders thoresson
Re: [PHP] first time using exec() - are getting parse error.
> What is the error you get?

Problem solved: it was a combination of permissions and wrong options.

-- anders thoresson
Re: [PHP] need help with table lock - could this be performed with mysql commands or do I to write my own PHP function
> What happens when the user doesn't finish editing or the browser simply crashes on him?

Well. Didn't think of that. So how can I avoid that two editors load the same record for editing at the same time, while still making all records available for regular visitors to read?

-- anders thoresson
[PHP] send group of files at once to website administrator
Hi,

I have the following code which I use to make regular backups of my databases. Is there a way to have all backup files sent at once after they are created, instead of presenting the list of files available for download?

    db_connect($dbuser, $dbpassword, $dbdatabase);

    // Lock and flush tables before backup
    $query = "LOCK TABLES un_article READ, un_article_writer READ";
    $result = mysql_query($query) or error(mysql_error());
    $query = "FLUSH TABLES";
    $result = mysql_query($query) or error(mysql_error());

    // Perform backup
    $query = "BACKUP TABLE un_article, un_article_writer TO 'c:/web/un/backup'";
    $result = mysql_query($query) or error(mysql_error());

    // Unlock tables
    $query = "UNLOCK TABLES";
    $result = mysql_query($query) or error(mysql_error());

    // Present all files with link to download
    if ($handle = opendir('/web/un/backup')) {
        echo "Files:<br>\n";
        /* This is the correct way to loop over the directory. */
        while (false !== ($file = readdir($handle))) {
            echo "Download $file <a href='backup/$file'>here</a><br>\n";
        }
        closedir($handle);
    }

-- anders thoresson
Re: [PHP] Re: why doesn't default values for this function work
> Change your logic here...
>
> if($max_length == -1) then you did not send a value for $max_length and act accordingly.
>
> or
>
> if(!($max_length == -1)) you did send a $max_length value and act accordingly.

But I want to do the same things, with some additions if $max_length is set. That's why I start with the check if($max_length > -1).

    function secure_string($unsafe_string, $max_length = -1, $errormessage = "Du har skrivit för många tecken.")
    {
        if($max_length > -1) {
            // do stuff that has to be done when $max_length is set
        }
        // do stuff that has to be done whether $max_length is set or not
    }

Is there really something wrong with this logic (since it doesn't work, it obviously is, but what)?

-- anders thoresson
[PHP] why doesn't default values for this function work - resending because of bad formatting
Hi,

I'm having a problem with a function that I'll use to validate user input before passing it to MySQL. For strings, I want to make sure that they aren't too long, so I have written this function:

    function secure_string($unsafe_string, $max_length = -1, $errormessage = "Too many characters.")
    {
        // verify that string isn't longer than $max_length, if $max_length is set
        if ($max_length > -1) {
            if (!is_int($max_length)) {
                error("Variable max_length is not an integer.");
            }
            if (strlen($unsafe_string) > $max_length) {
                error($errormessage);
            }
        }
        [... and the validation will continue here.]

When I want to use the max length check I pass a value to the function like this:

    $a_header = secure_string($_POST['a_header'], 60, "Header must not be more then 60 characters.");

But I'm having two problems:

1) If no max length is passed, and $max_length gets the value -1, the if-loop if ($max_length > -1) is still run.

2) Calls to my own function error don't work. Instead of creating a popup window with javascript (which works in other places where error() is called) the error message is printed like html.

What's wrong?

Best regards,

-- anders thoresson
Re: [PHP] Re: why doesn't default values for this function work
> function secure_string($unsafe_string, $max_length)
> {
>     if(!is_int($max_length))
>         error("Variable max_length is not an integer.");
>     if (strlen($unsafe_string) > $max_length)
>         error("Too many characters.");
> }

I want the $max_length to be optional. With your solution it isn't? I thought I could make it optional by assigning a default value of -1, which would tell the function not to bother with max_length and continue the execution.

All in all my function looks like this (crossing my fingers and hoping that linewrap works this time):

    function secure_string($unsafe_string, $max_length = -1, $errormessage = "Du har skrivit för många tecken.")
    {
        // verify that string isn't longer than $max_length, if $max_length is set
        if ($max_length > -1) {
            if (!is_int($max_length)) {
                error("Variabeln max_length är inte en siffra.");
            }
            if (strlen($unsafe_string) > $max_length) {
                error($errormessage);
            }
        }

        // create array containing bad words
        $badwords = array(";", "--", "select", "drop", "insert", "xp_", "delete");
        $goodwords = array(":", "-", "choose", "leave", "add", " ", "remove");

        // check for occurrences of $badwords
        for($i=0; $i<7; $i++) {
            $unsafe_string = str_replace($badwords[$i], $goodwords[$i], $unsafe_string);
        }

        $unsafe_string = AddSlashes($unsafe_string);
        $unsafe_string = htmlentities($unsafe_string);
        $unsafe_string = strip_tags($unsafe_string);
        $unsafe_string = trim($unsafe_string);

        Return $unsafe_string;
    }

Are the last steps (AddSlashes through trim) overkill? I want to make it safe for mysql.

-- anders thoresson
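
An added example, not part of the original posts, for the question asked here and in the "secure query string before sending it to mysql" post: instead of rewriting words inside the value, validate the input, then send it as a bound parameter of a prepared statement so it can never become part of the SQL text. It assumes PDO with an in-memory SQLite database standing in for MySQL; the `ArticleStore` class, the `a_id` column and the second table name are hypothetical, while `un_article` and `a_header` follow the thread.

```php
<?php
// Added example; class name, a_id column and sample input are hypothetical.

class ArticleStore
{
    // Identifiers cannot be bound as parameters, so table names come
    // from a fixed allow-list instead of from a variable in the query.
    private const TABLES = ['un_article', 'un_article_draft'];

    private PDO $db;

    public function __construct(PDO $db)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // With the MySQL driver, also turn off emulated prepares so the
        // server receives statement and values separately:
        // $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->db = $db;
    }

    private function table(string $name): string
    {
        if (!in_array($name, self::TABLES, true)) {
            throw new InvalidArgumentException('unknown table');
        }
        return $name;
    }

    /** Validation rejects bad input; it does not rewrite it. */
    public function insertHeader(string $table, string $header, int $maxLength = -1): int
    {
        $header = trim($header);
        if ($header === '') {
            throw new InvalidArgumentException('header is empty');
        }
        if ($maxLength > -1 && strlen($header) > $maxLength) {
            throw new LengthException("header is longer than $maxLength bytes");
        }
        $stmt = $this->db->prepare(
            'INSERT INTO ' . $this->table($table) . ' (a_header) VALUES (:header)'
        );
        $stmt->execute([':header' => $header]);   // value travels as data
        return (int) $this->db->lastInsertId();
    }

    public function getHeader(string $table, int $id): ?string
    {
        $stmt = $this->db->prepare(
            'SELECT a_header FROM ' . $this->table($table) . ' WHERE a_id = :id'
        );
        $stmt->execute([':id' => $id]);
        $value = $stmt->fetchColumn();
        return $value === false ? null : $value;
    }
}

// Demo with constructed input.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE un_article (a_id INTEGER PRIMARY KEY, a_header TEXT NOT NULL)');
$store = new ArticleStore($pdo);

// Quotes, semicolons, "--" and SQL keywords are ordinary text here.
$input  = "Don't select; drop by -- it's <b>free</b>";
$id     = $store->insertHeader('un_article', $input, 60);
$stored = $store->getHeader('un_article', $id);
echo 'stored unchanged: ', var_export($stored === $input, true), "\n";

// HTML escaping belongs at output time, not in the database layer.
echo 'for HTML output:  ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// A table name that is not on the allow-list never reaches the database.
try {
    $store->insertHeader('un_article; DROP TABLE un_article', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected table:   ', $e->getMessage(), "\n";
}

// The optional length limit rejects instead of truncating or rewriting.
try {
    $store->insertHeader('un_article', str_repeat('x', 61), 60);
} catch (LengthException $e) {
    echo 'rejected length:  ', $e->getMessage(), "\n";
}
```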
[PHP] why doesn't default values for this function work
Hi,

I'm having a problem with a function that I'll use to validate user input before passing it to MySQL. For strings, I want to make sure that they aren't too long, so I have written this function:

    function secure_string($unsafe_string, $max_length = -1, $errormessage = "Too many characters.")
    {
        // verify that string isn't longer than $max_length, if $max_length is set
        if ($max_length > -1) {
            if (!is_int($max_length)) {
                error("Variable max_length is not an integer.");
            }
            if (strlen($unsafe_string) > $max_length) {
                error($errormessage);
            }
        }
        ... and the validation will continue here.

When I want to use the max length check I pass a value to the function like this:

    $a_header = secure_string($_POST['a_header'], 60, "Header must not be more then 60 characters.");

But I'm having two problems:

1) If no max length is passed, and $max_length gets the value -1, the if-loop if ($max_length > -1) is still run.

2) Calls to my own function error don't work. Instead of creating a popup window with javascript (which works in other places where error() is called) the error message is printed like html.

What's wrong?

Best regards,

-- anders thoresson
[PHP] need help with table lock - could this be performed with mysql commands or do I to write my own PHP function
Hi,

For an application that I'm working on, I want users to be able to show content even while an editor/administrator makes changes in one of my database's tables. But if another editor tries to load the same content for editing, he/she shouldn't be able to do this.

I've been reading up on MySQL's internal LOCK command, but it doesn't seem to be what I need. I need a read/write lock based on what the current user/editor wants to do, and not only based on what content an editor is working with at the moment.

I'm thinking of the following solution:

Create a new database:

    CREATE TABLE table_lock (
        table_name VARCHAR(40),
        row_id INT,
        PRIMARY KEY (table_name, row_id)
    );

And two functions: set_lock($table_name, $row_id), check_lock($table_name, $row_id) and release_lock($table_name, $row_id).

Whenever an editor opens some content for editing, check_lock() will be called to see if table_lock contains a row with the same table_name and row_id. If so, the content isn't loaded and the editor is told that someone else is working on the content, and is asked to try again later. If not, set_lock() is called to make sure that no other editor opens the content before it's saved and release_lock() is called, which will remove the line from table_lock again.

Is this a good way to do this? Or are there any other suggestions?

-- anders thoresson
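
An added example, not part of the original posts, of the lock table proposed here with two changes: taking the lock is a single INSERT that the primary key makes atomic (a separate check_lock() followed by set_lock() lets two editors pass the check at the same moment), and each lock carries an owner and an expiry time, which covers the abandoned or crashed browser raised in the earlier reply. It assumes PDO with an in-memory SQLite database standing in for MySQL; the `locked_by` and `expires_at` columns, the `$ttl` parameter and the editor names are additions.

```php
<?php
// Added example; locked_by, expires_at, $ttl and the editor names are hypothetical.

function create_lock_table(PDO $db): void
{
    $db->exec('CREATE TABLE table_lock (
        table_name VARCHAR(40) NOT NULL,
        row_id     INT         NOT NULL,
        locked_by  VARCHAR(40) NOT NULL,
        expires_at INT         NOT NULL,
        PRIMARY KEY (table_name, row_id)
    )');
}

/**
 * Try to take (or extend) the edit lock for one row.
 * Returns true when $editor holds the lock afterwards, false when another
 * editor holds an unexpired lock. $now is a Unix timestamp.
 */
function set_lock(PDO $db, string $table, int $rowId, string $editor, int $now, int $ttl = 900): bool
{
    // Clear a stale lock left behind by an editor who never saved.
    $db->prepare('DELETE FROM table_lock
                  WHERE table_name = ? AND row_id = ? AND expires_at <= ?')
       ->execute([$table, $rowId, $now]);

    // The current holder may reopen the form: extend their own lock.
    $extend = $db->prepare('UPDATE table_lock SET expires_at = ?
                            WHERE table_name = ? AND row_id = ? AND locked_by = ?');
    $extend->execute([$now + $ttl, $table, $rowId, $editor]);
    if ($extend->rowCount() === 1) {
        return true;
    }

    // Atomic acquire: the primary key lets only one INSERT succeed.
    try {
        $db->prepare('INSERT INTO table_lock (table_name, row_id, locked_by, expires_at)
                      VALUES (?, ?, ?, ?)')
           ->execute([$table, $rowId, $editor, $now + $ttl]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // duplicate key: lock is taken
            return false;
        }
        throw $e;
    }
}

/**
 * Release the lock when saving. Returns false when $editor no longer holds
 * it (expired and taken over), in which case the save should be refused.
 */
function release_lock(PDO $db, string $table, int $rowId, string $editor, int $now): bool
{
    $stmt = $db->prepare('DELETE FROM table_lock
                          WHERE table_name = ? AND row_id = ?
                            AND locked_by = ? AND expires_at > ?');
    $stmt->execute([$table, $rowId, $editor, $now]);
    return $stmt->rowCount() === 1;
}

// Demo with constructed timestamps and editors.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_lock_table($db);

$steps = [
    'anna opens article 7 at t=1000'    => set_lock($db, 'un_article', 7, 'anna', 1000),
    'bob opens article 7 at t=1010'     => set_lock($db, 'un_article', 7, 'bob', 1010),
    'bob opens article 8 at t=1010'     => set_lock($db, 'un_article', 8, 'bob', 1010),
    // anna closes her browser without saving; her lock expires at t=1900
    'bob retries article 7 at t=1900'   => set_lock($db, 'un_article', 7, 'bob', 1900),
    'anna saves article 7 late, t=1950' => release_lock($db, 'un_article', 7, 'anna', 1950),
    'bob saves article 7 at t=2000'     => release_lock($db, 'un_article', 7, 'bob', 2000),
];
foreach ($steps as $label => $ok) {
    printf("%-36s %s\n", $label, $ok ? 'granted' : 'refused');
}
```

Regular visitors never consult `table_lock`, so reading stays available while an editor holds a lock.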
Re: [PHP] why doesn't default values for this function work - resending because of bad formatting
> What is this mess that you have here :-)

I don't have a clue! :) It looks all right here, when I press send.

> How exactly are you calling the function when no $max_length is passed? If you're doing something like:
>
>     secure_string($string, '', 'error msg');

Just secure_string($string);. In that case, $max_length should be set to -1 (since the function is defined function secure_string($unsafe_string, $max_length = -1, $errormessage = "Too many characters.")). Or is this where I'm mistaken?

The thing is that I've tried with zero, null and 0 as signals to the function that a max_length isn't applied. Nothing works. But I've several functions with the same syntax, all working...

-- anders thoresson
[PHP] web site security: how to hide login info for mysql-connection
Hi,

At the moment I store username, password and database for my MySQL connections in a file called settings.php to avoid putting them in my php files directly. On a Linux server, what extra steps can I take to prevent others from accessing settings.php?

Somewhere, I've read that settings.php should be placed in a directory outside the html/php-directories. Today, my web directory is /home/anders/public_html and subdirectories to public_html. Should settings.php be placed in /home/anders/include?

-- anders thoresson
Re: [PHP] web site security: how to hide login info for mysql-connection
> Be aware that wherever you store the settings folder, your php.ini should have that path in its include_directories setting, and the webserver must have read permissions for that file.

I don't have access to php.ini on my ISP's web server. Is there a way for a user to make their own set of include_directories?

-- anders thoresson
[PHP] session handling works on local server, but not when uploaded to ISP
Hi,

I've a login script that works fine on my local server, but when I run it from my ISP I get the following error:

    Warning: Cannot send session cookie - headers already sent by (output started at /export/home/thore/public_html/phptest/reporter_view.php:5) in /include/accesscontrol.php on line 9

    Warning: Cannot send session cache limiter - headers already sent (output started at /export/home/thore/public_html/phptest/reporter_view.php:5) in /include/accesscontrol.php on line 9

If I had made any mistake in my handling of the session functions, shouldn't that be the case also at my local server?

-- anders thoresson
[PHP] function doesn't return value
Hi,

After a new user has filled in a form to register for my site, I check that she has entered the same password twice by calling a homemade function. Like this:

    $u_pwd = validate_password($_POST['u_pwd'],$_POST['u_pwd1']);

And the function looks like this:

    function validate_password($unchecked_password1, $unchecked_password2, $errortype = 1, $errormessage = "Password must contain just letters and figures.")
    {
        if(!($unchecked_password1 == $unchecked_password2)) {
            error("Passwords entered doesn't match!");
        }
        if(!ereg("(^[a-zA-ZåÅäÄöÖ0-9]{6,15}$)", $unchecked_password2)) {
            if($errortype == 1) {
                error($errormessage);
            }
            Return 1;
        }
    }

I have verified that $_POST['u_pwd'] and $_POST['u_pwd1'] as well as $unchecked_password1 and $unchecked_password2 contain the entered values, but $u_pwd is empty. Why?

As with my previous problems this evening, it works on my local server, but not on my ISP's. At home I'm running Windows 2000 and PHP 4.3.1, while my ISP is on SunOS 5.7 with PHP 4.1.1.

-- anders thoresson
[PHP] differences in session handling between 4.1.1 and 4.3.1
Are there any big differences in session handling between 4.1.1 and 4.3.1 of PHP? Almost nothing works like it should since I have moved my site from my local server (4.3.1 on Win2000) to my ISP (4.1.1 on SunOS 5.7).

I just started to dump my four $_SESSION variables on top of every page, and to my big surprise they change all the time. At login I store the user's userid in $_SESSION['u_id']. At later times, I'm working with $_POST['u_id'] when for example changing administrators for different parts of the site. When I'm doing this, $_SESSION['u_id'] also changes. And at my localhost, $_SESSION stays put.

I'm going crazy here.

-- anders thoresson
Re: [PHP] Re: differences in session handling between 4.1.1 and 4.3.1
> I would also advise to check for register_globals, since I have the faint feeling it was OFF on your old version and ON in your new (though most logical would be vice versa :P)

register_globals are on in 4.1.1 and off in 4.3.1. So, your faint feeling was wrong (which I'm sorry for, cause any feeling that helps me, no matter how faint, is wanted. I'm going crazy here. ;-))

-- anders thoresson
Re: [PHP] function doesn't return value
> AFAIK in PHP, if you don't specifically return something from a function, the function will not return anything.

True. I'm so frustrated over here that I miss the most obvious things. Thanks. Strange thing is that it worked at my localhost, though.

-- anders thoresson
[PHP] session problem solved.
At some places, I was using $_SESSION['u_uname'] as variable name, at others $_SESSION['uname']. Changing to $_SESSION['uname'] throughout my accesscontrol.php solved the problem. Now it works on my ISP's server.

Question is, though: Why does the faulty script work on my localhost? Next step is to try the script that works at my ISP's server at my localhost. ;-)

-- anders thoresson
[PHP] mysql lock
Hi,

I've never used a lock on a MySQL table so far, but need one now. Two questions:

1. Do I set the lock by a normal query, but in the form of LOCK TABLE tablename WRITE, instead of SELECT * FROM tablename WHERE x = 1?

2. Can I set the lock in one query, then perform multiple other queries on the table, in between which I do some PHP work, and then release the lock several queries and lines of PHP code later?

In general, when is it wise to use a lock, and when is it unneeded?

-- anders thoresson
[PHP] need help breaking out of loop.
Hi,

I'm working on a PHP-MySQL planning system for a newspaper. I want to add dates and number for each issue. I have the following code, where $current_date is a unix timestamp. If $current_date is a Saturday or Sunday, I want to quit the current execution of the loop and continue with the next date. But when the if-clause that checks if $issue_day_of_week is Sunday or Saturday is included in my while-loop, everything stalls. Without it, everything goes smoothly. What am I missing?

    while ($i <= $number_of_days) {
        $issue_date = strftime("%Y-%m-%d", $current_date);
        $issue_month = date("m", $current_date);
        $issue_day = date("d", $current_date);
        $issue_day_of_week = date("l", $current_date);
        // Check that $issue_date isn't Saturday or Sunday
        if ($issue_day_of_week == "Sunday" | $issue_day_of_week == "Saturday") {
            continue;
        }
        if ($issue_month == 1 && $issue_day == 1) {
            $issue_number = 1;
            $current_date = $current_date + 86400;
            $i++;
            $issue_number++;
            continue;
        }
        $current_date = $current_date + 86400;
        $i++;
        $issue_number++;
    }

-- anders thoresson
[PHP] problem with mktime
The following line of code doesn't work for me:

    $previous_issue_unixdate = mktime(0, 0, 0, $previous_issue_month, $previous_issue_day, $previous_issue_year, 0);

$previous_issue_month is set to 06, _issue_day is 30 and _issue_year to 2003. Still $previous_issue_unixdate is empty.

-- anders thoresson
[PHP] file upload
Am I making any obvious mistakes here, in my upload script? I want to upload text files only; they should end up in the directory from which the script is executed and be named __traningsmatcher.txt.

HTML-form:

    <FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="store.php">
    <TABLE>
    <INPUT NAME="max_file_size" TYPE="hidden" VALUE="300">
    <TR> <TD>Fil: </TD> <TD><INPUT NAME="userfile" TYPE="file"></TD> </TR>
    <TR> <TD></TD> <TD><INPUT TYPE="submit" VALUE=" skicka "></TD> </TR>
    </TABLE>
    </FORM>

And php, on the receiving end:

    <?php
    // check and validate uploaded file
    if($_FILES['userfile'] == "none") {
        die("Problem: Ingen fil uppladdad.");
    }
    if($_FILES['userfile']['size'] == 0) {
        die("Problem: Filen är tom.");
    }
    if($_FILES['userfile']['type'] != "text/plain") {
        die("Problem: Filen är inte en textfil.");
    }
    if(!is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        die("Problem: Filen är inte uppladdad");
    }
    $upfile = "__traningsmatcher.txt";
    if(!copy($_FILES['userfile']['tmp_name'], $upfile)) {
        die("Kunde inte spara filen");
    }
    echo("Filen är sparad!");
    ?>

-- anders thoresson
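The same checks in a hardened form, as an added example that is not the poster's code: the `type` entry of `$_FILES` is sent by the browser, so the content is inspected with finfo instead, and the size limit is enforced on the server. The function name store_text_upload and the MAX_BYTES constant are assumptions; the field name, the 300-byte limit and the target file name come from the post.

```php
<?php
declare(strict_types=1);

const MAX_BYTES = 300;   // same limit as the hidden max_file_size field in the post

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the destination path; throws RuntimeException when the upload is rejected.
 */
function store_text_upload(array $file, string $destDir): string
{
    // 1. A well-formed single upload has a scalar error code.
    if (!isset($file['error'], $file['tmp_name'], $file['size']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload parameters.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error'] . '.');
    }

    // 2. The form's size field is under the client's control; check again here.
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File is empty or larger than ' . MAX_BYTES . ' bytes.');
    }

    // 3. Only touch files that PHP itself received through an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // 4. Decide the type from the bytes on disk, not from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'text/plain') {
        throw new RuntimeException('File content is not plain text.');
    }

    // 5. The server picks the name; $file['name'] from the client is never used.
    $target = rtrim($destDir, '/\\') . DIRECTORY_SEPARATOR . '__traningsmatcher.txt';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not save the file.');
    }
    return $target;
}

// Request handling for store.php; does nothing when run without an upload.
if (isset($_FILES['userfile']) && is_array($_FILES['userfile'])) {
    try {
        store_text_upload($_FILES['userfile'], __DIR__);
        echo 'File saved.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Problem: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```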
[PHP] when is OOP a good choice?
I've just started to read about - and will soon try to write - object oriented code. I think I've got the basics both from the PHP books I have, and from various sources on the web. But nowhere have I read a good explanation to two of my questions:

1. What are the main benefits from OOP?

2. When is OOP a good choice for a PHP script, and when are ordinary functions a better call?

-- anders thoresson
[PHP] jumping between php and html or using echo for printing html-tags.
Which is more efficient:

    function admin_menu() {
        echo "<B> Meny </B><BR>";
        echo "<A HREF=\"" . $_SERVER['PHP_SELF'] . "?action=" . MANAGE_MEMBERS . "\">Medlemmar</A><BR>";
        echo "<A HREF=\"" . $_SERVER['PHP_SELF'] . "?action=" . MANAGE_ALBUMS . "\">Album</A><BR>";
        echo "<A HREF=\"" . $_SERVER['PHP_SELF'] . "?action=" . INITIAL_PAGE . "\">Huvudmeny</A><BR>";
        echo "<A HREF=\"" . $_SERVER['PHP_SELF'] . "?action=" . LOG_OUT . "\">Logga ut</A><BR>";
    }

or

    function admin_menu() { ?>
    <B> Meny </B><BR>
    <A HREF="<?=$_SERVER['PHP_SELF']?>?action=<?php echo(MANAGE_MEMBERS) ;?>">Medlemmar</A><BR>
    <A HREF="<?=$_SERVER['PHP_SELF']?>?action=<?php echo(MANAGE_ALBUMS) ;?>">Album</A><BR>
    <A HREF="<?=$_SERVER['PHP_SELF']?>?action=<?php echo(INITIAL_PAGE) ;?>">Huvudmeny</A><BR>
    <A HREF="<?=$_SERVER['PHP_SELF']?>?action=<?php echo(LOG_OUT);?>">Logga ut</A><BR>
    <?php }

Any reasons other than speed to choose either?

-- anders thoresson
[PHP] processing form with unknown number of checkboxes, each with a unknown name.
Hi,

I'm building a form which will be used to set access rights to different parts of my web album. When editing the settings for each album, like the album's name and whether or not everyone should be allowed to upload pictures to it, I also present a list of checkboxes to the administrators. One checkbox for each registered user. If checked, the user is allowed to view the pictures; if not checked, no pictures show.

The checkbox part of the form I build uses this code:

    db_connect($dbuser, $dbpassword, $dbdatabase);
    $query = "SELECT userid FROM members";
    $result = mysql_query($query);
    while($row = mysql_fetch_array($result)) {
        echo($row[0]); ?>
        <INPUT TYPE="checkbox" name="<?php echo($row[0])?>" VALUE="YES">
    <?php } ?>

But how do I process this form when saving the settings for the album? For the forms I've built so far, I've known what information I can find in $_REQUEST['']. But this time, I don't know how many checkboxes there are, and what their names will be. How do I do this? Is the form ok, or is a bad form design the reason I can't figure out what the form processing code should be?

-- anders thoresson
[PHP] help needed with form and mysql design.
Hi,

I'm having trouble designing a good html-form/MySQL combination for an access rights system. I'm having three tables in MySQL: members (with member information for my site), albums (with information for separate albums with digital photos on my site) and accessrights (which should function as a bridge between members and albums, controlling which albums a specific member could view).

accessrights is defined by the following:

    CREATE TABLE accessrights (
        albumid INT,
        userid INT,
        access ENUM("Y","N") DEFAULT "N" NOT NULL,
        UNIQUE (albumid, userid)
    );

albumid is from the albums table, and userid from the members table. For each member/album combination I want accessrights to contain one entry with access set to either Y or N. So far everything's alright.

But how do I build a system that lets me control the entries in accessrights? Right now, I'm trying with a form for album editing which contains something like this:

    db_connect($dbuser, $dbpassword, $dbdatabase);
    $query = "SELECT userid FROM members";
    $result = mysql_query($query);
    while($row = mysql_fetch_array($result)) {
        echo($row[0]); ?>
        <INPUT TYPE="checkbox" name="<?php echo($row[0])?>" VALUE="YES">
    <?php } ?>

This creates a checkbox for every member on my site. But the problem is that only checked boxes are passed on to the next script, which processes the form for album editing. This means that if I uncheck a box that's been checked before, this information isn't passed along. From what I understand, information about unchecked boxes is never passed?

Right now, my solution is to first set the field access in the table accessrights to N for every user and then update the table with a Y for those with checked boxes. But how can I limit the MySQL queries to just include members for which the access field has been changed?

-- anders thoresson
[PHP] how to write clean code.
Where can I find good guidelines on how to write PHP-code that's easy to read for a human?

-- anders thoresson
[PHP] help needed building query string based on which form fields that are filled.
Hi,

I've got a html form where not all fields need to be filled by the users. How can I build a MySQL query based on which fields the user has filled? My guess is that I can do something like this:

    if(!empty($f_name)) { some_commands_to_add_$f_name_to_querystring }
    if(!empty($l_name)) { some_commands_to_add_$f_name_to_querystring }
    some_commands_to_build_querystring_based_on_if's
    $result = mysql_query($query)

But what commands/functions should I use to build the query?

-- anders thoresson
[PHP] building web album - design questions
Hi,

I'm planning to build a web album for my digital photographs, and have some questions regarding the design:

1) Is it better to store the images within the database, or just store pointers to the images which are put outside, in the filesystem?

2) At log in, I want to show to which albums new pictures have been added since last visit. For performance reasons, should information about last added pictures be added to the database, or is it ok to make a MySQL query each time, comparing the add-date for every picture in every album with the user's last log in date?

3) If I've understood things right, there are functions within PHP that can handle picture resizing? Is that correct?

Best regards,
Anders Thoresson
[PHP] help with preg_match
Hi,

I'm trying to write a function that validates the input in a textarea. I just want to allow alphanumerical characters, and if the user enters anything else, I display an error message by calling error(). But the following doesn't work. Even if I enter hello in the textarea, I get the error message. What am I missing?

    // validate entered text in textarea
    function validate_textarea($unchecked_text) {
        if (!preg_match ("/^[a-zåäö0-9]$/is", $unchecked_text)) {
            error("You have used unlegal characters, just alphanumeric is ok.");
        }
    }

Best regards,
Anders
[PHP] security in guest book and user forums
I've seen both guest books and user forums hacked by users who enter javascript or other code, and that way redirect visitors to other sites or do other unwelcome things. What expressions should I look for and not allow in my forms?

Best regards,
Anders
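Added example, not from the thread: instead of searching input for forbidden expressions, a guest book can store what was typed and encode it for its output context when the page is rendered, so markup inside an entry is displayed as text. The entry fields (name, homepage, message) and the function names are assumptions, and the sample entries are constructed.

```php
<?php
declare(strict_types=1);

/** Encode text for an HTML element body or a quoted attribute value. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return the URL when it is an absolute http or https URL, otherwise null.
 * Encoding alone does not stop a "javascript:" link, so the scheme is allow-listed.
 */
function safe_http_url(string $url): ?string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return filter_var($url, FILTER_VALIDATE_URL) === false ? null : $url;
}

/** Render one guest book entry as HTML. Every user-supplied value passes through h(). */
function render_entry(array $entry): string
{
    $name = h((string)($entry['name'] ?? ''));
    $url = safe_http_url((string)($entry['homepage'] ?? ''));
    if ($url !== null) {
        $name = '<a href="' . h($url) . '" rel="nofollow noopener">' . $name . '</a>';
    }
    // Encode first, then turn newlines into <br> so line breaks survive.
    $message = nl2br(h((string)($entry['message'] ?? '')));
    return '<div class="entry"><b>' . $name . '</b><p>' . $message . "</p></div>\n";
}

// Constructed sample entries: one ordinary, one carrying markup and a script URL.
$entries = [
    [
        'name' => 'Anna',
        'homepage' => 'https://example.org/',
        'message' => "Nice site!\nSee you again.",
    ],
    [
        'name' => '<script>location="http://example.invalid/"</script>',
        'homepage' => 'javascript:alert(1)',
        'message' => '<img src=x onerror=alert(1)> Tom & "Jerry"',
    ],
];

foreach ($entries as $entry) {
    echo render_entry($entry);
}
```

In the output the second entry's tags appear as `&lt;script&gt;` and `&lt;img ...&gt;` text, and its homepage link is dropped because the scheme is not http or https.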
[PHP] upgrading WAMP environment
I've been using Apache, MySQL and PHP under Win2k for a while to learn PHP. At the moment, I'm running PHP 4.2.2, MySQL 3.23.39 and Apache 2.0.40. During the holidays, I've read about a security hole in MySQL and therefore plan to upgrade to 3.23.54a. At the same time, I want to install PHP 4.3.0 and Apache 2.0.43.

But when I started to look for upgrading instructions for each software package, I found nothing. Therefore, I would like to know how to perform an upgrade of each package. Should the MySQL and Apache daemons be stopped first? Should I install into my current directories? Will my config files be overwritten? Does it matter which of the three I upgrade first? What more should I keep in mind?

If questions like these are considered off topic, please let me know.

Best regards,
Anders
[PHP] preventing sql injections
Would this function do the trick?

    <?php
    // validate.php - functions that validate form input
    function validate_string($unsafe_string) {
        // create array containing bad words
        $badwords = array(";","--","select","drop","insert","xp_","delete");
        $goodwords = array(":","---","choose","leave","add"," ","remove");
        // check for occurrences of $badwords
        for($i=0; $i<7; $i++) {
            $unsafe_string = str_replace($badwords[$i], $goodwords[$i],$unsafe_string);
        }
        $unsafe_string = AddSlashes($unsafe_string);
        $unsafe_string = trim($unsafe_string);
        $safe_string = $unsafe_string;
        Return $safe_string;
    }
    ?>

Br,
Anders
Re: [PHP] preventing sql injections
> addslashes should be enough and put quotes around your strings in the sql

Meaning that a query like this one is safe, as long as I first have $e_namn = addslashes($e_namn);?

    $query = "INSERT INTO addr (last_name, first_name, email) VALUES(\"$e_namn\",\"$f_namn\",\"$email\")";
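Added example, not code from the thread: the INSERT above and the earlier question about building a query from whichever form fields are filled, both written with PDO prepared statements so that values never become part of the SQL text. The in-memory SQLite database stands in for MySQL so the block runs without a server; the function names and sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// With MySQL only the DSN and credentials change; the statements stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE addr (last_name TEXT, first_name TEXT, email TEXT)');

/** Insert one address; the driver sends the values separately from the statement. */
function add_address(PDO $pdo, string $last, string $first, string $email): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO addr (last_name, first_name, email) VALUES (:last, :first, :email)'
    );
    $stmt->execute([':last' => $last, ':first' => $first, ':email' => $email]);
}

/**
 * Search on only the form fields that were filled in.
 * Column names come from a fixed allow-list; user input only ever becomes a bound value.
 */
function find_addresses(PDO $pdo, array $form): array
{
    $allowed = ['f_name' => 'first_name', 'l_name' => 'last_name', 'email' => 'email'];
    $where = [];
    $params = [];
    foreach ($allowed as $field => $column) {
        $value = $form[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            continue;               // field missing, empty, or not a plain string
        }
        $where[] = "$column = :$field";
        $params[":$field"] = trim($value);
    }
    $sql = 'SELECT last_name, first_name, email FROM addr';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $pdo->prepare($sql . ' ORDER BY last_name, first_name');
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed rows: legitimate values containing a quote, ';' and the word "drop",
// which the str_replace() list in the first post of this thread would rewrite.
add_address($pdo, "O'Brien", 'Pat', 'drop-in@example.org');
add_address($pdo, 'Berg; Jr', 'Anna', 'anna@example.org');
// A value shaped like SQL is stored and compared as ordinary text.
add_address($pdo, "x'); DROP TABLE addr; --", 'Eve', 'eve@example.org');

print_r(find_addresses($pdo, ['l_name' => "O'Brien"]));
print_r(find_addresses($pdo, ['f_name' => '', 'email' => 'anna@example.org']));
echo count(find_addresses($pdo, [])), " rows stored\n";
```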
[PHP] ereg.
What's wrong with the following regular expression? As far as I can see, only alphabetic characters, including the special Swedish ones, should be let through, but whatever character is passed on in $_REQUEST['f_name'] passes the test?

    if(!ereg("(^[a-zA-ZåÅäÄöÖ]{4,20})", $_REQUEST['f_name'])) {
        error("Your first name should be between 4 and 20 alphabetic characters");
    }

The next one, used to check valid birthday dates, works. And I can't see where they differ!

    if(!ereg("([0-9]{4})-([0-9]{2})-([0-9]{2})", $_REQUEST['birthday']))

Br,
Anders
[PHP] script design question
As a PHP beginner, I'm not only struggling with sessions, functions and variables, but also with script design and good coding practices. I'm not sure how to best split up the code between different PHP-files.

At the moment, I'm using a skeleton like this for the main script, the one that the website visitor loads:

    <?php
    # raw.php
    include ("db_functions.php");
    include ("html_functions.php");

    # define action constants
    define ("INITIAL_PAGE", 0);
    define ("XX", 1);
    define ("YY", 2);
    define ("ZZ", 3);

    # start
    $title = "";
    $header = "";
    html_begin ($title, $header);

    # if $action is empty, show the start page
    if (empty($action)) $action = INITIAL_PAGE;
    if(isset($_REQUEST["action"])) {
        $action = $_REQUEST["action"];
    }

    # which action?
    switch ($action) {
        case INITIAL_PAGE: break;
        case XX: break;
        case YY: break;
        case ZZ: break;
        default: die("Unknown action: $action");
    }
    html_end();
    ?>

For each case I call functions stored in different include-files. This way I get a rather clean view of the main script, which makes it easy for me to track what happens when.

Is this a good way to do things? When is it a good thing to write multi-purpose scripts like my skeleton above, where one thing is shown on first run and then different things depending on what the user does, and when is it better to put not just functions in other files but also splitting the main script in multiple files?

Best regards,
Anders Thoresson
[PHP] newbie having problem with SID
Hi,

I'm just a few weeks into learning PHP, and now want to understand sessions. But I've run into trouble with the very first script I've tried, even though it's more or less copied from the PHP manual.

    <?php
    include ("html_functions.php");
    $title = "Anders testing SID";
    $header = "";
    html_begin ($title, $header);
    if (!session_is_registered('count')) {
        session_register('count');
        $count = 1;
    } else {
        $count++;
    }
    ?>
    <?php echo $_COOKIE["PHPSESSID"]?> <BR> <BR>
    Hello visitor, you have seen this page <?php echo $count; ?> times.<p>
    To continue, <A HREF="visasida.php?<?php echo SID?>">click here</A>
    <?php html_end(); ?>

The session id isn't attached to the link in the end of the script, and therefore $count always is '1', even after I click the link. But the $_COOKIE[PHPSESSID] does contain a value.

I'm using PHP 4.2.2 and according to phpinfo() session.use_trans_sid is set to '1'. What am I missing?

Best regards,
Anders Thoresson
Re: [PHP] newbie having problem with SID
> You should use the session array ($_SESSION['count']) to handle session persistent data:

Thanks. That solved my problem. At least for the moment. I now realize that all books and all web site prints I have covering sessions are not using the session array, but the older way to handle sessions with session_register(), session_is_registered() and session_unregister().

There are obviously differences in how things are handled now and how they were handled then. Can someone point me to a good session tutorial based on the session array rather than the pre-PHP 4.2 way (I think that's the version when this was changed)?

Best regards,
Anders Thoresson
[PHP] need help with sessions
Hi again,

I'm still trying to understand sessions, and have made some progress during the afternoon, thanks to Ernest E. Vogelsinger. I'm at the moment trying to get a login script up and running, but without 100 percent success.

The script is split up in two major parts: bilder.php, which is the main script, and accesscontrol.php, which should check whether a valid username and password are entered or are already entered.

The first time bilder.php is run, everything works fine. accesscontrol.php gets called, and since I've not logged in, a log in-form is displayed. I enter a valid username and password, which is checked in a MySQL table and get the green light. But then the scripts forget that I've already logged in, and present the log in-form over and over again.

Since I'm new to this list, I'm not sure how big source code snippets are needed and allowed to post. This time I make a rather long posting. If not ok, please let me know.

bilder.php:

    <?php
    # bilder.php
    include ("db_functions.php");
    include ("html_functions.php");
    include ("accesscontrol.php");
    include ("bilder_functions.php");
    session_start();
    define ("INITIAL_PAGE", 0);
    define ("LOGOUT", 1);

    # start
    $title = "bilder";
    $header = "";
    html_begin ($title, $header);

    # if $action is empty, show the start page
    if (empty($action)) $action = INITIAL_PAGE;
    if(isset($_REQUEST["action"])) {
        $action = $_REQUEST["action"];
    }

    # examine $action
    switch ($action) {
        case INITIAL_PAGE: accesscontrol(); menu(); break;
        case LOGOUT: accesscontrol(); logout(); break;
        default: die("Unknown action: $action");
    }
    html_end();
    ?>

*** bilder.php ends here ***

accesscontrol.php

    <?php
    function accesscontrol() {
        # accesscontrol.php - include-file to control that user is logged in
        session_start();

        # check if either $_POST['uid'] or $_SESSION['uid'] is set
        if(!isset($_POST['uid']) OR !isset($_SESSION['uid'])) {
            $title = "log in";
            $header = "";
            html_begin ($title, $header);
            ?>
            <H2>You are not logged in.</H2>
            <p> To see the pictures you need a username and a password.
            If you don't have these, send a <A HREF="mailto:[EMAIL PROTECTED]">mail</A>. </p>
            <p>
            <FORM METHOD="POST" ACTION="<?=$_SERVER['PHP_SELF']?>">
            <TABLE>
            <TR> <TD>Name:</TD> <TD><input name="uid" type="text" maxlength="20" size="15"></TD> </TR>
            <TR> <TD>Password: </TD> <TD><input name="pwd" type="password" maxlength="10" size="15"></TD> </TR>
            <TR> <TD></TD> <TD><input type="submit" name="skicka" value=" OK "> <input type="reset" value="Clear"></TD> </TR>
            </TABLE>
            </FORM>
            </p>
            <?php
            html_end();
            exit;
        }

        # if either $_POST['uid'] or $_SESSION['uid'] is set, here is where one ends up
        $_SESSION['uid'] = $_POST['uid'];
        $_SESSION['pwd'] = $_POST['pwd'];
        $uid = $_SESSION['uid'];
        $pwd = $_SESSION['pwd'];

        # db_connect is my own function to connect to my database
        db_connect ("XXX", "YYY", "ZZZ");
        $sql = "SELECT * FROM users WHERE userid = '$uid' AND password = PASSWORD('$pwd')";
        $result = mysql_query($sql);
        if(!$result) {
            error("An error occured while your username and password were processed.\\n");
        }
        if(mysql_num_rows($result) == 0) {
            unset($_SESSION['uid']);
            unset($_SESSION['pwd']);
            $title = "log in - error";
            $header = "";
            html_begin ($title, $header);
            ?>
            <H2> Log in failure! </H2>
            <p> Your username or password was wrong. <A HREF="<?=$_SERVER['PHP_SELF']?>">Try again</A>.
            <?php
            html_end();
            exit;
        }
        $_SESSION['username'] = mysql_result($result,0,"fullname");
    }
    ?>

*** accesscontrol.php ends here ***

My non-educated guess is that there is something wrong with the line if(!isset($_POST['uid']) OR !isset($_SESSION['uid'])). Also, at the moment I have a session_start(); in both files. Right or wrong?

Best regards,
Anders
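A login gate with the same shape as accesscontrol(), as an added example that is not the poster's code: the session is consulted first, POST credentials are only used for a new login, the lookup is a prepared statement, and the password itself is never kept in the session. The users table layout with a pwd_hash column filled by password_hash() is an assumption that replaces MySQL's PASSWORD() from the post, and the in-memory SQLite database with its sample user is constructed so the block runs without a server.

```php
<?php
declare(strict_types=1);

/** Return the user's row (without the hash) when the credentials match, otherwise null. */
function authenticate(PDO $pdo, string $uid, string $pwd): ?array
{
    $stmt = $pdo->prepare('SELECT userid, fullname, pwd_hash FROM users WHERE userid = :uid');
    $stmt->execute([':uid' => $uid]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the typed password against the stored salted hash.
    if ($user === false || !password_verify($pwd, $user['pwd_hash'])) {
        return null;
    }
    unset($user['pwd_hash']);
    return $user;
}

/**
 * Gate for a protected page. Returns true when the visitor is logged in and
 * false when the caller should show the login form.
 */
function accesscontrol(PDO $pdo): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // once per request, before any output is sent
    }
    // 1. Logged in on an earlier request: the session alone decides.
    if (isset($_SESSION['uid'])) {
        return true;
    }
    // 2. Otherwise a login attempt needs both POST fields as plain strings.
    $uid = $_POST['uid'] ?? null;
    $pwd = $_POST['pwd'] ?? null;
    if (!is_string($uid) || !is_string($pwd)) {
        return false;
    }
    $user = authenticate($pdo, $uid, $pwd);
    if ($user === null) {
        return false;
    }
    // 3. Fresh session id after login; store identity only, never the password.
    session_regenerate_id(true);
    $_SESSION['uid'] = $user['userid'];
    $_SESSION['username'] = $user['fullname'];
    return true;
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, fullname TEXT, pwd_hash TEXT)');
$pdo->prepare('INSERT INTO users (userid, fullname, pwd_hash) VALUES (?, ?, ?)')
    ->execute(['anna', 'Anna Example', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, 'anna', 'correct horse'));   // matching credentials
var_dump(authenticate($pdo, 'anna', 'wrong'));           // wrong password
var_dump(authenticate($pdo, "anna' OR '1'='1", 'x'));    // quote characters are just data
```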