I feel this won't be the last as I am building a whole system, so here is the first problem, lol...

I am designing an e-commerce site. I am currently on the page where users will be created by administrators, and eventually, themselves, (as a registration), but initially this is just for admins.

Basically the form asks the admin who is logged in, to enter a username and password, which can then be used to log in. At the moment this just works on the admin logon, as there is no customer login, but I am creating that. I have added a bool field to my users table, which specifices 1 or 0, for admin or NOT admin, respectively.

At the moment, this is the code for my checkbox on the form page;


<td width="150" class="label">Admin?</td>
<td class="content"> <input name="boolAdmin" type="checkbox" id="boolAdmin"></td>
</table>

This then transfers to a processing document which carries the function through to the database. The boolAdmin is referred to in the database as 'user_admin', as a boolean(1);


function addUser()
{
$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];
$user_admin = $_POST['boolAdmin'];

/*
// the password must be at least 6 characters long and is
// a mix of alphabet & numbers
if(strlen($password) < 6 || !preg_match('/[a-z]/i', $password) ||
!preg_match('/[0-9]/', $password)) {
//bad password
}
*/
// check if the username is taken
$sql = "SELECT user_name
FROM tbl_user
WHERE user_name = '$userName'";
$result = dbQuery($sql);

if ($user_admin == "checked") {
$user_admin == 1;
} else {
$user_admin == 0;
}

if (dbNumRows($result) == 1) {
header('Location: index.php?view=add&error=' . urlencode('Username already taken. Choose another one'));
} else {
$sql = "INSERT INTO tbl_user (user_name, user_password, user_regdate, user_admin)
VALUES ('$userName', PASSWORD('$password'), NOW(), )";

dbQuery($sql);
header('Location: index.php');
}
}

The important part is in the middle;



if ($user_admin == "checked") {
$user_admin == 1;
} else {
$user_admin == 0;
}


Firstly, this did work, as just to add the user, but it was irrelevant whether the checkbox was checked or not. It always made the user 0 to being admin, as usual.

I need to transfer something to the database in this line, in the above function:



"INSERT INTO tbl_user (user_name, user_password, user_regdate, user_admin)
VALUES ('$userName', PASSWORD('$password'), NOW(),XXXXXXXXXXXXXXX )";

in the part marked with the XXXX's... but Im not sure what format to put it through as?

Then, I changed it to "checked", and it now errors saying this:


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 2

This line two refers to a completely different file, so I am a little reluctant to believe that is the main cause. I just feel my coding in the add user function is incorrect.

To make it clear, I want the administrator to be able to "add new user", enter a username and password of their choice, and then tick the box to say ADMIN, if they want them to be an admin also. Otherwise, they will just be a normal customer.

Many thanks for ALL help, firstly I need to work out whether "checked" is even valid... haha

cheers

:xmas:

<td width="150" class="label">Admin?</td>
<td class="content"> <input name="boolAdmin" value="true" type="checkbox" id="boolAdmin"></td>
</table>and


if ($user_admin == "true") {
$user_admin = '1'; // '==' compares, '=' sets
} else {
$user_admin = '0';
}with


"INSERT INTO tbl_user (user_name, user_password, user_regdate, user_admin)
VALUES ('$userName', PASSWORD('$password'), NOW(), $user_admin
)";

YES SMIFIS! YOU DA MAN!

Thankyou muchly :D :D :D +rep

no doubt there will be more, this is just the first stage! many, many thanks!

Does it work?

I have this tenancy of missing ';'s and miss spelling things.

Also, if you need anything else, my msns on my profile

== is a comparitor

= sets a variable

$user_admin = '1'; // '==' compares, '=' sets

one step ahead :D

one step ahead :D

you wish :lol:

I dont need to wish, you wish that i wish :D:D

Ah dont you love my smarticles!

Could you come on msn? I've been meaning to ask you something

Right, next bit, Im trying to get it so that when an admin logs in, it redirects to the admin page, and when a user logs in, it goes to the user page, here is the function.

I get to the logon screen, but it rejects ALL logins... admin or no admin?


function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = '';

$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];

// first, make sure the username & password are not empty
if ($userName == '') {
$errorMessage = 'You must enter your username';
} else if ($password == '') {
$errorMessage = 'You must enter the password';
} else {
// check the database and see if the username and password do match
$sql = "SELECT user_id, user_admin
FROM tbl_user
WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
$result = dbQuery($sql);

if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['plaincart_user_id'] = $row['user_id'];

// log the time when the user last login
$sql = "UPDATE tbl_user
SET user_last_login = NOW()
WHERE user_id = '{$row['user_id']}'";
dbQuery($sql);

// now that the user is verified we move on to the next page
// if the user had been in the admin pages before we move to
// the last page visited
if ($user_admin == "true") {
header('Location: index.php');
exit;
} else {
header('Location:' . WEB_ROOT . 'customer/index.php');
}
} else {
$errorMessage = 'Wrong username or password';
}

}

return $errorMessage;
}original code



function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = '';

$userName = $_POST['txtUserName'];
$password = $_POST['txtPassword'];

// first, make sure the username & password are not empty
if ($userName == '') {
$errorMessage = 'You must enter your username';
} else if ($password == '') {
$errorMessage = 'You must enter the password';
} else {
// check the database and see if the username and password combo do match
$sql = "SELECT user_id
FROM tbl_user
WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
$result = dbQuery($sql);

if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['plaincart_user_id'] = $row['user_id'];

// log the time when the user last login
$sql = "UPDATE tbl_user
SET user_last_login = NOW()
WHERE user_id = '{$row['user_id']}'";
dbQuery($sql);

// now that the user is verified we move on to the next page
// if the user had been in the admin pages before we move to
// the last page visited
if (isset($_SESSION['login_return_url'])) {
header('Location: ' . $_SESSION['login_return_url']);
exit;
} else {
header('Location: index.php');
exit;
}
} else {
$errorMessage = 'Wrong username or password';
}

}

return $errorMessage;
}
It does some fancy bit where it returns the admin to the last page they visited :P

sql injection - google it.... one mo

So it's a pretty unsafe way of doing it?

Yes,

Read, decipher, and learn


function clean_input($input)
{
if(get_magic_quotes_gpc())
{
//Remove slashes that were used to escape characters in post.
$input = stripslashes($input);
}
//Remove ALL HTML tags to prevent XSS and abuse of the system.
$input = strip_tags($input);
//Escape the string for insertion into a MySQL query, and return it.
return mysql_real_escape_string($input);
}

function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = array();

$userName = clean_input($_POST['txtUserName']);
$password = clean_input($_POST['txtPassword']);

// first, make sure the username & password are not empty
if ($userName == '') {
$errorMessage[] = 'You must enter your username';
} else if ($password == '') {
$errorMessage[] = 'You must enter the password';
}

if (sizeof($errormessage)==0)
{
// check the database and see if the username and password do match
$sql = "SELECT user_id, user_admin
FROM tbl_user
WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
$result = dbQuery($sql);

if (dbNumRows($result) == 1)
{
$row = dbFetchAssoc($result);
$_SESSION['plaincart_user_id'] = $row['user_id'];

// log the time when the user last login
$sql = "UPDATE tbl_user
SET user_last_login = NOW()
WHERE user_id = '{$row['user_id']}'";
dbQuery($sql);

// now that the user is verified we move on to the next page
// if the user had been in the admin pages before we move to
// the last page visited
if ($user_admin == "true")
{
header('Location: index.php');
exit;
} else {
header('Location:' . WEB_ROOT . 'customer/login.php');
exit;
}
} else {
$errorMessage[] = 'Wrong username or password';
}

}
$msg='The following Errors occured:<ul>';
foreach ($errorMessage as $error)
{
$msg.='<li>'.$error.'</li>';
}
$msg.='</ul>'
return $msg;
}

Hmm.. It does have a checker at the top of each page, though, that checks the user is a valid user and allowed to access the page;



function checkUser()
{
if (!isset($_SESSION['plaincart_user_id'])) {
header('Location: ' . WEB_ROOT . 'admin/login.php');
}

if (isset($_GET['logout'])) {
doLogout();
}
}

cleaninput() stops sql injection.

Ok, so I can just shove that at the top of every page and Im in business.

Nice one.

Still not got the login working though... it didn't like your RETURN, said something about T_RETURN didnt work.

Ah, and




Notice: Undefined variable: errormessage in /functions.php on line 53

Notice: Undefined variable: user_admin in /functions.php on line 76

Warning: Cannot modify header information - headers already sent by (output started at /functions.php:53) in /functions.php on line 81

So... I cleared them up and got it having no errors :)

But... it still doesn't work. It just redirects to customer/index.php every time, user_admin=1, or user_admin=0 :(


function clean_input($input)
{
if(get_magic_quotes_gpc())
{
//Remove slashes that were used to escape characters in post.
$input = stripslashes($input);
}
//Remove ALL HTML tags to prevent XSS and abuse of the system.
$input = strip_tags($input);
//Escape the string for insertion into a MySQL query, and return it.
return mysql_real_escape_string($input);
}

function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = 0;

$userName = clean_input($_POST['txtUserName']);
$password = clean_input($_POST['txtPassword']);

// first, make sure the username & password are not empty
if ($userName == '') {
$errorMessage = 'You must enter your username';
} else if ($password == '') {
$errorMessage = 'You must enter the password';
} else {
// check the database and see if the username and password combo do match
$sql = "SELECT user_id
FROM tbl_user
WHERE user_name = '$userName'
AND user_password = '$password'";
$sql1 = "SELECT user_admin
FROM tbl_user
WHERE user_name = '$userName'
AND user_password = '$password'";
$result = dbQuery($sql);
$admin = dbQuery($sql1);
if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['plaincart_user_id'] = $row['user_id'];

// log the time when the user last login
$sql = "UPDATE tbl_user
SET user_last_login = NOW()
WHERE user_id = '{$row['user_id']}'";
dbQuery($sql);

// now that the user is verified we move on to the next page
// if the user had been in the admin pages before we move to
// the last page visited
if ($admin == "1")
{
header('Location: index.php');
exit;
} else {
header('Location:' . WEB_ROOT . 'customer/index.php');
exit;
}
} else {
$errorMessage = 'Wrong username or password';
}

}

return $errorMessage;
}


It's probably a clumsy way of doing it, having two queries but I don't really understand it :/

What's the whole functions.php file?

there are only 71 lines in the code i posted

Added after 3 minutes:

You forgot to get $admin out of the database, i also tidied up the sql



function clean_input($input)
{
if(get_magic_quotes_gpc())
{
//Remove slashes that were used to escape characters in post.
$input = stripslashes($input);
}
//Remove ALL HTML tags to prevent XSS and abuse of the system.
$input = strip_tags($input);
//Escape the string for insertion into a MySQL query, and return it.
return mysql_real_escape_string($input);
}

function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = '';

$userName = clean_input($_POST['txtUserName']);
$password = clean_input($_POST['txtPassword']);

// first, make sure the username & password are not empty
if ($userName == '') {
$errorMessage .= 'You must enter your username,';
} else if ($password == '') {
$errorMessage .= 'You must enter the password,';
} else {
// check the database and see if the username and password combo do match
$sql = "SELECT *
FROM tbl_user
WHERE user_name = '$userName'
AND user_password = '$password'";

$result = dbQuery($sql);

if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['plaincart_user_id'] = $row['user_id'];
$admin = $row['user_admin'];

// log the time when the user last login
$sql = "UPDATE tbl_user
SET user_last_login = NOW()
WHERE user_id = '{$row['user_id']}'";
dbQuery($sql);

// now that the user is verified we move on to the next page
// if the user had been in the admin pages before we move to
// the last page visited
if ($admin == "1")
{
header('Location: index.php');
exit;
} else {
header('Location:' . WEB_ROOT . 'customer/index.php');
exit;
}
} else {
$errorMessage = 'Wrong username or password';
}

}

return $errorMessage;
}

Ok... you asked for it :P


<?php

/*
Check if a session user id exist or not. If not set redirect
to login page. If the user session id exist and there's found
$_GET['logout'] in the query string logout the user
*/
function checkUser()
{
// if the session id is not set, redirect to login page
if (!isset($_SESSION['plaincart_user_id'])) {
header('Location: ' . WEB_ROOT . 'admin/login.php');
exit;
}

// the user want to logout
if (isset($_GET['logout'])) {
doLogout();
}
}

/*

*/
function clean_input($input)
{
if(get_magic_quotes_gpc())
{
//Remove slashes that were used to escape characters in post.
$input = stripslashes($input);
}
//Remove ALL HTML tags to prevent XSS and abuse of the system.
$input = strip_tags($input);
//Escape the string for insertion into a MySQL query, and return it.
return mysql_real_escape_string($input);
}

function doLogin()
{
// if we found an error save the error message in this variable
$errorMessage = 0;

$userName = clean_input($_POST['txtUserName']);
$password = clean_input($_POST['txtPassword']);

// first, make sure the username & password are not empty
if ($userName == '') {
$errorMessage = 'You must enter your username';
} else if ($password == '') {
$errorMessage = 'You must enter the password';
} else {
// check the database and see if the username and password combo do match
$sql = "SELECT user_id
FROM tbl_user
WHERE user_name = '$userName'
AND user_password = '$password'";
$sql1 = "SELECT user_admin
FROM tbl_user
WHERE user_name = '$userName'
AND user_password = '$password'";
$result = dbQuery($sql);
$admin = dbQuery($sql1);
if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['plaincart_user_id'] = $row['user_id'];

// log the time when the user last login
$sql = "UPDATE tbl_user
SET user_last_login = NOW()
WHERE user_id = '{$row['user_id']}'";
dbQuery($sql);

// now that the user is verified we move on to the next page
// if the user had been in the admin pages before we move to
// the last page visited
if ($admin == "1")
{
header('Location: index.php');
exit;
} else {
header('Location:' . WEB_ROOT . 'customer/index.php');
exit;
}
} else {
$errorMessage = 'Wrong username or password';
}

}

return $errorMessage;
}

/*
Logout a user
*/
function doLogout()
{
if (isset($_SESSION['plaincart_user_id'])) {
unset($_SESSION['plaincart_user_id']);
session_unregister('plaincart_user_id');
}

header('Location: login.php');
exit;
}


/*
Generate combo box options containing the categories we have.
if $catId is set then that category is selected
*/
function buildCategoryOptions($catId = 0)
{
$sql = "SELECT cat_id, cat_parent_id, cat_name
FROM tbl_category
ORDER BY cat_id";
$result = dbQuery($sql) or die('Cannot get Product. ' . mysql_error());

$categories = array();
while($row = dbFetchArray($result)) {
list($id, $parentId, $name) = $row;

if ($parentId == 0) {
// we create a new array for each top level categories
$categories[$id] = array('name' => $name, 'children' => array());
} else {
// the child categories are put int the parent category's array
$categories[$parentId]['children'][] = array('id' => $id, 'name' => $name);
}
}

// build combo box options
$list = '';
foreach ($categories as $key => $value) {
$name = $value['name'];
$children = $value['children'];

$list .= "<optgroup label=\"$name\">";

foreach ($children as $child) {
$list .= "<option value=\"{$child['id']}\"";
if ($child['id'] == $catId) {
$list.= " selected";
}

$list .= ">{$child['name']}</option>\r\n";
}

$list .= "</optgroup>";
}

return $list;
}

/*
If you want to be able to add products to the first level category
replace the above function with the one below
*/
/*

function buildCategoryOptions($catId = 0)
{
$sql = "SELECT cat_id, cat_parent_id, cat_name
FROM tbl_category
ORDER BY cat_id";
$result = dbQuery($sql) or die('Cannot get Product. ' . mysql_error());

$categories = array();
while($row = dbFetchArray($result)) {
list($id, $parentId, $name) = $row;

if ($parentId == 0) {
// we create a new array for each top level categories
$categories[$id] = array('name' => $name, 'children' => array());
} else {
// the child categories are put int the parent category's array
$categories[$parentId]['children'][] = array('id' => $id, 'name' => $name);
}
}

// build combo box options
$list = '';
foreach ($categories as $key => $value) {
$name = $value['name'];
$children = $value['children'];

$list .= "<option value=\"$key\"";
if ($key == $catId) {
$list.= " selected";
}

$list .= ">$name</option>\r\n";

foreach ($children as $child) {
$list .= "<option value=\"{$child['id']}\"";
if ($child['id'] == $catId) {
$list.= " selected";
}

$list .= ">&nbsp;&nbsp;{$child['name']}</option>\r\n";
}
}

return $list;
}
*/

/*
Create a thumbnail of $srcFile and save it to $destFile.
The thumbnail will be $width pixels.
*/
function createThumbnail($srcFile, $destFile, $width, $quality = 75)
{
$thumbnail = '';

if (file_exists($srcFile) && isset($destFile))
{
$size = getimagesize($srcFile);
$w = number_format($width, 0, ',', '');
$h = number_format(($size[1] / $size[0]) * $width, 0, ',', '');

$thumbnail = copyImage($srcFile, $destFile, $w, $h, $quality);
}

// return the thumbnail file name on sucess or blank on fail
return basename($thumbnail);
}

/*
Copy an image to a destination file. The destination
image size will be $w X $h pixels
*/
function copyImage($srcFile, $destFile, $w, $h, $quality = 75)
{
$tmpSrc = pathinfo(strtolower($srcFile));
$tmpDest = pathinfo(strtolower($destFile));
$size = getimagesize($srcFile);

if ($tmpDest['extension'] == "gif" || $tmpDest['extension'] == "jpg")
{
$destFile = substr_replace($destFile, 'jpg', -3);
$dest = imagecreatetruecolor($w, $h);
imageantialias($dest, TRUE);
} elseif ($tmpDest['extension'] == "png") {
$dest = imagecreatetruecolor($w, $h);
imageantialias($dest, TRUE);
} else {
return false;
}

switch($size[2])
{
case 1: //GIF
$src = imagecreatefromgif($srcFile);
break;
case 2: //JPEG
$src = imagecreatefromjpeg($srcFile);
break;
case 3: //PNG
$src = imagecreatefrompng($srcFile);
break;
default:
return false;
break;
}

imagecopyresampled($dest, $src, 0, 0, 0, 0, $w, $h, $size[0], $size[1]);

switch($size[2])
{
case 1:
case 2:
imagejpeg($dest,$destFile, $quality);
break;
case 3:
imagepng($dest,$destFile);
}
return $destFile;

}

/*
Create the paging links
*/
function getPagingNav($sql, $pageNum, $rowsPerPage, $queryString = '')
{
$result = mysql_query($sql) or die('Error, query failed. ' . mysql_error());
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$numrows = $row['numrows'];

// how many pages we have when using paging?
$maxPage = ceil($numrows/$rowsPerPage);

$self = $_SERVER['PHP_SELF'];

// creating 'previous' and 'next' link
// plus 'first page' and 'last page' link

// print 'previous' link only if we're not
// on page one
if ($pageNum > 1)
{
$page = $pageNum - 1;
$prev = " <a href=\"$self?page=$page{$queryString}\">[Prev]</a> ";

$first = " <a href=\"$self?page=1{$queryString}\">[First Page]</a> ";
}
else
{
$prev = ' [Prev] '; // we're on page one, don't enable 'previous' link
$first = ' [First Page] '; // nor 'first page' link
}

// print 'next' link only if we're not
// on the last page
if ($pageNum < $maxPage)
{
$page = $pageNum + 1;
$next = " <a href=\"$self?page=$page{$queryString}\">[Next]</a> ";

$last = " <a href=\"$self?page=$maxPage{$queryString}{$queryString}\">[Last Page]</a> ";
}
else
{
$next = ' [Next] '; // we're on the last page, don't enable 'next' link
$last = ' [Last Page] '; // nor 'last page' link
}

// return the page navigation link
return $first . $prev . " Showing page <strong>$pageNum</strong> of <strong>$maxPage</strong> pages " . $next . $last;
}
?>

Thanks for your help Smifis

Added after 2 minutes:

Oh. HE DOES IT AGAIN!

Im such a dumbass, I didn't realise $row fetched a value :( Ive been searching the net for hours on "getting value from sql into php" to no avail :(

thanks a lot Smifis

The error messages dont match up to anything

the 'headers already sent' is most likely due to blank space at the beginning of a document (not functions.php, but the file calling the function),
delete this, and it should all be good again, if you can see anything, you might want to have a sneek peek in edit, (Start>Run>edit (drag the file into the box after typing this) > enter> delete the boxes at the beginning)

Added after 10 minutes:



Added after 2 minutes:

Oh. HE DOES IT AGAIN!

Im such a dumbass, I didn't realise $row fetched a value :( Ive been searching the net for hours on "getting value from sql into php" to no avail :(

thanks a lot Smifis
hah, it's just simple things.

A crash course is as follows,

Clean everything that goes into as database beforehand using clean_input(), check everything between each step, dont assume. So dont startb a function grabbing values from a form, check the form's been sent.

Keep error messages in a global variable, index them with an array,
so the beginning of each function should have

global $errors;
then to add an error, you call
$error[]='this is my new error';.

later when you parse the page into some html, you can check if the array is empty, is it isn't then loop through each error and output them.

Read into OOP, believe me, that is the stuff you want to learn. dont start with it, but read about it, it takes a while to get your head around.

have database functions, so, have db_query('SELECT * mytable WHERE abc=\'' . $my var . '\''); then in the function, you can start to think about caching options to improve overall performance.

Get the backend done before making it look nice.

use print_r to see what arrays are is you have to.

draw out to structure on paper.

look into already made classes.

ask a friend etc

i've relised i've started to ramble so i'm going to stop now

Ok I will check it all out.

tomorrows job is to verify on every page the user is an admin, or not.
And.... sort the filters for what they can see, for example the order info
and then sort all the link :)

and then a whole lot more! super!

cheers

what i would suggest doing is setting a session value to dictate if it is an admin or not and restrict access, not redirect.
so in your login script

if ($admin == "1")
{
header('Location: index.php');
exit;
} else {
header('Location:' . WEB_ROOT . 'customer/index.php');
exit;
} you have


$_SESSION['is_admin'] = $row['user_admin'];


And then on admin restricted pages you have

if (!$_SESSION['is_admin']) {
header('location: index.php');
exit;
}

Right, Ok, I have been thinking about it and am not sure whether a user section may be too much work. It's still out there for consideration, but at the moment I have paused it.

My next one to do I decided, was tracking of the order. I did the code, quite well if I may say so, or so I thought, until it didn't work!!
Here is the tracking page:



<?php
require_once '../library/config.php';
require_once './library/functions.php';

$errorMessage = '&nbsp;';
$row = '&nbsp;';

if (isset($_POST['txtOrder'])) {
$result = doTrack();

if ($result != '') {
$errorMessage = $result;
}
}
?>
<html>
<head>
<title>Shop User - Track Order</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="include/admin.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width="750" border="0" align="center" cellpadding="0" cellspacing="1" class="graybox">
<tr>
<td><img src="include/banner-top.gif" width="750" height="75"></td>
</tr>
<tr>
<td valign="top"> <table width="100%" border="0" cellspacing="0" cellpadding="20">
<tr>
<td class="contentArea"> <form method="post" name="frmTrack" id="frmTrack">
<p>&nbsp;</p>
<table width="350" border="0" align="center" cellpadding="5" cellspacing="1" bgcolor="#336699" class="entryTable">
<tr id="entryTableHeader">
<td>Track Order</td>
</tr>
<tr>
<td class="contentArea">
<div class="errorMessage" align="center"><?php echo $errorMessage; ?><?php echo $row; ?></div>
<table width="100%" border="0" cellpadding="2" cellspacing="1" class="text">
<tr align="center">
<td colspan="3">&nbsp;</td>
</tr>
<tr class="text">
<td width="100" align="right">Order Number</td>
<td width="10" align="center">:</td>
<td><input name="txtOrder" type="text" class="box" id="txtOrder" size="10" maxlength="20"></td>
</tr>
<tr>
<td width="100" align="right">Postcode</td>
<td width="10" align="center">:</td>
<td><input name="txtPostcode" type="text" class="box" id="txtPostcode" size="10"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
<td><input name="btnTrack" type="submit" class="box" id="btnTrack" value="Track Order"></td>
</tr>
</table></td>
</tr>
</table>
<p>&nbsp;</p>
</form></td>
</tr>
</table></td>
</tr>
</table>
<p>&nbsp;</p>
</body>
</html>


Here is the function that deals with the track query:


function doTrack()
{
// if we found an error save the error message in this variable
$errorMessage = '';

$orderno = clean_input($_POST['txtOrder']);
$postcode = clean_input($_POST['txtPostcode']);

// first, make sure the username & password are not empty
if ($orderno == '') {
$errorMessage .= 'You must enter your order number,';
} else if ($postcode == '') {
$errorMessage .= 'You must enter the postcode,';
} else {
// check the database and see if the username and password combo do match
$sql = "SELECT od_status
FROM tbl_order
WHERE od_id = '$orderno'
AND od_shipping_postal_code = '$postcode'";
$result = dbQuery($sql);

if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
} else {
$errorMessage = 'Wrong username or password';
}

}
return $errorMessage;
return $row;
}


It should, in theory, place the Order status into the variable $row (not sure about the name, dont ask), but it doesn't come back with anything... It feeds back error messages saying "enter a username", so I know that the function contact actually works, just something to do with the query is borked :S

any help appreciated!

A pointer:
Instead of constantly doing this:

if ($result != '') {...Why not do this:

if (!empty($result)) {...Are you making your database connection BEFORE clean_input() runs? A database connection is required for mysql_real_escape_string() to work.

If you still can't work it out, why not have the code print the query out before executing it so you can check it's correct?

Right, Thanks for the advice, will remember that if I can!!

The database connection is working, because the function file is full of functions, one of which is seen earlier in this thread, to log in as a user_admin or not, and that works, I believe the functions.php calls a config file to log into the database.

I KNOW the code is working, because, when I type an invalid order number/postcode (one that definitley does not exist), it says "please enter a valid order number/postcode". BUT, when I do type a REAL order number and postcode, it says nothing. The error MUST be in my $_POST, it's somehow not exporting the value across. I tried setting the $status as just a random string, "hello" or something, just to see if it outputs, but it doesn't, so even if it is getting it from the database correctly, then it isn't outputting it.

This leads me to believe the error is in either of these code sections;



require_once './library/functions.php';

$errorMessage = '&nbsp;';
$row = '&nbsp;';

.................................//leads to this eventually :

<div align="center"><?php echo $row; ?></div>

and then, in the functions.php, it is this part:




$sql = "SELECT od_status
FROM tbl_order
WHERE od_id = '$orderno'
AND od_shipping_postal_code = '$postcode'";
$result = dbQuery($sql);

if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
} else {
$errorMessage = 'Wrong username or password';
}

}
return $errorMessage;
return $row;
}
I have coped it from the login, so I don't see why it isn't working, but the login doesn't POST, it just redirects... so I have definitely done something wrong!

edit: in declaring the $row as &nbsp, surely I have just cleared it? wtf!?

How do I declare it, but not void the value?

AND, return ENDS THE FUNCTION? So I need to build the error message and the row into an array to send it back, as return can only send 1 item back?

I think you've jumped into this way too quickly,

Draw out the system out on paper first, how everything will interact with each other, what functions you need and make a todo list.

set the php error reporting flags to help you :)

I think you've jumped into this way too quickly,

Draw out the system out on paper first, how everything will interact with each other, what functions you need and make a todo list.

The system is fully designed, old system analysed, I have data dictionaries, system objectives, site maps, hierarchy/structure diagrams, everything is sorted... I just don't really know how to do any of it :|

What made you say that anyway, I've am learning more every day I work with it, just struggling with one, tiny part...

That's a good idea DoubleTop, thankyou.

Get paper and draw it out,

You have to ask yourself, how is it going to work?

[Find product] -> [Add to basket] -> [Login/Register] - > {Shipping] - > [Confirmation] - >[Payment] -> [Notify shop owner of order].

How is it possible to get from one step to another? How do you even achieve the first step?

To Find a product, you need to
- have a way to cataloging them
- have categories
- and have a way of displaying them

etc...

I have this?

Although, lol, I noticed earlier I had 2 cakes in the basket and they were £3 each, total cost was £5... LOL, most basic of functions = fail.

Ah, and also, im sorry if I didn't make it clear at the start that the basics have been done... I understand your scepticism.

Not very competitively priced. :p

Lol, this is true, but the items are just for test purposes :P

lololololol:

http://www4.picturepush.com/photo/a/4710767/640/Web-Design/uberfail.jpg

Hmmm, YOU FORGOT TO ASK ME FOR MY EMAIL ADDRESS!


Lol, this is true, but the items are just for test purposes :P

lololololol:

http://www4.picturepush.com/photo/a/4710767/640/Web-Design/uberfail.jpg
what now?
that doesn't work

Yes I will go and have a look THOMAS SMITH!, it's rather embarrassing :D

AHA, that didnt take long!! The items are to 2 dp, and my integers aren't. lol....

but, how to solve it? it's a 9,2, decimal, so no probs in the database, but on the webpage... google here I come

lol,

well everything should be without tax/vat

so lets say, the price exc vat is 12.68, you multiply it by two, to get 25.36, then you ad vat which adds to 29.798

Right, well, I would assume the prices would include VAT already, as it's going to be mainly private customers.

In the database it says "pink cake, 2.50", on the webpage to buy it it rounds it to £3, but if I add two to the basket, it makes it £5, because it's got the original 2.5.
It's pretty annoying. I tried number_format but it didn't like that...

How on earth do you do that!?

just get the value from the database and echo it.

That's exactly what ive done!!! and it's limiting it to 0dp!!! I'll go and recheck the code...

Here is the function that obtains it;



function getProductDetail($pdId, $catId)
{

$_SESSION['shoppingReturnUrl'] = $_SERVER['REQUEST_URI'];

// get the product information from database
$sql = "SELECT pd_name, pd_description, pd_price, pd_image, pd_qty
FROM tbl_product
WHERE pd_id = $pdId";

$result = dbQuery($sql);
$row = dbFetchAssoc($result);
extract($row);

$row['pd_description'] = nl2br($row['pd_description']);

if ($row['pd_image']) {
$row['pd_image'] = WEB_ROOT . 'images/product/' . $row['pd_image'];
} else {
$row['pd_image'] = WEB_ROOT . 'images/no-image-large.png';
}

$row['cart_url'] = "cart.php?action=add&p=$pdId";

return $row;
}Lol, screw finding it! I just deleted it and it works... got to remove it from every instance now though!

edit again. Actually, that isn't efficient is it?

I found it!!


function displayAmount($amount)
{
global $shopConfig;
return $shopConfig['currency'] . number_format($amount);
}


Kind of weird... as it is completely unnecessary... lol.

erm... print_r(getProductDetail(26,19)); and post the results

Chocolate Delight
Price : £2
Array ( [pd_name] => Chocolate Delight [pd_description] => This cake is filled with chocolate goodness! [pd_price] => 1.50 [pd_image] => /cake/images/product/df3c93b616e570791af1453cab256617.jpg [pd_qty] => 97 [cart_url] => cart.php?action=add&p=26 )
The price:£2 is as it appears on the page.

In that case you must be doing round() or something somewhere..., or typecasting to an integer somehow.

Intriguing. Database stores it as a decimal(9,2), so I will check all references for a change to an integer, or a round() function. What a silly mistake.

Added after 7 minutes:

aha... something which I have noticed which is interesting, is that the number is stored as



[pd_price] => 1.50

NOT =.... I.e. it can be MORE THAN? is this normal?!

Thats normal.

you must be doing round or ceil somewhere!

trace through every stage!

Ok, I will. I changed it to a Float and removed the formatting within the database, to no avail. It's definitely in the php. Going to check it all now :)

Added after 7 minutes:

Think I found it.

In the page where it is called, the line says


Price : <?php echo displayAmount($pd_price); ?><br>

This function, displayAmount, must format the number. Only problem is, I haven't a clue where the function is. Off to look now...

displayAmount is not a php function, it's something you've made

Damn it removed my edit :<

I found it,


function displayAmount($amount)
{
global $shopConfig;
return $shopConfig['currency'] . number_format($amount);
}
Added after 4 minutes:

Woohoo!! Sorted :D



function displayAmount($amount)
{
global $shopConfig;
//,2 = 2dp
return $shopConfig['currency'] . number_format($amount, 2);
}

Now... got to go sort that tracking page out!

Well done :D

ugh, ok, I put the result into a session variable.... but it still coming back blank!! :mad:



$sql = "SELECT od_status
FROM tbl_order
WHERE od_id = '$orderno'
AND od_shipping_postal_code = '$postcode'";
$result = dbQuery($sql);

if (dbNumRows($result) == 1) {
$row = dbFetchAssoc($result);
$_SESSION['od_status'] = $row;
} else {
$errorMessage = 'Wrong order number or postcode';
}

}
return $errorMessage;
}picked up here:



$od_status = $_SESSION['od_status'];


.....


<div class="row" align="center"><?php echo $od_status; ?></div>



Error messages come back brilliantly! Also, if I enter an invalid one, it says 'Wrong order number or postcode'. But, if I then check a valid one, it comes back saying nothing...

It's because you're trying to echo an array,

if you do print_r($_SESSION['od_status']), you will see that it is an array so what you have to do is
$_SESSION['od_status']['pd_price'] to get the price, and so on :D

Hmmm.. Ok, I edited it to echo the variable. That works. Kind of, as it just outputs "Array", when the postcode/order no. are correct. Where is it getting this "array" response from? Is this a PHP thing or another thing I have set without realising...

If it prints "Array" it means you're trying to echo an array and not a regular value.

print_r bassically echo's out everything that is in a variable, just so i can show you its an array

so, as with any other array, you access it like so

$my_array = array('part1' => 'fairyes', 'part2' => 'pixies');

So, lets say you want to see what part1 is in the array '$My_array',
echo $my_array['part1'];

simples

It responded with



Resource id #10 , as an output.

which the manual says about using mysql_result...

YES! Got it working!!!!!!!

I finally understood!

if

NEW NAME OF ARRAY = ARRAY, it's still an array!

you have to extract the result!!

$row = mysql_result($result, $od_id);

It works!! Page is covered in error messages but it works!

WAIT!

I see the issue,

$row = dbFetchAssoc($result);
$_SESSION['od_status'] = $row;
} else {You never said what row to get the data from, change it to


$row = dbFetchAssoc($result);

$_SESSION['od_status'] = $row['$orderno'];

} else {

hmm... different method, same outcome? lolwut..
anywhoo

new problem, bloody error message saying it isnt defined!! because it isn't, until the user send the form! this must be easy to fix...



Notice: Undefined index: od_status in /admin/track.php on line 42

So stop referring to it until the user has POSTed the form. ;) Or use isset() to determine if the variable is set before trying to use it.

So for example, if you're trying to do this:

if ($_SESSION['myvar'] == "lol") {...

And it's throwing you an error that myvar is an undefined index, change it to:

if (isset($_SESSION['myvar']) && $_SESSION['myvar'] == "lol") {...

Perfect!! Took a while, but I noticed the $errormessage has the same idea!! So I copied the IF and it works a treat.

Try it out if you want;

Order Numbers - Postcode
1001 - BN1 TEST
1002 - asdasdsa

and just for Thomas Smith (aka Smifis, original name chooser of the year)

1003 - nr318hg

Thanks again Peter, I +repped you, much appreciated!! Now i can go to bed HAPPY :D

As i mentioned before, checks are good and you should do them!


if (!isset($_POST)) {
return;
}


Faz, I cant log in.

As i mentioned before, checks are good and you should do them!


if (!isset($_POST)) {
return;
}
Faz, I cant log in.

isset($_POST) always evaluates to true even if no variables are POSTed, just like $_GET, so that return will never happen.

Instead you should use:

if (count($_POST) == 0) {
return;
}

I've never experienced that but that for the heads up peter, i suppose it depends how the server is setup.

Hold on, log in where? The login is temporarily on hold... lol.. And where did you get a password from xD

Ok, I see about the Isset, but if it works, surely it's not a problem? Or is it more efficient the other way?

Cheers

The tracking page, the one you linked to, that just takes me to the home page after you put in the details

Forgive my ignorance but you are clicking the 'Track Order', as opposed to 'Return to Shop'?

Besides that I am not sure, it works ok for me?

Wouldn't surprise me, i was tired last night.

Ok fairly simple one, maybe,

I am looking to encrypt the passwords for the users.

On the creation of the account, the user password will be presumably encrpyted, probably with MD5. This will then be saved to the database in the md5 state.

When processing the login, how do I cross check the passwords? Presumably this is done by MD5ing the password entered, THEN comparing it to the database?

Oh, and where should the encryption occur? On the page the password is entered, or can it be transferred by POST to another processing page? Does that reduce the security of it?

edit: screw that, its working already!! That really didn't take long!!

I just encrypted it on both ends, when a user is created, and when the login is processed.

edit again... ok. job not done. it works when I encrypt the string myself from the MD5 Encrypter.com, but not when I do MD5($str). Something I have noticed it all the ones processed start with *, and are all upper case. Is this normal? I tried to force it lower case but it didn't work....

buhh I will just repost this time... It was ALSO encrypting using PASSWORD, so just changed that to MD5 and off I went.

Thanks for your help all (lol - im independent now :D )

I usually do all of my encrypting via PHP as it's one less variable to sanitise. Each to his own though.

fpo?

I normally use MD5, although there are a few neat little hashing scripts out there.

I have changed all my DATE( parts to GMDATE, to get them to GMT, but how do I translate the NOW() sql function into GMT? Or can this not be done?

now() just provides the current time on the mysql server so providing that the server time is set to GMT, then it will set the value to gmt, however, most servers are now set the UTC.

yes it seems mine is :( I wonder if I can get it to output it onto the screen at +6 hours. Will investigate.

You could always try


GETUTCDATE()

fpo?

I normally use MD5, although there are a few neat little hashing scripts out there.

Lol, was supposed to say "do" not "fpo", that's what I get for typing on my phone.

Please someone, put me out of my misery...

Unexpected T_RETURN :(



function doSubscribe()
{

$errorMessage = '';

$email = clean_input($_POST['txtEmail']);


if ($email == '') { $errorMessage = 'Please enter a valid email address';
} else {
mysql_query("INSERT INTO tbl_subscribe (sub_email)
VALUES ('$email')");
$errorMessage = 'Thanks, you have been added to our mailing list!';
}
return $errorMessage;
}

I cant see anything wrong with it, you might want to work with keeping your code presentable however, it helps with debugging issues and what-not.

function doSubscribe()
{

$errorMessage = '';

$email = clean_input( $_POST['txtEmail'] );

if ( $email == '' ) {
$errorMessage = 'Please enter a valid email address';
} else {
$sql="INSERT INTO tbl_subscribe (sub_email) VALUES ('$email')";
mysql_query($sql);
$errorMessage = 'Thanks, you have been added to our mailing list!';
}
return $errorMessage;
}

Ugh, I hate PHP, and my stupidity!!

Line 35 was not in that code at all, it was further up in your "clean_input" section.



{
if(get_magic_quotes_gpc())
{
//Remove slashes that were used to escape characters in post.
$input = stripslashes($input);
}
//Remove ALL HTML tags to prevent XSS and abuse of the system.
$input = strip_tags($input);a
//Escape the string for insertion into a MySQL query, and return it.
return mysql_real_escape_string($input);
}I obviously accidentally pressed "a" at some point, and without the ; after it just voided it!! Im so silly!

cheers

edit: and the layout changes from editor to editor, if I am editing it in the browser, which I do for small changes, the box is only about 600px wide, so I get random line breaks, like in the VALUES code above. Offline though I use notepad++ which does most of the formatting for me, very handy. Basically, the code was copied from the browser, not the notepad, so the line breaks are odd.

aye i always have these troubles, got sausage fingers :D always causes me a lot of trouble its so picky lol when you get it wrong :)

I have this habit of putting 'l's instead of a semicolon, we all have those moments :D

Ok big one now...

I am trying to link my tbl_order with my tbl_user, in order to create a section where users can see their orders, and essentially 'login' to save their postage details etc.

BUT. I don't have a clue how to link these in phpMyAdmin. I don't have 'relationship view', which would be nice, but there must be another way. I have normalised it, I think, but it's hard!

I will explain it clearly once more:

Three tables.

tbl_order, has an auto-increment called od_id

tbl_user, has an auto-increment called user_id

tbl_customerorders, has two values, called user_id and od_id. I imagine the non-changer is the od_id, as the order cant be submitted twice, but the user can have two orders.

Does this sound feasible? I have tried linking them with the sql query adding foreign key, which sounds right, but surely when I create a new user, it should automatically make a field in tbl_customerorders, and it didn't... ?

sql JOIN will be your friend here, find the points that reference across to tables and use JOIN to get one result set back with all the data.

DT.

Right. JOIN, will go have a look. I just need it to literally copy, in real time, the data from one field on another table, into the other field on the other table.

Added after 5 minutes:

hmmm problem with all these is they just seem like queries to me... but I need to actually write the data to the database?

You dont have to.

You have the table which specifies which orders goes with what.

In all reality, it would defiantly be best to have a 'user_id' on the end on#f the order tables, and then when you want to recall all the users of 'Bob Smith', you look up his name in a query with a joined table.

yes that is the best idea Smifis, I though that, but then the tbl_user, user_id is primary key, so how am I going to link that to the multiple orders?

Added after 5 minutes:

and plus... how do I link them?! I never really understood this primary/foreign key malarkey!

Don't worry about keys, they're rather advanced and not needed for this by any stretch of the imagination.

All you need is just a normal varchar(255) field for user_id in the table, and then with a query, use the join feature and match up the two user_id's

Ok. I have a working system sorted. Bear in mind the order user reference thingy part is only for showing an address, and also for showing past orders, so another table wasn't really necessary.

... I must say this system is very odd, perhaps you should download something like opencart or zentcar or oscomerce and see how they work before going any further

hmm why? it works fine, just I'm not very good with all this. It's just a basic system;

http://img593.imageshack.us/img593/130/61020030.png

and I am attaching other features to it...

Shouldn't every order have a user id it's linked to?

Otherwise as a user, how can I get a list of my orders for example?

yeah it is now, that entity diagram is very old, right from the start when i decided that login was too hard.

but then changed my mind :P

Right... now I need a bit of help with require_once. I am using it to effectively 'embed' other php pages in, and link certain function files to the others. At the minute, I am just adding a captcha image to my register page. This page is stored here;



home/admin/register.php
This code then links, using require_once, to



home/admin/library/functions.php
which processes and checks the register name, and adds it to the database.

Now, this all works fine. But I downloaded SECURIMAGE, which looks very good, but I have to get it working! The readme says this;



SYNOPSIS:

require_once 'securimage.php';

$image = new Securimage();

$image->show();

// Code Validation

$image = new Securimage();
if ($image->check($_POST['code']) == true) {
echo "Correct!";
} else {
echo "Sorry, wrong code.";
}
Fine, I am sure that all works ok, BUT... it's getting stuck in functions.php, which is not where securimage is located.

Securimage is located in



home/admin/library/securimage/
So. My question is, why is this error appearing?



Warning: require_once(/home/library/securimage/securimage.php) [function.require_once] failed to open stream: No such file or directory in home/admin/library/functions.php on line 46

It's like it is stuck inside the functions.php file... Is this because it is in the register form? This is perhaps linked exclusively to the function file? This confuses me a lot...

any help greatly appreciated!

sorted it! cant tell you how I have forgotten...

Whoops, only just saw this mate,

My bad.

Smifis why are you doing his homework for him?

Smifis why are you doing his homework for him?
... ¬¬

It's nice to help people who are learning, he's a bit of a erm.. twont.. to taks such a big project on in a language he doesn't know so he really could do with the help. Plus, he'll owe us one. ;)

He owes you at least 2 i think.

LOL! Ditto for Peter.

This is true.. though it isn't really homework. It's a project, so it's actually coursework (which makes it sound even worse!). My point is, it's good to help!

Honestly though, have learn so much since Christmas, it's unreal... PHP is actually quite easy now. Still hate headers though! :D

I do appreciate all your help, very much so.

hate headers? why may I ask? html headers are essential!

yes but they annoy me!! cannot output any HTML before the headers are sent, all this faff!! just confuses me, is all. I am easily confused.

If you get errors like that, you're doing something wrong!

well. yes. but everyone gets errors! that is how you learn! and I am definitley still learning...

Being able to set headers is great!