JamesB

I'm having problems doing this in one query.

I have these tables:

[table: users]user_id user_name1 somename[table: updates]user_id stat_id xp time_seen1 0 100 14106209341 0 120 14106209351 1 50 14106209362 0 80 1410620937

The query should return rows from table `updates` for 1 user, with 1 returned row per unique stat_id, where the xp is the highest xp for that user for that stat.

So for user id 1, this should be returned:stat_id xp0 1202 80So for user id 2, this should be returned:stat_id xp0 80

I've tried this:

$result = $this->db->query('SELECT updates.stat_id, updates.xp FROM updatesLEFT JOIN users ON users.user_id = updates.user_idWHERE users.user_name = '.$this->db->escape($user).' AND xp == MAX(xp)');

But the MAX(xp) will be the max xp of all stat_id's instead of per stat_id.

that might be a string containing the text NULL, anyway you should probably be checking the row count before fetching the row in case the row doesn;t exist. something like:

if(mysql_num_rows() == 0){$DB_vote = NULL;}else{$row = mysqli_fetch_array($sql);$DB_vote = $row['vote'];}

Maybe your javascript code is running before your document html has loaded.

Try wrapping your javascript initial code into an onload event:

window.addEventListener('load', function() {    var tl = document.getElementById('id');    alert(tl);});

2 characters is the difference, look closer.

Try changing

ajax.onreadystatechange() = function(){

to

ajax.onreadystatechange = function(){

Functions don't have to return a value.

You need quotes around some SQL values.

$sql = "SELECT rate_type,good_rate,bad_rate FROM rate WHERE username = '$username' && file_name = '$file_name'"; $sql = "UPATE rate SET rate_type = '$rate_type' && good_rate = $DB_good_rate && bad_rate = $DB_bad_rate";

Also try to use MySQLi or PDO for the database code, as the mysql_ functions are very old.

I agree that it would be very difficult to prevent against every xss attack in specialist situations like a HTML editor. But I still think with enough time and thought spent on something it can be 100% hack free.

You can go through the list of ways and find places where your application is vulnerable and fix them, sure, but you wouldn't necessarily use the same fix in every situation.

Fair enough.

You can't guarantee that there's something you didn't think about.

Well I sort of disagree. I mean I know its very easy to forget a htmlspecialchars() hear and there, but say if someone was making an API, they could check the SGML/XML spec and make sure every byte code is valid in it's place.

Interesting, but I'm sure its possible to protect against every type of xss attack somehow.

The only way to guarantee no XSS attacks is to not show any user-submitted data on your site.

Surely one could use htmlspecialchars() for user submitted data to guarantee no xss attacks too right?

What is this code suppose to do?

stdid =='EMPTY_ROLE'

You don't have a local variable called stdid.

Also please post your relevant html code.

Notepad++ for almost every language.

mIRC program for mIRC.

Microsoft Visual C++ for c++.

Apache, PHP & MySQL installed individually, starts when my computer turns on, I didn't compile them though.

phpmyadmin for database gui.

FileZilla for FTP client.

google chrome / opera for browser tools.

My server-side language for the web is PHP. Although I don't know any others, but PHP is enough for me.

Does alert(roleValue) work?

Can you show the code for your form?

This was your PHP page never sees any empty field in the first place.

Keep in mind server-side (PHP) input validation is still required, as one can send a packet directly to the server containing blank fields to bypass javascript.

Can you show your code that opens the window?

try changing:

if ($_SERVER["REQUEST_METHOD"] == "POST") {

to

if ($_SERVER["REQUEST_METHOD"] != "POST") {$isError = true;}else {

that should stop sending the email when the page is accessed.

works for me.

http://stackoverflow.com/questions/7935689/what-is-the-difference-between-children-and-childnodes-in-javascript

$isError = false;if ($_SERVER["REQUEST_METHOD"] == "POST") {if (empty($_POST["name"])) {$isError = true;$nameErr = "Name is required";}...if (empty($_POST["phone"])) {$isError = true;$contact_methodErr = "Phone number is required";}...if(IsInjected($customer_email)){$isError = true;echo "Bad email value!";}if(!$isError){$email_from = 'sales@speedyspares.com';//<== update the email address$email_subject = "Online Enquiry";...}

I also thought json_encode was used in a loop lol, a bracket must have fooled us both.

Your salt should be unique for every user, you should not use a hard-coded salt for every user.

Very interesting, thanks for the info.

Here's another clue:

The error says $appdata is undefined, so we must define it before it is used.

When not using a salt:

If the hacker gains access to your database and sees the encrypted password, they can use public encryption look up tables to find one or many possibilities of what the password is.

When using a salt:

If the hacker gains access to your database and sees the encrypted password, they cannot use public encryption look up tables to find the password.

If the hacker gains access to your database and also access to your PHP file containing the salt, they still cannot use public encryption look up tables to find the password, however they can attempt to reverse it themself which will probably take a very long time to find as they would need to brute force millions probably well above trillions of combinations of text concatenated to the salt to find the matching encrypted string.

<?phpfunction get_appointments($connection,$email){$connection->set_charset("utf8");$result=$connection->query('select appointments.name,appointments.apID,staffID,appointments.apps_origin,FROM_UNIXTIME( startDate ) as startDate ,FROM_UNIXTIME( endDate ) as endDatefrom appointments,userswhere users.email="'.$email.'"and appointments.bookedfor=users.user_ID');if(!$result){printf("Errormessage for result: %sn", $connection->error);return false;}elseif($result->num_rows>0){$mapApIDToRowIndex = []; // int apID => row indexwhile ($appdetails = $result->fetch_object()){$mapApIDToRowIndex[$appdetails->apID] = count($appdata);$appdata[]=['name'=>$appdetails->name,'apID'=>$appdetails->apID,'start'=>$appdetails->startDate,'end'=>$appdetails->endDate,'staffID'=>$appdetails->staffID,'origin'=>$appdetails->apps_origin];}}for($i=0;$i < count($appdata);++$i){$result1 = $connection->query('select serviceID from services_list,appoint_servi_chosenwhere services_list.serviceID=appoint_servi_chosen.service_IDand appoint_servi_chosen.app_ID="'. $appdata[$i]['apID'].'"');if(!$result1){printf("Errormessage for result1: %sn", $connection->error);return false;}elseif($result1->num_rows>0){while($service = $result1->fetch_object()){$rowIndex = $mapApIDToRowIndex[$appdata[$i]['apID']];$appdata[$rowIndex]['service'][] = $service->serviceID;}}}return $appdata; // should be 3 dimensional}

sorry for the indentation, it gets unindented automatically for me :/