PHP - General Guidance Needed, Unable To Wrap My Head Around Security Issues
I have made a classified website. It works and I am proud of it. But as far as securing it goes, I have done almost nothing, and I am sure that if the site becomes popular it would be compromised with ease.
So I have started reading the book 'Essential PHP Security' and am reading several articles on PHP security online, but I am still unable to wrap my head around the whole security issue. Can someone help me? There are a lot of unfamiliar topics (filtering, escaping, validating, session hijacking, etc.) and it all goes over my head. It's a classified website; considering this, what should I concentrate on as far as security goes? BTW, what I have managed to do is use mysql_real_escape_string on every variable going into a MySQL $query. Thanks

Similar Tutorials

Hi, I am currently mostly learning procedural PHP but had a question about security. Are hackers able to see connections to databases in procedural programming? Would connections to databases need to be called from classes and methods instead? Or does it not matter that much?

How would I redirect if the code is after the <head> tag? My code is a bit complicated and needs to go under my HTML code but won't redirect successfully because of <head>. I'm using

Code:
print("<meta http-equiv='Refresh' content='0;index.php' />");

to redirect.

Hello, I am using <?=$PHP_SELF?> in a search form so it will stay on the same page. I have been advised that there are security risks to using that, that it is susceptible to SQL injections and that my database can be at risk. I have read about using the following code instead: htmlentities($_SERVER['PHP_SELF']) Is that more secure, or is there other code that is more secure? Also, could someone look at my database connection and see if there are any issues with it?

Code:
<?php
$db_host = "localhost";
$db_user = "user";
$db_pass = "password";
$db_name = "database";

function db_connect() {
    global $db_host;
    global $db_user;
    global $db_pass;
    global $db_name;
    $connection = mysql_connect($db_host, $db_user, $db_pass);
    if (!(mysql_select_db($db_name, $connection))) {
        echo "Could not connect to the database";
    }
    return $connection;
}

// Connect to the database
db_connect();
?>

Thank you for any help you can provide.

Hi everybody!
I'm back with the never-ending security issues, only this time it has to do with character-set-related security issues. I read the whole day on UTF-8 and am still lost on certain aspects related to PHP security.
Consider the simple script below:
<?php
//error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_POST['login'], $_POST['password'])) {
    $login = $_POST['login'];
    $password = $_POST['password'];
    if (!empty($login) && !empty($password)) {
        //echo "Ok";
        echo "Welcome " . $login;
        echo "<br> Your password is $password ";
    }
}
?>
<html>
<body>
<form action="welcome2.php" method="post">
Name: <input type="text" name="login" />
Password: <input type="password" name="password" />
<input type="submit" name="submit"/>
</form>
</body>
</html>

It is not a login script, but assuming that it was one, I would like to know that if UTF-8 was the charset selected for this script, then:
1. How could it be exploited to pass a string that would effectively break through this login? It would be great if someone could demonstrate the hack using the above script example.
2. Could the same be thwarted by the use of input filters?
3. I also read that the use of a regex to limit the use of special characters in passwords is not good. So in case the hack can be thwarted by the use of a regex, and that is a bad idea in the first place, what should be done?
There are a few more questions on my mind, but I will only ask those once I am clear on the ones I have just asked. Thanks all.

Hi chaps, I'm about to start building a MySQL/PHP forum but would like to know what the best administration steps to take are. Basically it'll be open to members of a site to share info (like many forums out there), but obviously I don't want anybody to post either harmful content or offensive material. Can someone point me in the right direction, or give me a basic outline of what I have to look out for? Many thanks

Hello, I'm creating an application where a user can input their own CSS. The problem I'm having is understanding whether this will open security holes if...
1. Users' input is saved to a file called style.css
2. Each user is on their own sub-domain from my reseller hosting plan.
3. The style.css file will be included in the page code like so:

Code:
<link type='text/css' rel='stylesheet' href='style.css' />

Any advice?

Hi all, if someone of you has a little spare time I would love to hear what you find about the small code below. I combined some scattered stuff from around the internet and was hoping some guru could tell me if it's OK to output without any sneaky JavaScript getting inserted within the tags or other nasty stuff. It's a BBCode function that first trims the string, applies html entities, then converts newlines to breaks and finishes it off with a little BBCode at the end. I was hoping this is secure enough to output text, in this case a POST var, but I am aiming for data from the database. Thanks in advance

Code:
<?php
//replace stuff
//bb function
function bbcode($data) {
    $input = array(
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[u\](.*?)\[\/u\]/is',
        '/\[img\](.*?)\[\/img\]/is',
        '/\[url\](.*?)\[\/url\]/is',
        '/\[url\=(.*?)\](.*?)\[\/url\]/is'
    );
    $output = array(
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        '<img src="$1" />',
        '<a href="$1">$1</a>',
        '<a href="$1">$2</a>'
    );
    $rtrn = preg_replace($input, $output, $data);
    return $rtrn;
}
//
if (isset($_POST['submit']) && !empty($_POST['textvar'])) {
    $error_message = '';
    $string = trim(htmlentities($_POST['textvar'], ENT_QUOTES));
    $clean = nl2br($string);
    $super_clean = bbcode($clean);
} else {
    $error_message = 'enter some text';
    $clean = '';
    $super_clean = '';
}

If I use code as follows, is this a safe way to take the value of the form?

<html>
<head></head>
<body>
<form method='post'>
<input type='text' name='name' value='akli'>
<input type='submit' name='view' value='view'>
</form>
</body>
</html>
<?php
extract($_POST);
if ($view) echo $name;
?>

Please help me.

If you are a PHP expert, then I really need your help. I have a question regarding PHP sessions and their security. So here is my story... I created a login script (login.php) for my website. When a user goes to the login.php page, they see a login form that they must fill in with their username and password to log in to the members' area and view their profile, etc. On that login page, when the user enters their username and password and then clicks the "Login" button, my script filters the data, sends a MySQL query and checks if the login is valid. If the login is NOT valid, then they get a "Login Failed" message. If the login is valid, I register their username and the password in sessions and redirect them to the members.php page. Here is some of my code for my login.php page after MySQL confirms the login is valid:

<?php
$query = mysql_query("SELECT * FROM `users` WHERE username='$user' AND password='$pass'");
$numRows = mysql_num_rows($query);
if ($numRows) {
    // login is valid
    $_SESSION['username'] = $user;
    $_SESSION['pass'] = $pass;
    // redirect user to members area
    header('Location: /members.php');
} else {
    // login is invalid
    echo "Login failed";
}
?>

My question is... is this login script secure? I mean, I am not generating any session id or any cookie. I am just storing the username and the password in two session variables, and those are the things that I will use to display the user's profile, etc. Can attackers attack this script? Is this secure, or is there another way I can make it stronger?

It's always these seemingly simple tasks that become challenges.
I got a good handle on how to watermark some photos (thanks to the respondents to my previous post) and developed a script that calls a function that uses imagettftext(). Essentially, I can upload multiple images and watermark them before they reach their destination folder. Good stuff. Now, I got this crazy idea of watermarking them with a sequence number, so that if I grab 12 images, each will be labeled with its sequence number (rather than a standard text watermark). I placed $count++ in my script, and then used $count as my $watermark both inside imagettftext and as a variable. It didn't work. The closest I got was after placing $count++ inside a watermark function, but, of course, that merely labeled each photo with a "1" (because each call of the function was a new iteration). Can someone please offer some direction here. Thanks.
I have created a script that will upload and rename images. Now, I want to replace the timestamp with a number so that each image is listed sequentially with more easily recognized values (1, 2, 3, etc.). My concern is the effect this could have if several uploads were coincidentally started simultaneously. I doubt the script (or directory) would allow duplicate names to be rendered, so would I lose files because of overwriting?
If 3 uploads of 10 images each were all started at exactly midnight, what could go wrong? How can I best resolve the risk and ensure that I get 30 complete files, sequentially numbered?

Hello: I am very new to PHP. I have done a few basic feedback forms, but that's it. I have done Classic ASP for years and am trying to switch over to PHP. I wanted to see what it would take to make a basic CMS that would allow users to update page content from an admin panel, very much like the attached .JPG demo. Is there existing code available like what I'm trying to do? I can post the ASP version code if it will help. I assume it would need a database, but I have only used DSN-less connections with Access, not anything PHP related. I know the site is hosted on justhost.com, and justhost.com uses Unix servers. Any assistance would be appreciated!

I am trying to set up a class for my database connection. I have it working one way; this is a completely new method I am trying to learn. I have a file called MyClasses.php and in that file I did this (I am following a not very well done tutorial):

Code:
<?php
class MySQLDatabase {
    private $connection;

    function __construct() {
        $this->open_connection();
    }

    public function open_connection() {
        $this->connection = new MySQLi('localhost', 'MyDatabase', 'password', 'billpay') or die($mysql->error);
    }
}

$database = new MySQLDatabase();
?>

Then in my index page, where I want to begin by doing a query on the database, I did this:

Code:
<?php
include 'MyClasses.php';
$result = $database->query("SELECT * FROM names") or die($mysql->error);
?>

but that gives me this error:

Fatal error: Call to undefined method MySQLDatabase::query() in C:\wamp\www\BillPay\index.php

I can't figure out how to get past it.

I'm looking for some direction as I approach a new challenge. I have a table named friends_and_family and it contains name, email, and age fields. I'm planning a party and want to invite 10 of the people that are between 20 and 35 years old.
The format I am considering would query the table and provide a list of those members that fit the age requirement. I would like to generate that result (which I should be capable of handling) so that each person listed has a checkbox next to their name. I imagine I will be creating a resultant form, so that I can then evaluate the result and select the checkboxes for those specific people that I want to invite. Upon submission, an email will be sent to the people with selected checkboxes. How should I approach this best? A foreach loop? Implode an array? I'm not very good with AJAX, so I'm thinking along these lines.
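An added worked example for the invite form described above (example code, not the original poster's): it assumes a mysqli connection in $dbc and a hypothetical integer id column on friends_and_family to key the checkboxes. The security-relevant parts are that the age range and the id list are bound through prepared statements, the submitted checkbox values are reduced to distinct positive integers rather than trusted, names are escaped before being echoed into the form, and each stored address is validated before it reaches mail().

```php
<?php
// Added example (not from the original post). Assumes:
//   - $dbc is an open mysqli connection (mysqlnd, for get_result())
//   - table friends_and_family(id, name, email, age); `id` is a hypothetical
//     integer primary key used as the checkbox value
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Step 1: list candidates in the age range using a prepared statement.
function candidates(mysqli $dbc, int $minAge, int $maxAge): array {
    $stmt = $dbc->prepare(
        'SELECT id, name FROM friends_and_family WHERE age BETWEEN ? AND ? ORDER BY name'
    );
    $stmt->bind_param('ii', $minAge, $maxAge);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Render one checkbox per candidate. The only untrusted data here is the
// name column, so it is escaped for HTML before being echoed.
function renderForm(array $rows): string {
    $html = '<form method="post">';
    foreach ($rows as $row) {
        $html .= sprintf(
            '<label><input type="checkbox" name="invite[]" value="%d"> %s</label><br>',
            $row['id'],
            htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . '<input type="submit" name="send" value="Send invites"></form>';
}

// Step 2: on submit, normalise the checkbox values. Anything that is not a
// positive integer is dropped, duplicates are removed, and the list is
// capped at 10 as the post describes.
function selectedIds($raw, int $max = 10): array {
    if (!is_array($raw)) {
        return [];
    }
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v) && $v !== '0') {
            $ids[(int)$v] = true;
        }
    }
    return array_slice(array_keys($ids), 0, $max);
}

// Step 3: fetch the addresses for those ids with one placeholder per id,
// so the IN list is still a prepared statement and never string-concatenated.
function addressesFor(mysqli $dbc, array $ids): array {
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $dbc->prepare(
        "SELECT name, email FROM friends_and_family WHERE id IN ($placeholders)"
    );
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Step 4: send one mail per recipient. A stored address that is not a valid
// email is skipped, which also keeps CR/LF out of the To: header.
function sendInvites(array $people, string $from): int {
    $sent = 0;
    foreach ($people as $p) {
        $to = filter_var($p['email'], FILTER_VALIDATE_EMAIL);
        if ($to === false) {
            continue;
        }
        $body = 'Hi ' . $p['name'] . ", you are invited to the party!";
        if (mail($to, 'Party invitation', $body, 'From: ' . $from)) {
            $sent++;
        }
    }
    return $sent;
}

if (isset($_POST['send'])) {
    $people = addressesFor($dbc, selectedIds($_POST['invite'] ?? null));
    echo 'Invites sent: ' . sendInvites($people, 'host@example.com'); // constructed sender
} else {
    echo renderForm(candidates($dbc, 20, 35));
}
```

A real deployment would also put a login check and a CSRF token on the form, which the post does not ask about.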
Hi guys, I need some help from you pros please with converting code from a TPL template file to PHP. My client has payment gateway scripts in an ecommerce site that he wants to offer to other merchants. The code currently is in numerous TPL files (currently being used in OpenCart). What is involved in converting to plain ol' PHP? Do I need the TPL files at all? Can I rename the TPL extension to PHP, as it looks like they contain PHP code? An example of one of the TPLs is below:

<form action="<?php echo $action; ?>" method="post" id="checkout">
  <input type="hidden" name="instId" value="<?php echo $merchant; ?>" />
  <input type="hidden" name="cartId" value="<?php echo $order_id; ?>" />
  <input type="hidden" name="amount" value="<?php echo $amount; ?>" />
  <input type="hidden" name="currency" value="<?php echo $currency; ?>" />
  <input type="hidden" name="desc" value="<?php echo $description; ?>" />
  <input type="hidden" name="name" value="<?php echo $name; ?>" />
  <input type="hidden" name="address" value="<?php echo $address; ?>" />
  <input type="hidden" name="postcode" value="<?php echo $postcode; ?>" />
  <input type="hidden" name="country" value="<?php echo $country; ?>" />
  <input type="hidden" name="tel" value="<?php echo $telephone; ?>" />
  <input type="hidden" name="email" value="<?php echo $email; ?>" />
  <input type="hidden" name="testMode" value="<?php echo $test; ?>" />
</form>
<div class="buttons">
  <table>
    <tr>
      <td align="left"><a onclick="location = '<?php echo $back; ?>'" class="button"><span><?php echo $button_back; ?></span></a></td>
      <td align="right"><a onclick="$('#checkout').submit();" class="button"><span><?php echo $button_confirm; ?></span></a></td>
    </tr>
  </table>
</div>

I also have 3 PHP files as well, which look like this (example):

<?php
class ControllerPaymentOnlineVoucher extends Controller {
    protected function index() {
        $this->data['button_confirm'] = $this->language->get('button_confirm');
        $this->data['button_back'] = $this->language->get('button_back');

        $this->load->model('checkout/order');
        $order_info = $this->model_checkout_order->getOrder($this->session->data['order_id']);

        $this->load->library('encryption');

        $this->data['action'] = 'https://www.domain-removed.com/purchaseAndRedeem.php';
        $this->data['merchant'] = $this->config->get('onlineVoucher_merchant');
        $this->data['order_id'] = $order_info['order_id'];
        $this->data['amount'] = $order_info['total'];
        $this->data['currency'] = $order_info['currency'];
        $this->data['description'] = $this->config->get('config_store') . ' - #' . $order_info['order_id'];
        $this->data['name'] = $order_info['payment_firstname'] . ' ' . $order_info['payment_lastname'];

        if (!$order_info['payment_address_2']) {
            $this->data['address'] = $order_info['payment_address_1'] . ', ' . $order_info['payment_city'] . ', ' . $order_info['payment_zone'];
        } else {
            $this->data['address'] = $order_info['payment_address_1'] . ', ' . $order_info['payment_address_2'] . ', ' . $order_info['payment_city'] . ', ' . $order_info['payment_zone'];
        }

        $this->data['postcode'] = $order_info['payment_postcode'];

        $payment_address = $this->customer->getAddress($this->session->data['payment_address_id']);

        $this->data['country'] = $payment_address['iso_code_2'];
        $this->data['telephone'] = $order_info['telephone'];
        $this->data['email'] = $order_info['email'];
        $this->data['test'] = $this->config->get('onlineVoucher_test');
        $this->data['back'] = $this->url->https('checkout/payment');

        $this->id = 'payment';
        $this->template = $this->config->get('config_template') . 'payment/onlineVoucher.tpl';

        $this->render();
    }

    public function callback() {
        if (isset($this->request->post['callbackPW']) && ($this->request->post['callbackPW'] == $this->config->get('onlineVoucher_password'))) {
            $this->language->load('payment/onlineVoucher');

            $this->data['title'] = sprintf($this->language->get('heading_title'), $this->config->get('config_store'));

            if (!isset($this->request->server['HTTPS']) || ($this->request->server['HTTPS'] != 'on')) {
                $this->data['base'] = HTTP_SERVER;
            } else {
                $this->data['base'] = HTTPS_SERVER;
            }

            $this->data['charset'] = $this->language->get('charset');
            $this->data['language'] = $this->language->get('code');
            $this->data['direction'] = $this->language->get('direction');
            $this->data['heading_title'] = sprintf($this->language->get('heading_title'), $this->config->get('config_store'));
            $this->data['text_response'] = $this->language->get('text_response');
            $this->data['text_success'] = $this->language->get('text_success');
            $this->data['text_success_wait'] = sprintf($this->language->get('text_success_wait'), $this->url->https('checkout/success'));
            $this->data['text_failure'] = $this->language->get('text_failure');
            $this->data['text_failure_wait'] = sprintf($this->language->get('text_failure_wait'), $this->url->https('checkout/payment'));
            $this->data['button_continue'] = $this->language->get('button_continue');

            if (isset($this->request->post['transStatus']) && $this->request->post['transStatus'] == 'Y') {
                $this->load->model('checkout/order');

                $this->model_checkout_order->confirm($this->request->post['cartId'], $this->config->get('onlineVoucher_order_status_id'));

                $message = '';
                if (isset($this->request->post['transId'])) {
                    $message .= 'transId: ' . $this->request->post['transId'] . "\n";
                }
                if (isset($this->request->post['transStatus'])) {
                    $message .= 'transStatus: ' . $this->request->post['transStatus'] . "\n";
                }
                if (isset($this->request->post['countryMatch'])) {
                    $message .= 'countryMatch: ' . $this->request->post['countryMatch'] . "\n";
                }
                if (isset($this->request->post['AVS'])) {
                    $message .= 'AVS: ' . $this->request->post['AVS'] . "\n";
                }
                if (isset($this->request->post['rawAuthCode'])) {
                    $message .= 'rawAuthCode: ' . $this->request->post['rawAuthCode'] . "\n";
                }
                if (isset($this->request->post['authMode'])) {
                    $message .= 'authMode: ' . $this->request->post['authMode'] . "\n";
                }
                if (isset($this->request->post['rawAuthMessage'])) {
                    $message .= 'rawAuthMessage: ' . $this->request->post['rawAuthMessage'] . "\n";
                }
                if (isset($this->request->post['wafMerchMessage'])) {
                    $message .= 'wafMerchMessage: ' . $this->request->post['wafMerchMessage'] . "\n";
                }

                $this->model_checkout_order->update($this->request->post['cartId'], $this->config->get('onlineVoucher_order_status_id'), $message, FALSE);

                $this->data['continue'] = $this->url->https('checkout/success');
                $this->template = $this->config->get('config_template') . 'payment/onlineVoucher_success.tpl';
                $this->render();
            } else {
                $this->data['continue'] = $this->url->https('checkout/payment');
                $this->template = $this->config->get('config_template') . 'payment/onlineVoucher_failure.tpl';
                $this->render();
            }
        }
    }
}
?>

Any guidance would be highly appreciated... Phil

Hello. Total newbie here, so please keep that in mind.
I'd really appreciate some wisdom from someone here as to how you would improve this form:

<?php
$email = $_POST['email'];
$message = $_REQUEST['message'];
$message = $_POST['date'];
$message .= $_POST['location'];
$message .= $_POST['comments'];
mail("testing@gmail.com, 5602346789@metropcs.com", "General Inquiry", $message, "From: $email");
header("Location: thankyou.html");
?>

*******************************html******************************

<HEAD><title>Hi</title></HEAD>
<BODY BGCOLOR="lightgray">
<br><br><center><br><br>
<form method="post" action="sendmail2.php">
<table cellspacing="5" cellpadding="5" border="0">
<tr>
<td valign="top"><font face="arial"><strong>Contact email:</strong><br></td>
<td valign="top"><font face="arial"><input type="text" name="email" size="50" value="" /></td>
</tr>
<tr>
<td valign="top"><font face="arial"><strong>Date:</strong></td>
<td valign="top"><font face="arial"><input type="text" name="date" size="50" value="" /></td>
</tr>
<tr>
<td valign="top"><font face="arial"><strong>location:</strong><br></td>
<td valign="top"><input type="text" name="location" size="50" value="" /></td>
</tr>
<tr>
<td valign="top"><font face="arial"><strong>Comments:</strong><br><font color="black"></td>
<td valign="top"><textarea name="comments" rows="6" cols="40"></textarea></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" value=" Submit Form " /></td>
</tr>
</table>
</form></center></body>

G'day, I'm trying to add a contact form on my site using a PHP script I downloaded from the web. I have tweaked the script, but I have never used PHP before and haven't got the time to learn it yet. Could someone please help me to get this working? I have added a subject drop-down field that I would like to add validation to, to force the user to choose one, and I'd like the subject they choose to appear in the subject field of the resulting email.
Once the PHP script has run and the email has been sent, I'd like the text at the bottom to appear on the original page. At the moment, when I click submit it just goes to the PHP page and shows three lines of the error message text. Here is the relevant code. This form is placed within a static HTML page:

Code:
<form name="contactform" method="post" action="send_form_email.php" style="text-align:left;">
<label for="first_name">First name <span class="red">*</span></label>
<input name="first_name" type="text" value="please enter your first name" size="30" maxlength="75" onclick="document.contactform.first_name.value='';" />
<br/>
<label for="last_name">Last name <span class="red">*</span></label>
<input name="last_name" type="text" value="please enter your last name" size="30" maxlength="75" onclick="document.contactform.last_name.value='';" />
<br/>
<label for="email" style="margin-right:32px;">Email <span class="red">*</span></label>
<input name="email" type="text" value="please enter your email address" size="30" maxlength="75" onclick="document.contactform.email.value='';" />
<br/>
<label for="phone_number" style="margin-right:34px;">Phone</label>
<input name="phone_number" type="text" value="please enter your phone number" size="30" maxlength="75" onclick="document.contactform.phone_number.value='';" />
<br/>
<label for="email_subject" style="margin-right:19px;">Subject <span class="red">*</span></label>
<select name="email_subject" style="margin-bottom:10px;">
<option value="Choose one">Choose one</option>
<option value="Lost my password">Lost my password</option>
<option value="Gardening advice">Gardening advice</option>
<option value="Order status">Order status</option>
<option value="Web feedback">Web feedback</option>
<option value="Customer Service">Customer Service</option>
<option value="Product feedback">Product feedback</option>
<option value="Other">Other</option>
</select>
<br/>
<label for="comments">Queries/Comments <span class="red">*</span></label>
<textarea rows="10" cols="50" wrap="virtual" name="comments" onclick="document.contactform.comments.value='';" style="margin-bottom:5px;">Please type your query or comments here</textarea>
<input type="submit" value="Submit" />
</form>

and here is the separate PHP script that is used:

Code:
<?php
if (isset($_POST['email'])) {

    // EDIT THE 2 LINES BELOW AS REQUIRED
    $email_to = "johnc@diggers.com.au";
    $email_subject = $_REQUEST['email_subject'];

    function died($error) {
        // your error code can go here
        echo "We are very sorry, but there were error(s) found with the form you submitted. ";
        echo "These errors appear below.<br /><br />";
        echo $error . "<br /><br />";
        echo "Please go back and fix these errors.<br /><br />";
        die();
    }

    // validation expected data exists
    if (!isset($_POST['first_name']) ||
        !isset($_POST['last_name']) ||
        !isset($_POST['email']) ||
        !isset($_POST['telephone']) ||
        !isset($_POST['email_subject']) ||
        !isset($_POST['comments'])) {
        died('We are sorry, but there appears to be a problem with the form you submitted.');
    }

    $first_name = $_POST['first_name']; // required
    $last_name = $_POST['last_name']; // required
    $email_from = $_POST['email']; // required
    $telephone = $_POST['telephone']; // not required
    $telephone = $_POST['email_subject']; // required
    $comments = $_POST['comments']; // required

    $error_message = "";
    $email_exp = "^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$";
    if (!eregi($email_exp, $email_from)) {
        $error_message .= 'The Email Address you entered does not appear to be valid.<br />';
    }
    $string_exp = "^[a-z .'-]+$";
    if (!eregi($string_exp, $first_name)) {
        $error_message .= 'The First Name you entered does not appear to be valid.<br />';
    }
    if (!eregi($string_exp, $last_name)) {
        $error_message .= 'The Last Name you entered does not appear to be valid.<br />';
    }
    if (strlen($comments) < 2) {
        $error_message .= 'The Comments you entered do not appear to be valid.<br />';
    }
    $string_exp = "^[0-9 .-]+$";
    if (!eregi($string_exp, $telephone)) {
        $error_message .= 'The Telephone Number you entered does not appear to be valid.<br />';
    }
    if (strlen($error_message) > 0) {
        died($error_message);
    }

    $email_message = "Form details below.\n\n";

    function clean_string($string) {
        $bad = array("content-type", "bcc:", "to:", "cc:", "href");
        return str_replace($bad, "", $string);
    }

    $email_message .= "First Name: " . clean_string($first_name) . "\n";
    $email_message .= "Last Name: " . clean_string($last_name) . "\n";
    $email_message .= "Email: " . clean_string($email_from) . "\n";
    $email_message .= "Telephone: " . clean_string($telephone) . "\n";
    $email_message .= "Comments: " . clean_string($comments) . "\n";

    // create email headers
    $headers = 'From: ' . $email_from . "\r\n" .
        'Reply-To: ' . $email_from . "\r\n" .
        'X-Mailer: PHP/' . phpversion();
    @mail($email_to, $email_subject, $email_message, $headers);
?>

<!-- include your own success html here -->
Thank you for contacting us. We will be in touch within 72 hours of the next working day.

<?php } ?>

Any help on how to get this going would be greatly appreciated, thanks

OK, so I've read a few tutorials on OOP and have a basic understanding of how it works, but where is it generally handy? I have a basic site created with PHP that consists of a form that submits data to MySQL and then lists the data from the MySQL database on another page, kind of like a little online planner. I don't see how converting my site to use OOP would help here. Maybe it's best for more complex situations such as a shopping cart where data needs to be shared across multiple pages?

How you doing guys. I'm having a little bit of a problem right now with this thing called view-profile.php; I hope you guys know what it is. I'm new to PHP, so please try to help. It says the same thing every time.
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\siteS\viewprofile.php on line 26
There was a problem accessing your profile

<h3>Mismatch - View Profile</h3>
<?php
require_once('appvars.php');
require_once('connectvars.php');

// Connect to the database
$dbc = mysqli_connect('localhost', '***', '*****', '*****');

// Grab the profile data from the database
if (!isset($_GET['user_id'])) {
    $query = "SELECT username, first_name, last_name, gender, birthdate, city, state, picture FROM mismatch_user WHERE user_id = '$user_id'";
} else {
    $query = "SELECT username, first_name, last_name, gender, birthdate, city, state, picture FROM mismatch_user WHERE user_id = '" . $_GET['user_id'] . "'";
}
$data = mysqli_query($dbc, $query);

if (mysqli_num_rows($data) == 1) {   // <-- line 26
    // The user row was found so display the user data
    $row = mysqli_fetch_array($data);
    echo '<table>';
    if (!empty($row['username'])) {
        echo '<tr><td class="label">Username:</td><td>' . $row['username'] . '</td></tr>';
    }
    if (!empty($row['first_name'])) {
        echo '<tr><td class="label">First name:</td><td>' . $row['first_name'] . '</td></tr>';
    }
    if (!empty($row['last_name'])) {
        echo '<tr><td class="label">Last name:</td><td>' . $row['last_name'] . '</td></tr>';
    }
    if (!empty($row['gender'])) {
        echo '<tr><td class="label">Gender:</td><td>';
        if ($row['gender'] == 'M') {
            echo 'Male';
        } else if ($row['gender'] == 'F') {
            echo 'Female';
        } else {
            echo '?';
        }
        echo '</td></tr>';
    }
    if (!empty($row['birthdate'])) {
        if (!isset($_GET['user_id']) || ($user_id == $_GET['user_id'])) {
            // Show the user their own birthdate
            echo '<tr><td class="label">Birthdate:</td><td>' . $row['birthdate'] . '</td></tr>';
        } else {
            // Show only the birth year for everyone else
            list($year, $month, $day) = explode('-', $row['birthdate']);
            echo '<tr><td class="label">Year born:</td><td>' . $year . '</td></tr>';
        }
    }
    if (!empty($row['city']) || !empty($row['state'])) {
        echo '<tr><td class="label">Location:</td><td>' . $row['city'] . ', ' . $row['state'] . '</td></tr>';
    }
    if (!empty($row['picture'])) {
        echo '<tr><td class="label">Picture:</td><td><img src="' . MM_UPLOADPATH . $row['picture'] . '" alt="Profile Picture" /></td></tr>';
    }
    echo '</table>';

    if (!isset($_GET['user_id']) || ($user_id == $_GET['user_id'])) {
        echo '<p>Would you like to <a href="editprofile.php">edit your profile</a>?</p>';
    }
} // End of check for a single row of user results
else {
    echo '<p class="error">There was a problem accessing your profile.</p>';
}

mysqli_close($dbc);
?>
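The warning means mysqli_query() returned false, i.e. the query itself failed (bad credentials, missing table or SQL error), and the code never checked for that before calling mysqli_num_rows(). Below is an added rewrite of the profile lookup, not the poster's or the book's code, which also answers the thread's opening question about leaning on mysql_real_escape_string: the user id is validated as an integer and bound with a prepared statement instead of being concatenated into SQL, the owner check uses an assumed $_SESSION['user_id'] set at login, and every database value is escaped on output. It assumes the mismatch_user table and MM_UPLOADPATH constant from the post and an open mysqli connection in $dbc.

```php
<?php
// Added example, not the original poster's code. Assumptions: $dbc is an open
// mysqli connection (mysqlnd, for get_result()), the logged-in user's id was
// stored in $_SESSION['user_id'] at login, and the table is mismatch_user(user_id,
// username, first_name, last_name, gender, birthdate, city, state, picture).
require_once('appvars.php'); // defines MM_UPLOADPATH, as in the post
session_start();

// Resolve which profile to show: an explicit ?user_id=N, otherwise the
// session user's own. Only a positive integer is accepted; anything else
// is rejected before it gets near the database.
function requestedUserId(array $get, array $session): ?int {
    $raw = $get['user_id'] ?? ($session['user_id'] ?? null);
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one profile row by id with a bound parameter. The query text never
// contains user input, so there is nothing to escape. Returns null when no
// row matches; throws (via MYSQLI_REPORT_STRICT) when the query itself fails,
// which is the case the poster's code hid behind "boolean given".
function fetchProfile(mysqli $dbc, int $userId): ?array {
    $stmt = $dbc->prepare(
        'SELECT username, first_name, last_name, gender, birthdate, city, state, picture
           FROM mismatch_user WHERE user_id = ?'
    );
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Escape for HTML text/attribute context; every DB value passes through here.
function h(?string $s): string {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Build the table. Full birthdate only for the owner, year only for others,
// exactly as the original logic intended.
function renderProfile(array $row, bool $isOwner): string {
    $out = '<table>';
    foreach (['username' => 'Username', 'first_name' => 'First name', 'last_name' => 'Last name'] as $col => $label) {
        if (!empty($row[$col])) {
            $out .= "<tr><td class=\"label\">$label:</td><td>" . h($row[$col]) . '</td></tr>';
        }
    }
    if (!empty($row['gender'])) {
        $gender = ['M' => 'Male', 'F' => 'Female'][$row['gender']] ?? '?';
        $out .= '<tr><td class="label">Gender:</td><td>' . h($gender) . '</td></tr>';
    }
    if (!empty($row['birthdate'])) {
        if ($isOwner) {
            $out .= '<tr><td class="label">Birthdate:</td><td>' . h($row['birthdate']) . '</td></tr>';
        } else {
            $out .= '<tr><td class="label">Year born:</td><td>' . h(substr($row['birthdate'], 0, 4)) . '</td></tr>';
        }
    }
    if (!empty($row['city']) || !empty($row['state'])) {
        $out .= '<tr><td class="label">Location:</td><td>' . h($row['city'] . ', ' . $row['state']) . '</td></tr>';
    }
    if (!empty($row['picture'])) {
        // basename() keeps a stored filename from pointing outside the upload directory
        $out .= '<tr><td class="label">Picture:</td><td><img src="' . h(MM_UPLOADPATH . basename($row['picture'])) . '" alt="Profile Picture" /></td></tr>';
    }
    return $out . '</table>';
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$userId = requestedUserId($_GET, $_SESSION);
$row = $userId === null ? null : fetchProfile($dbc, $userId);

if ($row === null) {
    echo '<p class="error">There was a problem accessing your profile.</p>';
} else {
    $isOwner = isset($_SESSION['user_id']) && (int)$_SESSION['user_id'] === $userId;
    echo renderProfile($row, $isOwner);
    if ($isOwner) {
        echo '<p>Would you like to <a href="editprofile.php">edit your profile</a>?</p>';
    }
}
```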