On 8/5/2011 9:49 PM, wil prim wrote:
Ok so I have tried to create a sort of messaging system on my website and I have
run into some problems storing who the message is from, I'll try to take you
through step by step what I am trying to do.


*step #1 *(messages.php):<--This is where the member will view the recent
messages that have been posted
<div id='messages'>
<?php
include 'connect.php';

session_start() should be called before anything else on the page is done. Move this to the first line after your opening <?php tag.
session_start();

First... from one of your other emails, you explain that by the time you get to this page, your user has already logged in. But in the next line, you are AFAICT setting the $_SESSION['user'] to a null value. Try commenting this line out and see what happens.

$_SESSION['user']=$user;
//store sql queries
$sql="SELECT * FROM entries";

You should change this a little. I realize there isn't much to go wrong with this SQL statement, but you never know...
$result=mysql_query($sql, $con);

$result = mysql_query($sql, $con) OR
  die('SQL ERROR: '. mysql_errno($con) .'<br />'. mysql_error($con));

$count=mysql_num_rows($result);
if ($count<1){
echo 'There are no messages yet!';
}

I think you are missing an ELSE clause here...

while ($row=mysql_fetch_array($result)){
echo 'From: ' .$row['from'];
echo '<br/>';
echo 'Subject: ' .$row['subject'];
echo '<br/>';
echo 'Message: ' .$row['body'];
echo '<hr/>';

}
?>
</div>

*Step #2* (create_message.php):<-- This is where the user creates a new message

<h2>  Create new message</h2>
<table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
<form method='post' action='insert_message.php'>
<tr width='100%' height='30%' style='margin-top: 0px;'>
<td>  Subject</td>
<td>  <input type='text' name='subject' maxlength='30'></td>
</tr>
<tr width='100%' height='30%'>
<td>  Body</td>
<td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
</tr>
<tr>
<td colspan='2' align='center'><input type='submit' name='new_message'
value='Send!'/>  </td>
</tr>
</form>
</table>

*Step #3 *(insert_message.php)<-- this is where my problem is (trying to insert
$_SESSION['user'] into table ['from'])

This script is riddled with security issues and errors.
<?php
include 'connect.php';

Again with the session_start() thing.  Move it to the top.
session_start();

Why do this?  Just use $_SESSION['user'] where you would use $user...
$user=$_SESSION['user'];

This is going to cause a NOTICE error.  Check out isset()
if ($_POST['new_message']){

You are including this file for a second time.  Does it need to?
include 'connect.php';

Calling this a second time, just for good measure???  Remove it.
session_start();

Again, you are clearing your $_SESSION['user'] variable.
$_SESSION['user']=$user;

If you are going to assign the values to new variables, I would suggest tossing htmlspecialchars() around each one.
$body=$_POST['body'];
$subject=$_POST['subject'];
$date=' ';

Also, before you go using those variables above in your SQL below, you should wrap a call to mysql_real_escape_string() around them.
$sql="INSERT INTO `entries` (
`id` ,
`from` ,
`subject` ,
`body` ,
`date`
)
VALUES (
NULL , '$user', '$subject', '$body', '$date'
)";

Refer to my suggestion about adding the OR die() portion to the following command.
if (mysql_query($sql,$con)){
echo 'Inserted!';
echo $user;

}
else
echo 'Not Inserted';

}
?>

Hope I don't piss anyone off with such a long message, I just really need help on
this.

Thanks!



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
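
Steps 1 and 3 of the thread with the reply's points applied, as an added example that is not code from either poster. It swaps the suggested mysql_real_escape_string() for PDO prepared statements (the mysql_* functions were removed in PHP 7) and applies htmlspecialchars() when rendering. Assumptions: an in-memory SQLite database stands in for connect.php, the function names are hypothetical, and the sample input is constructed.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO stands in for connect.php.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY AUTOINCREMENT,
    "from" TEXT NOT NULL, subject TEXT NOT NULL, body TEXT NOT NULL, "date" TEXT NOT NULL)');

// insert_message.php logic; $session and $post stand in for $_SESSION and $_POST.
function insert_message(PDO $pdo, array $session, array $post): bool
{
    // isset() avoids the NOTICE on a missing key; no logged-in user, no insert.
    if (!isset($post['new_message'], $post['subject'], $post['body'], $session['user'])) {
        return false;
    }
    // Placeholders keep the values out of the SQL text entirely.
    // (On MySQL the reserved column name is quoted as `from`.)
    $stmt = $pdo->prepare('INSERT INTO entries ("from", subject, body, "date")
                           VALUES (:sender, :subject, :body, :date)');
    return $stmt->execute([
        ':sender'  => $session['user'],
        ':subject' => $post['subject'],
        ':body'    => $post['body'],
        ':date'    => gmdate('Y-m-d H:i:s'),
    ]);
}

// messages.php logic, with the ELSE branch and output escaping.
function render_messages(PDO $pdo): string
{
    $rows = $pdo->query('SELECT "from", subject, body FROM entries ORDER BY id')
                ->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) < 1) {
        return 'There are no messages yet!';
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $html = '';
    foreach ($rows as $row) {
        $html .= 'From: ' . $e($row['from']) . '<br/>Subject: ' . $e($row['subject'])
               . '<br/>Message: ' . $e($row['body']) . '<hr/>';
    }
    return $html;
}

// Constructed sample input: quotes and markup in user-supplied fields.
$session = ['user' => 'wil'];
$post = ['new_message' => 'Send!', 'subject' => "Tom's <b>plan</b>", 'body' => 'Say "hi" & reply'];
var_dump(insert_message($pdo, $session, $post));
echo render_messages($pdo), "\n";
```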
