Your code is full of security errors. You should use mysql escape string (Google it) to protect your database from being hacked.
David Holmes 
twitter @mrstanfan
owner of the exclusive StanFan.com
Whats Your StanFan?

-----Original Message-----
From: wil prim <wilp...@me.com>
Date: Sat, 06 Aug 2011 04:49:32 
To: PHP MAILINGLIST<php-general@lists.php.net>; Philly 
Holbrook<pholbro...@gmail.com>
Subject: [PHP] Sending a message
Ok, so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from. I'll try to take you through, step by step, what I am trying to do.


Step #1 (messages.php): <-- This is where the member will view the recent messages that have been posted

<div id='messages'>
    <?php
    include 'connect.php';            // opens the database connection as $con
    session_start();                  // note: runs after the <div> above has already been sent to the browser
    $_SESSION['user']=$user;          // note: $user is not assigned anywhere in this snippet before it is stored in the session
    //store sql queries
    $sql="SELECT * FROM entries";
    $result=mysql_query($sql, $con);
    $count=mysql_num_rows($result);
    if ($count<1){
        echo 'There are no messages yet!';
    }
    while ($row=mysql_fetch_array($result)){
        echo 'From: ' .$row['from'];          // stored values are echoed as-is, without HTML escaping
        echo '<br/>';
        echo 'Subject: ' .$row['subject'];
        echo '<br/>';
        echo 'Message: ' .$row['body'];
        echo '<hr/>';
    }
    ?>
</div>

Step #2 (create_message.php):<-- This is where the user creates a new message

<h2> Create new message</h2>
<form method='post' action='insert_message.php'>
    <table border='0' width='100%' cellpadding='3' style='text-align: top;'>
        <tr width='100%' height='30%' style='margin-top: 0px;'>
            <td> Subject </td>
            <td> <input type='text' name='subject' maxlength='30'></td>
        </tr>
        <tr width='100%' height='30%'>
            <td> Body </td>
            <td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
        </tr>
        <tr>
            <td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
        </tr>
    </table>
</form>

Step #3 (insert_message.php) <-- this is where my problem is (trying to insert $_SESSION['user'] into the `from` column of the table)

<?php
include 'connect.php';              // opens the database connection as $con
session_start();                    // must run before any output is sent
$user=$_SESSION['user'];            // the sender, expected to have been stored in the session at login
if (isset($_POST['new_message'])){
    $body=$_POST['body'];
    $subject=$_POST['subject'];
    $date=' ';
    // $user, $subject and $body are pasted straight into the SQL text (the point the reply above is making)
    $sql="INSERT INTO `entries` (
    `id` ,
    `from` ,
    `subject` ,
    `body` ,
    `date`
    )
    VALUES (
    NULL , '$user', '$subject', '$body', '$date'
    )";
    if (mysql_query($sql,$con)){
        echo 'Inserted!';
        echo $user;
    }
    else {
        echo 'Not Inserted';
    }
}
?>

Hope I don't piss anyone off with such a long message, I just really need help on this.

Thanks!
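The insert step and the display step from the original message, rewritten as an added example (this is not code from the original poster or from the reply above). The reply recommends the mysql escape-string function; this version instead uses mysqli prepared statements, which keep the submitted text out of the SQL string altogether, and HTML-escapes the stored fields on output so a message body containing markup is shown as text rather than rendered in the reader's browser. The original `mysql_*` functions were removed in PHP 7.0, so the example targets PHP 7 or later with the mysqli extension. It assumes that connect.php (a hypothetical file here) sets `$con` to a `mysqli` object, that the login page has already placed the username in `$_SESSION['user']`, and that the `date` column is a DATETIME; the thread does not show any of these.

```php
<?php
// Added example, not from the original post. Assumes connect.php defines $con
// as a mysqli object, login stores the username in $_SESSION['user'], and
// entries.date is a DATETIME column. Requires PHP 7+ with mysqli.
declare(strict_types=1);

// Store one message. The three values are bound as parameters, so a subject such as
//   x', 'y'); DROP TABLE entries; --
// is saved as a literal string; it never becomes part of the SQL text.
function insert_message(mysqli $con, string $from, string $subject, string $body): bool
{
    $subject = trim($subject);
    $body    = trim($body);
    if ($from === '' || $subject === '' || $body === '') {
        return false;                         // reject empty fields
    }
    if (strlen($subject) > 30) {
        return false;                         // the form's maxlength is advisory only; enforce it server-side
    }
    $stmt = $con->prepare(
        'INSERT INTO `entries` (`from`, `subject`, `body`, `date`) VALUES (?, ?, ?, NOW())'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $from, $subject, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Fetch all messages and return them as HTML. Every stored field goes through
// htmlspecialchars, so a body containing <script> is displayed, not executed.
function render_messages(mysqli $con): string
{
    $result = $con->query('SELECT `from`, `subject`, `body` FROM `entries` ORDER BY `id` DESC');
    if ($result === false || $result->num_rows < 1) {
        return 'There are no messages yet!';
    }
    $html = '';
    while ($row = $result->fetch_assoc()) {
        $html .= 'From: '    . htmlspecialchars($row['from'],    ENT_QUOTES, 'UTF-8') . '<br/>';
        $html .= 'Subject: ' . htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8') . '<br/>';
        $html .= 'Message: ' . nl2br(htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')) . '<hr/>';
    }
    return $html;
}

// Return a POST field as a string, or '' if it is missing or not a plain string
// (a request can send subject[]=x, which would arrive as an array).
function post_string(string $key): string
{
    return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : '';
}

// Request handling for insert_message.php: session_start() before any output,
// and $_SESSION['user'] is only read here, never reassigned.
session_start();
include 'connect.php';                        // assumed to set $con (mysqli)

if (!isset($_SESSION['user']) || !is_string($_SESSION['user'])) {
    http_response_code(403);
    exit('Please log in first.');
}
if (isset($_POST['new_message'])) {
    $ok = insert_message($con, $_SESSION['user'], post_string('subject'), post_string('body'));
    echo $ok ? 'Inserted!' : 'Not Inserted';
}
```

The same `render_messages($con)` call, placed inside the `<div id='messages'>` of messages.php after `session_start()` has run at the top of that file, replaces the loop in step #1; that page should not assign to `$_SESSION['user']` at all, since whatever the login page stored is the value insert_message.php needs to read back.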

