Re: Sending a message

Your code is full of security errors. You should use mysql escape string (google it) to protect your database from being hacked.
David Holmes 
twitter @mrstanfan
owner of the exclusive StanFan.com
Whats Your StanFan?

-----Original Message-----
From: wil prim <wilprim@xxxxxx>
Date: Sat, 06 Aug 2011 04:49:32 
To: PHP MAILINGLIST<php-general@xxxxxxxxxxxxx>; Philly Holbrook<pholbrook5@xxxxxxxxx>
Subject:  Sending a message
Ok, so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from. I'll try to take you through, step by step, what I am trying to do.


Step #1 (messages.php) <-- This is where the member will view the recent messages that have been posted
<div id='messages'>
    <?php
    include 'connect.php';
    session_start();
    $_SESSION['user']=$user;
    //store sql queries
    $sql="SELECT * FROM entries";
    $result=mysql_query($sql, $con);
    $count=mysql_num_rows($result);
    if ($count<1){
        echo 'There are no messages yet!';
    }
    while ($row=mysql_fetch_array($result)){
        echo 'From: ' .$row['from'];
        echo '<br/>';
        echo 'Subject: ' .$row['subject'];
        echo '<br/>';
        echo 'Message: ' .$row['body'];
        echo '<hr/>';
    }
    ?>
</div>

Step #2 (create_message.php) <-- This is where the user creates a new message

<h2> Create new message</h2>
<table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
    <form method='post' action='insert_message.php'>
    <tr width='100%' height='30%' style='margin-top: 0px;'>
        <td> Subject </td>
        <td> <input type='text' name='subject' maxlength='30'></td>
    </tr>
    <tr width='100%' height='30%'>
        <td> Body </td>
        <td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
    </tr>
    <tr>
        <td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
    </tr>
    </form>
</table>

Step #3 (insert_message.php) <-- This is where my problem is (trying to insert $_SESSION['user'] into table column ['from'])
<?php
include 'connect.php';
session_start();
$user=$_SESSION['user'];
if ($_POST['new_message']){
    include 'connect.php';
    session_start();
    $_SESSION['user']=$user;
    $body=$_POST['body'];
    $subject=$_POST['subject'];
    $date=' ';
    $sql="INSERT INTO `entries` (
    `id` ,
    `from` ,
    `subject` ,
    `body` ,
    `date`
    )
    VALUES (
    NULL , '$user', '$subject', '$body', '$date'
    )";
    if (mysql_query($sql,$con)){
        echo 'Inserted!';
        echo $user;
    }
    else
        echo 'Not Inserted';
}
?>

Hope I don't piss anyone off with such a long message; I just really need help on this.

Thanks!
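A hardened version of the insert and display steps, added here as an example and not code from either poster: it binds the form fields with a mysqli prepared statement instead of interpolating them into the SQL string (the injection the reply's escaping advice is about), reads the user from the session rather than overwriting it with an undefined variable, and escapes stored text on output so a message body cannot inject HTML into messages.php. The `entries` table and column names follow the original post; the connection details are placeholders, and the `date` column is assumed to accept NOW().

```php
<?php
// Added example (not the original poster's code). Assumes the same
// `entries` table as the post; host/user/password/db are placeholders.
session_start();

// Read the logged-in user from the session; never overwrite it with an
// undefined $user as the original messages.php / insert_message.php do.
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('Not logged in');
}
$user = $_SESSION['user'];

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

// --- insert_message.php: bind parameters instead of building SQL by string ---
if (isset($_POST['new_message'])) {
    $subject = substr(trim($_POST['subject'] ?? ''), 0, 30); // maxlength=30 in the form is client-side only
    $body    = trim($_POST['body'] ?? '');
    if ($subject === '' || $body === '') {
        exit('Subject and body are required');
    }
    // Placeholders keep quotes and semicolons in $subject/$body as data, not SQL.
    $stmt = $db->prepare(
        'INSERT INTO `entries` (`from`, `subject`, `body`, `date`) VALUES (?, ?, ?, NOW())'
    );
    $stmt->bind_param('sss', $user, $subject, $body);
    $stmt->execute();
    $stmt->close();
    echo 'Inserted!';
}

// --- messages.php: escape on output so stored text is displayed, not rendered as HTML ---
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$result = $db->query('SELECT `from`, `subject`, `body`, `date` FROM `entries` ORDER BY `date` DESC');
if ($result->num_rows < 1) {
    echo 'There are no messages yet!';
}
while ($row = $result->fetch_assoc()) {
    echo 'From: ' . h($row['from']) . '<br/>';
    echo 'Subject: ' . h($row['subject']) . '<br/>';
    echo 'Message: ' . nl2br(h($row['body'])) . '<hr/>';
}
```

The `from` value now comes only from the server-side session, so a client cannot claim another sender by editing the form; the original `id` column is left to AUTO_INCREMENT rather than inserting NULL by name.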
