Re: Sending a message

wil prim <wilprim@xxxxxx> · Sat, 06 Aug 2011 05:40:42 +0000 (GMT)

Woot! Got it! There was a page in between that stored $_SESSION['user']=$user rather than other way around! Thank you! and yea I will secure it!

On Aug 04, 2011, at 10:37 PM, David Holmes <dholmes1031@xxxxxxxxx> wrote:

Your code is full of security errors .. You should use mysql escape string(google it ) to protect your database from beiÿng hacked

David Holmes 

twitter @mrstanfan

owner of the exclusive StanFan.com

Whats Your StanFan?

-----Original Message-----

From: wil prim <wilprim@xxxxxx>

Date: Sat, 06 Aug 2011 04:49:32 

To: PHP MAILINGLIST<php-general@xxxxxxxxxxxxx>; Philly Holbrook<pholbrook5@xxxxxxxxx>

Subject:  Sending a message

Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from, ill try to take you through step by step what I am trying to do.

step #1 (messages.php): <--This is where the member will view the recent messages that have been posted

<div id='messages'>

            <?php

            include 'connect.php';

            session_start();

            $_SESSION['user']=$user;

            //store sql queries

            $sql="SELECT * FROM entries";

            $result=mysql_query($sql, $con);

            $count=mysql_num_rows($result);

            if ($count<1){

                echo 'There are no messages yet!';

            }

            while ($row=mysql_fetch_array($result)){

                echo 'From: ' .$row['from'];

                echo '<br/>';

                echo 'Subject: ' .$row['subject'];

                echo '<br/>';

                echo 'Message: ' .$row['body'];

                echo '<hr/>';

            }

            ?>

        </div>

Step #2 (create_message.php):<-- This is where the user creates a new message

<h2> Create new message</h2>

            <table border='0' width='100%'  cellpadding='3px' style='text-align: top;'>

                <form method='post' action=''>

                <tr width='100%' height='30%' style='margin-top: 0px;'>

                    <td> Subject </td>

                    <td> <input type='text' name='subject' maxlength='30'></td>

                </tr>

                <tr width='100%' height='30%'>

                    <td> Body </td>

                    <td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>

                </tr>

                <tr>

                    <td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>

                </tr>

                </form>

            </table>

Step #3 (insert_message.php)<-- this is where my problem is (trying to insert $_SESSION['user'] into table ['from'])

<?php

include 'connect.php';

session_start();

$user=$_SESSION['user'];

if ($_POST['new_message']){

    include 'connect.php';

    session_start();

    $_SESSION['user']=$user;

    $body=$_POST['body'];

    $subject=$_POST['subject'];

    $date=' ';

    $sql="INSERT INTO `entries` (

    `id` ,

    `from` ,

    `subject` ,

    `body` ,

    `date`

    )

    VALUES (

    NULL , '$user', '$subject', '$body', '$date'

    )";

    if (mysql_query($sql,$con)){

        echo 'Inserted!';

        echo $user;

    }

    else

        echo 'Not Inserted';

}

?>

Hope i dont piss anyone off with such a long message, I just really need help on this.

Thanks!