Re: Sending a message

Woot! Got it! There was a page in between that stored $_SESSION['user']=$user rather than the other way around! Thank you! And yeah, I will secure it!

On Aug 04, 2011, at 10:37 PM, David Holmes <dholmes1031@xxxxxxxxx> wrote:

Your code is full of security errors.. You should use mysql escape string (google it) to protect your database from being hacked
David Holmes
twitter @mrstanfan
owner of the exclusive StanFan.com
Whats Your StanFan?

-----Original Message-----
From: wil prim <wilprim@xxxxxx>
Date: Sat, 06 Aug 2011 04:49:32
To: PHP MAILINGLIST<php-general@xxxxxxxxxxxxx>; Philly Holbrook<pholbrook5@xxxxxxxxx>
Subject: Sending a message
Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from. I'll try to take you through step by step what I am trying to do.


Step #1 (messages.php): <-- This is where the member will view the recent messages that have been posted
<div id='messages'>
<?php
include 'connect.php';
session_start();
$_SESSION['user']=$user;
//store sql queries
$sql="SELECT * FROM entries";
$result=mysql_query($sql, $con);
$count=mysql_num_rows($result);
if ($count<1){
echo 'There are no messages yet!';
}
while ($row=mysql_fetch_array($result)){
echo 'From: ' .$row['from'];
echo '<br/>';
echo 'Subject: ' .$row['subject'];
echo '<br/>';
echo 'Message: ' .$row['body'];
echo '<hr/>';

}
?>
</div>

Step #2 (create_message.php): <-- This is where the user creates a new message

<h2> Create new message</h2>
<table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
<form method='post' action=''>
<tr width='100%' height='30%' style='margin-top: 0px;'>
<td> Subject </td>
<td> <input type='text' name='subject' maxlength='30'></td>
</tr>
<tr width='100%' height='30%'>
<td> Body </td>
<td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
</tr>
<tr>
<td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
</tr>
</form>
</table>

Step #3 (insert_message.php): <-- This is where my problem is (trying to insert $_SESSION['user'] into table ['from'])
<?php
include 'connect.php';
session_start();
$user=$_SESSION['user'];
if ($_POST['new_message']){
include 'connect.php';
session_start();
$_SESSION['user']=$user;
$body=$_POST['body'];
$subject=$_POST['subject'];
$date=' ';
$sql="INSERT INTO `entries` (
`id` ,
`from` ,
`subject` ,
`body` ,
`date`
)
VALUES (
NULL , '$user', '$subject', '$body', '$date'
)";
if (mysql_query($sql,$con)){
echo 'Inserted!';
echo $user;

}
else
echo 'Not Inserted';

}
?>

Hope I don't piss anyone off with such a long message, I just really need help on this.

Thanks!
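A hardened version of the insert/display flow from the thread, added here as an example and not code from the original posts. It fixes the session direction the reply identified and replaces string-built SQL with placeholders as David's reply asks; it assumes connect.php provides a PDO handle named $pdo and that a login page already stored the username in $_SESSION['user'] (both assumptions, not from the thread).

```php
<?php
// Added example (not the poster's code): the two halves of the thread's
// messaging flow with the session direction fixed and input parameterized.
// Assumes connect.php defines $pdo (a PDO handle with ERRMODE_EXCEPTION) and
// that the login page set $_SESSION['user'] after verifying the password.
require 'connect.php';
session_start();

// Store a message for the logged-in user. Placeholders keep $subject and
// $body out of the SQL text, which is the protection David's reply asks for
// and what mysql_real_escape_string() approximated in the old mysql_* API.
function insert_message(PDO $pdo, string $from, string $subject, string $body): bool
{
    // maxlength on the form is only a browser hint; enforce it server-side.
    if ($subject === '' || mb_strlen($subject) > 30 || $body === '') {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO `entries` (`from`, `subject`, `body`, `date`)
         VALUES (:from, :subject, :body, NOW())'
    );
    return $stmt->execute([':from' => $from, ':subject' => $subject, ':body' => $body]);
}

// Render stored messages, escaping every field so a message body cannot
// inject markup or script into other members' pages (messages.php echoed raw).
function render_messages(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT `from`, `subject`, `body` FROM `entries`') as $row) {
        $html .= 'From: ' . htmlspecialchars($row['from'], ENT_QUOTES, 'UTF-8') . '<br/>'
               . 'Subject: ' . htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8') . '<br/>'
               . 'Message: ' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '<hr/>';
    }
    return $html === '' ? 'There are no messages yet!' : $html;
}

// insert_message.php: read the user FROM the session. The original bug was
// $_SESSION['user'] = $user, which overwrote the session with an unset variable.
$user = $_SESSION['user'] ?? null;
if ($user === null) {
    http_response_code(403);
    exit('Please log in first.');
}
if (isset($_POST['new_message'])) {
    $ok = insert_message($pdo, $user, trim($_POST['subject'] ?? ''), trim($_POST['body'] ?? ''));
    echo $ok ? 'Inserted!' : 'Not Inserted';
}
echo '<div id="messages">', render_messages($pdo), '</div>';
```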


