On 8/5/2011 9:49 PM, wil prim wrote:
Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from, ill try to take you through step by step what I am trying to do. *step #1 *(messages.php):<--This is where the member will view the recent messages that have been posted <div id='messages'> <?php include 'connect.php';
session_start() should be called before anything else on the page is done. move this to the first line after your opening <?php tag.
session_start();
First... from one of your other emails, you explain that by the time you get to this page, your user has already logged in. But in the next line, you are AFAICT setting the $_SESSION['user'] to a null value. Try commenting this line out and see what happens.
$_SESSION['user']=$user; //store sql queries $sql="SELECT * FROM entries";
You should change this a little. I realize their isn't much to go wrong with this SQL statement, but you never know...
$result=mysql_query($sql, $con);
$result = mysql_query($sql, $con) OR die('SQL ERROR: '. mysql_errno($con) .'<br />'. mysql_error($con));
$count=mysql_num_rows($result); if ($count<1){ echo 'There are no messages yet!'; }
I think you are missing an ELSE clause here...
while ($row=mysql_fetch_array($result)){ echo 'From: ' .$row['from']; echo '<br/>'; echo 'Subject: ' .$row['subject']; echo '<br/>'; echo 'Message: ' .$row['body']; echo '<hr/>'; } ?> </div> *Step #2* (create_message.php):<-- This is where the user creates a new message <h2> Create new message</h2> <table border='0' width='100%' cellpadding='3px' style='text-align: top;'> <form method='post' action='insert_message.php'> <tr width='100%' height='30%' style='margin-top: 0px;'> <td> Subject</td> <td> <input type='text' name='subject' maxlength='30'></td> </tr> <tr width='100%' height='30%'> <td> Body</td> <td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td> </tr> <tr> <td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td> </tr> </form> </table> *Step #3 *(insert_message.php)<-- this is where my problem is (trying to insert $_SESSION['user'] into table ['from'])
This script is riddled with security issues and errors.
<?php include 'connect.php';
Again with the session_start() thing. Move it to the top.
session_start();
Why do this? Just use $_SESSION['user'] where you would use $user...
$user=$_SESSION['user'];
This is going to cause a NOTICE error. Check out isset()
if ($_POST['new_message']){
You including this file for a second time. Does it need to?
include 'connect.php';
Calling this a second time, just for good measure??? Remove it.
session_start();
Again, you are clearing your $_SESSION['user'] variable.
$_SESSION['user']=$user;
If you are going to assign the values to new variables, I would suggest tossing htmlspecialchars() around each one.
$body=$_POST['body']; $subject=$_POST['subject']; $date=' ';
Also, before you go using those variables above in your SQL below, you should wrap a call to mysql_real_escape_string() around them.
$sql="INSERT INTO `entries` ( `id` , `from` , `subject` , `body` , `date` ) VALUES ( NULL , '$user', '$subject', '$body', '$date' )";
Refer to my suggestion about about adding the OR die() portion to the following command.
if (mysql_query($sql,$con)){ echo 'Inserted!'; echo $user; } else echo 'Not Inserted'; } ?> Hope i dont piss anyone off with such a long message, I just really need help on this. Thanks!
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php