[SOLVED] PM System - Reply feature

[stelthius]

Ok guys stuck with this one,,, i have this

 

<a href='../index.php?page=messages&option=reply&user=" . $sender . "&rsubject=Re:" . $subject . "'>Reply</a>

 

in my view message.php so that users can reply to a pm with a Re: $subject(of the original PM)in the subject box automaticly, but i can alter the url once im on the reply page

 

index.php?page=messages&option=reply&user=nicola&rsubject=Re:hey

 

I can change the username and i can change the pm subkect, does anyone have any advice on stopping this ? i dont want users to be able to minipulate the reply feature by editing the URL..

[ionik]

You can use the id of the PM they are responding in the url and pull the title from the database

 

// url : <a href='../index.php?page=messages&option=reply&user=" . $sender . "&pmId="'.$pmId.'"'>Reply</a>
$sql = 'SELECT `title` FROM `private_messages` WHERE `pmId` = "'.(int) $_GET['pmId'].'" LIMIT 1';
$result = mysql_query($sql);
$fetch = mysql_fetch_assoc($result);
$title = 'Re: '.$fetch['title'].';

 

[stelthius]

Hey thanks ionik, your code is sorta what i need but i cant get it to pull the PM ID from the DB to use that pm's ID to grab the subject thus the reason i took the laxy route and used the other method but then soon realised its a troublesome way to go

 

<a href='../index.php?page=messages&option=reply&user=".$sender."&id=".$id."'>Reply</a>";
$sql = 'SELECT `subject` FROM `messages` WHERE `id` = '.(int) $_GET['msg_id'].' LIMIT 1';
$result = mysql_query($sql);
$fetch = mysql_fetch_assoc($result);
$title = 'Re: '.$fetch['subject'].' ';

 

Is were im at right now everything works fine it just is not getting the PM ID can you offer any advice on this ?

[stelthius]

msg_id is already in the URL from the initial reading of the PM

[kickstart]

Hi

 

If they are doing a reply, remember to check that the message they are replying to (and possibly quoting) is one addressed to them. Otherwise you will just give everyone access to the contents of all pm's.

 

All the best

 

Keith

[stelthius]

Hey kick yes all that is fine and they can only reply to there own pm's my problem is when they press reply, they can change the username they are replying to via the url see here index.php?page=messages&option=reply&user=USERNAME&id=

 

They can change USERNAME to what ever so when there meant to reply to the user that sent them the pm they can infact change the username and reply the message to whom ever they like im unsure how to stop this, and the second thing is i use this

 

$msg_id = $_REQUEST['msg_id'];
$view_msg = mysql_query("SELECT * FROM messages WHERE id = '$msg_id'");
$msg = mysql_fetch_array($view_msg);

 

To get the message and its ID then im trying to use this for the reply button so they reply to the pm there reading with the users name and a Re: already inputted in the form..

 

<a href='../index.php?page=messages&option=reply&user=".$sender."&id=".id."'>Reply</a>";
$sql = 'SELECT `subject` FROM `messages` WHERE `id` = '.(int) $_GET['msg_id'].' LIMIT 1';
$result = mysql_query($sql);
$fetch = mysql_fetch_assoc($result);
$title = 'Re: '.$fetch['subject'].' ';

 

But it isnt working as i expected it would everything but the reply feature works wonderfully.

[stelthius]

The current code im playing with right now

 

<a href='../index.php?page=messages&option=reply&user=".$sender."&id=".$id."'>Reply</a>";
$sql = 'SELECT `subject` FROM `messages` WHERE `id` = '.(int) $_GET['id'].' LIMIT 1';
$result = mysql_query($sql);
$fetch = mysql_fetch_assoc($result);
$title = 'Re: '.$fetch['subject'].' ';

 

Ge the username but doesnt get the subject and im stuck with it now :S

[kickstart]

Hi

 

Not familiar with the particular BB that you are coding. However I would just pass over the ID of the message they are replying to, the select the details from the messages table JOINed with the users table on the id of the recipient.

 

All the best

 

Keith

[stelthius]

Hey kick,

 

Im relativly new to php so im unsure how to JOIN two queries? into one.. ive looked on google for several hours but couldnt really find much help on it

[jxrd]

I was just reading through...and I don't really understand why people editing the url is a problem. Unless you're actually fetching a quote from the database, which it appears you aren't.

 

The user could type in a subject surely, without modifying the url, so what does it matter if they do? Same with the recipient.

 

But ionik's idea seems good. Pass the id in the url, and then on the reply page have a query that gets the message's subject that this user owns, and has an id of whatever is in the url.

[stelthius]

there is no reason i just dont like the url showing up like this

 

/index.php?page=messages&option=reply&user=nicola&rsubject=Re:hey

 

id prefer it to be

/index.php?page=messages&option=reply&user=USERNAME&id=PMID

 

i dont want the subject of the pm to be in the url

[jxrd]

But ionik's idea seems good. Pass the id in the url, and then on the reply page have a query that gets the message's subject that this user owns, and has an id of whatever is in the url.

Do that then

[stelthius]

not to be rude but if you actaully read my full topic you'd know thats what im trying to accomplish, i cant get it to grab the pmID XD

[kickstart]

Im relativly new to php so im unsure how to JOIN two queries? into one.. ive looked on google for several hours but couldnt really find much help on it

 

Bit off topic, but here goes.

 

Say you have a table of users

Id, Name, Age

1,Bill,55

2,Ben,15

3,Joe,25

 

And a table of posts

Id,Subject, PosterId

1,Subject A,1

2,Subject B,1

3,Re Subject B,2

4,Subject C,2

 

Now if you wanted a list of posts by Bill and his age you could "SELECT Id, Age From users WHERE Name = 'Bill'", and then take the returned value from that (say put it into $User) and do a "SELECT * FROM posts WHERE PosterId = $User". Bit tortuous.

 

Doing a simple join:-

 

SELECT *

FROM users

JOIN posts

ON users.Id = posts.PosterId

WHERE users.Name = 'Bill'

 

Single query to do the same. This will bring back one row for every matching row on the users and posts table, joined up according to the ON clause. It would bring back:-

 

Id, Name, Age, Id, Subject, PosterId

1,Bill,55,1,Subject A,1

1,Bill,55,2,Subject A,1

 

This is a conventional JOIN, also known as an INNER JOIN.

 

One minor issue you might notice is if the person hadn't made any posts (like Joe in my examples). If you do 2 seperate SELECTs then the first would still get his age, but the 2nd wouldn't find any posts. With an INNER JOIN as there are no matching rows, the nothing would be returned.

 

In such a case there is the OUTER JOIN. On this you specify that you want all the rows on one side of the join (that match the WHERE condition) and if there is no matching row on the other half of the join then those fields would be NULL. So if you did a users LEFT OUTER JOIN posts then any row on users (the left hand table) would be brought back at least once, with one for each match on the right hand table.

 

Doing this for 'Bill' would bring back exactly the same as the previous JOIN.

 

SELECT *

FROM users

LEFT OUTER JOIN posts

ON users.Id = posts.PosterId

WHERE users.Name = 'Bill'

 

However do it for Joe and the first JOIN would have brought back nothing. The below:-

 

SELECT *

FROM users

LEFT OUTER JOIN posts

ON users.Id = posts.PosterId

WHERE users.Name = 'Joe'

 

would bring back:-

 

Id, Name, Age, Id, Subject, PosterId

3,Joe,25,NULL,NULL,NULL

 

Hope that very brief introduction to joins (pretty much the whole basis of a relational database) helps.

 

All the best

 

Keith

[stelthius]

Hi Keith,

 

That helps millions thanks for that, i couldnt find anything on google actually explaining the method of join and the best ways to do and accomplish it XD