Jump to content

mailing...


grlayouts

Recommended Posts

ok i have a game www.pimpdominion.co.uk and im trying to set up the mail feature which write the message to the database (mysql) then relates it to the player. however when i send a message everyone gets it? can some one look at the code and see anything wrong?
[code]
<?php $title = "Mailbox"; include("header.php")?>

<br><br>
<?php
if (!$_GET[view] && !$_GET[step] && !$_GET[read]) {
print "<table width=500 border=0 cellspacing=1 cellpadding=2 bgcolor=#676767> <tr bgcolor=#676767>";
print "<td width=120 height=25><b>From:</b></td>";
print "<td width=100><b><center>ID:</b></td>";
print "<td width=300><b>Subject:</b></td>";
print "<td width=60><b><center>Options</center></b></td></tr>  ";
$msel = mysql_query("select * from mail where owner=$stat[id] order by id desc");
while ($mail = mysql_fetch_array($msel)) {
print " <tr onMouseOver=\"style.backgroundColor='#333333';\" onMouseOut=\"style.backgroundColor='white';\" bgcolor=white>";
print "<td width=120><a href=view.php?view=$mail[senderid]>$mail[sender]</a></td>";
print "<td width=100><center>$mail[senderid]</a></td>";
print "<td width=300><a href=mail.php?read=$mail[id]>$mail[subject]</a></td>";
print "<td align=center width=60><a href=mail.php?step=selectclear&id=$mail[id]>Trash</a></td></tr>";

}
print "</table><br><table width=500 bgcolor=#676767 cellpadding=1 cellspacing=2><tr height=20 bgcolor=white><td align=center width=50%><a href=mail.php?step=clear>Trash All</a> </tD><td width=50%> <a href=mail.php?view=write><center>Compose</a></td></tr>";
print "</table></center>";
}
if ($_GET[step] == clear) {
print "<br>Mail cleared. (<a href=mail.php>refresh</a>)";
mysql_query("delete from mail where owner=$stat[id]");
}
if ($_GET[step] == selectclear) {
print "<br>Mail cleared. (<a href=mail.php>refresh</a>)";
mysql_query("delete from mail where owner=$stat[id] and id=$_GET[id]");
}



if ($_GET[view] == write) {
print "[<a href=mail.php>Inbox</a>]<br><br>";
print "<table>";
print "<form method=post action=mail.php?view=write&re=$_GET[re]&to=$_GET[to]&step=send>";
print "<tr><td>To (ID Number):</td><td><input type=text name=to maxsize=10 size=25 value=$_GET[to]></td></tr>";
print "<tr><td>Subject:</td><td><input type=text name=subject size=25 value=$_GET[re]></td></tr>";
print "<tr><td valign=top>Body:</td><td><textarea name=body rows=10 cols=50>$_POST[body]</textarea></td></tr>";
print "<tr><td colspan=2 align=center><input type=submit value=Send></td></tr>";
print "</form></table>";

if ($_GET[step] == send) {
$_POST[to] = strip_tags($_POST[to]);
$_POST[subject] = strip_tags($_POST[subject]);
$_POST[body] = str_replace($remove,"", $_POST[body]);
$_POST[subject] = str_replace($remove,"", $_POST[subject]);
$_POST[body] = nl2br(strip_tags($_POST[body]));
if (empty ($_POST[to]) || empty ($_POST[body]) || empty ($_POST[subject])) {
print "Please fill out all fields.";
include("footer.php");
exit;
}

$values=explode(" ", $_POST[body]);$longest=0;foreach($values as $value)
{if (strlen($value)>$longest) {$longest = strlen($value);}}
if ($longest > 100) { print "Your largest word is too long, it's $longest characters, it can't be more than 100 characters."; include("footer.php"); exit; }

$size=strlen($_POST[body]);
if ($size > 2000) { print "Your message is too long, it can't be larger than 2000 characters, yours is $size characters"; include("footer.php"); exit; }

$size=strlen($_POST[subject]);
if ($size > 100) { print "Your subject is too long, it can't be larger than 100 characters, yours is $size"; include("footer.php"); exit; }
$rec = mysql_fetch_array(mysql_query("select * from players where id=$_POST[to]"));
if (empty ($rec[id])) {
print "No such player.";
include("footer.php");
exit;
}
print "You sent mail to $rec[id].";
}
$get = mysql_query("select * from players");
               
mysql_query("insert into mail (sender,owner,subject,body) values('$to','$list[id]','$subject','$body')") or die("Could not send mail.");
}

if ($_GET[read]) {
$mail = mysql_fetch_array(mysql_query("select * from mail where id=$_GET[read]"));
if (empty ($mail[id])) {
print "No such mail.";
include("footer.php");
exit;
}
if ($mail[owner] != $stat[id]) {
print "That's not your mail.";
include("footer.php");
exit;
}
mysql_query("update mail set unread='F' where id=$mail[id]");
print "<table width=99% bgcolor=#676767 cellpadding=2 cellspacing=1><tr height=30><td bgcolor=white><b>$mail[sender]</b> says... $mail[subject]</td></tr>
<tR bgcolor=white height=100 valign=top><td>
$mail[body]<br><br></tD></tR></table><bR><table bgcolor=#676767 cellpadding=2 cellspacing=1 width=99%><tr bgcolor=white align=center><td width=33%><center><a href=mail.php>Inbox</a></td><td width=34%><Center><a href=mail.php?view=write>Compose</a></tD><td height=25 width=33%><a href=mail.php?view=write&to=$mail[senderid]&re=RE:$mail[subject]>Reply</a></td></tR>";
}


?>




<?php include("footer.php"); ?>

[/code]
Link to comment
Share on other sites

Something comes to mind after a glance at the code.

Your code to prevent looking at other people's mail could be wrong:

You check against $stat[id], but I don't see a place where you set $stat[id].  If you haven't set it, then PHP treats it like ''.  Your security compares $mail[owner] against $stat[id] (or '')  That could be the problem.

However, since you use that variable all through the code, you may have other bugs waiting to happen.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.