Mod-Jay Posted February 20, 2011

Hello, I want this to block nulls and when it's not their own. Please help.

<?php
if($_GET['usercp'] == 'vinbox' && $_GET['id']) {
?>
<?php
$id="{$_GET['id']}";
if($_GET['id'] == null or $_GET['id'] == 0){
    die("You have reached a Null Page. <a href=\"index.php\">Go back home</a>");
}
$view_a = mysql_query("SELECT * FROM notifications WHERE id='$id'");
while($view_b = mysql_fetch_array($view_a)){
    $msgid = $view_b['id'];
    $msgname = $view_b['title'];
    $msgdate = $view_b['sent'];
    $msgsender = $view_b['senderid'];
    $msgreciever = $view_b['msgreciever'];
    $msgtext = $view_b['text'];
    $msgread = $view_b['read'];
}
$msgdatee = date('D, M d, Y h:i A', strtotime($msgdate));
$recieverfind = mysql_query("SELECT * FROM users WHERE id='$msgsender'");
while($recieverfound = mysql_fetch_assoc($recieverfind)) {
    $username = $recieverfound['username'];
    $userid = $recieverfound['id'];
}
if($userid == $msgreciever) {
    if($msgread <= 0){
        mysql_query("UPDATE notifications SET `read`='1' WHERE `id`='".$id."'");
    }
?>
<div class="usercp_body"><!-- UserCP Notification Sent Start -->
<div id="dash_chart" class="notifications" style="width:100%;margin: 0 auto;">
<div class="notifications-header">
<h4><center>Viewing Message: <?php echo ucfirst($msgname); ?></center></h4>
</div>
<div class="notifications-content" style="padding:10px 10px 10px 10px;">
<i><b>Sent From: </b></i><?php echo $username; ?><br>
<i><b>Date Sent: </b></i><?php echo $msgdatee; ?><br>
<i><b>Message: </b></i><br><hr><?php echo ucfirst($msgtext); ?>
<br><hr><br>
<i><b>Reply: </b></i><textarea> </textarea>
</div></div></div><!-- UserCP Notification Sent End -->
<?php
} else {
    echo "This Message does not Belong to you";
}
}

Sorry for the short explanation. I'm very tired.
trq Posted February 20, 2011

> Sorry for the short explanation. I'm very tired.

Me too.
Mod-Jay (Author) Posted February 20, 2011

Lol =P. This is my notification script for viewing a notification. Okay, the following lines of code should block nulls. Unfortunately it doesn't, and I don't know what's wrong with it.

if($_GET['id'] == null or $_GET['id'] == 0){
    die("You have reached a Null Page. <a href=\"index.php\">Go back home</a>");
}

Now, for when it's not their own, I have the following lines, but they don't work efficiently. They should block them from seeing the user's notification if $userid doesn't equal $msgreciever. However, that doesn't work either.

if($userid == $msgreciever) {
    //The code inside it
} else {
    echo "This Message does not Belong to you";
}
Skepsis Posted February 20, 2011

There is a better way to check if your data is null. What you're doing is checking if the $_GET variable 'id' is put in, so unless somebody types in id=0 or id= they will not see that message. We first need to check and see if that specific id being searched for is in the database.

Also, before I start producing code, I noticed you did this:

$id="{$_GET['id']}";

This converts your id into a string, when it should be an integer, so take out the {} and quotes.

I've changed your code a little bit and explained what I've done. Sorry I didn't break down the code and detail it, but I've been having problems with the page parser. Anyhow, this code below should get the job done.

<?php
// getting the id and storing it in a shorter variable
$id = (int)$_GET['id'];

// running the query where the notification must match the id in the link
$view_a = mysql_query("SELECT * FROM notifications WHERE id='$id'");

// count how many rows we have
$rows = mysql_num_rows($view_a);

// if we have 0 rows, return an error
if ( $rows < 1 ) {
    die('we counted less than one row, meaning that we did not find your result.');
}

while($view_b = mysql_fetch_array($view_a)) {
    $msgid = $view_b['id'];
    $msgname = $view_b['title'];
    $msgdate = $view_b['sent'];
    $msgsender = $view_b['senderid'];
    $msgreciever = $view_b['msgreciever'];
    $msgtext = $view_b['text'];
    $msgread = $view_b['read'];
}
?>

Any questions, let me know.
Pikachu2000 Posted February 20, 2011

> Also, before I start producing code, I noticed you did this: $id="{$_GET['id']}"; This converts your id into a string, when it should be an integer, so take out the {} and quotes.

$_GET['id'] is already a string value, as is all form data by default. Braces and quotes won't change that. What needs to be done is first validate that all characters in the value are numeric, and if so cast it as an integer.

if( !empty($_GET['id']) && ctype_digit($_GET['id']) ) {
    $id = (int) $_GET['id'];
} else {
    // Value is empty or does not validate; show error message, halt script, take whatever action you need to take . . .
}
Mod-Jay (Author) Posted February 20, 2011

Skep, what do the rows mean? Pika, you confused me.
Pikachu2000 Posted February 20, 2011

Checking a $_GET var for a null value is pretty pointless. If the URL contains id=, it isn't null, it's an empty string. If id= isn't even present in the URL, it will be null, but it will also be unset. Using

if( !empty($_GET['id']) ) {

will cover both of those scenarios, whereas ctype_digit($_GET['id']) makes sure that the value is numeric before you cast it as an integer, to protect against SQL injection. Does that help clear it up, or did I just make it worse?
Mod-Jay (Author) Posted February 20, 2011

Cleared it up. So, in Skep's script, where would I add your lines? Your script doesn't check if the id= is empty. And what about making sure the notification is yours?
Pikachu2000 Posted February 20, 2011

Regarding making sure the notification belongs to the user, how do you log them in? Do you store user id or username or some other credentials in a session var or . . . ?
Mod-Jay (Author) Posted February 20, 2011

Session var, $_SESSION['id'];
Pikachu2000 Posted February 20, 2011

Give this a try. You'll obviously need to edit the query string where it says, "AND `field_that_indicates_user_id_of_message_owner` =" . . .

<?php
// This assumes you've already checked that the user is logged in, and your DB connection is established.
if( !empty($_GET['id']) && ctype_digit($_GET['id']) ) {
    $id = (int)$_GET['id'];
    $query = "SELECT * FROM notifications WHERE id=$id AND `field_that_indicates_user_id_of_message_owner` = {$_SESSION['id']}";
    if( !$result = mysql_query($query) ) {
        echo "<br>Query string: $query<br>Caused error: " . mysql_error() . '<br>';
        exit; // nothing below can run without a result set
    }
    $rows = mysql_num_rows($result);
    if ( $rows < 1 ) {
        echo 'No notifications seem to exist for you.';
    } else {
        // notifications exist, and are associated with the logged in user.
        while( $view_b = mysql_fetch_assoc($result) ) {
            // ***** you still need to echo the variables in the proper format below. *****
            $msgid = $view_b['id'];
            $msgname = $view_b['title'];
            $msgdate = $view_b['sent'];
            $msgsender = $view_b['senderid'];
            $msgreciever = $view_b['msgreciever'];
            $msgtext = $view_b['text'];
            $msgread = $view_b['read'];
        }
    }
} else {
    // This is the error if the id variable is empty or malformed.
    echo 'Invalid id value supplied.';
}
?>
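The two checks the thread converges on (reject an id that is missing, empty or not all digits before touching the database; then let the query itself enforce that the row belongs to the logged-in user) can be put together in one runnable script. The code below is an added example and is not any poster's code. It assumes PHP with PDO and the SQLite driver so it runs offline against an in-memory table built here as constructed sample data; the notifications columns (id, title, sent, senderid, msgreciever, text, read) are taken from the thread, $_SESSION['id'] is stood in for by a local variable, and prepared statements are used in place of the thread's mysql_* string queries. It also HTML-escapes what it echoes, which the thread's code does not do.

```php
<?php
// Added example, not the original posters' code. Constructed data; swap the
// DSN for your own connection and read $sessionUserId from $_SESSION['id'].

// Returns the id as an int, or null when it is missing, empty, or not all digits.
// This is the !empty() + ctype_digit() check from the thread, as a function.
function validateId(array $get): ?int
{
    if (empty($get['id']) || !ctype_digit($get['id'])) {
        return null;
    }
    return (int) $get['id'];
}

// Returns the notification row only if $userId is its receiver; null otherwise.
// Ownership is part of the WHERE clause, so a row that is not the user's is
// simply never fetched (no separate compare of sender vs receiver afterwards).
function fetchOwnedNotification(PDO $db, int $id, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, title, sent, senderid, msgreciever, text, `read`
           FROM notifications WHERE id = :id AND msgreciever = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Marks the message read, again restricted to the owner's row.
function markRead(PDO $db, int $id, int $userId): void
{
    $stmt = $db->prepare(
        'UPDATE notifications SET `read` = 1 WHERE id = :id AND msgreciever = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $userId]);
}

// --- constructed sample data (in-memory SQLite, schema mirrors the thread) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notifications (
    id INTEGER PRIMARY KEY, title TEXT, sent TEXT, senderid INTEGER,
    msgreciever INTEGER, text TEXT, `read` INTEGER DEFAULT 0)');
$db->exec("INSERT INTO notifications VALUES
    (1, 'hello',  '2011-02-20 10:00:00', 2, 7, 'first message',  0),
    (2, 'secret', '2011-02-20 11:00:00', 3, 9, 'not for user 7', 0)");

$sessionUserId = 7; // stands in for $_SESSION['id'] (assumed already logged in)

// Each entry stands in for one request's $_GET.
$cases = [
    ['id' => '1'],    // own message: shown and marked read
    ['id' => '2'],    // someone else's: refused by the ownership clause
    ['id' => ''],     // id= present but empty: refused before any query
    ['id' => '1abc'], // not all digits: refused before any query
    [],               // id absent entirely: refused before any query
];

foreach ($cases as $get) {
    $id = validateId($get);
    if ($id === null) {
        echo "Invalid id value supplied.\n";
        continue;
    }
    $msg = fetchOwnedNotification($db, $id, $sessionUserId);
    if ($msg === null) {
        // Same message whether the row is missing or belongs to someone else,
        // so the response does not reveal which ids exist.
        echo "Message $id does not belong to you.\n";
        continue;
    }
    if ((int) $msg['read'] === 0) {
        markRead($db, $id, $sessionUserId);
    }
    $when  = date('D, M d, Y h:i A', strtotime($msg['sent']));
    $title = htmlspecialchars(ucfirst($msg['title']), ENT_QUOTES, 'UTF-8');
    echo "Viewing Message: $title (sent $when)\n";
}
```

Running it prints one line per case: the first is displayed, the other four are refused. Keeping the receiver check inside the query is what fixes the thread's original logic, which compared the sender's user id against the receiver column and so could never match for the person the message was actually addressed to.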