button goes to blank screen


dominic600

So I'm working on building a forum and I got everything on it, but when you go to add a reply to the topic and click the reply button it will just go to a blank screen. Not sure why it's doing this, never had this problem.

 

Here's the code with the button:

 

<?php require("top.php");

if ($username && ($_GET['cid'] == "")) {
    header("Location: home.php");
    exit();
}

$cid = $_GET['cid'];
$tid = $_GET['tid'];
?>

<div id='homepageright'>

<form action="post_reply_parse.php" method="post">
<p>Reply Comment</p>
<textarea name="reply_content" rows="5" cols="75"></textarea>
<br /><br />
<input type="hidden" name="cid" value="<?php echo $cid; ?>" />
<input type="hidden" name="tid" value="<?php echo $tid; ?>" />
<input type="submit" name="reply_submit" value="Reply" />


<div id='homepageleft'>

</div>
</div>
</html>
</body>

 

And the code the button goes to:

 

<?php

if($username){
    header("Location: index.php");
}
if(isset($_POST['reply_submit'])){
    include_once("scripts/connect.php");
    $creator = $_SESSION['uid'];
    $cid = $_POST['cid'];
    $tid = $_POST['tid'];
    $reply_content = $_POST['reply_content'];
    $sql = "INSERT INTO post (category_id, topic_id, post_creator, post_content, post_date) VALUES ('".$cid."', '".$tid."', '".$creator."', '".$reply_content."', now())";
    $res = mysql_query($sql) or die(mysql_error());
    $sql2 = "UPDATE categories SET last_post_date=now(). last_user_posted='".$creator."' WHERE id='".$cid."' LIMIT 1";
    $res2 = mysql_query($sql2) or die(mysql_error());
    $sql3 = "UPDATE topics SET topic_reply_date=now(), topic_last_user'".$creator."' WHERE id='".$tid."' LIMIT 1";
    $res3 = mysql_query($sql3) or die(mysql_error());

    //email sending

    if(($res) && ($res2) && ($res3)) {
        echo "Your Reply Has Been Posted";
    }
    else{
        echo "There Was A Problem Posting Your Reply";
    }
}

?>

A blank page means there's an error in your script. Set error reporting to E_ALL and set display errors to on and you will see them.

 

About this IF statement

if($username){
    header("Location: index.php");
}

This will never evaluate to true because you never initialized $username. It's basically a waste of CPU cycles. This can also produce an E_NOTICE error since you're trying to compare a value that doesn't exist. Use either isset or empty to check variables.

 

I'm not sure if there's a session_start() within scripts/connect.php or the server automatically initializes the session but to get the value of $_SESSION['uid'] you should call session_start().

 

You never checked to verify that the required values were ever posted so you could be working with NULL values in your query.

 

Finally, your script is vulnerable to SQL injections. I'd suggest you stop using the MySQL API and move on to either MySQLi or PDO. Those two APIs offer prepared statements. If used properly they are immune to SQL injections.

 

 

Link to comment
Share on other sites
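The points raised in the reply above (error display, session_start(), checking that the fields were posted, prepared statements), put together as an added example that is not code from either poster. The DSN, credentials, the post_reply() helper name and the user-facing messages are assumptions; table and column names are taken from the question's queries, reading `topic_last_user` as a column assignment.

```php
<?php
// Development only: show every error instead of a blank page.
error_reporting(E_ALL);
ini_set('display_errors', '1');
session_start(); // needed before $_SESSION['uid'] can be read

// Returns null on success, otherwise a message for the user.
function post_reply(PDO $db, array $post, array $session): ?string
{
    if (!isset($session['uid'])) {
        return 'You must be logged in to reply.';
    }
    // Confirm every required field was posted and has the expected shape.
    $cid = $post['cid'] ?? null;
    $tid = $post['tid'] ?? null;
    $content = $post['reply_content'] ?? null;
    if (!is_string($cid) || !ctype_digit($cid) || !is_string($tid) || !ctype_digit($tid)
        || !is_string($content) || trim($content) === '') {
        return 'Missing or invalid cid, tid or reply_content.';
    }
    $uid = $session['uid'];
    $db->beginTransaction();
    try {
        // Values travel as bound parameters, never as part of the SQL text.
        $db->prepare('INSERT INTO post (category_id, topic_id, post_creator, post_content, post_date)
                      VALUES (?, ?, ?, ?, NOW())')->execute([$cid, $tid, $uid, $content]);
        $db->prepare('UPDATE categories SET last_post_date = NOW(), last_user_posted = ? WHERE id = ?')
           ->execute([$uid, $cid]);
        $db->prepare('UPDATE topics SET topic_reply_date = NOW(), topic_last_user = ? WHERE id = ?')
           ->execute([$uid, $tid]);
        $db->commit();
        return null;
    } catch (PDOException $e) {
        $db->rollBack();
        error_log($e->getMessage());
        return 'There Was A Problem Posting Your Reply';
    }
}

if (isset($_POST['reply_submit'])) {
    // Placeholder DSN and credentials (assumptions): replace with your own.
    $db = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // failures throw, not fail silently
        PDO::ATTR_EMULATE_PREPARES => false,          // real server-side prepared statements
    ]);
    echo post_reply($db, $_POST, $_SESSION) ?? 'Your Reply Has Been Posted';
}
```

On a live site, set display_errors to off and rely on the error log, since displayed errors can reveal query text and file paths.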

I have my session_start() in my top.php. Like, I have almost the same script, with everything the same, for creating a topic and it works perfectly; I just don't know what I'm missing in this one. As far as showing the errors, idk how to do that E_ALL thing or how to turn it on or whatever.

 

But thanks for all the info, and I'm just wanting to get all my functionality down, then I'm going to work on the security. I'm new to PHP and MySQL so I'm slowly learning.
