Problem with notifications sent out when data added


speckytwat

Having an odd issue with an internal messaging system which sends a message to a member messages table (it also sends a message to the sender, so they're basically cc'd and have a copy). The messages themselves are simply copied to a MySQL table rather than sent out; users have to log in to see them. However the client also wanted a notification sent out via email to the members' email accounts, so that they are alerted when they have an internal message, and can then log into the system.

The problem is, although it works- messages are added to the db table and notifications are being sent out- rather than the notifications going ONLY to recipient and sender, they are being sent to EVERY member. So if Member 1 sends a message to Member 2, Members 1 and 2 get their notification (great) but Members 3, 4, 5, 6 etc. also get notifications even though there isn't a message waiting for them when they log in.

Checking in the db, only sender and recipient have the message logged for their user ID, so that works fine.

Any ideas as to why it's sending out notifications to all members and how I can stop it?

<?php
if($_POST['sendmessage'])
{
        foreach ($_POST['_RecipientID'] as $key => $recipientid)
            {
                $recipients .= "$recipientid, ";

            $recipientemail = $mysqli->real_escape_string($_POST['_RecipientEmail']);    
            $messagetext = $mysqli->real_escape_string($_POST['_MessageText']);    
            $sender = $mysqli->real_escape_string($_POST['_Sender']);    
            $dateadded = date('Y-m-d H:i:s');
                for ($i=0; $i<count($recipientid); $i++)
        $addmessagetotable = $mysqli->query("INSERT INTO messages (RecipientID, MessageText, Sender, DateSent) VALUES ('$recipientid','$messagetext','$sender','$dateadded')");
            }

            foreach ($_POST['_RecipientEmail'] as $key => $recipientemail)
            {
                for ($i=0; $i<count($recipientemail); $i++)
                $to = $recipientemail;
                    
$from = "noreply@domain";
$subject = 'You have a new message waiting in the Members Area.';
$separator = md5(time());
$eol = PHP_EOL;

// main header
$headers  = "From: ".$from.$eol;
$headers .= "MIME-Version: 1.0".$eol;
$headers .= "Content-Type: multipart/mixed; boundary=\"".$separator."\"";

$body = 'You have a new message waiting in the Members Area.'.$eol;
$body .= 'Log in at login.html to retrieve your message.'.$eol;

// send message
mail($to, $subject, $body, $headers);
//echo '<p>Message was successfully sent to '.$firstname.' '.$surname.'</p>';
                        }
echo '<p>Message was added to the system successfully.</p>';
}
?>
Link to comment
Share on other sites

The first thing you need to look at is your loops. I see some 'problems' right from the start. For example

 

$recipients .= "$recipientid, ";

The variable $recipients is not used anywhere in the script. While that is not the source of your problem, it shows that there is a lack of discipline and structure in the code. Another example is the second loop, where the email is recreated multiple times for each recipient. Instead, the code should create the email one time and then resend it, just changing the recipient.

 

Another huge problem is the fact that you are directly including POST data in a database query. This is a wide open door for SQL injection. You need to be using prepared statements (or at least escaping the value when used in a query).

 

And yet another issue is that you are looping over one set of data (Recipient ID) to add the records to the DB and then a different set of data (Recipient Email) to send the emails. That implies that you are including people's emails within the HTML code. You are compromising people's data for any bots that may screen scrape your pages. You should only include the recipient IDs and then get the email addresses from the database upon submission.

 

So, the whole thing is problematic. But, as to your original question, this makes no sense to me

 

    foreach ($_POST['_RecipientEmail'] as $key => $recipientemail)
    {
        for ($i=0; $i<count($recipientemail); $i++)
                $to = $recipientemail;

You loop over what is apparently a POST value containing email addresses. What is the for() loop for? Also, how are the values in $_POST['_RecipientEmail'] sent? As in, what field type are they in the form and how does the user select them? Are you sure that you aren't passing ALL of the users?

Link to comment
Share on other sites

Oh, and another problem. Based on the second loop, $_POST['_RecipientEmail'] is supposedly an array. But, inside the first loop you have this



$recipientemail = $mysqli->real_escape_string($_POST['_RecipientEmail']);


So, it is setting the value of $recipientemail as an array? I would expect real_escape_string() to throw an error when used on an array. None of this makes any sense. I'm surprised it runs at all.

 

Not to be mean, but the whole thing is a mess.

 

EDIT: Also, you are creating a new DB record with the message for each recipient. If a user can send the same message to multiple recipients, you should have one table for the messages and a separate table to identify the recipients.

Link to comment
Share on other sites

Basically I had to try setting it all as an array because in the form the user can check as many or as few users as they want, and those selected users are given the message, i.e. a record is added to the database with their user ID. So when they log in, if they go to their "Messages" page they see the message.

 

I didn't want to set it up this way either but the client insisted on an internal message system.

 

So, you've listed about 20 things that are wrong with it, but what do I need to do to fix all this? As I say it is working apart from the fact that all members are being sent the notification mail.

 

If I was going to retrieve the email addresses from the database instead of the POST query, how would I do this? Wouldn't that mean creating yet another loop along the lines of "for each recipient ID, select * from members" and then retrieve the email address for each one?

 

Anyway I edited as follows, but now it doesn't send out ANY notifications: (and yet the database INSERT works)

 

 

if($_POST['sendmessage'])
{
        foreach ($_POST['_RecipientID'] as $key => $recipientid)
            {
                
                    $getemail = $mysqli->query("SELECT * FROM members WHERE MemberID = $recipientid");
                        while ($row = $getemail->fetch_assoc()) {
                            $email = $row["Email"];
                            echo $email;
                        }
                
            //$recipientemail = $mysqli->real_escape_string($_POST['_RecipientEmail']);    
            $messagetext = $mysqli->real_escape_string($_POST['_MessageText']);    
            $sender = $mysqli->real_escape_string($_POST['_Sender']);    
            $dateadded = date('Y-m-d H:i:s');
                for ($i=0; $i<count($recipientid); $i++)
        $addmessagetotable = $mysqli->query("INSERT INTO messages (RecipientID, MessageText, Sender, DateSent) VALUES ('$recipientid','$messagetext','$sender','$dateadded')");
            }

            foreach ($email as $key => $recipientemail)
            {
                for ($i=0; $i<count($recipientemail); $i++)
                $to = $recipientemail;
                    
$from = "noreply@domain";
$subject = 'You have a new message waiting in the Members Area.';
$separator = md5(time());
$eol = PHP_EOL;

// main header
$headers  = "From: ".$from.$eol;
$headers .= "MIME-Version: 1.0".$eol;
$headers .= "Content-Type: multipart/mixed; boundary=\"".$separator."\"";

$body = 'You have a new message waiting in the Members Area.'.$eol;
$body .= 'Log in at login.html to retrieve your message.'.$eol;

// send message
mail($to, $subject, $body, $headers);
//echo '<p>Message was successfully sent to '.$firstname.' '.$surname.'</p>';
                        }
echo '<p>Message was added to the system successfully.</p>';
}
Link to comment
Share on other sites

Basically I had to try setting it all as an array because in the form the user can check as many or as few users as they want, and those selected users are given the message, i.e. a record is added to the database with their user ID. So when they log in, if they go to their "Messages" page they see the message.

I never said the recipient list should not be an array, but how you are using it makes no sense. In one place you are using a for() loop over a single element in the array (which should presumably be a string) and in another place you are using real_escape_string() on what is presumably an array.

 

 

 

I didn't want to set it up this way either but the client insisted on an internal message system.

The fact that the customer wants an internal message system does not explain the poorly written code.

 

 

So, you've listed about 20 things that are wrong with it, but what do I need to do to fix all this? As I say it is working apart from the fact that all members are being sent the notification mail.

 

If I was going to retrieve the email addresses from the database instead of the POST query, how would I do this? Wouldn't that mean creating yet another loop along the lines of "for each recipient ID, select * from members" and then retrieve the email address for each one?

Just because something "works" does not mean it is correct. There are parts of code that do nothing or have no purpose. I suspect your problem is that your form is passing all the email addresses. I asked how the fields are passed, as in what is the structure of the form. You are passing BOTH the recipient IDs and the recipient emails as separate data. So, is the user selecting both the IDs and the email address separately? Or, did you do something such as having a list of checkboxes for the user to select with the IDs as the values THEN have a series of textboxes or hidden fields with the email addresses? That would explain your problem, because the checked boxes only define the recipient IDs and the form would pass ALL of the email addresses. That is a guess on what I think is happening. But, again, you are doing it wrong. You should not put email addresses on the page (even in a hidden field) at all. Just pass the IDs.

 

Here is a rewrite of your code. I did not test it, so there are probably some typos. But, the flow and logic should be clear. It is also lacking appropriate error handling (which your code also is missing). Lastly, you really should have two tables: one for the message (imessageId [primary key], sender, message & date) and a separate table for the recipients (messageId, recipientId). It is a waste to repopulate the message text many times. Plus, you can add logic later to identify if a recipient has read a message or not.

<?php
 
//Use the request method to check if form was POSTed
if($_SERVER['REQUEST_METHOD']=='POST')
{
    ##First process the 'common' data (don't do it in a loop)
    $message = trim($_POST['_MessageText']);
    $senderId = intval($_POST['_Sender']);
    ##Create content for the emails
    $eol = PHP_EOL;
    $subject = 'You have a new message waiting in the Members Area.';
    $from = "noreply@domain";
    // main header
    $headers  = "From: ".$from.$eol;
    $headers .= "MIME-Version: 1.0".$eol;
    $headers .= "Content-Type: multipart/mixed; boundary=\"".md5(time())."\"";
    // body
    $body = 'You have a new message waiting in the Members Area.'.$eol;
    $body .= 'Log in at login.html to retrieve your message.'.$eol;
    
    ##Using the recipient IDs, run query to get email address (don't use in POST data)
    //filter the values to ensure they are all valid integers, exluding others
    $recipientIds = array_filter('intval', $_POST['_RecipientID']);
    $query = "SELECT id, email FROM USERS WHERE id IN (" . implode(',', $recipientIds). ")";
    $result = mysql_query($query);
    
    //Verify there are recipients returned, else provide valid error condition
    if(!$result->num_rows($result))
    {
        echo "Error: No valid recipients";
    }
    else
    {
        ## The RIGHT way to add the records to the DB would be to add JUST the message to a 
        ## messages table (with message, sender and date) and add have a SEPARATE table for
        ## the recipients referencing the id of the message from the messages table
        ## If doing that then add the message here and the recipients in the loop below
 
        
        //Should use a prepared statement, but I am lazy right now, so just escaping the message
        $messageSafe = $mysqli->real_escape_string($message);
    
        //Iterate over the recipients to add DB record and send email
        while($row = mysql_fetch_assoc($result))
        {
            //Get id and email from the query results
            $recipientId    = $row['id'];
            $recipientEmail = $row['email'];
            //Add message to db (would be just a recipient record if done correctly)
            $query = "INSERT INTO messages
                          (RecipientID, MessageText, Sender, DateSent)
                      VALUES ($recipientid, '$messagetext', $senderId, NOW())";
            $result = mysql_query($query);
            // send message
            mail($recipientEmail, $subject, $body, $headers);
        }
 
        echo '<p>Messages were added to the system successfully.</p>';
    }
}
?>
Link to comment
Share on other sites

It sounds like what you are doing currently is something like this:

foreach (AllMembers){
  Checkbox with member id
  Hidden field with email
  Member name
}
So you have a list of members and checkboxes to select the desired recipients and their email addresses also.

 

The problem then would be that the emails that are posted back are not restricted to just those that were checked; all emails would be posted back on form submission.

 

What you want to do instead is generate your list with only the checkboxes, which have the member's ID as their value.

foreach (AllMembers){
  Checkbox with member id
  Member name
}
Then on the server take the list of selected recipients and look up their email address in your database to send out the notification.
Link to comment
Share on other sites

Ok, well I've tried using a modified version of the suggested code but I always get the Error: No valid recipients message even though I make sure I check a few members in the form. It looks as if it's not picking up the posted RecipientIDs. Modified code is below, changed to match fields in my db and I'm also using mysqli: (you'll see I tried echoing $recipientid but that didn't display anything)... any ideas?

 

 

<?php

//Use the request method to check if form was POSTed
if($_SERVER['REQUEST_METHOD']=='POST')
{
    ##First process the 'common' data (don't do it in a loop)
    $message = trim($_POST['_MessageText']);
    $senderid = intval($_POST['_Sender']);
    ##Create content for the emails
    $eol = PHP_EOL;
    $subject = 'You have a new message waiting in the Members Area.';
    $from = "noreply@domain";
    // main header
    $headers  = "From: ".$from.$eol;
    $headers .= "MIME-Version: 1.0".$eol;
    $headers .= "Content-Type: multipart/mixed; boundary=\"".md5(time())."\"";
    // body
    $body = 'You have a new message waiting in the Members Area.'.$eol;
    $body .= 'Log in to retrieve your message.'.$eol;
    
    ##Using the recipient IDs, run query to get email address (don't use in POST data)
    //filter the values to ensure they are all valid integers, exluding others
    $recipientids = array_filter('intval', $_POST['_RecipientID']);
    echo $recipientids;
    $getmembers = $mysqli->query("SELECT MemberID, Email FROM members WHERE MemberID IN (" . implode(',', $recipientids). ")");
    //$result = mysqli_query($query);
    
    //Verify there are recipients returned, else provide valid error condition
    if ($getmembers->num_rows == 0)
    {
        echo "Error: No valid recipients";
    }
    else
    {
        ## The RIGHT way to add the records to the DB would be to add JUST the message to a
        ## messages table (with message, sender and date) and add have a SEPARATE table for
        ## the recipients referencing the id of the message from the messages table
        ## If doing that then add the message here and the recipients in the loop below
   
        //Should use a prepared statement, but I am lazy right now, so just escaping the message
        //$messageSafe = $mysqli->real_escape_string($message);
        $messagetext = $mysqli->real_escape_string($message);    
        $senderid = $mysqli->real_escape_string($senderid);    
        
        //Iterate over the recipients to add DB record and send email
        while ($row = $getmembers->fetch_assoc()) {
        
            //Get id and email from the query results
            $recipientid    = $row['MemberID'];
            $recipientemail = $row['Email'];
            //Add message to db (would be just a recipient record if done correctly)
            $addmessagetotable = $mysqli->query("INSERT INTO messages (RecipientID, MessageText, Sender, DateSent) VALUES ($recipientid, '$messagetext', $senderid, NOW())");
            $result = mysqli_query($addmessagetotable);
            // send message
            mail($recipientemail, $subject, $body, $headers);
        }
        echo '<p>Messages were added to the system successfully.</p>';
    }
}
?>
Link to comment
Share on other sites

you need to do some basic troubleshooting to find out what is happening.

 

1) do you have php's error_reporting set to E_ALL and display_errors set to ON, so that php will help you by reporting and displaying all the errors it detects?

 

there should be at least some errors at the array_filter() statement, due to the parameter order, which perhaps was supposed to be array_map().

 

 

2) are you sure there is input data and since we haven't seen what your form is or what your data looks like, what does adding the following show? - 

var_dump($_POST);

3) do you have any error handling for the database statements that would tell you if the query is failing? the easiest way of adding error handling for all the database statements is to use exceptions and let php catch and handle the error, where it will use its error_reporting, display_errors, and log_errors settings to determine what happens with the actual error information. for the mysqli extension, add the following before the point where you make the database connection - 

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
Link to comment
Share on other sites

Ok - error output was already set up, total content of the errors is:

 

"Notice: Trying to get property of non-object in (link to file...) on line 40 Error: No valid recipients"

 

The var_dump produces this array output:

array(4) { ["_RecipientID"]=> array(2) { [0]=> string(2) "17" [1]=> string(2) "65" } ["_Sender"]=> string(5) "LucyD" ["_MessageText"]=> string(4) "TEST" ["sendmessage"]=> string(12) "Send Message" }

17 and 65 are the correct IDs of the sender and recipient I chose. LucyD is the username of the logged-in user who is sending the message. "TEST" is the message text I put in the textbox in the form.

 

Finally the print_r doesn't display anything to screen:

echo '<pre>' . print_r($recipientids, 1) . '</pre>';

 -produces no output.

Link to comment
Share on other sites

your error_reporting is set to something, but it's not set to E_ALL. php warnings are not being reported.

 

the code is producing the following two warnings -

 

Warning: array_filter() expects parameter 1 to be array, string given in your_file at the array_filter statement.

 

Warning: implode(): Invalid arguments passed in your_file at the implode statement.

 

wherever you are setting error_reporting, go and fix it so that it is set to either E_ALL or even better a -1

 

the reason for the first error is because the array_filter() parameters are reversed or this should have been array_map().

 

the second error is due to the first problem, but will also occur if no check-boxes are checked. code needs to validate all input data before using it. if the input array is empty, your code should set up an error message to be output to the visitor and not even attempt to run the code that's dependent on having the input data.

 

the Notice: ... error you are getting is because the query is failing due to a syntax error, the IN() is empty, which will be corrected once you supply a non-empty array to the implode() statement.

 

and i forgot to mention it before, the sender should not be passed through the form, for the same reason why you should not be passing email addresses through the form, anyone can manipulate the value. the sender value you use in the posted code should come from your login system and you should only be running the code being shown in this thread if there is a valid logged in user.

Link to comment
Share on other sites

Ok, well the error reporting was set at the very top of the page and I did have E_ALL set, however I changed it to -1 so the error reporting is as follows:

 

 

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(-1);

 

However when I tried sending the message I got the same output:

 

 

array(4) { ["_RecipientID"]=> array(2) { [0]=> string(2) "17" [1]=> string(2) "65" } ["_Sender"]=> string(5) "LucyD" ["_MessageText"]=> string(4) "TEST" ["sendmessage"]=> string(12) "Send Message" } Notice: Trying to get property of non-object in (file link...) on line 40 Error: No valid recipients

 

I can confirm that this page is in a restricted area for logged-in users only.

 

When I changed array_filter to array_map it DOES input the values into the db table, except that it inputs the sender as "0" instead of the username (LucyD in this case). Also, no email notification is sent out... although when I echo $recipientemail just after $recipientemail = $row['Email']; it correctly outputs the email address of the recipient....???

Link to comment
Share on other sites

 

if($_SERVER['REQUEST_METHOD']=='POST')
{
    ##First process the 'common' data (don't do it in a loop)
    $message = trim($_POST['_MessageText']);
    $senderid = intval($_POST['_Sender']);
    ##Create content for the emails
    $eol = PHP_EOL;
    $subject = 'You have a new message waiting in the Members Area.';
    $from = "noreply@domain";
    // main header
    $headers  = "From: ".$from.$eol;
    $headers .= "MIME-Version: 1.0".$eol;
    $headers .= "Content-Type: multipart/mixed; boundary=\"".md5(time())."\"";
    // body
    $body = 'You have a new message waiting in the Members Area.'.$eol;
    $body .= 'Log in to retrieve your message.'.$eol;
    
    ##Using the recipient IDs, run query to get email address (don't use in POST data)
    //filter the values to ensure they are all valid integers, exluding others
    $recipientids = array_map('intval', $_POST['_RecipientID']);
    echo '<pre>' . print_r($recipientids, 1) . '</pre>';
    $getmembers = $mysqli->query("SELECT MemberID, Email FROM members WHERE MemberID IN (" . implode(',', $recipientids). ")");
    //$result = mysqli_query($query);
    var_dump($_POST);
    //Verify there are recipients returned, else provide valid error condition
    if ($getmembers->num_rows == 0)
    {
        echo "Error: No valid recipients";
    }
    else
    {
        ## The RIGHT way to add the records to the DB would be to add JUST the message to a
        ## messages table (with message, sender and date) and add have a SEPARATE table for
        ## the recipients referencing the id of the message from the messages table
        ## If doing that then add the message here and the recipients in the loop below
   
        //Should use a prepared statement, but I am lazy right now, so just escaping the message
        //$messageSafe = $mysqli->real_escape_string($message);
        $messagetext = $mysqli->real_escape_string($message);    
        $senderid = $mysqli->real_escape_string($senderid);    
        
        //Iterate over the recipients to add DB record and send email
        while ($row = $getmembers->fetch_assoc()) {
        
            //Get id and email from the query results
            $recipientid    = $row['MemberID'];
            $recipientemail = $row['Email'];
            echo $recipientemail;
            //Add message to db (would be just a recipient record if done correctly)
            $addmessagetotable = $mysqli->query("INSERT INTO messages (RecipientID, MessageText, Sender, DateSent) VALUES ($recipientid, '$messagetext', $senderid, NOW())");
            $result = mysqli_query($addmessagetotable);
            // send message
            mail($recipientemail, $subject, $body, $headers);
        }
        echo '<p>Messages were added to the system successfully.</p>';
    }
}
Link to comment
Share on other sites

The var_dump now produces:

 

Array
(
    [0] => 17
    [1] => 65
)
array(4) { ["_RecipientID"]=> array(2) { [0]=> string(2) "17" [1]=> string(2) "65" } ["_Sender"]=> string(5) "LucyD" ["_MessageText"]=> string(4) "Test" ["sendmessage"]=> string(12) "Send Message" } myemail@mydomain.com

Messages were added to the system successfully.

I added mysqli_report(); just before my connection string but that doesn't output anything.

Link to comment
Share on other sites

firstly, when debugging problems, you need to make one change at a time, and if you want us to help, since we are not sitting there with you, you need to communicate exactly what result you are getting as the result of that change. the last code you posted has the intval() around $_POST['_Sender'], but you had stated you had removed that. we cannot help you if we are not getting matching code change and result information from you.

 

are you getting the "Messages were added to the system successfully." message at the same time the intval() has been removed from this line - $senderid = intval($_POST['_Sender']); and messages are NOT being inserted at all OR are you getting that message at the same time that intval() is in the code (matching the last posted code) and the messages ARE being inserted but with a zero for the sender?

because the error_reporting and the mysqli_report are apparently not having any effect, either you have some code between the point where the settings you showed us are at and this problem code, that's modifying the error_reporting value OR you are doing this on a cheap/free web host that has disabled the error_reporting() and possibly the mysqli_report() statements.
 
so, where are you running this code at and could there be some code you haven't shown that could contain a statement that's modifying the error_reporting setting? this could be either in the form of an error_reporting() or an ini_set() statement.
 
what does adding - echo error_reporting(); at the same point as the var_dump($_POST) statement show?

 

lastly, the sender value you use in the INSERT query should be the sender id, for a proper database design, which is why the code Psycho gave is treating it as an integer. you should not be inserting the sender's name/username and you should not be passing any sender value through the form. the form, which you have not posted (recently/at all), should only be submitting the message text and an array of check-box based recipient ids and you should be getting the sender id from your login system, as i have already stated in a previous reply.

Link to comment
Share on other sites

Yes, I'm getting the success message when the intval is in the code for POST Sender, and I can confirm that the records are added into the db, except that Sender is inputted as zero instead of the username. If I take the intval out of the POST Sender it doesn't work at all.

 

I have other sites on the same host where error reporting does work so I don't think it's a host issue.

 

I added in the echo error_reporting and ran the script again. The complete code is:

if($_SERVER['REQUEST_METHOD']=='POST')
{
    ##First process the 'common' data (don't do it in a loop)
    $message = trim($_POST['_MessageText']);
    $senderid = intval($_POST['_Sender']);
    ##Create content for the emails
    $eol = PHP_EOL;
    $subject = 'You have a new message waiting in the Members Area.';
    $from = "noreply@domain";
    // main header
    $headers  = "From: ".$from.$eol;
    $headers .= "MIME-Version: 1.0".$eol;
    $headers .= "Content-Type: multipart/mixed; boundary=\"".md5(time())."\"";
    // body
    $body = 'You have a new message waiting in the Members Area.'.$eol;
    $body .= 'Log in to retrieve your message.'.$eol;
    
    ##Using the recipient IDs, run query to get email address (don't use in POST data)
    //filter the values to ensure they are all valid integers, exluding others
    $recipientids = array_map('intval', $_POST['_RecipientID']);
    echo '<pre>' . print_r($recipientids, 1) . '</pre>';
    $getmembers = $mysqli->query("SELECT MemberID, Email FROM members WHERE MemberID IN (" . implode(',', $recipientids). ")");
    //$result = mysqli_query($query);
    var_dump($_POST);
    echo error_reporting();
    //Verify there are recipients returned, else provide valid error condition
    if ($getmembers->num_rows == 0)
    {
        echo "Error: No valid recipients";
    }
    else
    {
        ## The RIGHT way to add the records to the DB would be to add JUST the message to a
        ## messages table (with message, sender and date) and add have a SEPARATE table for
        ## the recipients referencing the id of the message from the messages table
        ## If doing that then add the message here and the recipients in the loop below
   
        //Should use a prepared statement, but I am lazy right now, so just escaping the message
        //$messageSafe = $mysqli->real_escape_string($message);
        $messagetext = $mysqli->real_escape_string($message);    
        $senderid = $mysqli->real_escape_string($senderid);    
        
        //Iterate over the recipients to add DB record and send email
        while ($row = $getmembers->fetch_assoc()) {
        
            //Get id and email from the query results
            $recipientid    = $row['MemberID'];
            $recipientemail = $row['Email'];
            echo $recipientemail;
            //Add message to db (would be just a recipient record if done correctly)
            $addmessagetotable = $mysqli->query("INSERT INTO messages (RecipientID, MessageText, Sender, DateSent) VALUES ($recipientid, '$messagetext', $senderid, NOW())");
            $result = mysqli_query($addmessagetotable);
            // send message
            mail($recipientemail, $subject, $body, $headers);
        }
        echo '<p>Messages were added to the system successfully.</p>';
    }
}
?>

The array that's outputted is the same except that there's a -1 just before the email address.

Link to comment
Share on other sites

The -1 is most likely the error_reporting value that you echoed prior to echoing $recipientemail.

 

Now that you removed the intval from the sender it should now contain "Lucy", which is a string value. Because the $sender in your insert values is not in single quotes then sql will interpret this as a column name (you should be getting an unknown column error). It worked when it was 0 because numbers are not quoted in sql.

Link to comment
Share on other sites
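
The advice given across the replies above (post only recipient IDs, take the sender from the login session, look the email addresses up server-side, use prepared statements, and refuse to run on empty input), put together as an added example that is not code from any poster in this thread. Assumptions: the login system stores the member's numeric ID in $_SESSION['member_id'], messages.Sender holds that ID, $mysqli is an already-open connection, and mysqli exceptions are enabled with mysqli_report() as suggested earlier; the function names are hypothetical.

```php
<?php
// Added example. Table and column names are the ones used in the thread;
// $_SESSION['member_id'] and both function names are assumptions.

/** Keep only distinct positive-integer IDs from the posted check-box array. */
function cleanRecipientIds($posted): array
{
    if (!is_array($posted)) {
        return [];
    }
    $ids = [];
    foreach ($posted as $value) {
        // Rejects "17 OR 1=1", "0", "abc" and nested arrays; accepts "17".
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by ID so duplicates collapse
        }
    }
    return array_values($ids);
}

/** Store the message for each real member in $recipientIds and notify them. Returns mails accepted. */
function sendInternalMessage(mysqli $mysqli, int $senderId, array $recipientIds, string $text): int
{
    $text = trim($text);
    if ($recipientIds === [] || $text === '') {
        return 0; // never build an empty IN () list
    }

    // One placeholder per ID: the values never become part of the SQL text.
    $in = implode(',', array_fill(0, count($recipientIds), '?'));
    $lookup = $mysqli->prepare("SELECT MemberID, Email FROM members WHERE MemberID IN ($in)");
    $lookup->bind_param(str_repeat('i', count($recipientIds)), ...$recipientIds);
    $lookup->execute();
    $lookup->bind_result($memberId, $email);
    $recipients = [];
    while ($lookup->fetch()) {
        $recipients[$memberId] = $email; // addresses come from the DB, not the form
    }
    $lookup->close();

    $insert = $mysqli->prepare(
        'INSERT INTO messages (RecipientID, MessageText, Sender, DateSent) VALUES (?, ?, ?, NOW())'
    );
    $insert->bind_param('isi', $recipientId, $text, $senderId); // bound by reference

    // The notification is built once; only the recipient changes per send.
    $subject = 'You have a new message waiting in the Members Area.';
    $body    = $subject . PHP_EOL . 'Log in to retrieve your message.' . PHP_EOL;
    $headers = 'From: noreply@domain';

    $sent = 0;
    foreach ($recipients as $id => $address) {
        $recipientId = $id;
        $insert->execute();
        if (mail($address, $subject, $body, $headers)) {
            $sent++;
        }
    }
    $insert->close();
    return $sent;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    if (empty($_SESSION['member_id'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    $ids  = cleanRecipientIds($_POST['_RecipientID'] ?? []);
    $text = is_string($_POST['_MessageText'] ?? null) ? $_POST['_MessageText'] : '';
    if ($ids === [] || trim($text) === '') {
        exit('Error: No valid recipients or empty message');
    }
    // Sender comes from the session; any _Sender field in the POST is ignored.
    $count = sendInternalMessage($mysqli, (int) $_SESSION['member_id'], $ids, $text);
    echo '<p>Message stored; ' . $count . ' notification(s) sent.</p>';
}

// Constructed sample input: the two IDs from the var_dump in the thread,
// plus a duplicate and tampered values that must be dropped.
if (PHP_SAPI === 'cli') {
    var_dump(cleanRecipientIds(['17', '65', '65', '0', '17 OR 1=1', ['9']]));
}
```

The matching form lists one check-box per member with the MemberID as its value and no email or sender fields.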

Archived

This topic is now archived and is closed to further replies.
