php/mysql help

[uwannadonkey]

<?php
include('inc/header.php');

if(isset($_POST['submit']))
{
if ($_POST['owner'] < 1)
{
echo " You are trying to send a message to an illegal ID!";
}
elseif ($_POST['message'] = "")
{
echo " Please enter a message!";
}
else
{


Echo
" Message Sent!";


mysql_query("UPDATE `users` SET mail = mail + 1 WHERE ID = $_POST[owner]");
$query2="INSERT INTO mail(text,owner,sender,subject,time)VALUES ('$_POST[message]','$_POST[owner]', '$user->ID', '$_POST[subject]', 'now()')";
$rt=mysql_query($query2);


}
}









echo"
<form method=POST>

ID:
  <input name=owner size=12 maxlength=10 value=$_GET[iD]><br>

  Subject : <input name='subject' size=12 maxlength=25><br>

Message:<br><textarea name='message' cols=25 rows=10></textarea>


<input type=submit name=submit id=submit value=Submit>

";

include('inc/footer.php');
?>

 

this is my code, for writing a simple mail.

 

the thing is, everything gets saved in mysql, except the message itself.  why is that?

 

 

also: my timestamp comes out like 0000-00-00-000-00 or something, is the now() the right thing to use?

[Stooney]

You need two = to compare. use this:

 elseif ($_POST['message'] == "") 

 

as for NOW(), it depends on how that field in your table is set up.

[wildteen88]

When using a variable which is an array within a string you should warp them with braces {}

 

Also it is not recommended to place raw $_POST data into a query. You should atleast validate and escape/secure user input before using it within a query.

[uwannadonkey]

for timestamp: the table is named, time, field timestamp, and default 0000-00-000, etc

 

chris, thats not the problem, the thing is, when the message is sent, eevrything gets saved,EXCEPT for the message.

 

ie: the owner,sender,subject get saved, except for timestamp and message

 

 

and wild: could u explain what you mean

[uwannadonkey]

FIXED the = to ==

 

still, everything is going fine, except for the message and time

 

 

EDIT: problem solved for the message.  how about the timestamp?

[Stooney]

try this and see if anything has changed:

 

<?php
include('inc/header.php');

if(isset($_POST['submit'])){
if ($_POST['owner'] < 1)
{
	echo " You are trying to send a message to an illegal ID!";
}
elseif ($_POST['message'] == ""){
	echo " Please enter a message!";
}
else
{
	echo
	" Message Sent!";
	mysql_query("UPDATE `users` SET mail = mail + 1 WHERE ID = $_POST[owner]");
	$query2="INSERT INTO mail(text,owner,sender,subject,time)VALUES ('$_POST[message]','$_POST[owner]', '$user->ID', '$_POST[subject]', NOW())";
	$rt=mysql_query($query2);
}
}



?>

[uwannadonkey]

timestamp works!

 

thanks so much.

 

but now im worried about what wild said.  what does he mean by that?

 

im gonna:

 

$message=mysql_real_escape_string($_POST[message']);

 

[wildteen88]

About using raw user input (from $_POST/$_GET etc) in a query? If so have a read up on SQL Injection. If you use your script as it is it'll be prone to SQL Injections which will allow a malicious user to perform SQL queries from your form.

[uwannadonkey]

thx, will do