uwannadonkey Posted February 17, 2008

```php
<?php
include('inc/header.php');
if(isset($_POST['submit']))
{
    if ($_POST['owner'] < 1)
    {
        echo " You are trying to send a message to an illegal ID!";
    }
    elseif ($_POST['message'] = "")
    {
        echo " Please enter a message!";
    }
    else
    {
        Echo " Message Sent!";
        mysql_query("UPDATE `users` SET mail = mail + 1 WHERE ID = $_POST[owner]");
        $query2="INSERT INTO mail(text,owner,sender,subject,time)VALUES ('$_POST[message]','$_POST[owner]', '$user->ID', '$_POST[subject]', 'now()')";
        $rt=mysql_query($query2);
    }
}
echo"
<form method=POST>
ID: <input name=owner size=12 maxlength=10 value=$_GET[iD]><br>
Subject : <input name='subject' size=12 maxlength=25><br>
Message:<br><textarea name='message' cols=25 rows=10></textarea>
<input type=submit name=submit id=submit value=Submit>
";
include('inc/footer.php');
?>
```

this is my code, for writing a simple mail. the thing is, everything gets saved in mysql, except the message itself. why is that?

also: my timestamp comes out like 0000-00-00-000-00 or something, is the now() the right thing to use?

Stooney Posted February 17, 2008

You need two = to compare. use this:

```php
elseif ($_POST['message'] == "")
```

as for NOW(), it depends on how that field in your table is set up.

wildteen88 Posted February 17, 2008

When using a variable which is an array within a string you should wrap them with braces {}.

Also it is not recommended to place raw $_POST data into a query. You should at least validate and escape/secure user input before using it within a query.

uwannadonkey Posted February 17, 2008

for timestamp: the table is named, time, field timestamp, and default 0000-00-000, etc

chris, that's not the problem, the thing is, when the message is sent, everything gets saved, EXCEPT for the message. ie: the owner, sender, subject get saved, except for timestamp and message

and wild: could u explain what you mean

uwannadonkey Posted February 17, 2008

FIXED the = to ==

still, everything is going fine, except for the message and time

EDIT: problem solved for the message. how about the timestamp?

Stooney Posted February 17, 2008

try this and see if anything has changed:

```php
<?php
include('inc/header.php');
if(isset($_POST['submit'])){
    if ($_POST['owner'] < 1) {
        echo " You are trying to send a message to an illegal ID!";
    }
    elseif ($_POST['message'] == ""){
        echo " Please enter a message!";
    }
    else {
        echo " Message Sent!";
        mysql_query("UPDATE `users` SET mail = mail + 1 WHERE ID = $_POST[owner]");
        $query2="INSERT INTO mail(text,owner,sender,subject,time)VALUES ('$_POST[message]','$_POST[owner]', '$user->ID', '$_POST[subject]', NOW())";
        $rt=mysql_query($query2);
    }
}
?>
```

uwannadonkey Posted February 17, 2008

timestamp works! thanks so much. but now im worried about what wild said. what does he mean by that?

im gonna:

```php
$message=mysql_real_escape_string($_POST['message']);
```

wildteen88 Posted February 17, 2008

About using raw user input (from $_POST/$_GET etc) in a query? If so have a read up on SQL Injection. If you use your script as it is it'll be prone to SQL Injections which will allow a malicious user to perform SQL queries from your form.
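
The validate-then-escape advice in this thread, shown as an added example that is not code from any of the posters: the same two queries written with PDO prepared statements, so form input never becomes part of the SQL text. Assumptions: `send_mail()` is a hypothetical helper, the form submissions are constructed, and an in-memory SQLite database (pdo_sqlite) stands in for the thread's MySQL tables so the script runs on its own; the `mysql_*` functions used above were removed in PHP 7.0.

```php
<?php
// Added example: table and column names follow the thread's queries; the
// in-memory SQLite database and send_mail() are assumptions for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, mail INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE mail (text TEXT, owner INTEGER, sender INTEGER, subject TEXT, time TEXT)');
$db->exec('INSERT INTO users (ID) VALUES (1), (2)');

function send_mail(PDO $db, int $senderId, array $post): string
{
    // Validate: owner must be a whole number >= 1, message must be non-empty.
    $owner = filter_var($post['owner'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $message = trim((string)($post['message'] ?? ''));
    $subject = substr(trim((string)($post['subject'] ?? '')), 0, 25); // form maxlength
    if ($owner === false) {
        return 'You are trying to send a message to an illegal ID!';
    }
    if ($message === '') {
        return 'Please enter a message!';
    }
    // Placeholders keep user input out of the SQL text entirely.
    $db->beginTransaction();
    $upd = $db->prepare('UPDATE users SET mail = mail + 1 WHERE ID = ?');
    $upd->execute([$owner]);
    if ($upd->rowCount() !== 1) {           // no such recipient: store nothing
        $db->rollBack();
        return 'You are trying to send a message to an illegal ID!';
    }
    $ins = $db->prepare('INSERT INTO mail (text, owner, sender, subject, time)
                         VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)');
    $ins->execute([$message, $owner, $senderId, $subject]);
    $db->commit();
    return 'Message Sent!';
}

// Constructed form submissions: apostrophes, a non-numeric ID, a blank message.
echo send_mail($db, 2, ['owner' => '1', 'subject' => "Tom's note", 'message' => "Don't be late"]), "\n";
echo send_mail($db, 2, ['owner' => '12abc', 'subject' => 'x', 'message' => 'hi']), "\n";
echo send_mail($db, 2, ['owner' => '1', 'subject' => 'x', 'message' => '   ']), "\n";
print_r($db->query('SELECT text, owner, subject FROM mail')->fetchAll(PDO::FETCH_ASSOC));
```

The first submission contains apostrophes, which would end the quoted string early in the concatenated `INSERT` from the thread; with placeholders it is stored verbatim. The same statements work against MySQL through PDO's mysql driver.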

uwannadonkey Posted February 17, 2008

thx, will do