YNWA Posted March 7, 2008

Hi,

I know how to get standard hyperlinks in PHP. But what I would like to do is this:

My user registers with email address, when they add a book, their email address is recorded and when you click view books, you can see the person who entered the book via a user email cell, this is shown by using POST userEmail.

What I want to do is when a user clicks on the view books page, they select the book they want to view and all the cell info is shown:

From the add book SQL:

    $sql = "INSERT INTO review (userEmail, bookTitle, author, bookDescription, price) VALUES (
        '$_SESSION[user]',
        '$_POST[bookTitle]',
        '$_POST[author]',
        '$_POST[bookDescription]',
        '$_POST[price]'
    )";

From the view book SQL:

    $sql = "SELECT userEmail, bookTitle, author, bookDescription, price FROM review WHERE author = '$_POST[sel_review]'";

    // Execute the SQL
    $result = mysql_query($sql,$conn);

    while ($newArray = mysql_fetch_array($result)) {
        $userEmail = $newArray['userEmail'];
        $bookTitle = $newArray['bookTitle'];
        $author = $newArray['author'];
        $bookDescription = $newArray['bookDescription'];
        $price = $newArray['price'];
    }

    echo "
    <table width=\"500\" border=\"0\">
      <tr>
        <td width=\"128\"><strong>User Email</strong></td>
        <td width=\"157\">$userEmail</td>
      </tr>
      <tr>
        <td><strong>Book Title</strong> </td>
        <td>$bookTitle</td>
      </tr>
      <tr>
        <td><strong>Author</strong> </td>
        <td>$author</td>
      </tr>
      <tr>
        <td colspan=\"2\"><strong>Book Description</strong> </td>
        <td width=\"500\">$bookDescription</td>
      </tr>
      <tr>
        <td><strong>Sale Price</strong> </td>
        <td>$price</td>
      </tr>
    </table>
    ";

    echo "<form method=\"POST\" action=\"$SERVER[php_SELF]\">
    <input type=\"submit\" name=\"submit\" value=\"View Another\">
    </form>";
    }

and that all works fine, but is there a way that I can make the userEmail be displayed as a mailto: hyperlink, so users can simply click the email address and email the person who submitted that book?

Cheers
Will

puritania Posted March 7, 2008

I'm sorry, but your code is very unsafe. I don't see any error_reporting(E_ALL); at your first line. Even your form isn't safe for XSS and SQL Injections.

I also don't understand where your problem is or don't you know how a mailto: link works?

    <a href="mailto:<?php echo $yourEmail; ?>">Mail me</a>

conker87 Posted March 7, 2008

mysql_real_escape_string() your $_POST data.

YNWA Posted March 7, 2008

Unsafe in what way? This is just a uni project, does that matter?

I know how to do HTML mailto, but does it work in the PHP form, when displaying the user who submitted the data's email address.

conker87 Posted March 7, 2008

Well, if your magic quotes are off then anyone can waltz into your script, add a DROP here, a table name there and a -- at the end and bam, no more table.

Yes, it will work if you use it in your script, echo outputs in HTML.

Also, I think

    echo "<form method=\"POST\" action=\"$SERVER[php_SELF]\">

should be:

    echo "<form method=\"POST\" action=\"". $_SERVER['PHP_SELF'] . "\">
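
Added example, not part of the thread or any poster's code: the view-book lookup and the mailto: cell with both issues raised above handled, using PDO prepared statements in place of the mysql_real_escape_string() suggested in the thread (the mysql_* extension was removed in PHP 7). The review table and its columns come from the original post; the in-memory SQLite database, the sample row, and the helper names h(), mailtoLink() and viewBook() are assumptions made for illustration.

```php
<?php
// Added example. Table/column names follow the original post; the SQLite
// in-memory database and the sample row are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE review (userEmail TEXT, bookTitle TEXT, author TEXT,
            bookDescription TEXT, price TEXT)');

// Insert with bound parameters instead of interpolating $_SESSION/$_POST.
$insert = $pdo->prepare('INSERT INTO review
    (userEmail, bookTitle, author, bookDescription, price)
    VALUES (:email, :title, :author, :descr, :price)');
$insert->execute([
    ':email' => 'will@example.com', ':title' => 'Sample <b>Title</b>',
    ':author' => "O'Brien", ':descr' => 'Constructed row', ':price' => '9.99',
]);

// Escape a value for HTML text or a quoted attribute (hypothetical helper).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Build a mailto: anchor; values that are not syntactically valid addresses
// are shown as escaped text so stored junk never lands in an href.
function mailtoLink(string $email): string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return h($email);
    }
    $at = strrpos($email, '@');   // percent-encode each side, keep the '@'
    $href = rawurlencode(substr($email, 0, $at)) . '@' . rawurlencode(substr($email, $at + 1));
    return '<a href="mailto:' . h($href) . '">' . h($email) . '</a>';
}

// Look up books by author with a bound parameter and render escaped rows.
function viewBook(PDO $pdo, string $author): string {
    $stmt = $pdo->prepare('SELECT userEmail, bookTitle FROM review WHERE author = :author');
    $stmt->execute([':author' => $author]);
    $out = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $out .= '<tr><td>' . mailtoLink($row['userEmail']) . '</td><td>'
              . h($row['bookTitle']) . "</td></tr>\n";
    }
    return $out;
}

// Stand-ins for $_POST['sel_review']: a normal value, then input shaped like
// the DROP ... -- case described above, which is bound as plain data.
echo viewBook($pdo, "O'Brien");
echo viewBook($pdo, "x'; DROP TABLE review; --");
echo $pdo->query('SELECT COUNT(*) FROM review')->fetchColumn(), " row(s) in review\n";
```

The same h() call applies to $_SERVER['PHP_SELF'] before it is placed in the form's action attribute, since that value is derived from the request URL.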