So I created a messaging script, but I was reading something — probably on here — about having a form post back to the same URL that renders it, and realised this is something I had never done before.
So I tried it, and this is the result of my efforts. Mind, I will be making the whole thing PHP eventually; it was just easier for me to read as it is at the minute.
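<?php
// messages.php — session bootstrap and request parsing for the messaging page.
// The rest of the file runs on the legacy mysql_* extension opened by
// connect.php, so anything from the request that reaches a query must be
// escaped with mysql_real_escape_string() or reduced to an int first;
// strip_tags() only removes markup and does not make a value safe for SQL.
session_start();
include 'connect.php';

// Returns a request field with markup stripped, or '' when the field is
// absent (indexing $_GET/$_POST directly raises a notice for missing keys).
function msg_request_field(array $source, $key)
{
    return isset($source[$key]) ? strip_tags($source[$key]) : '';
}

if (!isset($_SESSION['username']))
{
    // Stop here: printing the message and carrying on would render the page
    // (and accept form submissions) with $yourstats3 undefined.
    print "Not Logged in please try again";
    exit;
}

// Load the logged-in user's row. The name comes from the session rather than
// the request, but it is still escaped before being placed in the query.
$you = mysql_real_escape_string($_SESSION['username']);
$yourstats = "SELECT * from users where userName='$you'";
$yourstats2 = mysql_query($yourstats) or die("Could not Select User!");
$yourstats3 = mysql_fetch_array($yourstats2);
if (!$yourstats3)
{
    // The session names a user that no longer exists; treat as not logged in.
    print "Not Logged in please try again";
    exit;
}
$yourgender = ($yourstats3['gender'] == '1') ? 'male' : 'female';

// Thread identifiers: message_ID is minted as a number when a new thread is
// created (see the writeNew branch further down) and repID is a reply counter,
// so both are reduced to ints, which also makes them safe to interpolate into
// SQL and URLs. They default to 0 so later branches never see them undefined.
$mesID = 0;
$repID = 0;
$lastrepID = 0;
$mdata3 = null;

if (isset($_GET['replyMessage']))
{
    // Opening the reply form: fetch the message being answered.
    $musername = msg_request_field($_GET, 'rec');
    $mesID = (int) msg_request_field($_GET, 'message_ID');
    $repID = (int) msg_request_field($_GET, 'repID');
    $reply = $repID - 1;
    $mdata = "SELECT * from messages WHERE message_ID = '$mesID' and reply_ID = '$reply'";
    $mdata2 = mysql_query($mdata) or die ("Could not connet!");
    $mdata3 = mysql_fetch_array($mdata2);
}

// $musername, $mtitle and $mcontent remain raw user text after this point:
// they are used both in SQL and in HTML further down, so they must be escaped
// at each use (mysql_real_escape_string() for queries, htmlspecialchars() for
// markup) rather than once here.
if (isset($_POST['submitmessage']))
{
    // New-message form posted.
    $musername = msg_request_field($_POST, 'username');
    $mtitle = msg_request_field($_POST, 'title');
    $mcontent = msg_request_field($_POST, 'content');
}
else if (isset($_POST['submitreply']))
{
    // Reply form posted: the thread and reply number travel in the query string.
    $musername = msg_request_field($_POST, 'username');
    $mtitle = msg_request_field($_POST, 'title');
    $mcontent = msg_request_field($_POST, 'content');
    $mesID = (int) msg_request_field($_GET, 'message_ID');
    $repID = (int) msg_request_field($_GET, 'repID');
    $lastrepID = $repID - 1;
}
else
{
    // Plain GET (inbox, sent, read or write views): the form fields start empty.
    $musername = '';
    $mtitle = '';
    $mcontent = '';
}
?>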
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="css/style.css">
<title>yM</title>
</head>
<body id="yM1">
<div id="container">
<div id="hcontainer">
<div id="logo">
sean<span class="color-1">Keenan</span>
</div>
<div id="details">
<ul class="menu">
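<?php
// Header menu. The ID and unread count come from the users row loaded at the
// top of the file and are HTML-escaped before being placed in the markup, and
// the highlight <span> is opened and closed together — previously the closing
// </span> was printed even when no span had been opened.
$menuUserID = htmlspecialchars($yourstats3['ID'], ENT_QUOTES, 'UTF-8');
$menuUnread = htmlspecialchars($yourstats3['unreadMessages'], ENT_QUOTES, 'UTF-8');
if ($yourstats3['unreadMessages'] == '0')
{
    $menuMessages = 'Messages';
}
else
{
    $menuMessages = "Messages <span class='color-1'>($menuUnread)</span>";
}
print
"<li class='menu_item'><a href='search.php'>Search</a></li> |
<li class='menu_item'><a href='messages.php?ID=$menuUserID'>$menuMessages</a>
</li> |
<li class='menu_item'><a href='profile.php?ID=$menuUserID'>Profile</a></li> |
<li class='menu_item'><a href='upload.php'>Upload</a></li> |
<li class='menu_item'><a href='logout.php'>Logout?</a></li>"; ?>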
</ul>
</div>
</div>
<div id="content">
<div class="full_width_home">
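<?php
// Welcome banner. firstName is read from the users row (it looks like data the
// user entered about themselves — confirm against the registration page), so it
// is HTML-escaped before interpolation; the heading is also closed with </h3>,
// where the original closed it with a mismatched </h4>.
$welcomeName = htmlspecialchars($yourstats3['firstName'], ENT_QUOTES, 'UTF-8');
print "<h3 class='left'>Welcome, $welcomeName.</h3><span class='pl-5 right'><a href='' class='color'></a></span><br /><p>";
?>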
</p>
</div>
<?php
// Page body. The branch taken depends on which form was posted (submitmessage
// or submitreply) or which GET switch is present (replyMessage, readMessage,
// sentMessage, writeMessage); with none of them the inbox is shown.
// NOTE(review): every query below interpolates request values, or values read
// back from the database, into SQL after strip_tags() at most. strip_tags()
// removes markup but does not escape quotes, so each of these needs
// mysql_real_escape_string() (or an int cast for the numeric IDs) first.
// Likewise the values printed into the page are not passed through
// htmlspecialchars(), so stored message text can inject markup into the HTML.
if (!isset($_POST['submitmessage']))
{
if (!isset($_POST['submitreply']))
{
if (isset($_GET['replyMessage']))
{
// Reply form. $mdata3 (the message being answered) was fetched at the top of the file.
$musername = $_GET['rec'];
$musername = strip_tags($musername);
$mtitle = $mdata3['messageTitle'];
// Escaped for SQL here, but $mtitle is then only printed into HTML (the form
// field and the action URL); SQL escaping does not protect an HTML attribute.
$mtitle = mysql_real_escape_string($mtitle);
$repID = $_GET['repID'];
$repID = strip_tags($repID);
// Recipient row, used below to find their profile image.
$getid = "SELECT * from users WHERE userName ='$musername'";
$getid2 = mysql_query($getid) or die ("Could not get user");
$getid3 = mysql_fetch_array($getid2);
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
<a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
<a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
</ul>
</div>";
// The action URL repeats the field values, but the submitreply handler reads
// username/title/content from $_POST; only message_ID and repID are taken from
// $_GET there. $mcontent is '' on this GET request.
print"<div class='three_quarter_full_message'>
<table class='mt-10 left'><form action='messages.php?writeReply&username=$musername&title=RE;$mtitle&content=$mcontent&message_ID=$mesID&repID=$repID' method='post' class='mt-25'>
<tr><td class='tar'>Username:</td> <td> <input type='text' name='username' size='30' value='$musername' /><td></tr>
<tr><td class='tar'>Message Title:</td> <td> <input type='text' name='title' size='30' value='RE;$mtitle' /></td></tr><br />
</table>
<div class='right'>";
$getimage = "SELECT * from people WHERE user_ID = '$getid3[ID]' and profile_image ='1'";
$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
while ($row = mysql_fetch_assoc($resultim))
{
echo "<img src=\"images/" . $row['filename'] . "\" alt=\"\" class='mt-13 mr-6' id='smallimg' />";
}
print"</div><br/><br /> <br />
<span class='clear'>Message</span><br />
<textarea rows='37' cols='76' name='content'>Insert your message here, note the more detailed and more effort you put into a message, the more likely it is that you recieve a response.</textarea><br />
<input type='submit' size='15' value='Submit' name='submitreply' class='subsea right' /><br />
</form>
</div>";
}
else
{
if (isset($_GET['readMessage']))
{
// Conversation view: message_ID selects the thread, sender names the other
// party and repID is the reply that was opened.
$u_NM = $_GET['sender'];
$u_NM = strip_tags($u_NM);
$m_ID = $_GET['message_ID'];
$m_ID = strip_tags($m_ID);
$r_ID = $_GET['repID'];
$r_ID = strip_tags($r_ID);
$getusers = "SELECT * from users WHERE userName = '$u_NM'";
$getusers2 = mysql_query($getusers) or die ("could not query");
$getusers3 = mysql_fetch_array($getusers2);
$rrepID = $r_ID - 1;
$myID = $yourstats3['ID'];
// Look up the specific reply so it can be marked read — but only when the
// viewer is its recipient (user_ID), which is the one ownership check in this branch.
$checkmsg = "SELECT * from messages WHERE message_ID = '$m_ID' and reply_ID = '$rrepID'";
$checkmsg2 = mysql_query($checkmsg) or die ("Can not check");
$checkmsg3 = mysql_fetch_array($checkmsg2);
if ($checkmsg3['beenread'] == 'no' && $checkmsg3['user_ID'] == $myID)
{
$updmmsg = "UPDATE messages set beenread = 'yes' WHERE message_ID = '$m_ID' and reply_ID = '$rrepID'";
// Relies on MySQL converting the quoted '1' to a number for the subtraction.
$updumsg = "UPDATE users set unreadMessages = unreadMessages-'1' WHERE ID = '$myID'";
mysql_query($updmmsg) or die("error");
mysql_query($updumsg) or die ("prob");
// The HTML header has already been sent by this point, so unless output
// buffering is enabled this header() call comes too late to take effect.
header("refresh:1;url=messages.php?readMessage&message_ID=$m_ID&sender=$u_NM&repID=$r_ID");
}
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?replyMessage&message_ID=$m_ID&rec=$u_NM&repID=$r_ID'><li class='message_tasks active'>Reply to This?</li></a>
<a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
<a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
<a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
</ul>
</div>";
print "<div class='three_quarter_info'>
<b>Conversation between you and <a href='profile.php?ID=$getusers3[ID]'>$u_NM</a>.</b>
</div>";
// NOTE(review): the thread is fetched by message_ID alone — nothing checks
// that the logged-in user is fromUser or toUser on it, so any logged-in user
// who supplies a valid message_ID can read the whole conversation. The query
// should also be restricted to the viewer's own ID.
$getmessage="SELECT * from messages WHERE message_ID = '$m_ID' order by setTime desc limit 0,10";
$getmessage2=mysql_query($getmessage) or die("Could not fetch ranks");
while($getmessage3=mysql_fetch_assoc($getmessage2))
{
print"<div class='three_quarter_full_message'>";
// One users query and one people query per message (N+1 pattern).
$getsender = "SELECT userName from users WHERE ID = '$getmessage3[fromUser]'";
$getsender2 = mysql_query($getsender) or die ("Could not get sender details");
$getsender3 = mysql_fetch_array($getsender2);
$getimage = "SELECT * from people WHERE user_ID = '$getmessage3[fromUser]' and profile_image ='1'";
$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
while ($row = mysql_fetch_assoc($resultim))
{
echo "<div class='fullspace'><img src=\"images/" . $row['filename'] . "\" alt=\"\" /></div>";
}
echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>From: <a href='profile.php?ID=$getmessage3[fromUser]'>$getsender3[userName]</a></small>";
if ($getmessage3['reply_ID'] != '0' )
{
print "<div class='view_button_replycount'>Response $getmessage3[reply_ID]</div><br /><br />";
}
else
{
print "<div class='view_button_replycount'>First Message</div><br /><br />";
}
// Message body is printed exactly as stored; the only filtering was
// strip_tags() on the way in.
echo "$getmessage3[content]</div>";
print '</div>';
}
}
else if (isset($_GET['sentMessage']))
{
// Sent folder: threads this user started or replied to, addressed to someone else.
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
<a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
<li class='message_tasks active'>Sent Messages</li>
</ul>
</div>";
$getmessage="SELECT * from messages WHERE fromUser = '$yourstats3[ID]' and toUser != '$yourstats3[ID]' order by setTime desc limit 0,10";
$getmessage2=mysql_query($getmessage) or die("Could not fetch ranks");
while($getmessage3=mysql_fetch_assoc($getmessage2))
{
// Reply count for the thread, computed by fetching every row of it;
// SELECT COUNT(*) would give the same number without transferring the rows.
$repID = '0';
$getrep = "SELECT * from messages WHERE message_ID='$getmessage3[message_ID]'";
$getrep2 = mysql_query($getrep) or die ("cc");
while($getrep3=mysql_fetch_assoc($getrep2))
{
$repID++;
}
print"<div class='three_quarter_message'>";
// Despite the names, $getsender3 is the recipient row (toUser) and
// $getrecep3 the sender row (fromUser).
$getsender = "SELECT * from users WHERE ID = '$getmessage3[toUser]'";
$getsender2 = mysql_query($getsender) or die ("Could not get sender details");
$getsender3 = mysql_fetch_array($getsender2);
$getrecep = "SELECT * from users WHERE ID = '$getmessage3[fromUser]'";
$getrecep2 = mysql_query($getrecep) or die ("Could not get recepient details");
$getrecep3 = mysql_fetch_array($getrecep2);
// Show the other party's picture.
if ( $getmessage3['fromUser'] == $yourstats3['ID'] )
{
$getimage = "SELECT * from people WHERE user_ID = '$getmessage3[toUser]' and profile_image ='1'";
}
else
{
$getimage = "SELECT * from people WHERE user_ID = '$getmessage3[fromUser]' and profile_image ='1'";
}
$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
while ($row = mysql_fetch_assoc($resultim))
{
echo "<div class='fullspace'><img src=\"images/" . $row['filename'] . "\" alt=\"\" /></div>";
}
echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>Between you and <a href='profile.php?ID=$getmessage3[toUser]'>$getsender3[userName]</a></small>";
print "<a href='messages.php?readMessage&message_ID=$getmessage3[message_ID]&sender=$getsender3[userName]&repID=$repID'><div class='view_button_replycount'>Read Message</div></a><br /><br />";
// Preview: substr() is byte-wise and can split a multibyte UTF-8 character
// (the page is served as UTF-8); the text is printed unescaped.
echo substr($getmessage3['content'], 0 ,120 ); print "...<br /><br />";
if ($getmessage3['replied'] == 'yes' )
{
print "<small class='metRequirement right'><b>√ - $getsender3[userName] has replied.</b></small></div>";
}
else
{
print "<small class='failRequirement right'><b>X - $getsender3[userName] has not replied.</b></small></div>";
}
print '</div>';
}
}
else if (isset($_GET['writeMessage']))
{
// New-message form. On this GET request $musername/$mtitle/$mcontent are all ''.
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?writeMessage'><li class='message_tasks active'>New Message</li></a>
<a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
<a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
</ul>
</div>";
print"<div class='three_quarter_full_message'>
<table class='mt-25'><form action='messages.php?writeNew&username=$musername&title=$mtitle&content=$mcontent' method='post' class='mt-25'>
<tr><td class='tar'>Username:</td> <td> <input type='text' name='username' size='30' /><td></tr><br />
<tr><td class='tar'>Message Title:</td> <td> <input type='text' name='title' size='30' /></td></tr><br />
</table>
Message<br />
<textarea rows='37' cols='76' name='content'>Insert your message here, note the more detailed and more effort you put into a message, the more likely it is that you recieve a response.</textarea><br />
<input type='submit' size='15' value='Submit' name='submitmessage' class='subsea right' /><br />
</form>
</div>";
}
else
{
// Inbox (no GET switch): messages addressed to this user. Both user_ID and
// toUser are set to the recipient's ID by the INSERTs further down, so the
// two conditions select the same rows.
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
<li class='message_tasks active'>Your Inbox</li>
<a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
</ul>
</div>";
$getmessage="SELECT * from messages WHERE user_ID = '$yourstats3[ID]' OR toUser = '$yourstats3[ID]' order by setTime desc limit 0,10";
$getmessage2=mysql_query($getmessage) or die("Could not fetch ranks");
while($getmessage3=mysql_fetch_assoc($getmessage2))
{
print"<div class='three_quarter_message'>";
// As in the sent folder: $getsender3 is the toUser row, $getrecep3 the fromUser row.
$getsender = "SELECT * from users WHERE ID = '$getmessage3[toUser]'";
$getsender2 = mysql_query($getsender) or die ("Could not get sender details");
$getsender3 = mysql_fetch_array($getsender2);
$getrecep = "SELECT * from users WHERE ID = '$getmessage3[fromUser]'";
$getrecep2 = mysql_query($getrecep) or die ("Could not get recepient details");
$getrecep3 = mysql_fetch_array($getrecep2);
// Reply count by row fetch, see the sent folder for the same pattern.
$repID = '0';
$getrep = "SELECT * from messages WHERE message_ID='$getmessage3[message_ID]'";
$getrep2 = mysql_query($getrep) or die ("cc");
while($getrep3=mysql_fetch_assoc($getrep2))
{
$repID++;
}
if ( $getmessage3['fromUser'] == $yourstats3['ID'] )
{
$getimage = "SELECT * from people WHERE user_ID = '$getmessage3[toUser]' and profile_image ='1'";
}
else
{
$getimage = "SELECT * from people WHERE user_ID = '$getmessage3[fromUser]' and profile_image ='1'";
}
$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
while ($row = mysql_fetch_assoc($resultim))
{
echo "<div class='fullspace'><img src=\"images/" . $row['filename'] . "\" alt=\"\" /></div>";
}
// Both branches print $getrecep3[userName] (the fromUser row). In the else
// branch the link points at toUser but the name shown is the viewer's own;
// presumably $getsender3[userName] was intended there.
if ( $getmessage3['fromUser'] != $yourstats3['ID'] )
{
echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>Between you and <a href='profile.php?ID=$getmessage3[fromUser]'>$getrecep3[userName]</a></small>";
}
else
{
echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>Between you and <a href='profile.php?ID=$getmessage3[toUser]'>$getrecep3[userName]</a></small>";
}
print "<a href='messages.php?readMessage&message_ID=$getmessage3[message_ID]&sender=$getrecep3[userName]&repID=$repID'><div class='view_button_replycount'>Read Message</div></a><br /><br />";
// Byte-wise preview of unescaped content, as in the sent folder.
echo substr($getmessage3['content'], 0 ,120 ); print "...<br /><br />";
if ($getmessage3['beenread'] == 'yes')
{
print "<small class='metRequirement right' id='mt-10'><b>√ - Read.</b></small><br />";
}
else
{
print "<small class='failRequirement right' id='mt-10'><b>X - Unread.</b></small><br />";
}
if ($getmessage3['replied'] == 'yes' )
{
print "<small class='metRequirement right' id='mt-10'><b>√ - You have replied.</b></small></div>";
}
else
{
print "<small class='failRequirement right' id='mt-10'><b>X - You have not replied.</b></small></div>";
}
print '</div>';
}
}
}
}
else
{
// submitreply handler. $musername/$mtitle/$mcontent were read from $_POST and
// $mesID/$repID/$lastrepID from $_GET at the top of the file.
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
<a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
<a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
</ul>
</div>";
$getusers = "SELECT * from users WHERE userName = '$musername'";
$getusers2 = mysql_query($getusers) or die ("could not query");
$getusers3 = mysql_fetch_array($getusers2);
if (!$getusers3)
{
print"<div class='three_quarter_message'>
<small class='center'>Message not sent as there is no user of that name.</small>
</div>";
}
else
{
// ! tests truthiness, so a field containing just '0' also fails this check.
if (!$_POST['username'] || !$_POST['title'] || !$_POST['content'] )
{
print "<div class='three_quarter_message'>
<small class='center'>All fields must be completed.</small>
</div>";
}
else
{
// NOTE(review): $mesID here is the raw $_GET value — the strip_tags() copy
// made at the top of the file was assigned to $mesId (lower-case d), a
// different variable. $mcontent and $mtitle are user text with no SQL
// escaping, and nothing verifies that the sender is a party to thread $mesID.
$MSQL = "INSERT into messages(user_ID, message_ID, content, messageTitle, fromUser, toUser, reply_ID, replied) VALUES ('$getusers3[ID]','$mesID','$mcontent','$mtitle','$yourstats3[ID]','$getusers3[ID]','$repID','no')";
// Mark every earlier message in the thread as answered.
$USQL = "UPDATE messages SET replied = 'yes' WHERE message_ID = '$mesID' and reply_ID<='$lastrepID'";
$updustats = "UPDATE users set unreadMessages = unreadMessages+'1' WHERE ID = '$getusers3[ID]'";
mysql_query($MSQL) or die("Could not send");
mysql_query($USQL) or die("Could not update");
mysql_query($updustats) or die ("Coulr not update user");
// The trailing </a> below has no opening tag.
print"<div class='three_quarter_full_message'>
<small class='success_M'>Reply successfully sent, $yourstats3[firstName] <br><br>
Your browser should re-direct you automatically<br /> If it does not, click <a href='messages.php?'>here</a></small></a>";
// Output has already been sent, so this header() is only honoured if output
// buffering is enabled.
header( 'refresh:5;url=messages.php' );
print"</div>";
}
}
}
}
else
{
// submitmessage handler (new thread). $musername/$mtitle/$mcontent came from $_POST.
print"<div class='tasks_panel'>
<ul>
<a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
<a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
<a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
</ul>
</div>";
$getusers = "SELECT * from users WHERE userName = '$musername'";
$getusers2 = mysql_query($getusers) or die ("could not query");
$getusers3 = mysql_fetch_array($getusers2);
if (!$getusers3)
{
// $musername (request input) is echoed back into the page unescaped.
print"<div class='three_quarter_message'>
<small class='center'>Message not Sent There is no user of that name. $musername</small>
</div>";
}
else
{
// ! tests truthiness, so a field containing just '0' also fails this check.
if (!$_POST['username'] || !$_POST['title'] || !$_POST['content'] )
{
print "<div class='three_quarter_message'>
<small class='center'>All fields must be completed.</small>
</div>";
}
else
{
// A new thread ID is minted from four rand() draws: two pairs are
// concatenated as strings, then "$randA"+"$randB" is numeric addition (not
// concatenation), so $randC is an int. There is no uniqueness check against
// existing message_ID values, and rand() is not a suitable source for an
// identifier that also acts as the key to a conversation (the readMessage
// branch fetches by message_ID alone). A DB-assigned auto-increment ID plus an
// ownership check on read would be the usual fix.
$var1= rand(1,14172);
$vaa1= rand(218,8713);
$var2= rand(22,12315);
$vaa2= rand(2358,6479);
$randA = $vaa1.$var1;
$randB = $vaa2.$var2;
$randC = "$randA"+"$randB";
// user_ID and toUser both receive the recipient's ID; fromUser is the sender.
$JSQL = "INSERT into messages(user_ID, message_ID, content, messageTitle, fromUser, toUser, reply_ID, replied) VALUES ('$getusers3[ID]','$randC','$mcontent','$mtitle','$yourstats3[ID]','$getusers3[ID]','0','no')";
$updustats = "UPDATE users set unreadMessages = unreadMessages+'1' WHERE ID = '$getusers3[ID]'";
mysql_query($JSQL) or die("Could not send");
mysql_query($updustats) or die ("Couldnt update");
// Same confirmation text as the reply handler ("Reply successfully sent")
// even though this is a new message; the trailing </a> has no opening tag.
print"<div class='three_quarter_full_message'>
<small class='success_M'>Reply successfully sent, $yourstats3[firstName] <br><br>
Your browser should re-direct you automatically <br /> If it does not, click <a href='messages.php?'>here</a></small></a>";
// Output has already been sent, so this header() is only honoured if output
// buffering is enabled.
header( 'refresh:3;url=messages.php' );
print"</div>";
}
}
}
?>
</div>
<div id="clear"></div>
</div>
<div id="cont">
<span class="left">© sean<span class="color-1">Keenan</span> 2011<br />
<?php
// Footer quick links; the profile link carries the logged-in user's ID from
// the users row loaded at the top of the file.
$footerLinks = array(
    "<a href='upload.php'>Upload</a>",
    "<a href='login.php'>Login</a>",
    "<a href='profile.php?ID=" . $yourstats3['ID'] . "'>Profile</a>",
    "<a href='search.php'>Search</a>",
);
echo '<small>' . implode(' | ', $footerLinks) . '</small>';
?><br /><br /></span>
<span class="right"><small>Powered by </small>s<span class="color-1">K</span><i class="smallitalic">.CMS</i></span>
</div>
</body>
</html>
My actual question is: although my code may not be perfect, it does work, so is this a method I should continue using, as opposed to external forms?
Another question that has been plaguing my mind is: is it better to use echo or print? I tend to just write whichever I think of first. Is there a real difference?
You might think you get taught this stuff, but you don't.
EDIT: Can anyone link me to a tutorial on how to escape and secure my code? Right now I don't believe I am doing anything to protect it from malicious code.
As always thanks for any help!
This post has been edited by SeanKeenan: 07 February 2011 - 06:37 AM
