1 Replies - 906 Views - Last Post: 07 February 2011 - 07:00 AM

#1 SeanKeenan

Using the same URL and $_GET

Posted 07 February 2011 - 06:34 AM

Ok so for my Uni assignment I'm supposed to build a site with my team (I happen to be on my own because I missed the opening 2 lessons). Anyway, the idea is simple enough: it's for freshers to register with, with the ultimate goal of helping them find people quickly who have the same interests. Whilst this is something that wouldn't actually be of any real use, that's what they have tasked us.

So I created a messaging script, but I was reading something.. probably on here about using the same URL and realised, this is something I had never done before.
So I tried it and this is the result of my efforts. Mind, I will be making the whole thing PHP eventually; it was just easier for me to read as it was at the minute.

<?php 

session_start();

 include 'connect.php';
  if (isset($_SESSION['username']))
  {
    $you=$_SESSION['username'];
    $yourstats="SELECT * from users where userName='$you'";
    $yourstats2=mysql_query($yourstats) or die("Could not Select User!");
    $yourstats3=mysql_fetch_array($yourstats2);
    if ($yourstats3['gender'] == '1')
    { $yourgender = 'male'; }
    else
    { $yourgender = 'female'; }
  }
  else
  {
    print "Not Logged in please try again"; 
  }
  if (isset($_GET['replyMessage']))
  {
    $musername = $_GET['rec'];
    $musername = strip_tags($musername);
    $mesID = $_GET['message_ID'];
    $mesID = strip_tags($mesID);
    $repID = $_GET['repID'];
    $repID = strip_tags($repID);
    $reply = $repID - 1;
    $mdata = "SELECT * from messages WHERE message_ID = '$mesID' and reply_ID = '$reply'";
    $mdata2 = mysql_query($mdata) or die ("Could not connect!");
    $mdata3 = mysql_fetch_array($mdata2);

  }
  else
  {
    
  }
  if (isset($_POST['submitmessage']))
  {
    $musername = $_POST['username'];
    $musername = strip_tags($musername);
    $mtitle = $_POST['title'];
    $mtitle = strip_tags($mtitle);
    $mcontent = $_POST['content'];
    $mcontent = strip_tags($mcontent);
  }
  else if (isset($_POST['submitreply']))
  {
    $musername = $_POST['username'];
    $musername = strip_tags($musername);
    $mesID = $_GET['message_ID'];
    $mesID = strip_tags($mesID);
    $mtitle = $_POST['title'];
    $mtitle = strip_tags($mtitle);
    $mcontent = $_POST['content'];
    $mcontent = strip_tags($mcontent);
    $repID = $_GET['repID'];
    $repID = strip_tags($repID);
    $lastrepID = $repID-1;
  }
  else
  {
    $musername = '';
    $mtitle = '';
    $mcontent = '';
  }

?>
<!DOCTYPE HTML>
<html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <link rel="stylesheet" type="text/css" href="css/style.css">
  <title>yM</title>
  </head>
  <body id="yM1">
    <div id="container">
      <div id="hcontainer">
        <div id="logo">
           sean<span class="color-1">Keenan</span>
        </div>
        <div id="details">
          <ul class="menu">
            <?php
            print
              "<li class='menu_item'><a href='search.php'>Search</a></li> |
              <li class='menu_item'><a href='messages.php?ID=$yourstats3[ID]'>";
              if ($yourstats3['unreadMessages'] == '0') { print "Messages"; } else { print "Messages <span class='color-1'>($yourstats3[unreadMessages])</span>"; } print "</a>
              </li> |
              <li class='menu_item'><a href='profile.php?ID=$yourstats3[ID]'>Profile</a></li> |
              <li class='menu_item'><a href='upload.php'>Upload</a></li> |
              <li class='menu_item'><a href='logout.php'>Logout?</a></li>"; ?>
          </ul>
        </div>      
      </div>
      
      <div id="content">
        <div class="full_width_home">
          <?php print "<h3 class='left'>Welcome, $yourstats3[firstName].</h3><span class='pl-5 right'><a href='' class='color'></a></span><br /><p>"; ?>
          </p>
        </div>

        
        
<?php
if (!isset($_POST['submitmessage']))
{
 if (!isset($_POST['submitreply']))
 { 
  if (isset($_GET['replyMessage']))
  {
    
    $musername = $_GET['rec'];
    $musername = strip_tags($musername); 
    $mtitle = $mdata3['messageTitle'];
    $mtitle = mysql_real_escape_string($mtitle);
    
    $repID = $_GET['repID'];
    $repID = strip_tags($repID);
    $getid = "SELECT * from users WHERE userName ='$musername'";
    $getid2 = mysql_query($getid) or die ("Could not get user");
    $getid3 = mysql_fetch_array($getid2); 
    print"<div class='tasks_panel'>
            <ul>
                <a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
                <a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
                <a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
            </ul>
          </div>";
    print"<div class='three_quarter_full_message'>
          <table class='mt-10 left'><form action='messages.php?writeReply&username=$musername&title=RE;$mtitle&content=$mcontent&message_ID=$mesID&repID=$repID' method='post' class='mt-25'>
              <tr><td class='tar'>Username:</td>&nbsp;<td> <input type='text' name='username' size='30' value='$musername' /><td></tr>
              <tr><td class='tar'>Message Title:</td>&nbsp;<td> <input type='text' name='title' size='30' value='RE;$mtitle' /></td></tr><br />
          </table>
          <div class='right'>";
            $getimage = "SELECT * from people WHERE user_ID = '$getid3[ID]' and profile_image ='1'";
				    $resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
				    while ($row = mysql_fetch_assoc($resultim))
				    {
					   echo "<img src=\"images/" . $row['filename'] . "\" alt=\"\" class='mt-13 mr-6' id='smallimg' />";
				    }
    print"</div><br/><br /> <br />
              <span class='clear'>Message</span><br /> 
              <textarea rows='37' cols='76' name='content'>Insert your message here, note the more detailed and more effort you put into a message, the more likely it is that you receive a response.</textarea><br />
              <input type='submit' size='15' value='Submit' name='submitreply' class='subsea right' /><br />
            </form>
          </div>";        
  }
  else
  {
    if (isset($_GET['readMessage']))
    { 
      $u_NM = $_GET['sender'];
      $u_NM = strip_tags($u_NM);
      $m_ID = $_GET['message_ID'];
      $m_ID = strip_tags($m_ID);
      $r_ID = $_GET['repID'];
      $r_ID = strip_tags($r_ID);
      $getusers = "SELECT * from users WHERE userName = '$u_NM'";
      $getusers2 = mysql_query($getusers) or die ("could not query");
      $getusers3 = mysql_fetch_array($getusers2);
      $rrepID = $r_ID - 1;
      $myID = $yourstats3['ID'];
                  
      $checkmsg = "SELECT * from messages WHERE message_ID = '$m_ID' and reply_ID = '$rrepID'";
      $checkmsg2 = mysql_query($checkmsg) or die ("Can not check");
      $checkmsg3 = mysql_fetch_array($checkmsg2);
      if ($checkmsg3['beenread'] == 'no' && $checkmsg3['user_ID'] == $myID)
      {
      $updmmsg = "UPDATE messages set beenread = 'yes' WHERE message_ID = '$m_ID' and reply_ID = '$rrepID'";
      $updumsg = "UPDATE users set unreadMessages = unreadMessages-'1' WHERE ID = '$myID'";
      mysql_query($updmmsg) or die("error");
      mysql_query($updumsg) or die ("prob");
      header("refresh:1;url=messages.php?readMessage&message_ID=$m_ID&sender=$u_NM&repID=$r_ID");
      }
      
          
      print"<div class='tasks_panel'>
              <ul>
                <a href='messages.php?replyMessage&message_ID=$m_ID&rec=$u_NM&repID=$r_ID'><li class='message_tasks active'>Reply to This?</li></a>
                <a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
                <a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
                <a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
              </ul>
            </div>";
      print "<div class='three_quarter_info'>
              <b>Conversation between you and <a href='profile.php?ID=$getusers3[ID]'>$u_NM</a>.</b>
              </div>";
      $getmessage="SELECT * from messages WHERE  message_ID = '$m_ID' order by setTime desc limit 0,10";
      $getmessage2=mysql_query($getmessage) or die("Could not fetch ranks");
      while($getmessage3=mysql_fetch_assoc($getmessage2))
      { 
        print"<div class='three_quarter_full_message'>";				      
				$getsender = "SELECT userName from users WHERE ID = '$getmessage3[fromUser]'";
				$getsender2 = mysql_query($getsender) or die ("Could not get sender details");
				$getsender3 = mysql_fetch_array($getsender2);
				
        $getimage = "SELECT * from people WHERE user_ID = '$getmessage3[fromUser]' and profile_image ='1'";
				$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
				while ($row = mysql_fetch_assoc($resultim))
				{
					echo "<div class='fullspace'><img src=\"images/" . $row['filename'] . "\" alt=\"\" /></div>";
				}
				echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>From: <a href='profile.php?ID=$getmessage3[fromUser]'>$getsender3[userName]</a></small>";
        if ($getmessage3['reply_ID'] != '0' )
        {
          print "<div class='view_button_replycount'>Response $getmessage3[reply_ID]</div><br /><br />";
        }
        else 
        { 
          print "<div class='view_button_replycount'>First Message</div><br /><br />"; 
        }               
        echo "$getmessage3[content]</div>";
        print '</div>';           
      }
    }

    else if (isset($_GET['sentMessage']))
    {
      print"<div class='tasks_panel'>
              <ul>
                <a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
                <a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
                <li class='message_tasks active'>Sent Messages</li>
              </ul>
            </div>";
      $getmessage="SELECT * from messages WHERE fromUser = '$yourstats3[ID]' and toUser != '$yourstats3[ID]' order by setTime desc limit 0,10";
      $getmessage2=mysql_query($getmessage) or die("Could not fetch ranks");
      while($getmessage3=mysql_fetch_assoc($getmessage2))
      { 
        $repID = '0';
				$getrep = "SELECT * from messages WHERE message_ID='$getmessage3[message_ID]'";
				$getrep2 = mysql_query($getrep) or die ("cc");
				while($getrep3=mysql_fetch_assoc($getrep2))
				{
          $repID++;
        }      
        print"<div class='three_quarter_message'>";
        $getsender = "SELECT * from users WHERE ID = '$getmessage3[toUser]'";
				$getsender2 = mysql_query($getsender) or die ("Could not get sender details");
				$getsender3 = mysql_fetch_array($getsender2);
				
        $getrecep = "SELECT * from users WHERE ID = '$getmessage3[fromUser]'";
				$getrecep2 = mysql_query($getrecep) or die ("Could not get recepient details");
				$getrecep3 = mysql_fetch_array($getrecep2);
				if ( $getmessage3['fromUser'] == $yourstats3['ID'] )
				{ 
          $getimage = "SELECT * from people WHERE user_ID = '$getmessage3[toUser]' and profile_image ='1'"; 
        }
				else
				{ 
          $getimage = "SELECT * from people WHERE user_ID = '$getmessage3[fromUser]' and profile_image ='1'"; 
        }
				$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
				while ($row = mysql_fetch_assoc($resultim))
				{
					echo "<div class='fullspace'><img src=\"images/" . $row['filename'] . "\" alt=\"\" /></div>";
				}  
        echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>Between you and <a href='profile.php?ID=$getmessage3[toUser]'>$getsender3[userName]</a></small>";  
        print "<a href='messages.php?readMessage&message_ID=$getmessage3[message_ID]&sender=$getsender3[userName]&repID=$repID'><div class='view_button_replycount'>Read Message</div></a><br /><br />";
        echo substr($getmessage3['content'], 0 ,120 ); print "...<br /><br />";
               
        if ($getmessage3['replied'] == 'yes' )
        {
          print "<small class='metRequirement right'><b>&radic; - $getsender3[userName] has replied.</b></small></div>"; 
        }
        else
        {
          print "<small class='failRequirement right'><b>X - $getsender3[userName] has not replied.</b></small></div>"; 
        }     
        print '</div>';      
      }
    }

    else if (isset($_GET['writeMessage']))
    {
      print"<div class='tasks_panel'>
              <ul>
                <a href='messages.php?writeMessage'><li class='message_tasks active'>New Message</li></a>
                <a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
                <a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
              </ul>
            </div>";
      print"<div class='three_quarter_full_message'>
            <table class='mt-25'><form action='messages.php?writeNew&username=$musername&title=$mtitle&content=$mcontent' method='post' class='mt-25'>
                <tr><td class='tar'>Username:</td>&nbsp;<td> <input type='text' name='username' size='30' /><td></tr><br />
                <tr><td class='tar'>Message Title:</td>&nbsp;<td> <input type='text' name='title' size='30' /></td></tr><br />
                </table>
              Message<br /> 
              <textarea rows='37' cols='76' name='content'>Insert your message here, note the more detailed and more effort you put into a message, the more likely it is that you receive a response.</textarea><br />
              <input type='submit' size='15' value='Submit' name='submitmessage' class='subsea right' /><br />
            </form>
            </div>";
    }
    
    else
    {
      print"<div class='tasks_panel'>
              <ul>
                <a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
                <li class='message_tasks active'>Your Inbox</li>
                <a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
              </ul>
            </div>";
      $getmessage="SELECT * from messages WHERE user_ID = '$yourstats3[ID]' OR toUser = '$yourstats3[ID]' order by setTime desc limit 0,10";
      $getmessage2=mysql_query($getmessage) or die("Could not fetch ranks");
      while($getmessage3=mysql_fetch_assoc($getmessage2))
      { 
        print"<div class='three_quarter_message'>";
        $getsender = "SELECT * from users WHERE ID = '$getmessage3[toUser]'";
				$getsender2 = mysql_query($getsender) or die ("Could not get sender details");
				$getsender3 = mysql_fetch_array($getsender2);
				
        $getrecep = "SELECT * from users WHERE ID = '$getmessage3[fromUser]'";
				$getrecep2 = mysql_query($getrecep) or die ("Could not get recepient details");
				$getrecep3 = mysql_fetch_array($getrecep2);

        $repID = '0';
				$getrep = "SELECT * from messages WHERE message_ID='$getmessage3[message_ID]'";
				$getrep2 = mysql_query($getrep) or die ("cc");
				while($getrep3=mysql_fetch_assoc($getrep2))
				{
          $repID++;
        }

				if ( $getmessage3['fromUser'] == $yourstats3['ID'] )
				{ 
          $getimage = "SELECT * from people WHERE user_ID = '$getmessage3[toUser]' and profile_image ='1'"; 
        }
				else
				{ 
          $getimage = "SELECT * from people WHERE user_ID = '$getmessage3[fromUser]' and profile_image ='1'"; 
        }
				$resultim = mysql_query($getimage) or die ("Could not access DB: " . mysql_error());
				while ($row = mysql_fetch_assoc($resultim))
				{
					echo "<div class='fullspace'><img src=\"images/" . $row['filename'] . "\" alt=\"\" /></div>";
				}
				if ( $getmessage3['fromUser'] != $yourstats3['ID'] )
				{ 
          echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>Between you and <a href='profile.php?ID=$getmessage3[fromUser]'>$getrecep3[userName]</a></small>";  
        }
				else
				{ 
          echo "<div class='fulspace'><h3>$getmessage3[messageTitle]</h3><small>Between you and <a href='profile.php?ID=$getmessage3[toUser]'>$getrecep3[userName]</a></small>";  
        }
        print "<a href='messages.php?readMessage&message_ID=$getmessage3[message_ID]&sender=$getrecep3[userName]&repID=$repID'><div class='view_button_replycount'>Read Message</div></a><br /><br />";
        echo substr($getmessage3['content'], 0 ,120 ); print "...<br /><br />";
        if ($getmessage3['beenread'] == 'yes')
        {
          print "<small class='metRequirement right' id='mt-10'><b>&radic; - Read.</b></small><br />";
        }
        else
        {
          print "<small class='failRequirement right' id='mt-10'><b>X - Unread.</b></small><br />"; 
        }       
        if ($getmessage3['replied'] == 'yes' )
        {
          print "<small class='metRequirement right' id='mt-10'><b>&radic; - You have replied.</b></small></div>"; 
        }
        else
        {
          print "<small class='failRequirement right' id='mt-10'><b>X - You have not replied.</b></small></div>"; 
        }     
        print '</div>';      
      }
    }
  }   
 }
 else
 {
   print"<div class='tasks_panel'>
           <ul>
                <a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
                <a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
                <a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
           </ul>
         </div>";
   $getusers = "SELECT * from users WHERE userName = '$musername'";
   $getusers2 = mysql_query($getusers) or die ("could not query");
   $getusers3 = mysql_fetch_array($getusers2);
   if (!$getusers3)
   {
    print"<div class='three_quarter_message'>
          <small class='center'>Message not sent as there is no user of that name.</small>    
          </div>";
   }
   else 
   { 
    if (!$_POST['username'] || !$_POST['title'] || !$_POST['content'] )
    {
      print "<div class='three_quarter_message'>
              <small class='center'>All fields must be completed.</small>    
            </div>";
    }
    else
    {      
      $MSQL = "INSERT into messages(user_ID, message_ID, content, messageTitle, fromUser, toUser, reply_ID, replied) VALUES ('$getusers3[ID]','$mesID','$mcontent','$mtitle','$yourstats3[ID]','$getusers3[ID]','$repID','no')";
      $USQL = "UPDATE messages SET replied = 'yes' WHERE message_ID = '$mesID' and reply_ID<='$lastrepID'";
      $updustats = "UPDATE users set unreadMessages = unreadMessages+'1' WHERE ID = '$getusers3[ID]'";
      mysql_query($MSQL) or die("Could not send");
      mysql_query($USQL) or die("Could not update");
      mysql_query($updustats) or die ("Could not update user");
      print"<div class='three_quarter_full_message'>  
              <small class='success_M'>Reply successfully sent, $yourstats3[firstName] <br><br>
              Your browser should re-direct you automatically<br /> If it does not, click <a href='messages.php?'>here</a></small></a>";
              header( 'refresh:5;url=messages.php' );
      print"</div>";

    }
  }
 }            

}
else
{
  print"<div class='tasks_panel'>
              <ul>
                <a href='messages.php?writeMessage'><li class='message_tasks'>New Message</li></a>
                <a href='messages.php?'><li class='message_tasks'>Your Inbox</li></a>
                <a href='messages.php?sentMessage'><li class='message_tasks'>Sent Messages</li></a>
              </ul>
            </div>";
  $getusers = "SELECT * from users WHERE userName = '$musername'";
  $getusers2 = mysql_query($getusers) or die ("could not query");
  $getusers3 = mysql_fetch_array($getusers2);
  if (!$getusers3)
  {
    print"<div class='three_quarter_message'>
          <small class='center'>Message not Sent There is no user of that name. $musername</small>    
          </div>";
  }
  else 
  { 
    if (!$_POST['username'] || !$_POST['title'] || !$_POST['content'] )
    {
      print "<div class='three_quarter_message'>
              <small class='center'>All fields must be completed.</small>    
            </div>";
    }
    else
    { 
      $var1= rand(1,14172);
      $vaa1= rand(218,8713);
      $var2= rand(22,12315);
      $vaa2= rand(2358,6479);
      $randA = $vaa1.$var1;
      $randB = $vaa2.$var2;
      $randC = "$randA"+"$randB";
      
      $JSQL = "INSERT into messages(user_ID, message_ID, content, messageTitle, fromUser, toUser, reply_ID, replied) VALUES ('$getusers3[ID]','$randC','$mcontent','$mtitle','$yourstats3[ID]','$getusers3[ID]','0','no')";
      $updustats = "UPDATE users set unreadMessages = unreadMessages+'1' WHERE ID = '$getusers3[ID]'";
      mysql_query($JSQL) or die("Could not send");
      mysql_query($updustats) or die ("Couldnt update");
      print"<div class='three_quarter_full_message'>
            <small class='success_M'>Reply successfully sent, $yourstats3[firstName] <br><br>
            Your browser should re-direct you automatically <br /> If it does not, click <a href='messages.php?'>here</a></small></a>";
            header( 'refresh:3;url=messages.php' );
      print"</div>";

    }
  }
}           

    
    
?>
      </div>
      <div id="clear"></div>
    </div>
    <div id="cont">
      <span class="left">&copy; sean<span class="color-1">Keenan</span> 2011<br /> 
      <?php print "<small><a href='upload.php'>Upload</a> | <a href='login.php'>Login</a> | <a href='profile.php?ID=$yourstats3[ID]'>Profile</a> | <a href='search.php'>Search</a></small>"; ?><br /><br /></span>
      <span class="right"><small>Powered by </small>s<span class="color-1">K</span><i class="smallitalic">.CMS</i></span>
    </div>
  </body>
</html>



My actual question is, although my code may not be perfect it does work so.. is this a method I should continue using as opposed to external forms?

Also another question that has been plaguing my mind is: Is it better to use echo or print, because I tend to just write what I think of first! Is there a real difference?
You might think you get taught this stuff, but you don't.
EDIT: Can anyone link me to a tutorial on how to escape, and secure my code because right now I don't believe I am doing anything to protect it from malicious code.
As always thanks for any help!

This post has been edited by SeanKeenan: 07 February 2011 - 06:37 AM
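
In answer to the EDIT in the post above, an added example (not SeanKeenan's code and not taken from the linked tutorials) of what the script's reads need: bound parameters instead of strip_tags() plus interpolation, a check that the logged-in user takes part in the thread being read, and htmlspecialchars() on output. It assumes PDO with an in-memory SQLite database in place of the mysql_* calls; the cut-down table, the sample rows and user IDs, and the helper names query_as_posted, fetch_thread and h are made up for the demonstration.

```php
<?php
// Added example, not the poster's code. Assumes PHP with the pdo_sqlite extension;
// an in-memory SQLite database stands in for the MySQL one behind connect.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE messages (message_ID TEXT, reply_ID INTEGER,
           fromUser INTEGER, toUser INTEGER, messageTitle TEXT, content TEXT)");
// Constructed rows: users 1 and 2 share thread 1001, users 3 and 2 share thread 2002.
$db->exec("INSERT INTO messages VALUES ('1001', 0, 1, 2, 'Hi', 'Coffee at <noon>?')");
$db->exec("INSERT INTO messages VALUES ('2002', 0, 3, 2, 'Private', 'Not for user 1')");

// The pattern from the post: strip_tags(), then interpolation into the SQL text.
// strip_tags() removes markup only, so a quote in the value still ends the literal.
function query_as_posted($messageId)
{
    $messageId = strip_tags($messageId);
    return "SELECT * from messages WHERE message_ID = '$messageId'";
}

// Hardened read: values are bound, never spliced into the SQL, and the WHERE
// clause only matches threads in which the logged-in user takes part.
function fetch_thread(PDO $db, $messageId, $viewerId)
{
    $stmt = $db->prepare(
        "SELECT messageTitle, content FROM messages
         WHERE message_ID = :mid AND (fromUser = :me1 OR toUser = :me2)
         ORDER BY reply_ID"
    );
    $stmt->bindValue(':mid', (string) $messageId, PDO::PARAM_STR);
    $stmt->bindValue(':me1', (int) $viewerId, PDO::PARAM_INT);
    $stmt->bindValue(':me2', (int) $viewerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape when printing, for the HTML context the value lands in.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$viewerId = 1;                  // the real page would take this from $_SESSION
$crafted  = "x' OR '1'='1";     // constructed stand-in for $_GET['message_ID']

echo "SQL built by interpolation: ", query_as_posted($crafted), "\n";
$leaked = $db->query(query_as_posted($crafted))->fetchAll(PDO::FETCH_ASSOC);
echo "rows from interpolated query: ", count($leaked), "\n";
echo "rows from bound query, same input: ", count(fetch_thread($db, $crafted, $viewerId)), "\n";
echo "rows for someone else's thread: ", count(fetch_thread($db, '2002', $viewerId)), "\n";

foreach (fetch_thread($db, '1001', $viewerId) as $row) {
    echo "<h3>", h($row['messageTitle']), "</h3>", h($row['content']), "\n";
}
```

Run it with the php command-line binary. The same prepare and bindValue calls work against MySQL by changing the PDO DSN.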



Replies To: Using the same URL and $_GET

#2 CTphpnwb

Re: Using the same URL and $_GET

Posted 07 February 2011 - 07:00 AM

See these:
http://www.dreaminco...ode-separation/
http://www.dreaminco...1&#entry1142191

http://en.wikipedia....View–Controller