0

Please whats wrong with this code?

Im using it to add some data to database but im getting empty $toid and $toname when trying to insert.

This is the form. The variables $toid and $toname are ok here.

//write new message
if (isset($_GET['action']) && $_GET['action'] == compose) { 
        if (isset($_GET['toid'])) {
            $toid = $_GET['toid'];
            $tosql = "select * from authors where id =".$toid.""; 
            $toquery = mysql_query($tosql,$connection) or die(mysql_error());
            $torow = mysql_fetch_array($toquery);   
            $toname = $torow['displayname'];
        if (isset($_GET['subject'])) { $subject = $_GET['subject']; }
        if (isset($_GET['message'])) { 
            $message = $_GET['message']; 
            echo "<h3>Replying</h3>
            <table>
                <tr>
                    <td colspan='2'>Replying to ".$toname.".</td>
                </tr>
                <tr>
                    <td colspan='2'>".$subject."".nl2br($message)."<br />
                    </td>
                </tr>
            </table><br />Type your answer:<br /><br />";
        } else { echo "New message"; }
        echo "<form action=\"mail.php?action=send\" method=post>
            <table>
                <tr>
                    <td>To:</td><td><input type=\"text\" name=\"to\" size=\"50\" value=\"".$toname."\"></td>
                </tr>
                <tr>
                    <td>Title:</td><td><input type=text name=subject size=50 value=".$subject."></td>
                </tr>
                <tr>
                    <td valign=\"top\">Message:</td><td><textarea  rows=\"10\" cols=\"70\" name=\"message\"></textarea></td>
                </tr>
                <tr>
                    <td align=\"right\" colspan=\"2\"><input id=\"submitstyle\" type=\"submit\" value=\"Enviar Mensagem\"></td>
                </tr>
            </table>
        </form>"; 
        }
}

Here is the code to insert the message to databse, the $toid and $toname are empty here. Its suposed to being retrieved from the form above, right?

//send message  
if (isset($_GET['action']) && $_GET['action'] == send) { 

    if ($subject == "" || $message == "") {
        header('Location: mail.php?action=compose&toid='.$toid.'&subject=\''.$subject.'\'&sendpm=false');
        exit(); 
    }

    $date = DATE(YmdHis); 

    echo $userid."from<br />to".$toid."<br />toname".$toname;

    $sendsql = "INSERT INTO mail (sender, reciever, subject, message, created_at, status, sender_deleted, reciever_deleted) 
                        VALUES (".$userid.", ".$toid.", ".$subject.", ".$message.", ".$date.",unread, 0, 0)"; 
    $sendquery = mysql_query($sendsql,$connection) or die(mysql_error());

    echo "<div class=\"alert\" style=\"text-align: center; margin-top: 13px;\"><b>Mensagem particular enviada com sucesso!</b></div>
            <br /><table align=\"center\" width=\"75%\" class=\"sortable\">
                <tr>
                    <td colspan='2' style=\"text-align:center;font-weight:normal;\">Mensagem particular enviada para ".$toname.".</td>
                </tr>
                <tr>
                    <td colspan='2'>
                        Title: ".$subject."
                        Message: ".nl2br($message)."

                    </td>
                </tr>
            </table>";
}

Im also getting this sql error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' RE: assunto3, 3, 20121017023723,unread, 0, 0)' at line 2 wich i think its because of the empty variables mentioned.

Improve this question

3 Answers 3

Reset to default
1

First, you need to pass those variables as hidden form values: http://www.echoecho.com/htmlforms07.htm

Then you need to get the variables from the form via $_POST.

Try $toid = $_POST['toid'] and $toname = $_POST['toname']. But be wary about SQL injection: http://php.net/manual/en/security.database.sql-injection.php

Don't just accept values blindly from $_POST. Be sure to validate and filter them first.

Or if toid/toname aren't changable by the user, why not just requery for them?

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

toname is being retrieved from another table... i will try using the hidden values. thanks.
worked, thanks, the vars are being passed ok now.. the sql error was persisting because of quotes problems, wich i solved following the other answers. Since your answer solved the major issue i will accept it. Thanks to you all.
1

You need to escape the INSERT values, and put strings in quotes:

$sendsql = 'INSERT INTO mail (sender, reciever, subject, message, created_at, status, sender_deleted, reciever_deleted) 
            VALUES ("'.mysql_real_escape_string($userid).'", "'.mysql_real_escape_string($toid).'", "'.mysql_real_escape_string($subject).'", "'.mysql_real_escape_string($message).'", "'.mysql_real_escape_string($date).'","unread", 0, 0)';

Also, be sure you always escape the values that are immediately used in SQL queries from $_GET or $_POST. Otherwise, you are most likely to experience SQL injection

Improve this answer

Comments

1

You need to write SQL Statement in php like that:

 $tosql = "select * from authors where id ='$toid'";

and 

 $sendsql = "INSERT INTO mail (sender, reciever, subject, message, created_at, status, sender_deleted, reciever_deleted) 
                    VALUES ('$userid', '$toid', '$subject', '$message', '$date', 'unread', 0, 0)";

i think this will be help you.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.