
Problem I can't resolve

I have been looking at this problem for 2 hours and can't figure it out.

I have a problem inserting data into my database.
It's for a PM system.

Database
Code:
CREATE TABLE IF NOT EXISTS `private` (
  `id` int(11) NOT NULL auto_increment,
  `to` varchar(100) NOT NULL,
  `from` varchar(100) default NULL,
  `subject` varchar(100) default NULL,
  `message` longtext,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

PHP:
<?php include ("../includes/db_connect.php") ; ?>
<?php 

if (isset($_POST['submit'])) { 
		
    // check if username exists in database.

    if (!get_magic_quotes_gpc()) {
        $_POST['sendto'] = addslashes($_POST['sendto']);
    }

    $qry = "SELECT username FROM users WHERE username = '".$_POST['sendto']."'";
    $name_check = $db_object->query($qry);

    if (DB::isError($name_check)) {
        die($name_check->getMessage());
    }

    $name_checkk = $name_check->numRows();

    if ($name_checkk == 0) { // compare, not assign
        	header('Location: compose.php?error=Sorry, the user: <strong>'.$_POST['sendto'].'</strong>'
          . ' does not exist.');
		  exit;
    }
	
	    // no HTML tags in username, website, location, password

    $_POST['sendto'] = strip_tags($_POST['sendto']);
    $_POST['from'] = strip_tags($_POST['from']);
    $_POST['subject'] = strip_tags($_POST['subject']);
    $_POST['message'] = strip_tags($_POST['message']);
	
	
    if (!get_magic_quotes_gpc()) {
        $_POST['subject'] = addslashes($_POST['subject']);
        $_POST['message'] = addslashes($_POST['message']);
    }
	


    $insert = "INSERT INTO pm (
            from, 
            to, 
            subject, 
            message) 
            VALUES (
            '$_POST['from']', 
            '$_POST['sendto']', 
            '$_POST['subject']', 
            '$_POST['message']')";

    $send_message = $db_object->query($insert);

    if (DB::isError($send_message)) {
        die($send_message->getMessage());
    }

    $db_object->disconnect();
	
	header('Location: ../index.php');
	}
?>

Even this won't work, with fixed values:

PHP:
<?php require('db_connect.php'); ?>
<?php

    $insert = "INSERT INTO pm ( from, sendto, subject, message) 
            VALUES ( '1', '2', 'test', 'message')";

    $send_message = $db_object->query($insert);

    if (DB::isError($send_message)) {
        die($send_message->getMessage());
    }

    $db_object->disconnect();
	
	header('Location: ../index.php');
	
?>
 
0
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Swap around the SQL statement for INSERT so that it follows the order of the table.

Code:
 $insert = "INSERT INTO pm (
            to,
            from,
            subject,
            message)
            VALUES (
            '$_POST['sendto']',
            '$_POST['from']',
            '$_POST['subject']',
            '$_POST['message']')";



Fixed mistakes. Sorry.
 
0
•••
The 2nd code snippet will not work, as you are trying to insert a value into a field called sendto, yet there is no field called that; in fact it is called simply to.
 
0
•••
Fixed mistake on mine. :p
 
0
•••
Is it normal that, with this as a database

Code:
CREATE TABLE IF NOT EXISTS `pm` (
  `id` int(11) NOT NULL auto_increment,
  `from` varchar(100) default NULL,
  `sendto` varchar(100) default NULL,
  `subject` varchar(100) default NULL,
  `message` longtext,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

even this won't work?

PHP:
$query = "INSERT INTO pm (from, sendto, subject, message)
VALUES ('from', 'sendto', 'subject', 'message')";

	mysql_query($query) or die('Error ,query failed');

It returns: Error ,query failed
 
0
•••
PHP:
<form action="send.php" method="post" class="register_form">

<input name="from" type="hidden" value="<?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES); ?>">

<label>Send to : </label> 
<input type="text" name="sendto" value="<?php print htmlspecialchars($_GET["sendto"], ENT_QUOTES); ?>" class="txtBoxWide">
<label>Subject : </label>
<input type="text" name="subject" maxlength="100" class="txtBoxWide"><br>

<label>Message :</label>
<textarea name="message" id="txtAreaWide" cols="" rows=""></textarea>

	<input type="submit" name="submit" value="Verstuur" />

<br class="spacer" />
</form>
 
0
•••
Try changing this again to the following:

Code:
 $insert = "INSERT INTO pm (
            to,
            from,
            subject,
            message)
            VALUES (
            '$_POST["sendto"]',
            '$_POST["from"]',
            '$_POST["subject"]',
            '$_POST["message"]')";


You had single quotes between where they should be
 
0
•••
No, that's not necessary, because I used this script I wrote and adjusted it,
and here the single quotes are no problem:

PHP:
<?php require('db_connect.php'); ?>
<?php

if (isset($_POST['submit'])) { // if form has been submitted


    if (!$_POST['uname'] || !$_POST['passwd'] ||
        !$_POST['passwd_again'] || !$_POST['email']) {
        	header('Location: ../register.php?error=You did not fill in a required field.');
			exit;
    }

    // check if username exists in database.

    if (!get_magic_quotes_gpc()) {
        $_POST['uname'] = addslashes($_POST['uname']);
    }

    $qry = "SELECT username FROM users WHERE username = '".$_POST['uname']."'";
    $name_check = $db_object->query($qry);

    if (DB::isError($name_check)) {
        die($name_check->getMessage());
    }

    $name_checkk = $name_check->numRows();

    if ($name_checkk != 0) {
        	header('Location: ../register.php?error=Sorry, the username: <strong>'.$_POST['uname'].'</strong>'
          . ' is already taken, please pick another one.');
		  exit;
    }

    // check passwords match

    if ($_POST['passwd'] != $_POST['passwd_again']) {
        	header('Location: ../register.php?error=Passwords did not match.');
			exit;
    }

    // check e-mail format

    if (!preg_match("/.*@.*..*/", $_POST['email']) ||
         preg_match("/(<|>)/", $_POST['email'])) {
        	header('Location: ../register.php?error=Invalid e-mail address.');
			exit;
    }

    // no HTML tags in username, website, location, password

    $_POST['uname'] = strip_tags($_POST['uname']);
    $_POST['passwd'] = strip_tags($_POST['passwd']);
    $_POST['location'] = strip_tags($_POST['location']);

    // check show_email data

    if ($_POST['show_email'] != 0 && $_POST['show_email'] != 1) {
        die('Nope');
    }


    // now we can add them to the database.
    // encrypt password

    $_POST['passwd'] = md5($_POST['passwd']);

    if (!get_magic_quotes_gpc()) {
        $_POST['passwd'] = addslashes($_POST['passwd']);
        $_POST['email'] = addslashes($_POST['email']);
        $_POST['location'] = addslashes($_POST['location']);
    }

    $regdate = date("Y-m-d"); 

    $insert = "INSERT INTO users (
            username, 
            password, 
            regdate, 
            email, 
            location, 
            show_email, 
            last_login) 
            VALUES (
            '".$_POST['uname']."', 
            '".$_POST['passwd']."', 
            '$regdate', 
            '".$_POST['email']."', 
            '".$_POST['location']."', 
            '".$_POST['show_email']."', 
            'Never')";

    $add_member = $db_object->query($insert);

    if (DB::isError($add_member)) {
        die($add_member->getMessage());
    }

    $db_object->disconnect();
	
	header('Location: ../reg_succes.php');
	}
?>
 
0
•••
You're using ". and ." to escape the clashes in quotes in that example, which you are not using in the problematic version.
 
0
•••
Re-wrote it for the biggest part and now it works.
I added something to the query and it seems that that makes a big difference.
Don't know why, because in the similar script it isn't necessary.

PHP:
    $insert = "INSERT INTO `pm` ( `id` , `from` , `to` , `subject` , `message` )
		VALUES ( NULL , '".$_POST['from']."', '".$_POST['to']."', '".$_POST['subject']."', '".$_POST['message']."'
		)";

The id >> NULL seems to make the difference.


NVD, thanks for the help
 
0
•••
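Added example, not code from the thread: FROM and TO are reserved words in MySQL, so the unquoted column list is a syntax error, and the backticks in the working query are the relevant change rather than the explicit NULL id. The sketch below shows the failing and the working form with bound parameters; an in-memory SQLite database via PDO stands in for the MySQL server (assumption, so it runs offline), and `try_unquoted()` and `send_pm()` are hypothetical helper names.

```php
<?php
// Added example. SQLite stands in for MySQL (assumption): both parse FROM as
// a keyword and both accept backtick-quoted identifiers.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE pm (
    `id` INTEGER PRIMARY KEY AUTOINCREMENT,
    `from` VARCHAR(100), `to` VARCHAR(100),
    `subject` VARCHAR(100), `message` TEXT)');

// 1. The unquoted column list from the thread: the parser hits the keyword
//    FROM and rejects the statement before any value is looked at.
function try_unquoted(PDO $db): string
{
    try {
        $db->exec("INSERT INTO pm (from, to, subject, message)
                   VALUES ('1', '2', 'test', 'message')");
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// 2. Quoted identifiers plus bound parameters. No id column is listed; the
//    auto-increment key fills itself in. Values never enter the SQL text,
//    so addslashes() and magic quotes are not needed.
function send_pm(PDO $db, string $from, string $to, string $subject, string $message): int
{
    $stmt = $db->prepare('INSERT INTO pm (`from`, `to`, `subject`, `message`)
                          VALUES (:from, :to, :subject, :message)');
    $stmt->execute([':from' => $from, ':to' => $to,
                    ':subject' => $subject, ':message' => $message]);
    return (int) $db->lastInsertId();
}

echo try_unquoted($db), PHP_EOL;

// Constructed sample input. In a real handler the sender would come from the
// server-side session, not from a hidden form field the client can edit.
$id = send_pm($db, 'alice', "o'brien", "it's here", "x'); DROP TABLE pm; --");

$check = $db->prepare('SELECT `to`, `message` FROM pm WHERE `id` = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);
echo "row $id to {$row['to']}: {$row['message']}", PHP_EOL;
```

Against MySQL the same two statements apply unchanged once the PDO connection uses a `mysql:` DSN.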
Strange that it requires that.... but glad it's working :)
 
0
•••
I have noticed how you are using type varchar for the to and from fields. This is poor practice. They should be foreign keys that reference the id of your members table. Also, if the id of the private table is set to auto increment there is no need to include it as part of the SQL query. :tu:
 
0
•••
He is using MyISAM tables. Foreign keys are not supported in MyISAM; if he requires foreign keys he would require InnoDB.

However, I do agree the to and from should have the ids assigned to the user in the users table, if such a table exists.
 
0
•••
Peter said:
He is using MyISAM tables. Foreign keys are not supported in MyISAM; if he requires foreign keys he would require InnoDB.

However, I do agree the to and from should have the ids assigned to the user in the users table, if such a table exists.

Ah yes, well spotted Peter. :great:
 
0
•••