CODEWITHSUNDEEP
phpmysql
Jason B
Jason B

Reputation: 33

php, sql INSERT TO not working when ACTION links to another page

My player message system isn't working. You start on the Diplomacy page which lists the player nations. Once a player nation is selected they are sent to the send message page which shows any messages between themselves and the nation selected. It also gives them a message box to write their own message to send. Here is the code.

if(isset($_POST['message']) && !empty($_POST['message'])){
    $sender = $_GET['nation'];
    $receiver = $_GET['receiver'];
    $random_number = rand();
    $message = $_POST['message'];
    $type = $_GET['type'];

    $check_con = mysql_query("SELECT `hash` FROM `message_group` WHERE (`user_one`='$sender' AND `user_two`='$receiver') OR (`user_one`='$receiver' AND `user_two`='$sender')");

    if(mysql_num_rows($check_con) ===1){
        $get_hash = mysql_fetch_assoc($check_con);

        $hash = $get_hash['hash'];
        mysql_query("INSERT INTO messages (group_hash, from_id, message, seen) VALUES('$hash','$sender','$message','0')");
        echo "<p>Message Sent!</p>";
   }else{   
        mysql_query("INSERT INTO message_group (user_one, user_two, hash) VALUES('$sender','$receiver','$random_number')");
        mysql_query("INSERT INTO messages (group_hash, from_id, message, seen) VALUES('$random_number','$sender','$message','0')");
        echo "<p>Conversation Started!</p>"; 
    }
    }
    ?>
    <form method="POST" action="index.php?page=gc3025/send_beta.php&game=<?php echo $game; ?>&type=<?php echo $type; ?>&nation=<?php echo $nations_id; ?>&user=<?php echo $user_id; ?>&receiver=<?php echo $receiver_id; ?>">
    <table>
    Enter Message:
    <tr>
   <td></td>
   <td><textarea name='message' rows='7' cols='60'></textarea></td>
   </tr>
    <td><input type='submit' value="Send Message" /></td>
    </table>
    </form>

If under FORM ACTION I link the page to itself it works but you have to refresh the page to see the new message which also resends the message. If the FORM ACTION goes to the previous page then it does not INSERT the message into the table on the server.

Upvotes: 0

Views: 72

Answers (1)

Petr Hejda
Petr Hejda

Reputation: 43481

You can use AJAX to load data dynamically into page without reloading. I'm going to post an example using jQuery.

Your current page with the form, lets name it form.php. Removed the posting message logic, kept the form, added ajax request.

<div id="messages"></div>    

<form id="message_form" method="POST" action="#">
  <table>
  <p>Enter Message:</p>
  <tr>
    <td></td>
    <td><textarea name='message' rows='7' cols='60'></textarea></td>
  </tr>
  <tr>
    <td colspan="2"><input type='submit' value="Send Message" /></td>
  </tr>
  </table>
</form>

<script type="text/javascript">
$("#message_form").submit(function(){
  var url = "./send.php";
  var send_data = { game: "<?php echo $game; ?>", type: "<?php echo $type; ?>", nation: "<?php echo $nations_id; ?>", user: "<?php echo $user_id; ?>", receiver: "<?php echo $receiver_id; ?>" };
  $.post(url, send_data).done(function(received_data){
    reload_messages();
  });
});

function reload_messages(){
   var url = "./read_messages.php";
   var send_data = { ... }; // add data you want to send to the reading script, such as filtering or limit numbers
   $.post(url, send_data).done(function(received_data){
    $("#messages").html(received_data);
  });
}
<script>

Now send.php. Here's your original posting message logic, repaired SQL injection vulnerability (read notes in the bottom of the answer).

if(isset($_POST['message']) && !empty($_POST['message'])){
  $sender = mysql_real_escape_string($_GET['nation']);
  $receiver = mysql_real_escape_string($_GET['receiver']);
  $random_number = rand();
  $message = mysql_real_escape_string($_POST['message']);
  $type = mysql_real_escape_string($_GET['type']);

  $check_con = mysql_query("SELECT `hash` FROM `message_group` WHERE (`user_one`='".$sender."' AND `user_two`='".$receiver."') OR (`user_one`='."$receiver."' AND `user_two`='."$sender."')");

  if(mysql_num_rows($check_con) ===1){
    $get_hash = mysql_fetch_assoc($check_con);

    $hash = $get_hash['hash'];
    mysql_query("INSERT INTO messages (group_hash, from_id, message, seen) VALUES('$hash','$sender','$message','0')");
    echo "<p>Message Sent!</p>";
  }else{   
    mysql_query("INSERT INTO message_group (user_one, user_two, hash) VALUES('".$sender."','".$receiver."','".$random_number."')");
    mysql_query("INSERT INTO messages (group_hash, from_id, message, seen) VALUES('".$random_number."','".$sender."','".$message."','0')");
    echo "<p>Conversation Started!</p>"; 
  }
}

Your code doesn't show reading messages logic, so I'm just going to put simple select query here.

$query = mysql_query("SELECT ... ");
while($row = mysql_fetch_assoc($query)){
  echo $row[...];
}

By the way, just few notes to your code:

1.Original code is vulnerable to SQL injection. Use mysql_real_escape_string() to escape input values to the queries or better prepared statements.

2.If you don't have same number of <td> columns in <tr> rows, use colspan attribute.

3.The "Enter message" (or any other text) should be at least in <p>, within a table cell, or outside table.

4.The last <td> wasn't wrapped in any <tr>

Upvotes: 1

Related Questions