reply to message: update mysql table where id matches? - php

I have a messaging system on my site that allows users to send and receive messages to each other.
The bit I am working on now is if a user sends another user a message and the user reads this message, they can reply to it.
At the moment my HTML form is set up with the message content echoing out in the text area; the user can then remove this content from the text area and retype what they want in it.
Then, as soon as they hit submit, this should go to message_reply.php, which should insert the new message content where the original message id exists and send it back to the user it came from. So this means, again, update the message content where the id, user_to_id and user_from_id are matched; it should insert the original subject with a :reply suffix and also update 'read_message', setting the enum value from 1 back to 0 (as in unread).
I'm struggling with this because I'm new to PHP and MySQL. Please can someone show me what I need to do?
My MySQL table is called 'ptb_messages' and it's laid out like so:
id | from_user_id(the person who sent msg) | to_user_id (recipient) | content | date_sent | read_message | deleted_to | deleted_from |
Here's my HTML form:
<form action="message_reply.php?to=<?php echo "$profile_id"; ?>" method="post">
<textarea name="textarea" id="textarea">
<?php echo "{$message['content']}"; ?>
</textarea>
<?php
}
?>
<input type="image" src="assets/img/icons/email_send.png"
width="50" height="34" name="send_button" id="send_button">
</form>
mysql function (message_reply.php)
<?php
//We check if the form has been sent
if(isset($_POST['textarea'])) {
$textarea = $_POST['textarea'];
//We remove slashes depending on the configuration
if(get_magic_quotes_gpc()) {
$textarea = stripslashes($textarea);
}
//We check if all the fields are filled
if($_POST['textarea']!='') {
$sql = "UPDATE ptb_messages SET (id, from_user_id, to_user_id, textarea) VALUES (NULL, '".$_SESSION['user_id']."', '".$message['from_user_id']."', '".$textarea."');";
mysql_query($sql, $connection);
echo "<div class=\"infobox1\">The message has successfully been sent.</div>";
}
}
?>

In your HTML code, the image is not going to submit the form, so nothing will happen when you click it. You need to either add an onclick or use a submit button (you can use CSS to show an image in the submit button):
onclick example:
<form id="need_an_id_here"
action="message_reply.php?to=<?php echo "$profile_id"; ?>"
method="post">
... your textarea
<input type="image" src="assets/img/icons/email_send.png"
width="50" height="34" name="send_button" id="send_button"
onclick="document.getElementById('need_an_id_here').submit();">
</form>
Also, though it is not your immediate question, your code is prone to security issues (SQL injection, XSS...). You should look up some tutorials on prepared statements and apply them in your code.
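One way to apply the prepared-statement and output-escaping advice above to the reply handler, as an added example that is not code from the original post. It assumes PDO with an in-memory SQLite database so that it runs stand-alone; the function names `saveReply` and `renderTextarea`, the cut-down table and the sample row are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with the SQLite
// driver (in-memory, so this runs stand-alone; for MySQL only the DSN changes),
// a constructed sample row, hypothetical function names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE ptb_messages (
    id INTEGER PRIMARY KEY, from_user_id INTEGER, to_user_id INTEGER,
    content TEXT, read_message TEXT DEFAULT '0')");
$pdo->exec("INSERT INTO ptb_messages VALUES (1, 7, 9, 'Hi there', '1')");

// Overwrite message $id with the reply text, send it back to the original
// sender and mark it unread. Returns the number of rows changed.
function saveReply(PDO $pdo, int $id, int $currentUser, string $text): int
{
    // to_user_id is assigned first: MySQL applies SET clauses left to right,
    // so it must read from_user_id before that column is overwritten.
    // Every value is bound as data, never concatenated into the SQL text.
    $stmt = $pdo->prepare(
        "UPDATE ptb_messages
            SET content = ?, to_user_id = from_user_id, from_user_id = ?,
                read_message = '0'
          WHERE id = ? AND to_user_id = ?"
    );
    $stmt->execute([$text, $currentUser, $id, $currentUser]);
    return $stmt->rowCount();
}

// Escape stored content before echoing it back into the form's <textarea>,
// so markup inside a message is displayed as text instead of being parsed.
function renderTextarea(string $content): string
{
    return '<textarea name="textarea" id="textarea">'
         . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</textarea>';
}

// Constructed input containing a quote, SQL fragments and HTML.
$text = "It's fine', read_message = '1' -- </textarea><script>alert(1)</script>";
$changed = saveReply($pdo, 1, 9, $text); // user 9 is the recipient of message 1
$row = $pdo->query('SELECT * FROM ptb_messages WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

echo "rows changed: $changed\n";
echo 'stored verbatim: ', var_export($row['content'] === $text, true), "\n";
echo "now from {$row['from_user_id']} to {$row['to_user_id']}, ",
     "read_message={$row['read_message']}\n";
echo renderTextarea($row['content']), "\n";
```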

Related

Wont delete db row (message) in Colorbox

I'm using colorbox for my PM system. I added a trash-btn so users can delete their messages whenever they like. When the user has opened his PM (colorbox) and clicks the trash-btn to delete a message, it does not delete it. Whereas whenever I browse directly to a message and hit the button, it does work. So it only doesn't work when colorbox has been opened.
Since I'm new to this and don't know much JavaScript, I would like it if anyone could help me out a bit. Here's my EDITED code
read_message.php form (this opens in the colorbox)
echo '
<div class="inboxMessage">
<div class="inboxMessageImg NoNewMsg"></div>
<div class="inboxMessageHeader">
<a id="ajax" class="inboxMessageLink" onclick="showMessage('.$row['message_id'].')">'.$row['message_title'].'</a>
<p class="inboxMessageStatus Read">'.$inboxMessageStatus_Read.'</p>
</div>
<div class="inboxMessageDescription">'.$inboxMessageDescription.'</div>
<div class="inboxMessageActions">
<form method="post" action="message/delete_message.php">
<input type="hidden" value="'.$row['message_title'].'" name="message_title">
<input type="hidden" value="'.$row['message_id'].'" name="message_id">
<input type="submit" class="deleteMessageIcon" value="" name="deleteMessage">
</form>
</div>
</div>';
This is delete_message.php page
<?php
include '../../includes/db_connect.php';
sec_session_start();
// Delete message from db
if (isset($_POST['deleteMessage'])) {
$msgID = $POST['message_id'];
$msgTitle = $POST['message_title'];
$deleteMessage = mysqli_query($mysqli,"DELETE FROM messages WHERE message_title = '$msgTitle' AND message_id = '$msgID'") OR die(mysql_error($mysqli));
if($deleteMessage) {
echo "Deleted";
}else{
echo "Error - Try again";
}
}
?>
If you need more information, please let me know so.
Thanks in advance!
PS - I know anyone is able to change the message id and title in the form so he's able to delete messages. First of all, the user needs to know the whole title of anyone else's message. Besides that, I'll create a random number which will be the message_id so it's not easy to get/find the message id - I'M WORKING ON IT. First, the delete function needs to work properly.

I think I saw your error:
If the query is returning and doing nothing, it is because the condition is wrong. If you try the query in phpMyAdmin the query is OK, so the only thing I can think of is this part:
$msgID = $POST['message_id'];
$msgTitle = $POST['message_title'];
it should be:
$msgID = $_POST['message_id'];
$msgTitle = $_POST['message_title'];
If it doesn't work, do:
print_r("DELETE FROM messages WHERE message_title = '$msgTitle' AND message_id = '$msgID'");
and let us know the output.
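On the point raised in the question's PS, that anyone can change the posted message id: an added example (not code from the thread) of a delete that is tied to the logged-in user in the query itself, so a changed or guessed id removes nothing. It assumes PDO with in-memory SQLite instead of the thread's mysqli so it runs stand-alone; the `owner_id` column, the function name `deleteOwnMessage` and the rows are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO/SQLite in memory
// stands in for the mysqli connection; owner_id is a hypothetical column
// holding the user the message belongs to; the two rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (
    message_id INTEGER PRIMARY KEY, owner_id INTEGER, message_title TEXT)');
$pdo->exec("INSERT INTO messages VALUES (101, 1, 'Lunch?'), (102, 2, 'Invoice')");

// Delete one message, but only if it belongs to the user from the session.
// The owner comes from server-side state, never from the submitted form.
function deleteOwnMessage(PDO $pdo, int $sessionUserId, $rawMessageId): bool
{
    // Reject anything that is not a positive integer (arrays, SQL text, '').
    $id = filter_var($rawMessageId, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return false;
    }
    $stmt = $pdo->prepare(
        'DELETE FROM messages WHERE message_id = ? AND owner_id = ?'
    );
    $stmt->execute([$id, $sessionUserId]);
    // Exactly one row is removed when the id exists and is owned by the user.
    return $stmt->rowCount() === 1;
}

$me = 1; // stands in for the user id stored in the session at login

// Constructed form values: own message, someone else's message, a repeat of
// the first delete, and a value that is not an integer at all.
foreach (['101', '102', '101', "102' OR '1'='1"] as $posted) {
    printf("%-18s => %s\n", $posted,
           deleteOwnMessage($pdo, $me, $posted) ? 'Deleted' : 'Error - Try again');
}
echo 'rows left: ', $pdo->query('SELECT COUNT(*) FROM messages')->fetchColumn(), "\n";
```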

Can't get form to update mysql record

I have a three-part form that works like this. The first form is called create_ticket.php, and it's basically a form with a customer's contact info and what they want done. When the ticket is filled out it gets submitted to MySQL. Then, when a search is done of the db, you can select the ticket you want by clicking on the select link associated with that ticket in the search result, and the browser will open a new window with the 2nd part of the form; it will pass the id associated with that MySQL record in the browser, so you see ?id=10 at the end of the URL. The 2nd part of the form is what a technician will use to fill out what they did, and when they click get signature on the bottom of the page it will pop up the 3rd part of the form, which allows the customer to sign on the tech's iPad or Toughbook. When they click accept, it should update the record in MySQL associated with the id passed in the URL. My issue is it's not working. You can view the form at http://jemtechnv.com/test/ticket_results.php and see that when you click on select it brings you to the technician's form to be filled out.
Here is my code that processes the 2nd part of the form:
<?php
// database connection //
include 'db/db_connect.php';
//This gets all the other information from the form
// start of form inputs //
$work_performed=$_POST['work_performed'];
$item_qty1=$_POST['item_qty1'];
$item_qty2=($_POST['item_qty2']);
$item_qty3=$_POST['item_qty1'];
$item_qty4=($_POST['item_qty2']);
$item_qty5=$_POST['item_qty1'];
$manuf_1=$_POST['manuf_1'];
$manuf_2=$_POST['manuf_2'];
$manuf_3=$_POST['manuf_3'];
$manuf_4=$_POST['manuf_4'];
$manuf_5=$_POST['manuf_5'];
$part_number1=$_POST['part_number1'];
$part_number2=$_POST['part_number2'];
$part_number3=$_POST['part_number3'];
$part_number4=$_POST['part_number4'];
$part_number5=$_POST['part_number5'];
$part_description1=$_POST['part_description1'];
$part_description2=$_POST['part_description2'];
$part_description3=$_POST['part_description3'];
$part_description4=$_POST['part_description4'];
$part_description5=$_POST['part_description5'];
$part1_price=$_POST['part_price1'];
$part2_price=$_POST['part_price2'];
$part3_price=$_POST['part_price3'];
$part4_price=$_POST['part_price4'];
$part5_price=$_POST['part_price5'];
$price_extension1=$_POST['price_extension1'];
$price_extension2=$_POST['price_extension2'];
$price_extension3=$_POST['price_extension3'];
$price_extension4=$_POST['price_extension4'];
$price_extension5=$_POST['price_extension5'];
$material_total=$_POST['material_total'];
$sales_tax=$_POST['sales_tax'];
$shipping_cost=$_POST['shipping_cost'];
$work_date1=$_POST['work_date1'];
$work_date2=$_POST['work_date2'];
$work_date3=$_POST['work_date3'];
$work_date4=$_POST['work_date4'];
$work_date5=$_POST['work_date5'];
$tech_name1=$_POST['tech_name1'];
$tech_name2=$_POST['tech_name2'];
$tech_name3=$_POST['tech_name3'];
$tech_name4=$_POST['tech_name4'];
$tech_name5=$_POST['tech_name5'];
$cost_code1=$_POST['cost_code1'];
$cost_code2=$_POST['cost_code2'];
$cost_code3=$_POST['cost_code3'];
$cost_code4=$_POST['cost_code4'];
$cost_code5=$_POST['cost_code5'];
$pay_rate1=$_POST['pay_rate1'];
$pay_rate2=$_POST['pay_rate2'];
$pay_rate3=$_POST['pay_rate3'];
$pay_rate4=$_POST['pay_rate4'];
$pay_rate5=$_POST['pay_rate5'];
$total_hours1=$_POST['total_hours1'];
$total_hours2=$_POST['total_hours2'];
$total_hours3=$_POST['total_hours3'];
$total_hours4=$_POST['total_hours4'];
$total_hours5=$_POST['total_hours5'];
$hours_subtotal1=$_POST['hours_subtotal1'];
$hours_subtotal2=$_POST['hours_subtotal2'];
$hours_subtotal3=$_POST['hours_subtotal3'];
$hours_subtotal4=$_POST['hours_subtotal4'];
$hours_subtotal5=$_POST['hours_subtotal5'];
$total_hours=$_POST['total_hours'];
$material_total=$_POST['material_total'];
$labor_cost=$_POST['labor_cost'];
$grand_total=$_POST['grand_total'];
//Writes the information to the database
mysql_query("UPDATE INTO tickets WHERE id=$id (work_performed, item_qty1, item_qty2, item_qty3, item_qty4, item_qty5,manuf_1, manuf_2, manuf_3, manuf_4, manuf_5, part_number1, part_number2, part_number3, part_number4, part_number5, part_description1, part_description2, part_description3, part_description_4, part_description_5, part1_price, part2_price, part3_price, part4_price, part5_price, price_extension1, price_extension2, price_extension3, price_extension4, price_extension5, material_total, sales_tax, shipping_cost, work_date1, work_date2, work_date3, work_date4, work_date5, tech_name1, tech_name2, tech_name3, tech_name4, tech_name5, cost_code1, cost_code2, cost_code3, cost_code4, cost_code5, pay_rate1, pay_rate2, pay_rate3, pay_rate4, pay_rate5, total_hours1, total_hours2, total_hours3, total_hours4, total_hours5, hours_subtotal1, hours_subtotal2, hours_subtotal3, hours_subtotal4, hours_subtotal5, total_hours, material_total, labor_cost, grand_total,)
VALUES ('$work_performed','$item_qty1','$item_qty2','$item_qty3','$item_qty4','$item_qty5','$mauf_1','$manuf_2','$manuf_3','$manuf_4','$manuf_5','$part_number1','$part_number2','$part_number3','$part_number4','$part_number5','$part_description1','$part_description2','$part_description3','$part_description_4',
'$part_description5','$part1_price','$part2_price','$part3_price','$part4_price','$part5_price','$price_extension1','$price_extension2','$price_extension3','$price_extension4','$price_extension5','$material_total','$sales_tax','$shipping_cost','$work_date1','$work_date2','$work_date3','$work_date4','$work_date5','$tech_name1','$tech_name2','$tech_name3','$tech_name4','$tech_name5','$cost_code1','$cost_code2','$cost_code3','$cost_code4','$cost_code5','$pay_rate1','$pay_rate2','$pay_rate3','$pay_rate4','$pay_rate5',
'$total_hours1','$total_hours2','$total_hours3','$total_hours4','$total_hours5','$hours_subtotal1','$hours_subtotal2','$hours_subtotal3','$hours_subtotal4','$hours_subtotal5','$total_hours','$material_total','$labor_cost','$grand_total',)") ;
mysql_affected_rows();
?>
<html>
<body>
<center>
<br><br><br>
<form name="results" method="post" action="ticket_results.php" enctype="multipart/form-data" id="ticketresult">
<input type="submit" class="submit" id="ticketresult" style="width: 165px" value="Do Something">
</form>
</center>
</body>
</html>
I'm also aware I need to take MySQL injection precautions but honestly at the moment that's not a priority as I just want to get the form working first then I will go back and clean up the code. Thanks for your help! I've disabled the signature portion of the form so clicking on get signature on the 2nd form will process the form and do the updates for that record, well it's supposed to but doesn't!
UPDATE: I have changed the query syntax as suggested below to this:
mysql_query("UPDATE tickets SET (work_performed, item_qty1, item_qty2, item_qty3, item_qty4, item_qty5,manuf_1, manuf_2, manuf_3, manuf_4, manuf_5, part_number1, part_number2, part_number3, part_number4, part_number5, part_description1, part_description2, part_description3, part_description_4, part_description_5, part1_price, part2_price, part3_price, part4_price, part5_price, price_extension1, price_extension2, price_extension3, price_extension4, price_extension5, material_total, sales_tax, shipping_cost, work_date1, work_date2, work_date3, work_date4, work_date5, tech_name1, tech_name2, tech_name3, tech_name4, tech_name5, cost_code1, cost_code2, cost_code3, cost_code4, cost_code5, pay_rate1, pay_rate2, pay_rate3, pay_rate4, pay_rate5, total_hours1, total_hours2, total_hours3, total_hours4, total_hours5, hours_subtotal1, hours_subtotal2, hours_subtotal3, hours_subtotal4, hours_subtotal5, total_hours, material_total, labor_cost, grand_total,)WHERE id=$id
VALUES ('$work_performed','$item_qty1','$item_qty2','$item_qty3','$item_qty4','$item_qty5','$mauf_1','$manuf_2','$manuf_3','$manuf_4','$manuf_5','$part_number1','$part_number2','$part_number3','$part_number4','$part_number5','$part_description1','$part_description2','$part_description3','$part_description_4',
'$part_description5','$part1_price','$part2_price','$part3_price','$part4_price','$part5_price','$price_extension1','$price_extension2','$price_extension3','$price_extension4','$price_extension5','$material_total','$sales_tax','$shipping_cost','$work_date1','$work_date2','$work_date3','$work_date4','$work_date5','$tech_name1','$tech_name2','$tech_name3','$tech_name4','$tech_name5','$cost_code1','$cost_code2','$cost_code3','$cost_code4','$cost_code5','$pay_rate1','$pay_rate2','$pay_rate3','$pay_rate4','$pay_rate5',
'$total_hours1','$total_hours2','$total_hours3','$total_hours4','$total_hours5','$hours_subtotal1','$hours_subtotal2','$hours_subtotal3','$hours_subtotal4','$hours_subtotal5','$total_hours','$material_total','$labor_cost','$grand_total',)");
but now I get the following error when I submit the form to update the database,
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(work_performed, item_qty1, item_qty2, item_qty3, item_qty4, item_qty5,manuf_1, ' at line 1

Your query is wrong. The query should be
UPDATE tickets SET work_performed = something, item_qty1 = something .... WHERE id=$id
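The `UPDATE ... SET column = value ... WHERE id = ...` form from the answer, written out as an added example (not code from the thread) for a form with many fields: the SET list is built from an allow-list of column names and every value is bound as a parameter. It assumes PDO with in-memory SQLite so it runs stand-alone; the function name `updateTicket`, the shortened column list and the sample ticket are constructed.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO/SQLite in memory
// stands in for MySQL; the table is cut down to a few of the question's
// columns; the ticket row and the posted values are constructed.
const TICKET_COLUMNS = ['work_performed', 'item_qty1', 'manuf_1',
                        'part_number1', 'grand_total'];

// Update ticket $rawId (the ?id= value from the URL) with the posted fields.
function updateTicket(PDO $pdo, $rawId, array $post): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        throw new InvalidArgumentException('ticket id must be a positive integer');
    }
    // Keep only string fields whose name is on the allow-list. Column names
    // cannot be bound as parameters, so they must never come from the request.
    $fields = array_filter(
        array_intersect_key($post, array_flip(TICKET_COLUMNS)),
        'is_string'
    );
    if ($fields === []) {
        throw new InvalidArgumentException('no known fields submitted');
    }
    $assignments = [];
    foreach (array_keys($fields) as $column) {
        $assignments[] = "$column = :$column"; // e.g. "item_qty1 = :item_qty1"
    }
    $sql = 'UPDATE tickets SET ' . implode(', ', $assignments) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($fields + ['id' => $id]);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, work_performed TEXT,
    item_qty1 TEXT, manuf_1 TEXT, part_number1 TEXT, grand_total TEXT)');
$pdo->exec('INSERT INTO tickets (id) VALUES (10)');

// Constructed POST data: two known fields and one that is not a column.
$post = ['work_performed' => "Replaced fan; customer's unit tested OK",
         'grand_total' => '120.50', 'not_a_column' => 'ignored'];
echo 'rows updated: ', updateTicket($pdo, '10', $post), "\n";
print_r($pdo->query('SELECT * FROM tickets WHERE id = 10')->fetch(PDO::FETCH_ASSOC));

try {
    updateTicket($pdo, '10 OR 1=1', $post); // not an integer: rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```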

How to input data and use get variable

I'm trying to write a page that allows users to type a post and, when submitted, opens a new page with the post on it. This means that the post must be entered into a database first before it can be retrieved on another page. This is similar to when someone asks a question on Stack Overflow. The question appears on a new page and the page is given a unique id, except I would like this unique id to be in a GET variable.
HTML of current page (ask.php):
<form method=POST' action='ask.php?q<php echo $id ?>'>
<input type='text' id='post'>
<input type='submit' value='submit' name='submit'>
PHP:
$post=$_POST['post'];
//then run query to input data into database
}
$result=mysql_query("SELECT * FROM questions WHERE user='$user' AND time='$time'");
while ($row = mysql_fetch_assoc($result)){
$id=$row['id'];
}
ask_action.php:
<?php header("Location: http://localhost/biology/question.php?q=$id"); ?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</head>
<body>
<?php
include '../connect.php';
if (isset($_POST['questionSubmit'])){
$question=mysql_real_escape_string($_POST['question']);
$detail=mysql_real_escape_string($_POST['detail']);
$date=date("d M Y");
$time=time();
$user=$_SESSION['id'];
$put=mysql_query("INSERT INTO questions VALUES ('','$question','$detail','$date','$time','$user','biology','0')");
$id=mysql_insert_id();
}
?>
</body>
</html>

If you don't want the "ask" page to be on the same page that you view the post, you can split this into three pages.
Page 1:
The page with the form where people write their post and submit it. Page 2 will be in the action part of the form.
Page 2:
The page that retrieves the POST data. Here you'll verify all the information and submit it to the database. You then retrieve the insert id and redirect the user to the page where you want to display the results. You use the id from the insert query in the redirect.
Page 3:
Where the users see the submitted information.
I notice that you've tried this approach somehow, but you've got a few mistakes that need correcting. First of all, your ask.php page needs improvement.
You're missing one apostrophe ( ' ) before the POST in method, and your action needs correcting. Remember that the form action is supposed to go to the page that verifies and handles the data from the form. In this case it would be the *ask_action.php* page. Therefore the ask.php page should be like this:
<form method='POST' action='ask_action.php'>
<input type='text' name='question' />
<input type='text' name='detail' />
<input type='submit' value='submit' name='submit' />
</form>
*ask_action.php* will handle the data, verify it and redirect to the page that views it. There is no need for html on the page that verifies it.
<?php
include('../connect.php'); // your database connection etc.
if (isset($_POST['submit'])) { // only react if the submit button is pressed
    $question = mysql_real_escape_string($_POST['question']);
    $detail = mysql_real_escape_string($_POST['detail']);
    $date = date("d M Y");
    $time = time();
    $user = $_SESSION['id'];
    // Same value order as the INSERT in the question, including $detail
    mysql_query("INSERT INTO questions VALUES('', '$question', '$detail', '$date', '$time', '$user', 'biology', 0)");
    $id = mysql_insert_id(); // auto-increment id of the row just inserted
    header("Location: view_page.php?id=$id");
    exit; // stop the script once the redirect header has been sent
} else {
    echo "Nothing submitted.";
}
?>
Then you'd have a third page where you display the data that you get from the database. If you notice the header function that I've used, it's redirecting the user to view_page.php. This is where you'll display the data by the id number that is supplied. To get the id number you simply use $id = $_GET['id'];.
I also noticed that you're using both time() and date("d M y"). That is not necessary. If you read about time on php.net you'll see that the time function generates the current unix timestamp. You can use that to output a date in the way that you want to. For instance: if you'd like to display both the date and time that the question was submitted you can use this date("d M y H:i", $time) where $time is the time-column in your database table.
This can all be combined in one single page, but I kept them separated so it's easier for you to see the difference.

The first problem here is in your opening form tag. It should read:
<form method='post' action='ask.php?q=<?php echo $id ?>'>
or
<form method='post' action='ask.php?q=<?= $id ?>'>
Your input tag should read:
<input type='text' name='post' id='post' />
I think the functionality you're looking for is provided by mysql_insert_id, as long as your id column is auto-incremented. If you're not auto-incrementing your id column, could you provide more info about your db table?

You have a few problems here. First and foremost you NEED to synthesize your incoming code with something like mysql_escape_string($_POST). You also need to name your text field; currently you're trying to pull it based on ID and that won't work.
Change: <input type='text' id='post'> into <input type='text' name='post' id='post'>
Your order is backwards as well. Without using AJAX, the best way to do this is to load your posts and IDs using PHP at the top of the page, then have the actual writing to the database happen on the resulting page.
On your "submit" page, you need to have the PHP code do the insert into the database, then retrieve the ID of that new post using mysql_insert_id. Then that page could redirect the user to the appropriate page using the just-retrieved ID as a GET parameter (using the header function).

how to show error message if someone left a field blank

So I created this page where a user can send data to a MySQL database, but when they leave a field blank and click submit I want an error to show up saying "You left a field blank".
This is the code:
<?php
$hostname = "";
$db_user = "";
$db_password = "";
$database = "";
$db_table = "";
# STOP HERE
####################################################################
# THIS CODE IS USED TO CONNECT TO THE MYSQL DATABASE
$db = mysql_connect($hostname, $db_user, $db_password);
mysql_select_db($database,$db);
?>
<html>
<head>
<title>Add your url to out database</title>
</head>
<body>
<?php
if (isset($_REQUEST['Submit'])) {
# THIS CODE TELL MYSQL TO INSERT THE DATA FROM THE FORM INTO YOUR MYSQL TABLE
$sql = "INSERT INTO $db_table(title,description,url,keywords) values ('".mysql_real_escape_string(stripslashes($_REQUEST['title']))."','".mysql_real_escape_string(stripslashes($_REQUEST['description']))."','".mysql_real_escape_string(stripslashes($_REQUEST['url']))."','".mysql_real_escape_string(stripslashes($_REQUEST['keywords']))."')";
if($result = mysql_query($sql ,$db)) {
echo '<h1>Thank you</h1>Your information has been entered into our database<br><br>';
} else {
echo "ERROR: ".mysql_error();
}
} else {
?>
<h1><center><img src='addalink.png'><center></h1>
<hr>
<center>
<form method="post" action="">
Name of the song:<br>
<input type="text" name="title"><br>
Artist: <br>
<input type="text" name="description"><br>
Download link: <br>
<font color="#0000FF">http://</font><input type="text" name="url"><br>
<input type="submit" name="Submit" value="Submit">
</form></br>
<?php
}
?> <center>
</body>
</html>

First of all, use a CSS style to style your form's inputs. It's a lot easier to read, and it means if you need to change anything in the future it's quick.
What you're wanting to do is run a script on submit that checks whether or not the values in the required fields are what you expect.
The jQuery Validation Plugin - http://bassistance.de/jquery-plugins/jquery-plugin-validation/ takes care of what you want.
If you want to write your own, it's a process of attaching the validation function to the click event of the submit button (or the onSubmit event of the form) and checking the data that's in the form.
If the data is missing, you add a class to show this. If the data is valid, you remove the previous class.
Finally, you only return true (to submit the form) in the case everything validates.
Keep in mind this is only client side, you still need to validate your data server side for security.

So, the common response is "do this on the front-end". If anything you are posting has security implications then I'd also recommend you check your form data on the back-end.
Also, if you're going to go through the process of using mysql_real_escape, you might as well use mysqli and parameterized queries; see: http://us2.php.net/manual/en/mysqli-stmt.prepare.php.
If you choose to go the back-end route, especially if you are using AJAX for the post, you can throw an Exception that actually outputs a 500 error along with the message you want to display, and then use JavaScript to handle the "error case", so you can provide really nice validation methods that still do the validation on the server side.
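The server-side check both answers recommend, as an added example that is not code from the thread: it validates the three fields of the question's form before any query runs and returns per-field errors. The function names, the 255-byte limit and the 422 status code are assumptions of this example; the sample submissions are constructed.

```php
<?php
// Added example, not the poster's code. Field names come from the question's
// form; the length limit, status code and sample inputs are assumptions.
const REQUIRED = ['title' => 'Name of the song', 'description' => 'Artist',
                  'url' => 'Download link'];
const MAX_LEN = 255; // assumed column width

// Returns ['ok' => bool, 'clean' => [...], 'errors' => [field => message]].
function validateSubmission(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (REQUIRED as $field => $label) {
        $value = $input[$field] ?? '';
        // title[]=x arrives as an array; anything that is not a string is blank.
        $value = is_string($value) ? trim($value) : '';
        if ($value === '') {
            $errors[$field] = "You left a field blank: $label";
        } elseif (strlen($value) > MAX_LEN) {
            $errors[$field] = "$label is longer than " . MAX_LEN . ' bytes';
        } else {
            $clean[$field] = $value;
        }
    }
    if (isset($clean['url'])) {
        // The form shows a fixed "http://" in front of the input box, so add
        // it unless the user typed a scheme themselves.
        $url = preg_match('#^https?://#i', $clean['url'])
             ? $clean['url'] : 'http://' . $clean['url'];
        if (filter_var($url, FILTER_VALIDATE_URL) === false) {
            $errors['url'] = 'Download link is not a valid URL';
            unset($clean['url']);
        } else {
            $clean['url'] = $url;
        }
    }
    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// For an AJAX post: status code plus JSON body that the page's JavaScript can
// turn into messages. 422 is this example's choice for "input rejected".
function toResponse(array $result): array
{
    return $result['ok']
        ? [200, json_encode(['saved' => true])]
        : [422, json_encode(['errors' => $result['errors']])];
}

// Constructed submissions: complete, blank artist, and a malformed link.
$samples = [
    ['title' => 'Song A', 'description' => 'Artist A', 'url' => 'example.com/a.mp3'],
    ['title' => 'Song B', 'description' => '   ', 'url' => 'example.com/b.mp3'],
    ['title' => 'Song C', 'description' => 'Artist C', 'url' => 'not a url'],
];
foreach ($samples as $sample) {
    [$status, $body] = toResponse(validateSubmission($sample));
    echo "$status $body\n";
}
```

Only the values in `clean` should go on to the INSERT, bound through a parameterized query as the second answer suggests.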

implement a button to send information to another php file?

I've got the following php code printing out the contents of a SQL table.
$query="select * from TABLE";
$rt=mysql_query($query);
echo mysql_error();
mysql_close();
?>
<i>Name, Message, Type, Lat, Lng, File </i><br/><br/>
<?php
while($nt=mysql_fetch_array($rt)){
if($nt[name] != null){
echo "$nt[id] $nt[name] $nt[message] $nt[type] $nt[lat] $nt[lng] $nt[file]";
}
}
?>
How would I implement a button so for each "row" if the button is clicked on that row it'll submit the information of that row to another php file?
I want it looking something like...
details details2 details3 BUTTON
details4 details5 details6 BUTTON
details7 details8 details9 BUTTON
details10 details11 details12 BUTTON
Where if BUTTON was hit on row 1, details 1,2,3 would be sent to a PHP file, on row 2 details 4,5,6 would be sent, etc. How would I do this?
Thanks.

It's going to be something like this, depending on the data you need to send:
while($nt = mysql_fetch_array($rt)) {
if($nt[name] != null){
echo "$nt[id] $nt[name] $nt[message] $nt[type] $nt[lat] $nt[lng] $nt[file] ".'send request<br/>';
}
}
You can either use GET method and send a query string to the second php page and receive the variables there, like
next.php?variable1=value1&variable2=value2&...
or use POST method by making a hidden form for each row and assign a hidden field for each variable you want to send.
<form method="post" action="next.php">
<input type="hidden" name="variable1" value="value1" />
<input type="hidden" name="variable2" value="value2" />
.
.
.
</form>
or instead of sending all the values, just send the row ID (if any) using any of these two methods and run another query in next.php to get the information you need from database.

Instead of submitting the entire data, just send the ID and fetch the results from the database in the other script. If you want to have an input button, you can do
<form action="/other-script.php" method="GET">
<?php printf('<input type="submit" name="id" value="%s" />', $nt["id"]); ?>
</form>
but you could also just add a link, e.g.
printf('Submit ID', $nt["id"]);
If you really want to send the entire row values over again, you have to make them into form inputs. In that case, I'd send them via POST though.
