Private message system
Posted: Tue Oct 14, 2003 4:44 pm
by Rob
I've been working on my PM system, I need some advice on how to go about viewing the PMs. First, all PMs are listed in a table, then you click the subject to view the PM.. but how can I do this right... my first idea was to link it to ./viewpm.php?subject=whatever then view it that way, but if there's duplicate subjects that would mess it up, should I use ID? Another thing that worries me about this is all the users' PMs are stored in a single table, is that ok?
Posted: Tue Oct 14, 2003 4:57 pm
by qads
yes you should use IDs to view PMs..
do you have a login system? if so, make use of user id, e.g.
Code:
<?php
$query = mysql_query("select `message` from `pm_table` where `user_id` = '".$_SESSION['user_id']."' order by ID DESC");
$check = mysql_num_rows($query);
if($check != 0)
{
//list pms
}
else
{
echo "You have 0 messages....";
}
?>
got the idea?

Posted: Tue Oct 14, 2003 5:44 pm
by JAM
Preferably userid & messageid.
Userid to apply safety, messageid to skip the hassle of duplicate subjects etc.
Code:
// http://www.example.com/viewmsg.php?id=14
"select message from pm_table where user_id = '$_SESSION[userid]' and message_id = '$_GET[id]'"
Posted: Tue Oct 14, 2003 5:52 pm
by Rob
thanks, I'll try it out. I never even thought of adding a message ID
Posted: Tue Oct 14, 2003 5:55 pm
by McGruff
Posted: Tue Oct 14, 2003 6:57 pm
by Rob
For sending a message I'm trying to make sure the user exists before it's sent. This is my verification code.
$sql_username_check = mysql_query("SELECT user FROM usersys WHERE user='$_GET[user]'");
$username_check = mysql_num_rows($sql_username_check);
if($username_check < 0){
echo "<strong>Username not active.<br />";
unset($username);
exit();
It doesn't work though, any ideas?
Posted: Wed Oct 15, 2003 5:23 am
by Nay
Code:
$sql_username_check = mysql_query("SELECT user FROM usersys WHERE user='{$_GET['user']}'");
$username_check = mysql_num_rows($sql_username_check);
if($username_check < 0) {
echo "<strong>Username not active.</strong><br />";
unset($username);
exit();
} else {
// do the script
}
Two things. One:
Code:
$_GET[user]; // BAD
$_GET['user']; // GOOD
"SELECT * FROM thetable WHERE user = '$_GET['user']'"; // BAD
"SELECT * FROM thetable WHERE user = '{$_GET['user']}'"; // GOOD
And two, you forgot the } after exit() to end the if operator.
-Nay
Posted: Wed Oct 15, 2003 5:58 am
by qads
is the user name like "qads" without the speech marks? if so then use
Code:
<?php
$username = addslashes($_GET['user']);
?>
if it is a number (ID) then use:
Code:
<?php
$username = (int)$_GET['user'];
?>
it's more safe

Posted: Wed Oct 15, 2003 3:24 pm
by Rob
<?php
session_start();
if(!isset($_SESSION['loggedin']))
{
//hack attempt?
include ("login.php");
exit;
} else {
//o ok
}
$conn = mysql_connect("localhost","****","******");
$db = mysql_select_db("********");
$sql_username_check = mysql_query("SELECT user FROM usersys WHERE user='$_GET[user]'");
$username_check = mysql_num_rows($sql_username_check);
if($username_check < 0) {
echo "<strong>Username not active.</strong><br />";
unset($username);
exit();
} else {
// do the script
}
?>
That's my full code, except SQL login info... No errors but it also doesn't stop users that don't exist.
Posted: Wed Oct 15, 2003 4:52 pm
by qads
if($username_check < 0) {
should be
if($username_check == 0) {
Posted: Wed Oct 15, 2003 5:12 pm
by Rob
Thanks, I'll try it out
Posted: Thu Oct 16, 2003 2:24 pm
by Rob
Thanks for all your help, it works great
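
Added example, not part of the original thread and not any poster's code: the user_id + message_id lookup and the "== 0 rows" recipient check discussed above, written with bound parameters so request values never become part of the SQL text. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, the function names view_pm and recipient_exists are hypothetical, the session user id is passed in as a parameter, and the sample rows are constructed.

```php
<?php
// Constructed schema and rows; table and column names follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE usersys (user_id INTEGER PRIMARY KEY, user TEXT UNIQUE)");
$db->exec("CREATE TABLE pm_table (message_id INTEGER PRIMARY KEY, user_id INTEGER, subject TEXT, message TEXT)");
$db->exec("INSERT INTO usersys VALUES (1, 'rob'), (2, 'qads')");
$db->exec("INSERT INTO pm_table VALUES (14, 1, 'hi', 'for rob'), (15, 2, 'hi', 'for qads')");

// Returns the message body only when the row belongs to the logged-in user.
// $sessionUserId is the server-side session value; $rawId is the ?id= value.
function view_pm(PDO $db, int $sessionUserId, $rawId): ?string
{
    // Accept only a plain positive integer as a message id.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT message FROM pm_table WHERE user_id = :uid AND message_id = :mid'
    );
    $stmt->execute([':uid' => $sessionUserId, ':mid' => $id]);
    $message = $stmt->fetchColumn();          // false when no row matched
    return $message === false ? null : $message;
}

// True when the recipient name matches a row; zero rows means "not active".
function recipient_exists(PDO $db, string $name): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM usersys WHERE user = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn() > 0;
}

var_dump(view_pm($db, 1, '14'));               // message 14 is owned by user 1
var_dump(view_pm($db, 1, '15'));               // message 15 is owned by user 2
var_dump(view_pm($db, 1, "14' OR '1'='1"));    // id that is not an integer
var_dump(recipient_exists($db, 'qads'));       // existing user name
var_dump(recipient_exists($db, "x' OR '1'='1")); // quote characters in the name
```

Because the owner id is part of the WHERE clause, changing ?id= to another user's message id returns nothing rather than that user's message.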