
Private message system

Posted: Tue Oct 14, 2003 4:44 pm
by Rob
I've been working on my PM system, and I need some advice on how to go about viewing the PMs. First, all PMs are listed in a table, then you click the subject to view the PM. But how can I do this right? My first idea was to link it to ./viewpm.php?subject=whatever and then view it that way, but if there are duplicate subjects that would mess it up. Should I use ID? Another thing that worries me about this is that all the users' PMs are stored in a single table. Is that OK?

Posted: Tue Oct 14, 2003 4:57 pm
by qads
Yes, you should use IDs to view PMs.

Do you have a login system? If so, make use of the user id, e.g.

Code:

<?php
$query = mysql_query("select `message` from `pm_table` where `user_id` = '".$_SESSION['user_id']."' order by ID DESC");
$check = mysql_num_rows($query);
if($check != 0)
{
//list pms
}
else
{
echo "You have 0 messages....";
}
?>
got the idea? :D

Posted: Tue Oct 14, 2003 5:44 pm
by JAM
Preferably userid & messageid.
Userid to apply safety, messageid to skip the hassle of duplicate subjects etc.

Code:

// http://www.example.com/viewmsg.php?id=14
"select message from pm_table where user_id = '$_SESSION[userid]' and message_id = '$_GET[id]'"

Posted: Tue Oct 14, 2003 5:52 pm
by Rob
Thanks, I'll try it out. I never even thought of adding a message ID.

Posted: Tue Oct 14, 2003 5:55 pm
by McGruff

Posted: Tue Oct 14, 2003 6:57 pm
by Rob
For sending a message I'm trying to make sure the user exists before it's sent. This is my verification code.

$sql_username_check = mysql_query("SELECT user FROM usersys WHERE user='$_GET[user]'");
$username_check = mysql_num_rows($sql_username_check);
if($username_check < 0){
echo "<strong>Username not active.<br />";
unset($username);
exit();

It doesn't work though, any ideas?

Posted: Wed Oct 15, 2003 5:23 am
by Nay

Code:

$sql_username_check = mysql_query("SELECT user FROM usersys WHERE user='{$_GET['user']}'");
$username_check = mysql_num_rows($sql_username_check);
if($username_check < 0) {
echo "<strong>Username not active.</strong><br />";
unset($username);
exit();
} else {
// do the script
}
Two things. One:

Code:

$_GET[user]; // BAD

$_GET['user']; // GOOD

"SELECT * FROM thetable WHERE user = '$_GET['user']'"; // BAD

"SELECT * FROM thetable WHERE user = '{$_GET['user']}'"; // GOOD
And two, you forgot the } after exit() to end the if operator.

-Nay

Posted: Wed Oct 15, 2003 5:58 am
by qads
is the user name like "qads" without the speech marks? if so then use

Code:

<?php
$username = addslashes($_GET['user']);
?>
if it is a number (ID) then use:

Code:

<?php
$username = (int)$_GET['user'];

?>
it's more safe :D

Posted: Wed Oct 15, 2003 3:24 pm
by Rob
<?php
session_start();

if(!isset($_SESSION['loggedin']))
{
//hack attempt?
include ("login.php");
exit;
} else {
//o ok
}
$conn = mysql_connect("localhost","****","******");
$db = mysql_select_db("********");

$sql_username_check = mysql_query("SELECT user FROM usersys WHERE user='$_GET[user]'");
$username_check = mysql_num_rows($sql_username_check);
if($username_check < 0) {
echo "<strong>Username not active.</strong><br />";
unset($username);
exit();
} else {
// do the script
}

?>

That's my full code, except SQL login info. No errors, but it also doesn't stop users that don't exist.

Posted: Wed Oct 15, 2003 4:52 pm
by qads
if($username_check < 0) {


should be
if($username_check == 0) {

Posted: Wed Oct 15, 2003 5:12 pm
by Rob
Thanks, I'll try it out

Posted: Thu Oct 16, 2003 2:24 pm
by Rob
Thanks for all your help, it works great
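
Added example, not part of the original thread or written by any of its posters: the two checks discussed above (viewing a PM by message id scoped to the logged-in user, and verifying that a recipient exists before sending) written with PDO prepared statements so request values never become part of the SQL text. The in-memory SQLite database, the sample rows and the function names fetchPm() and recipientExists() are assumptions made for the example; the table and column names follow the posts.

```php
<?php
// Added example: fetchPm(), recipientExists() and all sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE usersys (user_id INTEGER PRIMARY KEY, user TEXT UNIQUE)");
$db->exec("CREATE TABLE pm_table (message_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  subject TEXT, message TEXT)");
$db->exec("INSERT INTO usersys VALUES (1, 'rob'), (2, 'qads')");
$db->exec("INSERT INTO pm_table VALUES (14, 1, 'hi', 'for rob only'),
                                       (15, 2, 'hi', 'for qads only')");

// Return the message text only if message $rawId belongs to $ownerId, else null.
function fetchPm(PDO $db, int $ownerId, $rawId): ?string
{
    // Accept only a plain positive integer; anything else is refused before SQL runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Both conditions matter: message_id picks the row, user_id enforces ownership.
    $stmt = $db->prepare(
        'SELECT message FROM pm_table WHERE user_id = ? AND message_id = ?'
    );
    $stmt->execute([$ownerId, $id]);
    $message = $stmt->fetchColumn();
    return $message === false ? null : $message;
}

// True when a user with this name exists; a count of 0 means "do not send".
function recipientExists(PDO $db, string $name): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM usersys WHERE user = ?');
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn() > 0;
}

// In a real page these values come from $_SESSION['user_id'], $_GET['id'], $_GET['user'].
var_dump(fetchPm($db, 1, '14'));                 // owner asks for own message
var_dump(fetchPm($db, 2, '14'));                 // different user asks for the same id
var_dump(fetchPm($db, 1, "14' OR '1'='1"));      // id that is not an integer
var_dump(recipientExists($db, 'qads'));          // existing recipient
var_dump(recipientExists($db, "x' OR '1'='1"));  // quote characters are bound as data
```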