
Function Not Working In Sending Inboxes [RESOLVED]

Posted: Wed Oct 01, 2014 12:48 am
by Epiales
Okay, I've messed with this all day and can't figure out what is going on. If I use the below code WITHOUT the function and ENT, then it sends the message and puts it into the database and I'm able to recall the messages from the database. But if I use a function with it (any function), it will not put the pid, subject, or message into the database... When I check the database, it only shows the date, randid, and the other fields are blank, thus not allowing the messages to be viewed in the inbox. What's wrong?

Code:

if(isset($_POST['sendmessage'])) {

$message =  protect($_POST["message"], ENT_QUOTES);
$subject = protect($_POST["subject"], ENT_QUOTES);
$sendto = protect($_POST["sendto"], ENT_QUOTES);
$randid = rand(999,9999999);

$sql = "INSERT INTO `messages` (`pid`,`sender`,`message`,`subject`,`randid`) VALUES ('".$sendto."','".$user_username."','".$message."','".$subject."','".$randid."')";
$user_query3 = mysqli_query($db_conx, $sql); 
It doesn't matter if I use my custom function or even use mysql_real_escape_string before it, it won't work. The only thing I've been able to use is htmlentities... is that enough?

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 3:30 am
by KyleMassacre
I have been taught by people and everywhere else on the web that you should try to keep your data as raw as possible when inserting to the db. Now this is always open to multiple points of view, some may agree and others may not. But what I think 99% of people can agree on is that your html*() functions are best used on your output.
You can do some validations before your input to make sure your data is good to go then sanitize your output.

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 5:59 am
by Sim
#1: Your form text fields are not named the same as your $_POST['names'] in the php file

#2: Your form text fields are outside your form in your HTML file resulting in it not being sent to the php file at all..

#3: Your database field could not be VARCHAR or BLOB or TEXT or whatever you have it set as. Could be an INT, LONGINT
(not sure if this would convert the first letter of the string to an integer or just leave it blank. I don't think I have ever done this)
I would start with #1 and #2

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 11:21 am
by Epiales
Sim wrote:#1: Your form text fields are not named the same as your $_POST['names'] in the php file

#2: Your form text fields are outside your form in your HTML file resulting in it not being sent to the php file at all..

#3: Your database field could not be VARCHAR or BLOB or TEXT or whatever you have it set as. Could be an INT, LONGINT
(not sure if this would convert the first letter of the string to an integer or just leave it blank. I don't think I have ever done this)
I would start with #1 and #2
Here is all the code for it. As I stated earlier, if I remove the functions then it WILL send to the database, so the text names are working and do match one another. It's working, but not working with function before them. It works with htmlentities, but nothing else, not even the mysql_real_escape_string works with it. The code below is working, but is the htmlentities enough to help keep it safe?

Code:

<?php

$bypass = 0;

if(isset($_POST['sendmessage'])) {

$message =  htmlentities($_POST["message"], ENT_QUOTES);
$subject = htmlentities($_POST["subject"], ENT_QUOTES);
$sendto = htmlentities($_POST["sendto"], ENT_QUOTES);
$randid = rand(999,9999999);

$sql = "INSERT INTO `messages` (`pid`,`sender`,`message`,`subject`,`randid`) VALUES ('".$sendto."','".$user_username."','".$message."','".$subject."','".$randid."')";
$user_query3 = mysqli_query($db_conx, $sql);

echo "<br /><span id='errormess'><big><b><center><font color='red'>Message Sent Successfully!</font></center></b></big></span><br />";

}

echo "<b>----------------------Send Private Message ---------------------</b>";
echo "<div style='width:402px'>";
echo "<br><form method ='post' action = 'mafiawarskingdom.php?messages=1'>";
echo "Send To:  <input type = 'text' name = 'sendto' size = '25'>";
echo "</div>";    

echo "<div>";
echo "Subject:    <input type = 'text' name = 'subject' size = '25' maxlength='40'><br><br>";
echo "</div>";

echo "<div style='vertical-align: top;'>";
echo "Content:<textarea rows='15' cols='60' maxlength = '600' name = 'message'>";
echo "</textarea><br>";
echo "</div>";

echo "<input type = 'hidden' name = 'sendmessage' value = '1'>";
echo "<center>";
echo "<input type = 'submit' name = 'sendmessage' id = 'sendmessage' value = 'Send Message'>";
echo "</form>";

?>

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 2:50 pm
by Sim
post your protect function.

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 3:25 pm
by Epiales
Sim wrote:post your protect function.

Code:

<?php

function protect($i) {
    $i = trim($i);
    $i = stripslashes($i);
    $i = htmlentities($i, ENT_COMPAT, 'UTF-8');
    $i = mysql_real_escape_string($i);
    
    return $i;
}
?>

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 10:13 pm
by KyleMassacre
Epiales wrote:
Sim wrote:post your protect function.

Code:

<?php

function protect($i) {
    $i = trim($i);
    $i = stripslashes($i);
    $i = htmlentities($i, ENT_COMPAT, 'UTF-8');
    $i = mysql_real_escape_string($i);
    
    return $i;
}
?>
mysql_real_escape_string requires parameter 2 to be your connection string. Try adding that and see if it works. I personally don't like this function because of what I said above about the htmlentities which is generally used for output.

You can try something like this:

Code:

<?php

function protect($i,$output=true) {
    global $conn;
    $i = trim($i);
    $i = stripslashes($i);
    if($output == true) {
        $i = htmlentities($i, ENT_COMPAT, 'UTF-8');
    }
    $i = mysqli_real_escape_string($i,$conn);
    
    return $i;
}

echo protect($var);
?>

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 10:32 pm
by Epiales
Okay, I used it and got this error... BUT

Code:

 Parse error: syntax error, unexpected 'global' (T_GLOBAL), expecting '{' in C:\xampp\htdocs\login2\includes\functions.php on line 46
I added the { and it blocked my send message text boxes so I can't send message lol

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 10:33 pm
by KyleMassacre
My bad, post updated

Re: Function Not Working In Sending Inboxes

Posted: Wed Oct 01, 2014 10:36 pm
by Epiales
KyleMassacre wrote:My bad, post updated
Okay, I added your changes and I get this now:

Code:

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in C:\xampp\htdocs\login2\includes\functions.php on line 48

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in C:\xampp\htdocs\login2\includes\functions.php on line 48

Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, string given in C:\xampp\htdocs\login2\includes\functions.php on line 48
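
An added example, not code from any poster in this thread: the old mysql_real_escape_string() needs a mysql_connect() link and returns false when only a mysqli connection is open, and mysqli_real_escape_string() takes the connection first and the string second. A prepared statement avoids both problems and stores the text raw, with HTML encoding left to output as suggested earlier in the thread. The names send_message() and h() and the connection values in the usage comment are assumptions made for this example, which is written for PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts; send_message() and h() are hypothetical helper names.

// Store the message as typed. Placeholders keep the values out of the SQL
// text, so no escaping function is involved and quotes cannot break the query.
function send_message(mysqli $db, string $to, string $from, string $subject, string $body): bool
{
    $to      = trim($to);
    $subject = trim($subject);
    // Browsers submit textarea line breaks as CRLF; count them as one character.
    $body    = trim(str_replace("\r\n", "\n", $body));

    // Validate before storing; the limits mirror the form's maxlength values.
    if ($to === '' || $subject === '' || $body === ''
        || mb_strlen($subject, 'UTF-8') > 40 || mb_strlen($body, 'UTF-8') > 600) {
        return false;
    }

    $stmt = mysqli_prepare(
        $db,
        'INSERT INTO `messages` (`pid`,`sender`,`message`,`subject`,`randid`) VALUES (?,?,?,?,?)'
    );
    if ($stmt === false) {
        return false;
    }
    $randid = random_int(999, 9999999);
    // Four strings and one integer, in the same order as the column list.
    mysqli_stmt_bind_param($stmt, 'ssssi', $to, $from, $body, $subject, $randid);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Encode only at the point where stored text is written into an HTML page.
function h(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Usage (placeholder credentials; $row is a row fetched from `messages`):
// $db_conx = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name');
// send_message($db_conx, $_POST['sendto'], $user_username, $_POST['subject'], $_POST['message']);
// echo '<b>' . h($row['subject']) . '</b><p>' . nl2br(h($row['message'])) . '</p>';
```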