why does php not inject "subject"


cma
03-31-2005, 01:49 AM
I tried to solve an unbelievable problem and found it impossible to find a solution... and two of my friends, who are better than me, have no idea why or what happened.

Sample at http://www.narutocity.uni.cc/torrentcity/account-mail.php and just ignore the language function.

Log in as realone with password 123456 (you can test by sending a PM to me as cwa).

You will notice the subject is not there... neither in the PM outbox nor in the inbox when you receive or send a PM. I still wonder why. I would greatly appreciate it if someone could help me find and solve this unbelievable problem.

Thank you for your time :)

SQL of messages
---
CREATE TABLE `messages` (
`id` int(10) unsigned NOT NULL auto_increment,
`sender` int(10) unsigned NOT NULL default '0',
`receiver` int(10) unsigned NOT NULL default '0',
`added` datetime default NULL,
`subject` varchar(30) NOT NULL default '',
`msg` text,
`unread` enum('yes','no') NOT NULL default 'yes',
`poster` bigint(20) unsigned NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `receiver` (`receiver`)
)
---

Don't worry about function.php... I am sure it works fine.

account-mail.php
---
*got an error so please check attachment*
---

phpnovice
03-31-2005, 08:28 AM
If you're referring to the following SQL statement as the source of the problem:

mysql_query("INSERT INTO messages (sender, receiver, added, subject, msg) VALUES ($send, $rec, UNIX_TIMESTAMP(), $subject, $msg)")

perhaps you should code it as follows for safety's sake:

mysql_query("INSERT INTO `messages` (`sender`, `receiver`, `added`, `subject`, `msg`) VALUES ($send, $rec, UNIX_TIMESTAMP(), $subject, $msg)")

Lastly (since I'm, technically, still learning), is sqlesc() the reason why you don't have single quotes around your values in the statement above? What is the code in this function?
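
An added example (not code from this thread or from account-mail.php): the same INSERT written with PDO placeholders, so whether each value ends up quoted no longer depends on a helper such as sqlesc(). The in-memory SQLite table, the send_pm() helper and the sample message are assumptions made for the illustration.

```php
<?php
// SQLite in memory stands in for the thread's MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Simplified, constructed version of the thread's `messages` table.
$pdo->exec("CREATE TABLE messages (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    sender   INTEGER NOT NULL DEFAULT 0,
    receiver INTEGER NOT NULL DEFAULT 0,
    added    TEXT,
    subject  VARCHAR(30) NOT NULL DEFAULT '',
    msg      TEXT
)");

// send_pm() is a hypothetical helper, not a function from account-mail.php.
function send_pm(PDO $pdo, int $sender, int $receiver, string $subject, string $msg): int
{
    $subject = trim($subject);
    // The column is varchar(30) NOT NULL default '', so reject an empty or
    // over-long subject instead of storing '' or a truncated value.
    if ($subject === '' || strlen($subject) > 30) {
        throw new InvalidArgumentException('subject must be 1-30 bytes long');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO messages (sender, receiver, added, subject, msg)
         VALUES (:sender, :receiver, :added, :subject, :msg)'
    );
    $stmt->execute([
        ':sender'   => $sender,
        ':receiver' => $receiver,
        ':added'    => date('Y-m-d H:i:s'), // date string for a DATETIME column
        ':subject'  => $subject,
        ':msg'      => $msg,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input; the apostrophes would break a query assembled
// by string interpolation without quoting and escaping.
$id = send_pm($pdo, 1, 2, "It's a test", "Don't forget: 5 o'clock");

// Read the row back to confirm the subject was stored as sent.
$check = $pdo->prepare('SELECT added, subject, msg FROM messages WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetch(PDO::FETCH_ASSOC));
```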

cma
03-31-2005, 10:22 PM
Yes, you are correct, but I still don't understand why.

Anyway, about your solution: the single quote (` .... not ' [I don't have a key for this single quote]), they are the same thing with or without the single quote.

And I tested it with your solution and still have the same problem.

This PHP file... should be renamed to account-pm.php because I kinda made a mistake, but it's not a big deal. Anyway, it is a private message system.

Thank you very much for your help ;)

cma
04-01-2005, 12:34 AM
Alright, never mind about this thread... I found a solution (well, I redid it... not fun :rolls eyes)