Weird query bug

Deposeni

I'm creating a forum, for my site... And well... it doesn't exactly work...
Heres the code:

<?
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
include("../config.php");
$a = new database();
$a->connect();
if (!isset($_SESSION['user'])) {
print "You must be logged in, in order to access this area.";
print "<meta http-equiv=\"refresh\" content=\"3;URL=../index.php\">";
}
else {

//check for required fields from the form
if (!isset($_POST['id'])) {
print "This field MUST be filled in, go back to the forum and click 'New Topic' again.";
print "<meta http-equiv=\"refresh\" content=\"3;URL=../newtopic.php\">";
exit;
}
if (!isset($_POST['title'])) {
print "You can't make a post without a title, please go back and create one";
print "<meta http-equiv=\"refresh\" content=\"3;URL=../newtopic.php\">";
}
if (!isset($_POST['text'])) {
print "You can't make a post without a message, please go back and create one";
print "<meta http-equiv=\"refresh\" content=\"3;URL=../newtopic.php\">";
}
?>
<html>
<head>
<title>Posting Topic</title>
<body bgcolor="#504533" text="#ffffff" link="#ffffff" vlink="#ffffff" alink="#ffffff">
</head>

<body>
<?
$user = $_SESSION['user'];
$getname = mysql_query("SELECT * FROM login WHERE user='$user'");
while ($namer = mysql_fetch_array($getname, MYSQL_ASSOC)){

$postid2 = mysql_query("SELECT * FROM fmessages WHERE message='".$_POST['title']."'");
while ($postid = mysql_fetch_array($postid2, MYSQL_ASSOC)) {
$posterid = $postid['msg_id'];
$postedid = $postid['member_id'];




$add_post = "INSERT INTO fmessages (msg_date
, title, message, forum_id, member_id, stick
y, locked, type) VALUES ('".time()."', '".$_POST['
title']."', '".$_POST['text'].
"', '".$_POST['id']."', '".$namer['id']."
', '".$_POST['sticky']."', '".$
_POST['locked']."', '".$_POST['type']."')";
mysql_query($add_post) or die(mysql_error());
$useron = $_SESSION['user'];


mysql_query("UPDATE login SET posts=posts+1 WHERE user='$useron'");
mysql_query("UPDATE f

forums WHERE id='".$_POST['id']."' SET pos
ts=posts+1, topics=topics+1, lastpos
t='$posterid', lastpostname='$postedid'");

print "Your topic has been created.";
print "<meta http-equiv=\"refresh\
" content=\"1;URL=viewforum
.php?id=".$_POST['id']."\">";
}
}
}
?>
</body>
</html>
<?

?>

Whenever I change

$postid2 = mysql_query("SELECT * FROM f
messages WHERE message='".$_POST['title']."'");
while ($postid = mysql_fetch_array($postid2, 
_ASSOC)) {
$posterid = $postid['msg_id'];
$postedid = $postid['member_id'];

"$postid2 = mysql_query("SELECT * FROM fme
ssages WHERE message='".$POST['title']."'");"
to a non-existant $POST ... it works... but whenever it uses an existing $_POST, it won't work... Its freakin me ou
t

Edit: Please note that I chopped up the first PHP tags so that it wouldn't make everything on the page screwy.

scoppc

Just a guess, you might be having some should-be-escaped character within the title, why not considering passing the message ID instead of the title?

You can try to use addslashes() function.

Deposeni

nope didnt work 🙁

scoppc

What exactly the input, I mean $_POST['title'] and the error messages you received? Why not try to execute that query right from your MySQL console?

Deposeni

<?
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
include("../config.php");
$a = new database();
$a->connect();
session_start();
$quser = mysql_query("SELECT * FROM login WHERE user='".$_SESSION['user']."'");
if (!isset($_SESSION['user'])) {
print "You must be logged in, in order to access this area.";
print "<meta http-equiv=\"refresh\" content=\"3;URL=../index.php\">";
}
else {

$forumname = $_GET['id'];
$cforum = mysql_query("SELECT * FROM fforums WHERE id='".$_GET['id']."'");

while($row = mysql_fetch_array($cforum, MYSQL_ASSOC)){
		$noforum = true;
	}
	if (!$noforum) {
	print "Forum does not exist."; 
	print '<body bgcolor="#504533" text="#ffffff" link="#ffffff" vlink="#ffffff" alink="#ffffff">';
	print '<title>No such forum</title>';
	print "<meta http-equiv=\"refresh\" content=\"3;URL=index.php\">";
	}
else {
?>
<html>
<head>
<title>New Topic</title>
<body bgcolor="#504533" text="#ffffff" link="#ffffff" vlink="#ffffff" alink="#ffffff">
</head>

<body>
<table width="75%" border="1">
  <tr>
    <td width="15%">


</td>
<td width="60%">
<form name="message" action="posttopic.php" method="post">
<center><b>New Topic</b></center>	
<br><br>
<b>Forum ID:</b>
<input name="id" type="text" value="<? print $_GET['id']; ?>" size="3" maxlength="3" readonly="1"><br><br>
<b>Title:</b><br>
<input name="title" type="text" value="" size="15" maxlength="15">
<br><br>
<b>Message:</b> <br>
<textarea name="text" cols="75" rows="10" wrap="virtual"></textarea><br>
<input name="submit" type="submit" value="Post!">
</form>
</td>
  </tr>
</table>

</body>
</html>
<?
}
}
?>

is where the _POST[tile] comes from.... And I don't get any error messages

scoppc

Have you tried to execute directly from your MySQL console?
What I wanted to know is the value of $_POST['title'];

if $_POST['title']; is just something like message title without any single-quote ' and you have tried to execute it from your MySQL console and return no errors, I dont have any other idea. :rolleyes:

Deposeni

Uh how would I Do that? Can't use $_POST's or varibales in it...

HalfaBee

Shouldn't you be checking title=$_POST['title'] in this line?

$postid2 = mysql_query("SELECT * FROM fmessages WHERE message='".$_POST['title']."'");

Also make sure you use htmlentities() to output any user input to avoid some HTML that you don't what to show.

HalfaBee

Deposeni

Thats what its set at...

HalfaBee

You are doing message=$POST['title'] instead of title=$POST['title']

HalfaBee

scoppc

To test it directly from your MySQL console, you cant use $POST['title'], instead substitute your $POST['title'] with whatever string that you typed in the text field.

So, if you typed "Message Title", then use this string right from your MySQL console.

Debugging your script should be sufficient to spot the troublemaker. Usually it can be done by observing what input comes in, the process that is carried out, and the output you get.

A better code that I suggest will be to separate the SQL statement from mysql_query().

$sql="SELECT * FROM fmessages WHERE message='" . $_POST['title'] . "'";
$query=mysql_query($sql);

You can commented out the $query=... line and add print $sql to observed what SQL query gets set.

Deposeni

Resource id #5

thats when I enter "dgfsd" in as the title....

Used print $postid2; to get that

Deposeni

After debugging - i found where it stops... the exact spot... well down to three lines

while ($postid = mysql_fetch_array($postid2, MYSQL_ASSOC)) {
$posterid = $postid['msg_id'];
$postedid = $postid['member_id'];

HalfaBee

The query before these lines is failing.
Try creating the sql before the query so it can be echoed when it fails.
Then

if( mysql_query==FALSE )
echo mysql_error().$sql;

HalfaBee

Deposeni

all it says is

Resource id #6

scoppc

$title="dgfsd";
$sql="SELECT * FROM fmessages WHERE message='$title'";
$query=mysql_query($sql);
if (!$query){
    print "Sorry, query was unsuccessful . " mysql_error();
}else{
    $num=mysql_num_rows($query);
    print "The query returns " . $num . " results";
    while ($data=mysql_fetch_array($query)){
        //assign all variable here....
    }
}

Try the code above and see what you got. Paste it to a brand new file. Dont forget to include your db connection file.🙂

Deposeni

The query returns 0 results

Deposeni

When I change Title to a name that DOES exist - it returns 1

scoppc

It means that the query is fine, just that the title you are going to retrieved doesnt match any record inside your fmessages table.

Make sure you have such record with title 'dgfsd' before trying to execute the SQL.

as pointed out by Halfabee, are you sure that this statement:
"SELECT FROM fmessages WHERE message='" . $POST['title'] . "'"
shouldnt be replaced with:
"SELECT FROM fmessages WHERE title='" . $POST['title'] . "'"
???

Lastly, Just add error checking and error handling as what I have shown you. You can add another checking just before while

if ($num>0){
//if the number of results returned is more than 0
  while ($data=mysql_fetch_array($query)){
  //the rest of the code here....
  }
}

Deposeni

I'll do that when I get up... I've been programming this forum for 10 hours straight... I'm tired as @#$%

thanks for your help