
I am working on a simple inbox/PM system, and I can't figure out why, but I can get the display working for sent messages; I can display the list of sent items and view PMs from the inbox, but I'm not sure what I am doing wrong. Any tips appreciated.

here is my code:

```php
<table>
<?php
$id = $_GET['id'];
$from_user = $_SESSION['user_id'];
$sql = "SELECT users.user_id, users.username, users.profile, messages.id, messages.to_user, messages.from_user, 
        messages.subject, messages.message, messages.has_read, messages.deleted, messages.date_sent
        FROM `messages`
        JOIN `users` ON messages.to_user = users.user_id 
        WHERE messages.from_user = '$from_user' AND messages.id = '$id' ORDER BY messages.date_sent DESC";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
$from_user = $rows['from_user'];
$subject = $rows['subject'];
?><tr>
<td width="50px" align="center">
<img src="<?php echo $rows['profile']; ?>" width="40px"><br><?php echo $rows['username']; ?>
</td>
<td valign="top" width="350px">
<b><?php echo $rows['subject']; ?></b><br>
<?php echo $rows['message']; ?>
</td><td><?php echo $rows['date_sent']; ?></td>
</tr>
<tr>
<td colspan="3"><hr></td>
</tr>
</table>
```
user2571547
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. – Kermit Sep 04 '13 at 15:45
  • You can.. and you can.. but you don't know what you are doing wrong? So what is the problem? Do you get any results from your query? – putvande Sep 04 '13 at 15:46
  • I can't get sent pms to display, i can read PMs just fine, just not ones from the sent area. yes marc, because someone is going to climb through my window and "pwn" my local machine /facepalm. – user2571547 Sep 04 '13 at 15:47
  • **You are leaving yourself wide open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started. – Andy Lester Sep 04 '13 at 15:59
  • http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php Read this to make sure you are protected from malicious SQL injection attacks. – Vlad Sep 04 '13 at 16:07
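The comments above point out that splicing `$_GET['id']` and the session value straight into the SQL string leaves the query open to SQL injection (and breaks on any value containing a quote). The following is an added example, not the asker's code or any answer on this page: the same "show one sent message" query rewritten with PDO prepared statements. Table and column names are taken from the question; the DSN, database name and credentials are placeholders, and the `h()` helper for output escaping is an addition of this example.

```php
<?php
// Added example (not the asker's code): the "view one sent message" query
// done with PDO prepared statements so user-controlled values never become
// part of the SQL text. DSN and credentials below are placeholders.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',   // placeholder DSN
    'YOUR_DB_USER',                                          // placeholder
    'YOUR_DB_PASSWORD',                                      // placeholder
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw on query errors instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Reject anything that is not an integer before a query ever runs.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid message id');
}
$currentUser = (int) $_SESSION['user_id'];

// Vulnerable form from the question (do NOT use): values spliced into the string.
//   "... WHERE messages.from_user = '$from_user' AND messages.id = '$id' ..."
// Hardened form: named placeholders, values bound separately by execute().
$sql = "SELECT users.user_id, users.username, users.profile,
               messages.id, messages.to_user, messages.from_user,
               messages.subject, messages.message, messages.has_read,
               messages.deleted, messages.date_sent
        FROM messages
        JOIN users ON messages.to_user = users.user_id
        WHERE messages.from_user = :from_user AND messages.id = :id
        LIMIT 1";

$stmt = $pdo->prepare($sql);
$stmt->execute([':from_user' => $currentUser, ':id' => $id]);
$row = $stmt->fetch();

if ($row === false) {
    // No such message, or it was not sent by the logged-in user. The
    // from_user condition doubles as the authorization check, so render nothing.
    http_response_code(404);
    exit('Message not found');
}

// Escape every value on output so stored message text cannot inject HTML or script.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<table>
<tr>
  <td width="50px" align="center">
    <img src="<?= h($row['profile']) ?>" width="40px"><br><?= h($row['username']) ?>
  </td>
  <td valign="top" width="350px">
    <b><?= h($row['subject']) ?></b><br>
    <?= nl2br(h($row['message'])) ?>
  </td>
  <td><?= h($row['date_sent']) ?></td>
</tr>
<tr><td colspan="3"><hr></td></tr>
</table>
```

Two design points: the `id` is validated as an integer and bound as a parameter, so a value like `1' OR '1'='1` is simply a non-integer and is rejected, and even a quote-bearing string would be sent as data rather than SQL; and `ERRMODE_EXCEPTION` means a failing query throws instead of returning `false`, which is exactly the kind of silent failure that makes "the page just shows nothing" hard to debug.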

1 Answer


You have $from_user specified twice; try removing the second and see how you go.

user2542256