0

I have a chat application with a MySQL backend. I am trying to add a line of code that will post " ...has joined the room" after the room change function is completed.

Here is my code:

$PHP_PW = $_POST['password'];
$PHP_USER = $_POST['email'];
$PHP_ALIAS = $_POST['alias'];
$PHP_GENDER = $_POST['gender'];
$PHP_LON = $_POST['lon'];
$PHP_LAT = $_POST['lat'];
$PHP_STATUS = $_POST['status'];
$PHP_ROOM = $_POST['room'];
$PHP_ICON = $_POST['iconid'];
//$PHP_IP = $_SERVER['REMOTE_ADDR'];
$PHP_AGE = substr($_POST['age'],0,2);
$PHP_LOC = $_POST['location'];
$PHP_DOB = $_POST['dob'];
$PHP_IP  = $_POST['device_id'];

if ($_POST['action']=="update")
{
    if(!isset($PHP_USER))
    {
        echo "ERROR";
    } else
    {

        if(isset($PHP_ROOM))
            $update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
            $postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");


        echo "OK 1";
    }
    mysql_close($db);

}

The code runs fine without the $postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the"','$PHP_ROOM')") or die("ERROR1");

However, if I run it with the $postmsg line, I don't get an error or any reply from the server.

TWeeKeD
  • Have you connected to the database? – Grim... Aug 23 '13 at 02:05
  • Are $update and $postmsg supposed to be in the if block, or just $update? The code syntax looks off. 'Cause if both are supposed to be, then you're missing some crucial curly braces. – aztechy Aug 23 '13 at 02:11

2 Answers

1

I think the problem is in $postmsg "...has joined the room". It's not the proper way of concatenating strings; it should be ,'"."..has joined the room"."',

Ikong
  • That did it. I guess I was concatenating the string improperly. It's working now, THANK YOU. But can someone explain it to me? – TWeeKeD Aug 23 '13 at 03:37
0

If you omit the curly braces, only the next line is considered to be part of your if statement's body. Your code acts like this:

if (isset($PHP_ROOM)) {
    $update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
}

$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");

You want it to do this:

if (isset($PHP_ROOM)) {
    $update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
    $postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'...has joined the room','$PHP_ROOM')") or die("ERROR1");
}

Also, by inserting unsanitized text directly into your queries, you make your application vulnerable to SQL injection. Take a look at this question: How can I prevent SQL injection in PHP?

Community
Blender
  • Thank you for your replies. I tried the code before posting with the curly brackets in place and I get nothing back from the server. When I press submit on my test form, it loads a blank page. No error or echo of ok. I'm not sure where the script is dying. – TWeeKeD Aug 23 '13 at 03:32
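
The braces fix and the SQL injection point from the answer above, combined in one room-change handler as an added example (not code from the question or either answer). It assumes PDO is available and uses an in-memory SQLite database in place of the MySQL backend so it runs offline; `changeRoom` is a hypothetical name, and the table and column names follow the post.

```php
<?php
// Added example, not code from the question or answers.
// Assumptions: PDO with the SQLite driver; SQLite stands in for the MySQL backend.
declare(strict_types=1);

function changeRoom(PDO $db, string $email, string $room): bool
{
    $db->beginTransaction();
    try {
        // Placeholders keep user input out of the SQL text entirely.
        $update = $db->prepare(
            'UPDATE USER SET room = :room, lastupdate = CURRENT_TIMESTAMP WHERE email = :email'
        );
        $update->execute([':room' => $room, ':email' => $email]);
        if ($update->rowCount() !== 1) {   // unknown user: post no join message
            $db->rollBack();
            return false;
        }
        // The message is bound as a value, so no quotes are nested inside the PHP string.
        $post = $db->prepare(
            'INSERT INTO DATA (msgid, userid, date, message, room)
             VALUES (NULL, 1, CURRENT_TIMESTAMP, :message, :room)'
        );
        $post->execute([':message' => '...has joined the room', ':room' => $room]);
        $db->commit();                     // both statements succeed or neither is kept
        return true;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Constructed demo schema and data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USER (email TEXT PRIMARY KEY, room TEXT, lastupdate TEXT)');
$db->exec('CREATE TABLE DATA (msgid INTEGER PRIMARY KEY, userid INTEGER, date TEXT, message TEXT, room TEXT)');
$db->exec("INSERT INTO USER (email, room) VALUES ('a@example.com', 'lobby')");

$room = "Pat's room";   // constructed input: the quote would break the concatenated query
var_dump(changeRoom($db, 'a@example.com', $room));        // user exists
var_dump(changeRoom($db, 'nobody@example.com', 'lobby')); // no such user, nothing inserted
foreach ($db->query('SELECT message, room FROM DATA') as $row) {
    echo $row['message'], ' | ', $row['room'], PHP_EOL;
}
```

On MySQL, `rowCount()` reports changed rows rather than matched rows unless `PDO::MYSQL_ATTR_FOUND_ROWS` is set on the connection.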