
Let's say I have a class, for example:

```php
class User{
     function callname(){
         $user = $_SESSION['id'];
         $query = ("SELECT * FROM user WHERE user.id='$user'");
         while ($result=mysql_fetch_array($query)){
              echo ($result['username']);}}}
```

And then I make an instance of the User object:

```php
$user = new User;
```

Code to send mail:

```php
if($_SERVER["REQUEST_METHOD"] == "POST"){
$username = trim($_POST['username']);
$check = mysql_num_rows(mysql_query("SELECT * FROM user WHERE username='$username'"));

if ($check==TRUE){
    $name = $user->callname();
    $to = "myemail@domain.com";
    $subject = "Example Subject";
    $headers = "From: My Domain".'\r\n'.
      "MIME-Version: 1.0".'\r\n'.
      "Content-Type: text/html; charset=ISO-8859-1".'\r\n'.
      'X-Mailer: PHP/' . phpversion();
    $message = "Hai $name, this is the new message.";

            mail($to, $subject, $message, $headers);
} else {
    ?>
        <script type="text/javascript">
            alert("Sorry, username not exist !");
        </script>
        <?php
}

}
```

The mail function was working correctly and I have received an email too. The problems are:

  1. $name didn't print the name of the user in the email. I've tried `$name = $user->callname();` on a different page without the if() and it was working.

  2. \r\nMIME-Version: 1.0 and so on was printed in the From header.

Ryan B
merli
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 26 '14 at 14:38
  • Agreed with Quentin, at least you need to use mysql_real_escape_string on $username before sending it in the query! – Jonas Äppelgran Mar 26 '14 at 14:41
  • Thanks Quentin and Jonas Äppelgran. I'm really still new to this. Need to learn more. Thanks for the explanations. – merli Mar 26 '14 at 14:54

1 Answer

  1. I think you need to return $result['username'] instead of echoing it.
  2. For special characters to be read as such, you need them in double quotes (").

An attempt to correct your code:

```php
class User{
     function callname(){
         $user = $_SESSION['id'];
         $query = mysql_query("SELECT * FROM user WHERE user.id='$user'");
         while ($result=mysql_fetch_array($query)){
              return $result['username'];}}}
```

Next part:

```php
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Escape the posted value before it is placed in the SQL string
$username = mysql_real_escape_string(trim($_POST['username']));
$check = mysql_num_rows(mysql_query("SELECT * FROM user WHERE username='$username'"));

if ($check==TRUE){
    $name = $user->callname();
    $to = "myemail@domain.com";
    $subject = "Example Subject";
    // Double quotes so that \r\n is read as a CRLF line break
    $headers = "From: My Domain"."\r\n".
      "MIME-Version: 1.0"."\r\n".
      "Content-Type: text/html; charset=ISO-8859-1"."\r\n".
      'X-Mailer: PHP/' . phpversion();
    $message = "Hai $name, this is the new message.";

            mail($to, $subject, $message, $headers);
} else {
    ?>
        <script type="text/javascript">
            alert("Sorry, username not exist !");
        </script>
        <?php
}
}
```
Jonas Äppelgran
  • Both of those still don't work, man. I tried to put "[]" like this `$name = [$user->callname()];` and it results in the value "Array", so the message goes like "Hai Array, this is the new message." – merli Mar 26 '14 at 16:29
  • @merli At least problem number 2 was solved, right? Please post your updated code. I saw right now that you do not actually make the call to the DB in callname(). You are doing a mysql_fetch_array on a string with SQL. There should be a mysql_query call there. – Jonas Äppelgran Mar 26 '14 at 18:13
  • Not yet, man. If I used double quotes, then the email wasn't sent. – merli Mar 27 '14 at 07:12
  • I've put 'mysql_query' in front of that but it's still the same, Jonas. I was trying to test the code in a simple code page which called `$name = $user->callname();` without the if... and this resulted in the name. Let's say the name is Patrick. So "Patrick" was printed in the page. – merli Mar 27 '14 at 07:21
  • @merli I made an attempt to correct your code. Please give it a go. If it's unsuccessful I would suggest you ask a new question with updated code. Good luck! – Jonas Äppelgran Mar 27 '14 at 16:49
  • Wow, thanks man, but it still doesn't work. I really don't understand why. I've searched many sources for the headers and many of them show what you wrote (every part glued with `."\r\n".`) – merli Mar 28 '14 at 11:45
  • Yup! I guess I need that. Thanks a lot Jonas Äppelgran. +1 for Jonas Äppelgran. – merli Mar 28 '14 at 11:46
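
An added example, not part of the original question or answer, that combines the points raised in this thread: a prepared statement instead of string-built SQL, `callname()` returning its value, and headers joined with a real CRLF and checked for embedded line breaks. It assumes PDO with an in-memory SQLite database and a constructed row in place of the MySQL table; `exists()` and `buildHeaders()` are hypothetical helper names.

```php
<?php
// Added example; not code from the question or the answer.
// Assumption: an in-memory SQLite database (constructed row) stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO user (id, username) VALUES (1, 'Patrick')");

class User
{
    private $pdo;
    public function __construct(PDO $pdo) { $this->pdo = $pdo; }
    // Return the name so the caller can use it; echo would leave $name empty.
    public function callname($id)
    {
        $stmt = $this->pdo->prepare('SELECT username FROM user WHERE id = ?');
        $stmt->execute([$id]);
        $name = $stmt->fetchColumn();
        return $name === false ? null : $name;
    }
    public function exists($username)   // hypothetical helper
    {
        $stmt = $this->pdo->prepare('SELECT COUNT(*) FROM user WHERE username = ?');
        $stmt->execute([$username]);
        return (int) $stmt->fetchColumn() > 0;
    }
}

// "\r\n" in double quotes is a real CRLF; in single quotes it is four literal characters.
function buildHeaders(array $headers)   // hypothetical helper
{
    $lines = [];
    foreach ($headers as $field => $value) {
        // A line break inside a field would let input start a new header line.
        if (preg_match('/[\r\n]/', $field . $value)) {
            throw new InvalidArgumentException('CR/LF not allowed in a mail header');
        }
        $lines[] = "$field: $value";
    }
    return implode("\r\n", $lines);
}

$user = new User($pdo);
$posted = 'Patrick';   // constructed stand-in for trim($_POST['username'])
if ($user->exists($posted)) {
    // 1 is a constructed stand-in for $_SESSION['id']; escape the name for the HTML body.
    $name = htmlspecialchars((string) $user->callname(1), ENT_QUOTES, 'ISO-8859-1');
    $headers = buildHeaders(['From' => 'My Domain', 'MIME-Version' => '1.0',
        'Content-Type' => 'text/html; charset=ISO-8859-1']);
    echo $headers, "\n\n", "Hai $name, this is the new message.", "\n";
    // mail($to, $subject, $message, $headers) would be called here.
}
```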