PHP PM send message help

as4s1n

I am working on a PM system for my website, not unlike the one on the forums, and I ran into a big problem. I just can't figure out what it is.

Form:
HTML:
<form action="index.php" method="post">
<table border="0">
<tr>
<td>To:</td><td><input type="text" name="toUser" size="50" /> * Separate by commas (,)</td>
</tr><tr>
<td>Subject:</td><td><input type="text" name="subject" size="50" /></td>
</tr><tr>
<td colspan="2"><textarea rows="20" cols="50" name="message"></textarea></td>
</tr><tr>
<td><input type="submit" value="Send" /><input type="hidden" name="p" value="createMessageFinish" /></td>
</tr>
</table>
</form>

Script:
PHP:
<?php
$errors = array();
$to = (isset($_REQUEST['toUser'])) ? $_REQUEST['toUser'] : '';
if(!empty($to)) 
$toUsers = explode(",",$to);
else
$errors[] = 'To is empty.';
$msgS = isset($_REQUEST['subject']) ? $_REQUEST['subject'] : '';
$msgM = isset($_REQUEST['message']) ? nl2br($_REQUEST['message']) : '';
if (!$toUsers) {
    $errors[] = 'No recipients.';
}
if (empty($msgS)) {
    $errors[] = "Empty subject.";
}
if (empty($msgM)) {
    $errors[] = "Empty message.";
}
if(!$errors){
$to = implode(",",$toUsers);
 $from = $_SESSION['loggedin'];
 $sth = $dbh->query("SELECT id FROM users WHERE username = '$from'");
 while($row=$sth->fetch())
  $fromID = $row['id'];
 for($i=0;$i<sizeof($to);$i++) {
  $query = $dbh->prepare("SELECT id FROM users WHERE username = '".$to[$i]."'");
  while($row=$query->fetch()) {
   $toID = $row['id']; 
   $send = $dbh->exec("INSERT INTO mail VALUES(0,'$toID','$fromID','$msgM','$msgS',0)");
  }
 }
    if($send)
     echo "Message(s) sent";
    else 
     echo "Errors";
} else {
    ?>Errors: <ul><li><?php
    echo implode('</li><li>', $errors);
    ?></li></ul><?php
}
?>

Sorry it's kind of sloppy.
 

AngusThermopyle

What is it supposed to do?
What is the problem?
Error messages?
What input causes the problem?
What have you tried already to find the problem?
 

as4s1n

1) This is supposed to insert a row in the database to simulate an email
2) I do not know the problem, but my assumption is it has something to do with the 'to' input into the database
3) I tried a try/catch but it didn't help
4) My guess is the 'to'
5) Try/catch
 

misson

You still haven't clearly described the behavior you get, including whether there are any error messages and, if so, what they are. The code is also improperly indented, making it hard to read. However, there is one obvious error:

PHP:
	$query = $dbh->prepare("SELECT id FROM users WHERE username = '".$to[$i]."'");
$to holds a string, not an array. You want $toUsers.

Also, it's best to forget a good chunk of how you used to do DB access with the old mysql driver. PDO does it differently, and does it simpler.

PHP:
function getUserID($name, $db) {
	static $getUID;
	if (is_null($getUID)) {
		$getUID = $db->prepare("SELECT id FROM users WHERE username=?"); 
	}
	// Bind the function's own argument; $from is not in scope here
	$getUID->execute(array($name));
	return $getUID->fetchColumn();
}

...

$toAll = implode(",",$toUsers);
$from = $_SESSION['loggedin'];
$msg = array(
	':from' => getUserID($from, $dbh),
	':body' => $msgM,
	':subject' => $msgS
);
$sent = 0;
if (FALSE === $msg[':from']) {
    $errors[] = "Unknown sender: $from";
} else {
    // Always be explicit about which columns you're setting in an INSERT
    // INSERT ... SELECT looks up the recipient's id and inserts the row in one statement
    $sendQuery = $dbh->prepare("INSERT INTO mail (..., to, from, ...) SELECT 0, id, :from, :body, :subject, 0 FROM users WHERE username=:to");
    foreach ($toUsers as $to) {
        $msg[':to'] = $to;
        $sent += $sendQuery->execute($msg);
    } 
}
if($sent) {
    echo "Message(s) sent"; 
} else {
    echo "Errors"; 
    ...

Prepared statement parameters are already mentioned in another thread of yours, so I won't bother going into the details here.

I could swear we've gone over this before, but I can't find the thread.
 
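The prepared-statement approach discussed in this thread, as an added example that is not code from any poster: every user-supplied value (recipient names, subject, body) is bound as a parameter instead of being interpolated into the SQL string. It goes slightly beyond the posts by trimming and de-duplicating recipients and wrapping the inserts in a transaction. Assumptions: the pdo_sqlite driver is available, and the `mail` column names (`to_id`, `from_id`, `body`, `subject`, `is_read`), the `sendMessage()` helper and the sample users are hypothetical.

```php
<?php
// Added example; the schema, column names and sample rows are constructed assumptions.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)");
$dbh->exec("CREATE TABLE mail (id INTEGER PRIMARY KEY, to_id INTEGER, from_id INTEGER,
            body TEXT, subject TEXT, is_read INTEGER DEFAULT 0)");
$dbh->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('o''brien')");

// Returns array(number of rows inserted, list of unknown recipient names).
function sendMessage(PDO $dbh, $from, $toList, $subject, $body) {
    // Split, trim and de-duplicate; drop empty entries such as a trailing comma.
    $names = array_unique(array_filter(array_map('trim', explode(',', $toList)), 'strlen'));
    $getId = $dbh->prepare("SELECT id FROM users WHERE username = ?");
    $insert = $dbh->prepare(
        "INSERT INTO mail (to_id, from_id, body, subject) VALUES (:to, :from, :body, :subject)");
    $getId->execute(array($from));
    $fromId = $getId->fetchColumn();
    if ($fromId === false) {
        throw new InvalidArgumentException("Unknown sender");
    }
    $sent = 0;
    $unknown = array();
    $dbh->beginTransaction();
    try {
        foreach ($names as $name) {
            $getId->execute(array($name));
            $toId = $getId->fetchColumn();
            if ($toId === false) { $unknown[] = $name; continue; }
            // Store the raw text; escape and apply nl2br() only when displaying it.
            $insert->execute(array(':to' => $toId, ':from' => $fromId,
                                   ':body' => $body, ':subject' => $subject));
            $sent += $insert->rowCount();
        }
        $dbh->commit();
    } catch (Exception $e) {
        $dbh->rollBack();   // all-or-nothing: no partial delivery on a database error
        throw $e;
    }
    return array($sent, $unknown);
}

// The apostrophe in "o'brien" is bound as data, so it cannot terminate the SQL string literal.
list($sent, $unknown) = sendMessage($dbh, 'alice', "bob, o'brien, nobody,", 'Hi', "line1\nline2");
echo "sent=$sent unknown=" . implode(',', $unknown) . "\n";
echo nl2br(htmlspecialchars("line1\nline2", ENT_QUOTES, 'UTF-8')) . "\n";
```

Run it with the PHP command-line interpreter; it reports how many rows were inserted and which recipient names did not match a user.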