Private messages between site users

Here is the script for private messages between users. The problem is this: there are two tables, mail and members. Why is it possible to pass only name, lastname or username from the users table (members) into the messages table (mail) when sending a message?

Why can't I pass the $avatar data from the members table into the mail table via $avatar? Maybe it's because $avatar contains the path to the image (which is unlikely), or something else is wrong there. Help, please, fellow experts.

<?php
session_start();
include("db-info.php");
// mysql_* functions (removed in PHP 7) kept as posted
$link = mysql_connect($server, $user, $pass);
if(!$link) die(mysql_error());
if(!mysql_select_db($database)) die(mysql_error());
include("session.inc.php");
include("loadsettings.inc.php");
include("header.php");
$mailTo = isset($_GET['mailto']) ? $_GET['mailto'] : '';
// Variables that receive translations (button labels, compared against
// $_POST['mailAction'] below). The original label strings were lost when the
// page was extracted; English labels are substituted here.
// To make the script untranslated, remove the $ chars for the vars below in the script.
$Inbox   = 'Inbox';
$Compose = 'Compose';
$View    = 'View';
$Delete  = 'Delete';
$Reply   = 'Reply';
$Send    = 'Send';
?>
<?php if ($session == true) { ?>
<table  style="text-align:left;margin-left:50px;">
  <tr>
    <td> 
    <form method="post" action="mymessages.php?mailto=<?php echo $mailTo ?>">
    <input class="btn_mail_write" type="submit" name="mailAction" value="<?php echo $Compose; ?>" />
    &nbsp;&nbsp;&nbsp;<input class="btn_mail_inbox" type="submit" name="mailAction" value="<?php echo $Inbox; ?>" />
    </form>
        </td> 
  </tr>
</table>
<?php
    // Which action was requested; default to the inbox.
    if(!empty($_POST['mailAction'])){
        $action = $_POST['mailAction'];
    } else {
        $action = $Inbox;
    }
//$Compose = MSG_Compose_END ;
    if(($action == $Compose) || ($action == $Reply)) {
        if(isset($_POST['mailSubject']) && !empty($_POST['mailSubject'])){
            $mailSubject = 'Re: '.$_POST['mailSubject'];
        } else {
            $mailSubject = "";
        }
        // Replying: address the message to the original sender; otherwise keep ?mailto=
        if(!empty($_POST['mailFrom'])){
            $mailTo = $_POST['mailFrom'];
        }
// Compose Message Form
        ?>
<table width="100%">
  <tr> 
    <td width="100">&nbsp;</td>
       <td >    
            <form action="mymessages.php" method='post'>
                <div class="area-messages">
                <p><br><b>To:</b><input type='text' name='mailTo' size='50' maxlength="30" value='<?php echo $mailTo; ?>'></p>
                <p><b>Subject:</b><input type='text' name='mailSubject' size='50' maxlength="30" value='<?php echo $mailSubject; ?>'></p>
                <p><textarea class='messagestext' maxlength='700' name='mailMessage'></textarea></p>
                <p style="text-align:right;margin-right:15px;"><input class="button" type="submit" name="mailAction" value="<?php echo $Send; ?>" /></p>
                </div>
            </form>
        </td> 
        <td width="100">&nbsp;</td> 
  </tr>
</table>            
        <?php
       }
    if($action == $Send) {
        $subject = isset($_POST['mailSubject']) ? $_POST['mailSubject'] : '';
        // Recipient and message text are required. (The original error texts
        // were lost in extraction; English ones are substituted.)
        if(empty($_POST['mailTo'])){
            die("Recipient not specified!<br>
            <form name=\"back\" action=\"mymessages.php\" method=\"post\">
            <input type=\"submit\" value=\"Try Again\">
            </form> ");
        }
        $mailTo = $_POST['mailTo'];
        if(empty($_POST['mailMessage'])){
            die("Message text is empty!<br>
            <form name=\"back\" action=\"mymessages.php\" method=\"post\">
            <input type=\"submit\" value=\"Try Again\">
            </form> ");
        }
        $message = $_POST['mailMessage'];
        // $date = date('m/d/Y')." at ".date('g:i.s')." ".date('a');
        $date = date('Y-m-d')." / ".date('H:i');
        $userid = $username;
        // $avatar is not assigned anywhere in this file; it would have to be set
        // by one of the included files. All values are interpolated into the
        // query unescaped.
        $q  = "INSERT INTO mail (UserTo, UserFrom, avatar, Subject, Message, SentDate, status)
                        VALUES ('$mailTo','$userid','$avatar','$subject','$message','$date','<h9></h9>')";
        if(!($send = mysql_query($q))){
            echo "Could not send the message to ".$mailTo."!";
        } else {
echo "<table border='0' width='100%' cellspacing='0' cellpadding='5' class='main'>";
 echo "<tr>";
  echo "<td width='100'>&nbsp;</td>";
  echo "<td>";
            echo "<p>Message to <b>".$mailTo."</b> has been sent!</p>";
    echo "</td> ";
 echo "</tr> ";
echo "</table> ";
        }
    }
    }
    if($action == $Inbox) {
        $user = $username;
        $q = "SELECT * FROM mail WHERE UserTo = '$user' ORDER BY SentDate DESC";
        $getMail = mysql_query($q) or die(mysql_error());
        if(mysql_num_rows($getMail) == 0){
echo "<table width='100%' >";
 echo "<tr>"; 
  echo "<td width='100'>&nbsp;</td>";
  echo "<td>";  
            echo "<p class='msg'>No messages!</p><br/><br/>";
    echo " </td> ";
 echo " </tr> ";
echo "</table> ";           
        } else {            
            ?>
<table width="100%" >
    <tr> 
        <td>            
            <table border="0">
                <tr class="title">
                    <td width="50"><b>From</b></td>
                    <td width="50"><b>Status</b></td>
                    <td width="50"><b>Subject</b></td>
                    <td><b>Date\Time</b></td>
                </tr>
            <?php
            while($mail = mysql_fetch_array($getMail)){
        echo "<form action='mymessages.php' method='post'>";
                ?>
                    <tr>
                        <td style="border-top: #999 2px dashed;"><div style="width:50px;"><?php echo $mail['avatar']; ?></div><div style="overflow:hidden;width:100px;"><?php echo $mail['UserFrom']; ?></div></td>
                        <td style="border-top: #999 2px dashed;"><?php echo $mail['status']; ?></td>
                        <td style="border-top: #999 2px dashed;"><div style="overflow:hidden;width:80px;"><h8><?php echo $mail['Subject']; ?></h8></div></td>
                        <td style="border-top: #999 2px dashed;"><h8><?php echo $mail['SentDate']; ?></h8></td>
                        <td align="center"><input class="button" type="submit" name="mailAction" value="<?php echo $View; ?>" /></td>
                        <td align="center" style="padding-bottom:20px;">
                            <input type="hidden" name="mail_id" value='<?php echo $mail['mail_id']; ?>' />
                            <input class="button" type="submit" name="mailAction" value="<?php echo $Delete; ?>" />
                        </td>
                    </tr>
                <?php
                    echo "</form>";
            }
        }           
        echo "</table>";
    echo " </td> ";
 echo " </tr> ";
echo "</table> ";
    }
//$View = MSG_Read_END ;
    if($action == $View) {
        $mail_idx = $_POST['mail_id'];
        $user = $username;
        $result = mysql_query("SELECT * FROM mail WHERE UserTo = '$user' AND mail_id = '$mail_idx'") or die ("Could not read the message!");
        $row = mysql_fetch_array($result);
    //  echo $username;
        // Mark the message as read. The variable name was lost in extraction and
        // is assumed here; the status markup is kept as posted.
        $readStatus = "<h8></h8>";
        $q = "UPDATE mail SET status='$readStatus' WHERE UserTo='$username' AND mail_id='{$row['mail_id']}'";
        mysql_query($q) or die("Could not update the message status!");
        ?>
<table  width="100%" >
  <tr> 
    <td width="100">&nbsp;</td>
       <td >                    
            <form method="post" action="mymessages.php" >
                <div class="area-messages">
                    <p style="text-align:left;"><b>From:</b><?php echo $row['UserFrom']; ?><input type="hidden" name="mailFrom" value="<?php echo $row['UserFrom']; ?>" /></p>
                    <p style="text-align:left;"><b>Subject:</b><?php echo $row['Subject']; ?><input type="hidden" name="mailSubject" value="<?php echo $row['Subject']; ?>" /></p>
                    <p style="text-align:left;"><b>Message:</b><p class='messagesbox'><?php echo $row['Message']; ?></p><br /></p>
                    <p style="text-align:right;padding-right:20px;"><input class="button" type="submit" name="mailAction" value="<?php echo $Reply; ?>" /></p>
                </div>
            </form>
        </td> 
      <td width="100">&nbsp;</td>
  </tr>
</table>            
        <?php
    }
// $Delete = MSG_Delete_END ;   
    if($action == $Delete) {
        $id = $_POST['mail_id'];
        // Deletes by id alone: there is no check that the message belongs to $username.
        $query = mysql_query("DELETE FROM mail WHERE mail_id='$id' LIMIT 1");
        if(!$query) {
            echo "Could not delete the message!";
        } else {
            echo "Message deleted!";
        }
    }
?>
<?php }
else { echo "<script type=\"text/javascript\">window.location.href='error.php';</script>"; }
?>

Answer 1, authority 100%

A terrible mess of code… You can't spot the error right off the bat. Instead of mysql_query($q); try writing die($q); – the message will not be sent, but you can debug the query.


Answer 2, authority 75%

Two tables:

1. members:

 - id
 - name
 - avatar
 - ...

2. messages:

 - id
 - sender (user id)
 - receiver (user id)
 - body
 - ...

Now fetch the messages from the database:

SELECT * FROM messages WHERE receiver='our recipient'

You get an array of values: id, sender, receiver, body, ...

We need sender (the message sender).

Now we go into the users table for the avatar, name and other data:

SELECT * FROM members WHERE id='$sender'

We've got name, avatar and everything else we need.

This is for incoming; for outgoing I think it's clear what needs to be changed.

On the follow-up "And what exactly are the lines associated with security, and what to do with them?":

Read about SQL injection and XSS vulnerabilities.


Answer 3, authority 50%

Why do you need to shove the avatar into the messages table? In my opinion the sender's id is enough; then pull the avatar from the database by id. Why duplicate the information?
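The layout Answers 2 and 3 describe, as an added example that is not part of the question or any of the answers: messages store only the sender's member id, the inbox reads the sender's name and avatar with one JOIN instead of copying them into the messages table, every query uses PDO prepared statements (the SQL injection Answer 2 points at), and every database value is escaped with htmlspecialchars() on output (the XSS). The table and column names (members, messages, sender, receiver, is_read), the in-memory SQLite database and the pdo_sqlite extension are assumptions chosen so the script runs stand-alone; the sample rows are constructed.

```php
<?php
// Added example, not code from the question or answers. Assumed schema after
// Answers 2/3; runs against an in-memory SQLite database (requires pdo_sqlite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE members (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    avatar  TEXT NOT NULL
)');
$db->exec('CREATE TABLE messages (
    id        INTEGER PRIMARY KEY,
    sender    INTEGER NOT NULL REFERENCES members(id),
    receiver  INTEGER NOT NULL REFERENCES members(id),
    subject   TEXT NOT NULL,
    body      TEXT NOT NULL,
    sent_at   TEXT NOT NULL,
    is_read   INTEGER NOT NULL DEFAULT 0
)');

// Constructed sample data. The second message carries a script tag in its
// subject and a quote in its body: stored verbatim through bound parameters,
// neutralised only when rendered.
$db->exec("INSERT INTO members VALUES (1, 'alice', 'img/alice.png'),
                                      (2, 'bob',   'img/bob.png')");
$insert = $db->prepare('INSERT INTO messages (sender, receiver, subject, body, sent_at)
                        VALUES (:sender, :receiver, :subject, :body, :sent_at)');
$insert->execute([':sender' => 1, ':receiver' => 2, ':subject' => 'hello',
                  ':body' => 'first message', ':sent_at' => '2014-05-01 10:00']);
$insert->execute([':sender' => 1, ':receiver' => 2,
                  ':subject' => "<script>alert('xss')</script>",
                  ':body' => "' OR 1=1 --", ':sent_at' => '2014-05-01 10:05']);

// Inbox for one receiver: the sender's name and avatar come from members via
// the JOIN, so nothing from members has to be duplicated into messages.
function inbox(PDO $db, int $receiverId): array {
    $stmt = $db->prepare(
        'SELECT m.id, m.subject, m.body, m.sent_at, m.is_read,
                s.name AS sender_name, s.avatar AS sender_avatar
           FROM messages m
           JOIN members  s ON s.id = m.sender
          WHERE m.receiver = :receiver
       ORDER BY m.sent_at DESC');
    $stmt->execute([':receiver' => $receiverId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Mark a message read only if it belongs to the caller, so a user cannot
// touch someone else's row by posting a guessed id (the original script's
// UPDATE and DELETE both need the receiver in the WHERE clause).
function markRead(PDO $db, int $receiverId, int $messageId): int {
    $stmt = $db->prepare('UPDATE messages SET is_read = 1
                           WHERE id = :id AND receiver = :receiver');
    $stmt->execute([':id' => $messageId, ':receiver' => $receiverId]);
    return $stmt->rowCount();
}

// Escape every database value at the point it goes into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (inbox($db, 2) as $row) {
    printf("<tr><td><img src=\"%s\" alt=\"\"> %s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        h($row['sender_avatar']), h($row['sender_name']),
        h($row['subject']), h($row['sent_at']),
        $row['is_read'] ? 'read' : 'new');
}

// Member 1 is not the receiver of message 2, so this changes nothing;
// member 2 is, so the second call updates the row.
var_dump(markRead($db, 1, 2));
var_dump(markRead($db, 2, 2));
```

Run it with `php inbox.php`: the script-tag subject comes out as `&lt;script&gt;...` in the table, the body with the quote is stored unchanged because it travelled as a bound parameter rather than being spliced into the SQL string, and the first markRead() call reports zero affected rows while the second reports one.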