Neglecting the obvious security flaws of mysql and SQL escape strings, does anyone know why my SQL tables are populated with empty msgs when the page reloads? Each synchronous time when the page reloads, the form is submitted. I am confused why this is happening and how I can stop it.
```php
<?php
ob_start();
session_start();
$con = mysql_connect("localhost","username","pass");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
$dates = date('Ymd H:i:s');
$uid = $_SESSION['user_id'];
$msg_id = (int) $_GET['msg_id'];
mysql_select_db("db_table", $con);
$result = mysql_query("SELECT users.first_name, users.last_name , intro.intro, intro.outro FROM intro INNER JOIN users ON intro.user_id = users.user_id WHERE intro.message_id = {$msg_id}");
while($row = mysql_fetch_array($result)) {
    echo "<div id=\"start\"><div class=\"namedate\"><h1>". $row['first_name'] ." ". $row['last_name'] . "</h1><h2>test</h2></div><div id=\"holdmsg\"><div class=\"cent\"><strong>" . $row['intro'] . "</strong><br><i>" . $row['outro'] ."</i></div></div></div> " ;
}
```
The FORM PART refers to this part, as well as the $_GET at the top of the page.
```php
<form action="" method="post">
<?php
$sql="INSERT INTO messages (user_id, intro_id , msg, date ) VALUES (('$uid'), {$msg_id} ,'$_POST[msg]', ('$dates'))";
if (!mysql_query($sql,$con)) {
    die('Error: ' . mysql_error());
}
mysql_close($con);
?>
<textarea rows="2" style="float:left" name="msg" type="text" placeholder="Elaborate on your idea..."></textarea>
<input id="togz2" style="float:right; " type="submit" value="SUBMIT" name="submit" class="butts">
</div></div>
</form>
```
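An added example, not part of the original post: the INSERT inside the form above runs on every request, including the first GET, when `$_POST['msg']` is not set, so one way to stop the empty rows is to gate the write on a real submission. It assumes PDO with an in-memory SQLite table in place of the poster's MySQL connection; `save_message` is a hypothetical helper and the three requests are constructed.

```php
<?php
// Added example (not the poster's code). Assumption: PDO with an in-memory
// SQLite database stands in for the MySQL connection so this runs offline.

/**
 * Insert a message only for a real form submission.
 * Returns true when a row was written, false when the request was skipped.
 */
function save_message(PDO $db, string $method, array $post, int $uid, int $introId): bool
{
    // A plain page load or reload arrives as GET: nothing to store.
    if ($method !== 'POST' || !isset($post['submit'])) {
        return false;
    }
    // Reject missing, non-string or whitespace-only text instead of storing an empty row.
    $msg = (isset($post['msg']) && is_string($post['msg'])) ? trim($post['msg']) : '';
    if ($msg === '') {
        return false;
    }
    // Bound parameters keep the message text out of the SQL string.
    $stmt = $db->prepare(
        'INSERT INTO messages (user_id, intro_id, msg, date) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$uid, $introId, $msg, date('Ymd H:i:s')]);
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (user_id INTEGER, intro_id INTEGER, msg TEXT, date TEXT)');

// Constructed requests: first page load, empty submit, real submit.
$requests = [
    ['GET',  []],
    ['POST', ['submit' => 'SUBMIT', 'msg' => '   ']],
    ['POST', ['submit' => 'SUBMIT', 'msg' => 'Elaborate on your idea']],
];
foreach ($requests as [$method, $post]) {
    $saved = save_message($db, $method, $post, 7, 42);
    printf("%-4s msg=%s -> %s\n", $method, json_encode($post['msg'] ?? null), $saved ? 'inserted' : 'skipped');
}
echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM messages')->fetchColumn(), "\n";
```

On the real page the arguments would be `$_SERVER['REQUEST_METHOD']` and `$_POST`. Sending a redirect back to the same URL after a successful insert keeps a browser reload from re-sending the POST.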