Sending a Private Message to Search and Match Users

This script is called send-message.php

First, we use the check-id.php script to ensure that the session id variable is set, and send the user to Login to MC Search and Match Profile and Account Management if it is not. Then we put the session variable 'username' into $U—we will be checking that it is set in a second. Then we define a named constant '_NODIRECTACCESS'. We include the config.php file (in the includes folder) which uses the PHP defined() function to check on this constant. If it is not set, we are thrown out of the config.php file like yesterday's trash.

Next we check if the session variables 'groupname', 'username', and 'userid' are set. If not, we are sent to the login-to-mc.php script. We make sure $U is still equal to the session variable 'username', that it is not an empty string, and that it's at least 6 characters long or . . . you guessed it . . . the login script. We make sure the session id is set and send them away if not.

Now we create the MySQL messaging table privatemessages if it does not exist. The table is standard stuff except for the ENUM data type. As specified in http://dev.mysql.com/doc/refman/5.0/en/enum.html, "An ENUM is a string object with a value chosen from a list of permitted values that are enumerated explicitly in the column specification at table creation time." I.e., if someone tries to enter a value in a ENUM('0','1') field that is not '0' or '1', then a blank value will be entered.

The variables $subject, $message, and $touser get loaded with POSTed form variables from Form to Send Private Message. The strip_tags() function dumps their tags and the substr() function ensures they are not too long by trimming any excess. Then, if any of these values is nothing or under 3 characters, the user sees "Fill form completely, please." and is sent to Form to Send Private Message.

Then the $message string is processed so that "@" is changed into "-at-", "/" is changed into "|", ";" is changed into ",", ":" is changed into ",", "+" is changed into " plus ", "&" is changed into " and ", single quote is changed into "`", double quote is changed into '``', "=" is changed into " equals ", ">" is changed into
" greater than " (< is killed with strip_tags which dumps rest of message).

The preg_replace() function uses regular expression patterns to allow only certain characters in the $subject and $message and $touser strings. We look for -- in $message and $subject and change it to - twice each since if you do it once, it is possible to miss a -- pattern, which can be used in bad ways, as can quotes, semicolons, =, @, etc. Once the 3 strings are sanitized, we run the mysql_real_escape_string() function on them for extra security before storing them in a MySQL db table, even though we've already taken care of most security issues. We also stick these 3 into session variables.

The database is queried for the $touser group name. If it is not found, the user sees "This Group Name does not exist. Please try again." and is sent back to the message form. We use the mysql_fetch_assoc() function on the query results and get the id of the group and stick it in a session variable as well as into $touser. Finally, we use the MySQL INSERT INTO statement to insert the message, etc., into the table privatemessages.

Having sent the message, we now get the group's email address from the associative array from the db and use it to send an email to the group we are messaging. In the message is "You have a new private message on our Website!" We don't want an email reply, so we put NO-REPLY in the From of the headers. Then we alert the message sender that "Message sent." and send him back to the message form at Form to Send Private Message.

The script below is called: send-message.php

<?php

include_once"check-id.php";
$U=$_SESSION['username'];
define('_NODIRECTACCESS', TRUE);
include_once"includes/config.php";
if (!isset($_SESSION['groupname']) || !isset($_SESSION['userid']) || !isset($_SESSION['username']) || $_SESSION['username']<>$U || !isset($U) || $U=="" || strlen($U)<6 || !isset($_SESSION['sessionid'])){echo '<script language="javascript">alert("Please login."); window.location = "login-to-mc.php";</script>';}

//send-message.php

$sql = "CREATE TABLE IF NOT EXISTS privatemessages (
id INT(4) NOT NULL AUTO_INCREMENT,
touser INT(4) NOT NULL,
fromuser INT(4) NOT NULL,
subject VARCHAR(150) NOT NULL,
message TEXT NOT NULL,
readit ENUM('0','1') NOT NULL DEFAULT '0',
deleted ENUM('0','1') NOT NULL DEFAULT '0',
datesent VARCHAR(40) NOT NULL,
outdel ENUM('0','1') NOT NULL DEFAULT '0',
PRIMARY KEY (id)
) ENGINE=MyISAM AUTO_INCREMENT=1";

mysql_query($sql);

$touser = strip_tags($_POST['touser']);
$subject = strip_tags($_POST['subject']);
$message = strip_tags($_POST['message']);
$message = substr($message,0,700);
$subject = substr($subject,0,150);
$touser = substr($touser,0,40);
if(!isset($touser) || !isset($subject) || !isset($message) || strlen($touser)<3 || strlen($subject)<3 || strlen($message)<3){
echo '<script language="javascript">alert("Fill form completely, please."); window.location = "send-message-form.php"; </script>';

}else{

$message=str_replace("@", "-at-", $message);
$message=str_replace("/", "|", $message);
$message=str_replace(";", ",", $message);
$message=str_replace(":", ",", $message);
$message=str_replace("+", " plus ", $message);
$message=str_replace("&", " and ", $message);
$message=str_replace("'", "`", $message);
$message=str_replace('"', '``', $message);
$message=str_replace(">", " greater than ", $message);//< killed with strip_tags which dumps rest of message
$message=str_replace("=", " equals ", $message);
$pattern1 = '/[^a-zA-Z0-9\\s\\.\\,\\!\\?\\-\\_\\`\\|]/i';
$pattern2 = '/[^a-zA-Z0-9\\_]/i';
$replacement = '';
$touser=preg_replace($pattern2, $replacement, $touser);
$touser=mysql_real_escape_string($touser);
$pattern3 = '/--/';
$replacement3 = ' -';
$subject=preg_replace($pattern3, $replacement3, $subject);
$subject=preg_replace($pattern3, $replacement3, $subject);
$message=preg_replace($pattern3, $replacement3, $message);
$message=preg_replace($pattern3, $replacement3, $message);
$subject=preg_replace($pattern1, $replacement, $subject);
$subject=mysql_real_escape_string($subject);
$message=preg_replace($pattern1, $replacement, $message);
$message=mysql_real_escape_string($message);

$fromuser = $_SESSION['userid'];
$_SESSION['subject'] = $subject;
$_SESSION['message'] = $message;
$_SESSION['to_group'] = $touser;
$to_group = $touser;
$time = time();

$check_touser_name = mysql_query("SELECT * FROM mc_members WHERE groupname = '$touser' LIMIT 1") or die(mysql_error());
if(mysql_num_rows($check_touser_name) == 0)
{echo '<script language="javascript">alert("This Group Name does not exist. Please try again.");window.location="send-message-form.php";</script>;';
}else{

$row=mysql_fetch_assoc($check_touser_name);
$touser=$row['id'];
$_SESSION['touser'] = $touser;// to what id?

$sql = "INSERT INTO privatemessages
(id,touser,fromuser,subject,message,readit,deleted,datesent,outdel)
VALUES (NULL, '$touser', '$fromuser', '$subject', '$message', '0', '0', '$time', '0')";

$res=mysql_query($sql);
if(!$res){
echo '<script language="javascript">alert("Message was not sent—something went wrong."); window.location="send-message-form.php";</script>';}

$sql = "SELECT email FROM mc_members WHERE id = '$touser'";

$res=mysql_query($sql);
$row=mysql_fetch_assoc($res);
$e=$row['email'];

$to = $e;
$subject = "You have a new private message on our Website!";
$message = "You have a new private message on our Website, ".$to_group.".\n\nClick link to log in and see it: http://www.yourwebsite.com/login-to-mc.php \n\nDo not reply to this email.\n\nRegards,\n\nour Website's management";
$headers = "From: NO-REPLY@yourwebsite.com";
$mail_sent = mail($to, $subject, $message, $headers);

mysql_close();

echo '<script language="javascript">alert("Message sent."); window.location = "send-message-form.php"; </script>';
}}
?>

Free Personal Status Boards (PSB™)

Sending a Private Message to Search and Match Users