View Full Version : php help.
Colin-Roberts
27-06-2010, 06:39 PM
I didn't code this; it's from a tutorial.
If I go to this URL: friendrequest.php?user=minifly2
it shows a blank page instead of echoing
$username has been sent a request you must now wait for it to be accepted
Any idea why?
It isn't because this script is old and doesn't work in the newer PHP versions, possibly?
<?
// First we must start off the sessions
session_start();
ob_start();
// Then include the configuration file which has the database connection and locations.
include("configuration.php");
if($loggedin = logged_in()){ // Check if they are logged in
    if ($_GET[user]){ //gets username
        $username = htmlspecialchars($_GET[user]); //friend
        $by = $loggedin[username]; //you
        $query = mysql_query("INSERT INTO `friend_requests` ( `username` , `by` ) VALUES ( '$username' , '$by' )"); //inserts the request
        echo ( "$username has been sent a request you must now wait for it to be accepted" ); //echos completion
    } else {
        echo ( "No request was made" ); // or no request sent
    }
} else {
    echo ( "You need to be logged in" ); //not logged in
}
?>
Apolva
27-06-2010, 06:48 PM
The code uses bad practices (which might cause issues in new versions of PHP):
i.e. try changing $_GET[user] to $_GET['user'], $loggedin[username] to $loggedin['username'].
It's also vulnerable to SQL injection attacks. To fix this, change
$username = htmlspecialchars($_GET['user']); //friend
to
$username = mysql_real_escape_string(htmlspecialchars($_GET['user'])); //friend
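Added example (not part of any post in this thread, and not the tutorial's code): the friend-request insert written with a PDO prepared statement, with HTML encoding applied only when echoing. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL connection; send_friend_request(), the $by argument (the thread takes it from the session) and the sample names are hypothetical.

```php
<?php
// Added example: parameterized insert for the friend request.
// Assumption: SQLite in memory replaces the MySQL database so this runs offline.
// send_friend_request() is a hypothetical helper, not a function from the thread.

function send_friend_request(PDO $db, string $to, string $by): string
{
    $to = trim($to);
    if ($to === '') {
        return 'No request was made';
    }
    // Placeholders keep the values out of the SQL text, so a quote
    // character in $to is stored as data and cannot alter the statement.
    $stmt = $db->prepare(
        'INSERT INTO `friend_requests` (`username`, `by`) VALUES (:to, :by)'
    );
    $stmt->execute([':to' => $to, ':by' => $by]);

    // HTML-encode at output time only. ENT_QUOTES is passed explicitly:
    // before PHP 8.1 the default flags left single quotes unencoded.
    return htmlspecialchars($to, ENT_QUOTES, 'UTF-8')
        . ' has been sent a request you must now wait for it to be accepted';
}

$db = new PDO('sqlite::memory:');
// Database failures raise exceptions instead of failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `friend_requests` (`username` TEXT, `by` TEXT)');

// Constructed inputs: a plain name, a name with a quote, markup, and an empty value.
$samples = ['minifly2', "o'brien", '<b>bob</b>', '   '];
foreach ($samples as $user) {
    echo send_friend_request($db, $user, 'colin'), PHP_EOL;
}

// Each accepted input is stored verbatim as one row.
foreach ($db->query('SELECT `username`, `by` FROM `friend_requests`') as $row) {
    echo var_export($row['username'], true), ' requested by ', $row['by'], PHP_EOL;
}
```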
Colin-Roberts
27-06-2010, 07:01 PM
Thanks, sadly it still just gives me a white page.
<?
// First we must start off the sessions
session_start();
ob_start();
// Then include the configuration file which has the database connection and locations.
include("configuration.php");
if($loggedin = logged_in()){ // Check if they are logged in
    if ($_GET['user']){ //gets username
        $username = mysql_real_escape_string(htmlspecialchars($_GET['user'])); //friend
        $by = $loggedin['username']; //you
        $query = mysql_query("INSERT INTO `friend_requests` ( `username` , `by` ) VALUES ( '$username' , '$by' )"); //inserts the request
        echo ( "$username has been sent a request you must now wait for it to be accepted" ); //echos completion
    } else {
        echo ( "No request was made" ); // or no request sent
    }
} else {
    echo ( "You need to be logged in" ); //not logged in
}
?>
Apolva
27-06-2010, 08:22 PM
Please paste the contents of configuration.php minus any sensitive data.
Trinity
27-06-2010, 08:29 PM
This line looks weird:
if($loggedin = logged_in())
It's been a long time since I played with PHP, but I don't think you should be setting variables inside an if().
Tbh I think I'm wrong about that, as it would still probably work out as either true or false and at least show something.
Try turning error reporting on, then run it again and see what it says.
Could you link me to the tutorial?
Apolva
27-06-2010, 08:36 PM
This line looks weird:
if($loggedin = logged_in())
I was going to suggest that as the problem as well. I'd have thought setting any variable in an if statement would return true; then again it could be shorthand for "set this and check the value", the likes of which I've never seen before. You could try changing = to == (to compare the values), but then I have no idea why you'd be checking the variable with the return of a function of a seemingly identical purpose, so for this reason it would be helpful to see what other functions are in configuration.php.
Colin-Roberts
27-06-2010, 09:06 PM
It's not that line; it's used in other files and it works fine. It is part of a function from my usersystem.
config
<?php
define("DATABASE_LOCATION", "localhost");
define("DATABASE_USERNAME", "root");
define("DATABASE_PASSWORD", "");
define("DATABASE_NAME", "users");
$locations = array("images_folder" => "images/",
"stylesheet" => "stylesheet.css");
if(!file_exists($locations['images_folder'])){die("Images Folder Not Present");}
if(!file_exists($locations['stylesheet'])){die("StyleSheet Not Present");}
$conn = mysql_connect(DATABASE_LOCATION,DATABASE_USERNAME, DATABASE_PASSWORD);
if (!$conn) die ("Could not connect MySQL Server With Username And Password");
mysql_select_db(DATABASE_NAME,$conn) or die ("Could Not Open Database");
include("functions.php");
?>
Apolva
27-06-2010, 09:15 PM
There's no logged_in function in that config file, so unless you're including this page from another one which is setting it, you're probably getting a "function doesn't exist" error, which you have hidden. You'll need to create a way to check whether the person is logged in and also retrieve the user information from the database in addition to this code - something we can't easily help you with without knowing how sessions are used and the database tables are structured.
To check whether it is an error which isn't being displayed (probably is), add this to the very beginning of configuration.php:
error_reporting(E_ALL ^ E_NOTICE);
EDIT - sorry, didn't notice functions.php include.
Trinity
27-06-2010, 09:15 PM
It's not that line; it's used in other files and it works fine. It is part of a function from my usersystem.
Are you sure? It still feels weird to me.
Can we see the functions.php file please?
Colin-Roberts
27-06-2010, 09:21 PM
I'm positive this PHP page was made to be added to a usersystem, hence it never used the functions page as it was from my usersystem.
& I added that line to config, nothing changed.
functions
<?php
function protection($field,$encrypt=false) // Start Of Function.
{
    if (empty($field)) // Checks if $field is empty.
    {
        $return['error'] = "Value Empty"; // If $field is found to be empty it will return an error message.
    }
    else
    {
        if (is_array($field)) // Checks if $field is an array or not.
        { // If it is an array then carry on.
            foreach($field as $key => $value){ // Carry out the foreach on the $field assigning the key and value of the array to $key and $value.
                $key = strip_tags($key); // Remove any tags from the field
                $value = strip_tags($value); // Remove any tags from the field
                $return[$key] = htmlentities($value, ENT_QUOTES); // Convert all applicable characters to HTML entities
            }
        }
        else // If $field isn't an array carry out the following.
        {
            $field = strip_tags($field); // Remove any tags from the field.
            $return = htmlentities($field, ENT_QUOTES); // Convert all applicable characters to HTML entities.
        }
    }
    return $return; // Return $return
}
function logged_in(){
    $sess_id = protection($_COOKIE['PHPSESSID']); // Remove any injection and bugout stuff from the session
    // Retrieve the sessions table rows where the session id above matches the session id in the sessions table
    $conn = mysql_connect(DATABASE_LOCATION,DATABASE_USERNAME, DATABASE_PASSWORD);
    mysql_select_db(DATABASE_NAME,$conn);
    $sess_check = mysql_query("SELECT * FROM `sessions` WHERE `sess_id` = '".$sess_id."' && `logged` = '0'");
    // If there is no session in the table where they are not logged in, show them as not logged in
    if(mysql_num_rows($sess_check)){ // Check if there is a row in the table.
        $s = mysql_fetch_array($sess_check); // Retrieve the data from the tables.
        $uinfo = mysql_query("SELECT * FROM `users` WHERE `id` = '".$s['uid']."'"); // Retrieve the users table where the uid matches the uid in the sessions table
        $u = mysql_fetch_array($uinfo); // Retrieve the data from the tables.
        // Put the data into an array to be returned.
        $return = array("session_id" => $s['id'],
            "session_sessid" => $s['sess_id'],
            "user_id" => $u['id'],
            "username" => $u['username'],
            "password" => $u['password'],
            "gender" => $u['gender'],
            "twitter" => $u['twitter'],
            "relation" => $u['relation'],
            "religion" => $u['religion'],
            "politic" => $u['politic'],
            "town" => $u['town'],
            "activit" => $u['activit'],
            "hobby" => $u['hobby'],
            "fav" => $u['fav'],
            "about" => $u['about'],
            "email" => $u['email'],
            "lastfm" => $u['lastfm'],
            "youtubename" => $u['youtubename'],
            "ip" => $u['ip']);
        // Return the array
        return $return;
    }else{
        // Return nothing
        return false;
    }
}
function check_phpsessid(){
    session_start();
    if(empty($_COOKIE['PHPSESSID'])){
        die("Your cookies are disabled. Please enable them before using this usersystem.");
    }
}
function update_user($user_id, $values = array()){
    $update_field = ""; // Start the $update_field so we can add to it.
    if(!is_array($values)){ // If $values isn't in an array show error.
        return "Update Values Not In An Array"; // Return the message.
    }else{ // Carry On :)
        $conn = mysql_connect(DATABASE_LOCATION,DATABASE_USERNAME, DATABASE_PASSWORD); // Connect to the mysql server
        mysql_select_db(DATABASE_NAME,$conn); // Select the database
        $values = protection($values);
        foreach ($values as $key => $value){ // Go through the array
            $get_columns = mysql_query("DESCRIBE `users`"); // Get the information about the users table.
            while($r=mysql_fetch_array($get_columns)) // Put the information into an array and go through it.
            {
                if($key == $r['Field']){ // Check if $key from the $values array is a valid database column.
                    $update_field .= "`".$key."` = '".$value."', "; // If it is add it to $update_field variable.
                    break; // Stop Loop.
                }
            }
        }
        $update_field = substr($update_field, "0", "-2"); // Now they're all added, remove the last , and space.
        $update = mysql_query("UPDATE `users` SET ".$update_field." WHERE `id` = '".$user_id."'"); // Update database
        if($update){ // Check if it successfully updated
            return "1"; // If it did return 1
        }else{ // If not return Unknown Error.
            return "Unknown Error";
        }
    }
}
?>