There is a single quote in $submitsubject
or $submit_message
Why is this a problem?
The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don’t want to write your sql like that. At best, your application will break intermittently (as you’re observing) and at worst, you have just introduced a huge security vulnerability.
Imagine if someone submitted '); DROP TABLE private_messages;
in submit message.
Your SQL Command would be:
INSERT INTO private_messages (to_id, from_id, time_sent, subject, message) VALUES('sender_id', 'id', now(),'subjet',''); DROP TABLE private_messages;
Instead you need to properly sanitize your values.
AT A MINIMUM you must run each value through mysql_real_escape_string()
but you should really be using prepared statements.
If you were using mysql_real_escape_string()
your code would look like this:
if($_POST['submit_message']){ if($_POST['form_subject']==""){ $submit_subject="(no subject)"; }else{ $submit_subject=mysql_real_escape_string($_POST['form_subject']); } $submit_message=mysql_real_escape_string($_POST['form_message']); $sender_id = mysql_real_escape_string($_POST['sender_id']);
Here is a great article on prepared statements and PDO.