The code is sending for profile comment,I dont know what is wrong with my code because when i click the POSTCOMMENT button It just gives a blank Page,with no Error desplayed
or Any message.
And actualy the Datas are not sent.


 //Connect to the database server
exit('<p>Unable to connect to the database</p>');
//select the joke database
 exit('<p>Unable to locate the profile'.
 'Database at the this time.</p>');



 $sql="INSERT INTO profcomment SET
echo '<p>Your comment has been added.</p>';

 echo '<p><font color=white>Error adding submitted comment:</font>';
   mysql_error() .'</p>';

$result=@mysql_query("SELECT  *FROM profcomment where user='$userid'");

 echo"<font color=red>There are $num comments </font><br>";
exit('<p>Error perfoming query:' .
 mysql_error() .'</p>');

//Diaplay the text of each profcomment in paragraph

echo "<table width=280 height=5 align=center border=1 cellpadding=3 cellspacing=2 bordercolor=black bgcolor=creem>";
echo "<tr><td>
<p>posted by:<font color=blue>$sender</font> date:<font color=blue>$date</font></p></td></tr>";
echo "</table>";


<table border=0 width=100 height=50 cellspacing=1 cellpadding=1 align=right>
<tr >
<td valign=top>
<form action=<?php echo$_SERVER['PHP_SELF'];?>  method=POST >
<textarea name="comment" rows=2 cols=32>
<tr><td align=right>
<input type="submit" name="submit" value="postcomment"/>
</form> </center>




I need your help Please!!!

Here are some things you need to fix.
You are checking if $_GET is set. Say, for example, the user follows a link and gets to this page. comments.php?id=4 . Then it will enter the condition isset($_GET) and does the required action. But, when the user fills in the comment and clicks on submit, $_GET doesn't hold any value anymore. So, it skips isset($_GET) block.
Secondly, there is no session_start. And, most importantly, don't use @ to supress the errors. You will never know where you are going wrong.

now can you advice me,
as you said if the user writes a comment it will skip the isset($_GET) function.
what can i do to make it work because i`m using as you explained above that the user must follow the link.
I removed the @ symbol nothing changed.

pass id in a hidden field when the form is submitted. Use $_REQUEST instead of $_GET. $_REQUEST can handle both $_GET and $_POST. Thats all !
Oh, have session_start on top of your script.

This script is also vulnerable to sql injection.

Always filter your input variables.

Google "sql injection prevention in php" or someone will steal all of your data and compromise your accounts. It would take under 5 minutes with this script.

You need to do length checking, and character filtering.

If you accept input data when building login form, filter for XSS as well.

This applies to all scripts even non-login pages since your registered users can use SQL injection too. Very scary stuff...


i never used hidden values,
if can show me how accodding to my code i`ll appreciate.

Simple. The first time you follow the link, you will have the id. <input type="hidden" name="id" value="<?php echo $id; ?>"> where $id is id's value.