Am getting an error on my php code to send sms [closed]

Question

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.

Closed 9 years ago.

Am a newbie and i am getting an error on line 26 of my code i cant understand what causes the error as it is making me not to be able to send sms anyhelp will be appreciated

        <?php
        $gw_host="10.0.0.9";
     $value=$_POST['value'];
     urlencode($message)=$_POST['message'];
     $con = mysql_connect("localhost","db_host","xxxxxx");

         if (!$con)
         {
         die('Could not connect: ' . mysql_error());
         }

         mysql_select_db("aic_sms", $con);

     $result = mysql_query("SELECT phn_number FROM users WHERE message=$value");
     if($result){
     while($row = mysql_fetch_array($result)) {
         function sendSmsMessage($phn_number, $message)
        {
            $ch= curl_init();
        curl_setopt($ch, "http://10.0.0.15/process_sms/sendsms.php?recipient=$phn_number&msg=" . urlencode($message));
        curl_exec($ch);
        curl_close($ch);

           }
       }
    else {
       echo mysql_error();
   }
   }

   echo 'Message sent successfully';    



      mysql_close($con);
      ?>

Answer 1

Ok, first off you have a function within a loop this will cause the function tobe defined twice then kill your script, with functions you define them once then use the function name to execute the code within the function, also the actual curl function you are using wont work as your not setting the correct options.

Plus you should use prepared query's to execute SQL statements, as in your current script you are vulnerable to sql injection, someone malicious could post someval OR 1=1 this would cause mysql to return everything as 1=1 which is true.

Heres how you should perhaps do it and build appon it. Hope it helps

if($_SERVER['REQUEST_METHOD']=='POST' && !empty($_POST['value']) && !empty($_POST['message'])){

    $value  = $_POST['value'];
    $message= $_POST['message'];

    try {
        $dbh = new PDO("mysql:host=localhost;dbname=aic_sms", 'username', 'password');

        $stmt = $dbh->prepare("SELECT phn_number FROM users WHERE message=:message");

        /*** bind the paramaters ***/
        $stmt->bindParam(':message', $value, PDO::PARAM_STR);

        /*** execute the prepared statement ***/
        $stmt->execute();

        /*** fetch the results ***/
        while($row = $stmt->fetch())
        {
            $result[$row['phn_number']] = sendSmsMessage($row['phn_number'], $message);
        }
        //perhaps do somthing with the $result array
        echo 'Messages sent successfully';   
    }
    catch(PDOException $e)
    {
        die($e->getMessage());
    }
}else{
    //Show form or whatever
}


function sendSmsMessage($phn_number, $message){
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, "http://10.0.0.15/process_sms/sendsms.php?recipient=$phn_number&msg=" . urlencode($message));
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($curl, CURLOPT_TIMEOUT, 30);

    $html = curl_exec($curl);
    curl_close($curl);

    return $html;
}
?>