PHP - Echo

Here's an idea... Why not validate this client side before you allow the user to submit the form? For example, when a user accesses this page, in the response, include a hidden input element that stores the username.

When the user clicks on the submit button, check to see if the value of the "mailTo" input element is the same value that you are storing in the hidden input element. If they match, do not allow the user to submit the form.

You can easily accomplish this via JavaScript, even easier if you are already including the jQuery library on your page.

You can do this in the form validation process once the form has been submitted. Seen as you're using the HTTP POST method, you can access the values of all named form parameters through the $_POST superglobal array. Here's a quick example:

<?php

if(isset($_POST['mailAction'])) { // check if the form has been submitted
    if(!empty($_POST['mailTo'] && $_POST['mailTo'] !== $session->username) {
        // continue form validation here
    }
}

@JorgeM, client-side validation (alone, at least) is never a good idea because of how easily it can be bypassed.

I echo (no pun intended) JorgeM's suggestion, that you start with client-side validation, but back it up with server-side validation.

jQuery flavour:

<script>
    var username = '<?php echo $_SESSION['username'];?>'; //you may need to escape single quotes with .replace()
    $('#to').change(function() {
      if(this.val() == username){
          ...do something...
      }
    });
</script>

That's off the top of my head and not thought out clearly, but I hope you get the idea.

I'd agree with approaching this with client-side validation such as what diafol mentions. Additionally, you can implement a similar check serverside such as what you have in your first post to prevent clients that may bypass the javascript routines and attempt to submit directly.

<?php
   include("include/session.php");
   if(!$session->logged_in){
            die;
   }

?>
<a href='../main.php'>Return</a>
   <h1>Messaging System</h1>
   <form method="POST" action="mail.php">
      <input type="submit" name="mailAction" value="Compose" /><input type="submit" name="mailAction" value="Inbox" />
   </form>

<?php

   if(!empty($_POST['mailAction']) && isset($_POST['mailAction'])){
      $action = $_POST['mailAction'];
   } else {
      $action = 'Inbox';
   }



   if(($action=="Compose") || ($action=="Reply")) {

      if(isset($_POST['mailSubject']) && !empty($_POST['mailSubject'])){
         $mailSubject = 'Re: '.$_POST['mailSubject'];
      } else {
         $mailSubject = "";
      }

      if(isset($_POST['mailFrom']) && !empty($_POST['mailFrom'])){
         $mailTo = $_POST['mailFrom'];
      } else {
         $mailTo = "";
      }

      ?>

   <form action="mail.php" method="POST"> 
            <table border="0">
           <tr><td><b>To:</b></td><td><input type="text" name="mailTo" size="20" value="<? ; ?>"></td></tr>
      <tr><td><b>Subject:</b></td><td><input type="text" name="mailSubject" size="20" value="<?=$mailSubject;?>"></td></tr>
            </table>
                <b>Message:</b><br>
                <textarea rows='16' cols='45' name='mailMessage'></textarea><br>
                <input type="submit" name="mailAction" value="Send" />
   </form>

<?php
   }


   if($action=="Send") {

      if(empty($_POST['mailSubject']) || !isset($_POST['mailSubject'])){
         echo "Subject Blank";
      } else {
         $subject = $_POST['mailSubject'];
      }

      if(empty($_POST['mailTo']) || !isset($_POST['mailTo'])){
         echo "To Blank";
      } else {
         $mailTo = $_POST['mailTo'];
      }

      if(empty($_POST['mailMessage']) || !isset($_POST['mailMessage'])){
         echo "Message Blank";
      } else {
         $message = $_POST['mailMessage'];
      }

      $date = date('m/d/Y')." at ".date('g:i.s')." ".date('a');

      $q   = "INSERT INTO mail (UserTo, UserFrom, Subject, Message, SentDate, status)
                  VALUES ('$mailTo','$session->username','$subject','$message','$date','unread')";
      if(!($send = $database->query($q))){
         echo "A letter could not be sent to ".$mailTo."!";
      } else {
         echo "Message Sent to ".$mailTo."!";
      }

   }


   if($action=="Inbox") {

      $user = $session->username;
      $q = "SELECT * FROM mail WHERE UserTo = '$user' ORDER BY SentDate DESC";
      $getMail = $database->query($q) or die(mysql_error());

      echo "<div id=\"inbox\">";

      if(mysql_num_rows($getMail) == 0){
         echo "<p>You haven't got any mail.</p><br /><br />";
      } else {         
         ?>
         <table>
            <tr class="title">
               <td colspan="2" align="center">Action</td>
               <td>Status</td>
               <td>From</td>
               <td>Subject</td>
               <td>Time</td>
            </tr>
         </div>
         <?php
         while($mail = mysql_fetch_array($getMail)){
         echo "<form action='mail.php' method='post'>";
            ?>
               <tr>
                  <input type="hidden" name="mail_id" value="<?php echo $mail['mail_id']; ?>" />
                  <td align="center"><input type="submit" name="mailAction" value='View' /></td>
                  <td align="center"><input type="submit" name="mailAction" value="Delete" /></td>
                  <td align="center"><input type="submit" name="mailAction" value="Delete All" /></td>
                  <td><?php echo $mail['status']; ?></td>
                  <td><?php echo $mail['UserFrom']; ?></td>
                  <td><?php echo $mail['Subject']; ?></td>
                  <td><?php echo $mail['SentDate']; ?></td>
               </tr>
            <?php
         echo "</form>";

         }
      }         
      echo "</table>";

   }


   if($action == "View") {


      $mail_id = $_POST['mail_id'];
      $user = $session->username;
      $result = $database->query("SELECT * FROM mail WHERE UserTo = '$user' AND mail_id = '$mail_id'") or die ("cant do it");
      $row = mysql_fetch_array($result);


      if($row['UserTo'] != $session->username) {
         echo "<font face=verdana><b>This isn't your mail!";
         exit;
      }

      $q = "UPDATE mail SET status='read' WHERE UserTo='$session->username' AND mail_id='$row[mail_id]'";
      $database->query($q) or die("An error occurred resulting that this message has not been marked read.");

      ?>
         <form method="post" action="mail.php">
            <div id="single">
               <p class="grid_1">From: </p><p class="grid_2"><?php echo $row['UserFrom']; ?><input type="hidden" name="mailFrom" value="<?php echo $row['UserFrom']; ?>" /></p>
               <p class="grid_1 clear">Subject: </p><p class="grid_2"><?php echo $row['Subject']; ?><input type="hidden" name="mailSubject" value="<?php echo$row['Subject']; ?>" /></p>
               <p class="grid_4 clear">body: <br /><?php echo $row['Message']; ?><br /></p>
               <p class="grid_4 clear" align="right"><input type="submit" name="mailAction" value="Reply" /></p>
            </div>
         </form>
      <?php
   }


   if($action == 'Delete') {
      $id = $_POST['mail_id'];
      $query = $database->query("DELETE FROM mail WHERE mail_id='$id' LIMIT 1");

      if(!$query) {
         echo "The message wasn\'t deleted";
      } else {
         echo "The message was successfully deleted";
      }
   }
if($action == 'Delete All') {
      $id = $_POST['mail_id'];
      $query = $database->query("DELETE FROM mail ");

      if(!$query) {
         echo "Your message's weren\'t deleted";
      } else {
         echo "All of your messages were successfully deleted";
      }
   }
?>

Thats the script for the whole page.

Thats the script for the whole page.

So you're solved?

Yeah, I haven't added it yet. But, I finally figured it out. Thank You for all the people that helped me.