Allowing others to post comments via PHP

**Kasracer** · Oct 31st, 2005, 03:26 AM

I would like to add posting of comments a feature of my website. The problem is, I am worried I won't secure it correctly since I'm still new to PHP.

I tried a similiar system hosted on a different database to see how it would work.

This is the function calling:

PHP Code:


add_comment(basic_formatter($_POST['id']), basic_formatter($_POST['name']), $_SERVER['REMOTE_ADDR'], basic_formatter($_POST['message']));

I use a function that formats the input:

PHP Code:


function basic_formatter($message)

{

    $message = str_replace(">", "&gt;", $message);

    $message = str_replace("<", "&lt;", $message);

    $message = str_replace("\"", "&quot;", $message);

    return nl2br($message);

}

and here is the part where we add our stuff to the database:

PHP Code:


function add_comment($post_id, $name, $ip, $message)

{

    connect();

    $result = mysql_query("INSERT INTO comments (post_id, name, ip, message) VALUES('$post_id', '$name', '$ip', '$message')");

    if (!$result) {

        die('Invalid query: ' . mysql_error());}

    header("Location: index.php?id=".$post_id);

}

What do you think? Am I careful enough or am I lacking in security?

EDIT: I probably should have put this into the PHP forum. Sorry. Could someone please move it?

Thread: Allowing others to post comments via PHP

Thread Tools

Display

Threaded View

Allowing others to post comments via PHP

Posting Permissions