-
Oct 31st, 2005, 03:26 AM
#1
Allowing others to post comments via PHP
I would like to add posting of comments as a feature of my website. The problem is, I am worried I won't secure it correctly since I'm still new to PHP.
I tried a similar system hosted on a different database to see how it would work.
This is the function calling:
PHP Code:
add_comment(basic_formatter($_POST['id']), basic_formatter($_POST['name']), $_SERVER['REMOTE_ADDR'], basic_formatter($_POST['message']));
I use a function that formats the input:
PHP Code:
function basic_formatter($message)
{
    // replace the HTML-significant characters with their entities
    $message = str_replace(">", "&gt;", $message);
    $message = str_replace("<", "&lt;", $message);
    $message = str_replace("\"", "&quot;", $message);
    return nl2br($message);
}
and here is the part where we add our stuff to the database:
PHP Code:
function add_comment($post_id, $name, $ip, $message)
{
    connect();
    // the values are interpolated straight into the query string
    $result = mysql_query("INSERT INTO comments (post_id, name, ip, message) VALUES('$post_id', '$name', '$ip', '$message')");
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }
    header("Location: index.php?id=" . $post_id);
}
What do you think? Am I careful enough or am I lacking in security?
EDIT: I probably should have put this into the PHP forum. Sorry. Could someone please move it?
Last edited by Kasracer; Nov 10th, 2005 at 06:04 PM.
-
Oct 31st, 2005, 04:24 AM
#2
Re: Allowing others to post comments via PHP
There are a couple of steps which are unnecessary in the basic_formatter() function. Those three str_replace() lines can be replaced with the htmlspecialchars() function.
You should also use the mysql_escape_string() function to escape any meta characters, making your text safe for SQL queries. You only need to do this however, if magic quotes is on:
PHP Code:
function basic_formatter($message)
{
    $message = htmlspecialchars($message);
    // only escape for SQL ourselves when PHP's magic quotes have not already done so
    if (!get_magic_quotes_gpc()) {
        $message = mysql_escape_string($message);
    }
    return nl2br($message);
}
It looks secure enough to me, however, once you are done writing your script it would be wise to remove the mysql_error() call from your die() message, as error messages can be used to compromise the security of your script.
-
Oct 31st, 2005, 05:54 AM
#3
Re: Allowing others to post comments via PHP
-
Oct 31st, 2005, 07:12 AM
#4
Re: Allowing others to post comments via PHP
Thanks again. I got my solution working correctly: www.binaryidiot.com
-
Nov 4th, 2005, 10:37 AM
#5
Hyperactive Member
Re: Allowing others to post comments via PHP
Put spam protection in; if not, people will have fun with your site's comments. ^^
Born to help others
(If I've been helpful then please rate my post. Thanks)
call me EJ or be slapped! 
-
Nov 10th, 2005, 06:02 PM
#6
Re: Allowing others to post comments via PHP
 Originally Posted by EJ12N
put spam protection if not people will have fun with your site comments. ^^
I need to add this.
I am limiting the amount of characters someone can input, however, I'm not sure what else to do. How can I make sure they're on the page for, like, 20 seconds before posting? Or do you have other recommendations?
-
Nov 11th, 2005, 02:34 AM
#7
Hyperactive Member
Re: Allowing others to post comments via PHP
 Originally Posted by kasracer
I need to add this.
I am limiting the amount of characters someone can input, however, I'm not sure what else to do. How can I make sure they're on the page for, like, 20 seconds before posting? Or do you have other recommendations?
Yes, either save their IP and TIME in a file, or do it by MySQL.
Then in your script check if that IP has posted any messages in the last X minutes you want... additionally you can register a session variable or put a cookie,
something like $_SESSION['last_comment'] = time();
then in your script check for that... I hope you get the idea.
Born to help others
(If I've been helpful then please rate my post. Thanks)
call me EJ or be slapped! 
-
Nov 11th, 2005, 02:52 AM
#8
Re: Allowing others to post comments via PHP
The easiest thing you can do is to cast input like age to the appropriate data type in PHP. You can do this by using the cast operators like (int), (bool) and (float). Strings are a little more complicated because it depends what context you will be using them in.
To display the value inside HTML and not have it parsed, use htmlspecialchars(). If you want to include the value inside a database query, you should use one of the functions made available by the db abstraction functions you are using, e.g. mysql_escape_string() and pg_escape_string(). If you are using the value inside a regular expression you have preg_quote(), and if it is part of a shell command, use escapeshellcmd().
Whatever you are using the input for, it is very important that you know exactly what form the data is in before you apply it to the application.
Last edited by visualAd; Nov 11th, 2005 at 02:59 AM.
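The advice of posts #7 (per-session and per-IP timing checks) and #8 (cast integers, escape strings for the context they end up in), put together as an added example; this is not code from the thread. It assumes PHP 7+, a `created` integer column on the comments table that the original schema lacks, that the form handler sets `$_SESSION['form_shown'] = time()` when it renders the form, and that the caller has already looked up the IP's most recent post time from the table. PDO prepared statements stand in for the mysql_escape_string() approach in post #2, since the mysql_* functions no longer exist in current PHP.

```php
<?php
// Added example, not from the thread. Assumes: PHP 7+, a `created` integer
// column on `comments` (not in the original schema), and that the form page
// stored $_SESSION['form_shown'] = time() when it was rendered.

const MIN_SECONDS_ON_PAGE = 20;  // the poster's "on the page for 20 seconds"
const MIN_SECONDS_BETWEEN = 60;  // per-IP cooldown between accepted comments

// Post #7: reject if the form was never shown in this session, was shown too
// recently, or if this IP's last accepted post is too recent. Returns null
// when the post may proceed, otherwise a reason the caller can log.
function spam_reason(array $session, int $last_post_by_ip, int $now): ?string
{
    if (!isset($session['form_shown'])) {
        return 'no form was shown in this session';
    }
    if ($now - (int) $session['form_shown'] < MIN_SECONDS_ON_PAGE) {
        return 'posted too quickly after loading the page';
    }
    if ($now - $last_post_by_ip < MIN_SECONDS_BETWEEN) {
        return 'this IP posted within the cooldown period';
    }
    return null;
}

// Post #8: the id is an integer, so cast it; strings are length-limited here
// but NOT escaped, because escaping belongs to the context they end up in.
function add_comment(PDO $db, array $post, string $ip, int $now): int
{
    $post_id = (int) ($post['id'] ?? 0);
    $name    = mb_substr(trim($post['name'] ?? ''), 0, 40);
    $message = mb_substr(trim($post['message'] ?? ''), 0, 2000);
    if ($post_id <= 0 || $name === '' || $message === '') {
        throw new InvalidArgumentException('missing or invalid fields');
    }
    // SQL context: values are bound as parameters, never interpolated.
    $stmt = $db->prepare('INSERT INTO comments (post_id, name, ip, message, created) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$post_id, $name, $ip, $message, $now]);
    return (int) $db->lastInsertId();
}

// HTML context: escape at render time so the stored text stays raw and the
// same value could later be emitted safely into a different context.
function render_comment(string $name, string $message): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($name) . '</b><br>' . nl2br($esc($message)) . '</p>';
}
```

Because the SQL parameters are bound and HTML escaping happens only on output, the stored comment is never double-escaped, which is what the htmlspecialchars() + mysql_escape_string() combination in post #2 would do.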