
Thread: Submit Comment

  1. #1
    Join Date
    Mar 2009
    Posts
    42
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Submit Comment

    Hi all,

    I have been working on my comments form which posts data to mysql db, redirects to thank you page, then after 2-3 seconds redirects back to the comments page. This works fine.

    The issue I'm having here is that users must fill in the mandatory fields (name, comment). I have made an attempt, but once I press the submit button it bounces straight to the thank you page, then redirects to the comments page with the comment displayed but with no data?

    Any ideas, help and suggestions really appreciated. Below is the source.

    Thanks, John.


    PHP Code:
    <?php
    // query db and print from database

    $sql = "SELECT ID, Name, Email, Time, Comment, DATE_FORMAT(Time, 'Posted %d-%m-%y at %H:%i:%s') as Time FROM `comments` ORDER BY ID DESC"; // from comments get ID

    if ($result = mysql_query($sql)) {
        if (mysql_num_rows($result)) {
            while ($row = mysql_fetch_assoc($result)) {
                echo "<h4>" . "From: " . $row['Name'] . "<small>" . $row['Time'] . "</small>" . "</h4><br>";
                echo "<p>" . $row['Comment'] . "</p>";
            }
        }
    } else {
        echo "Something is wrong!";
    }
    ?>

    <div class="comment">

    <?php
    //initialize PHP
    if ($_POST['submit']) //If submit is hit
    {
        //convert all the posts to variables:
        $name    = $_POST['name'];
        $email   = $_POST['email'];
        $comment = $_POST['comment'];

        //Insert the values into the correct database with the right fields
        //mysql table = news
        //table columns = id, title, message, who, date, time
        //post variables = $title, $message, '$who, $date, $time
        $result = MYSQL_QUERY("INSERT INTO comments (ID,Name,Email,Comment)" . "VALUES ('NULL', '$name', '$email', '$comment')");

        //confirm
        header("Location: thank_you.php");
    }
    ?>


    <?php // insert timestamp into 'Time'
    $query_autodate = "INSERT INTO comments (Time) VALUE ('TIMESTAMP: Auto CURDATE()', CURDATE() )"; ?>

    <?php
    // list expected fields
    $expected = array('name', 'email', 'comment');
    // set required fields
    $required = array('name', 'email', 'comment');
    // create empty array for any missing fields
    $missing = array();

    // process the $_POST variables
    foreach ($_POST as $key => $value) {
        // assign to temporary variable and strip whitespace if not an array
        $temp = is_array($value) ? $value : trim($value);
        // if empty and required, add to $missing array
        if (empty($temp) && in_array($key, $required)) {
            array_push($missing, $key);
        }
        // otherwise, assign to a variable of the same name as $key
        elseif (in_array($key, $expected)) {
            ${$key} = $temp;
        }
    }

    // go ahead only if all required fields OK
    if (empty($missing)) {
        // build the message
        $message = "Name: $name\n\n";
        $message .= "Email: $email\n\n";
        $message .= "Comment: $comment\n\n";

        // limit line length to 70 characters
        $message = wordwrap($message, 70);

        // send it

        unset($missing);
    }
    ?>

        <form id="sendcomment" name="sendcomment" method="post" action="">

          <?php
          if (isset($missing) && in_array('name', $missing)) { ?>
          <span class="warning">Enter your name.</span>
          <?php } ?>

          <label><abbr title="Enter your name."><font color="#FF0000"><sup>*</sup></font>Name:</abbr>
            <input type="text" name="name" id="name" maxlength="35" />
          </label>

          <label><abbr title="Enter your email address.">Email:</abbr>
            <input type="text" name="email" id="email" maxlength="35"/>
          </label>

          <?php
          if (isset($missing) && in_array('comment', $missing)) { ?>
          <span class="warning">Enter your comment.</span>
          <?php } ?>

       <!-- <label><abbr title="Enter your contact no."><font color="#FF0000"><sup>*</sup></font>Tel.:</abbr>
            <input type="text" name="time" id="time" maxlength="25" /></label> -->

          <label><abbr title="Enter your comment."><font color="#FF0000"><sup>*</sup></font>Your Comment:</abbr></label>

           <textarea name="comment" id="comment" cols="0" rows="7"></textarea>

            <input type="submit" name="submit" id="submit" class="submit" value="Send" title="Send" />

            <input type="reset" name="reset" id="reset" class="reset" value="Reset" title="Reset" />

        </form>

  2. #2
    Join Date
    Sep 2008
    Location
    Bristol - UK
    Posts
    842
    Thanks
    32
    Thanked 132 Times in 131 Posts


    Much bigger problem on your hands that you should fix immediately is that at present your database is vulnerable to injection. If your site isn't live then this isn't as much of a problem, but it's a good habit to get into:

    PHP Code:
    $name = mysql_real_escape_string($_POST['name']);

    Do this for the rest of them too. Anything you're entering into your database should be escaped, or someone could really mess things up for you.

    Sorry this isn't the answer you were looking for but I thought I should point it out as it's quite a big security flaw.

    You'll only need to escape the variables that are entered from users, the other variables do not need to be.
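    Added example, not code from John or anyone else in this thread. It covers both points raised so far: post #1's ordering problem (check the required fields before touching the database, and only redirect after a successful insert) and post #2's injection problem, handled here with a prepared statement so user text never becomes part of the SQL string, rather than escaping each value by hand. It uses PDO with an in-memory SQLite database so it runs stand-alone from the command line; the MySQL DSN, the table layout and the sample posts are assumptions.

```php
<?php
// Added example, not code from this thread. Validate the required fields first,
// insert only valid comments with a prepared statement, and escape on output.
// PDO + in-memory SQLite is used so this runs stand-alone; for the thread's setup
// the DSN would be something like 'mysql:host=localhost;dbname=...' (assumption).

// Return the names of required fields that are empty or whitespace-only.
function validate_comment(array $post, array $required = ['name', 'comment']): array
{
    $missing = [];
    foreach ($required as $field) {
        $raw = $post[$field] ?? '';
        $value = is_array($raw) ? '' : trim((string) $raw);
        if ($value === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Insert one comment. Placeholders keep the user's text out of the SQL string,
// so a quote or a "--" in $comment is stored as data, not parsed as SQL.
function insert_comment(PDO $db, string $name, string $email, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (Name, Email, Comment, Time) '
        . 'VALUES (:name, :email, :comment, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

// Fetch comments newest first, as the original SELECT does.
function list_comments(PDO $db): array
{
    $stmt = $db->query('SELECT ID, Name, Email, Comment, Time FROM comments ORDER BY ID DESC');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape a stored value before echoing it into HTML, so a comment cannot
// inject markup into the page that lists it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// --- demo on constructed input (not real posts) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (ID INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT, Email TEXT, Comment TEXT, Time TEXT)');

$samples = [
    ['name' => '   ', 'email' => 'a@example.com', 'comment' => 'hello'],       // blank name: rejected
    ['name' => "O'Brien", 'email' => '', 'comment' => "it's 'quoted' -- ok"],   // quotes stored as-is
    ['name' => 'Jane', 'email' => 'j@example.com', 'comment' => ''],            // blank comment: rejected
];

foreach ($samples as $post) {
    $missing = validate_comment($post);
    if ($missing) {
        echo 'Rejected: missing ' . implode(', ', $missing) . "\n";
        continue;   // no database call, no redirect
    }
    $id = insert_comment($db, $post['name'], $post['email'], $post['comment']);
    echo "Stored comment #$id\n";
    // In the web page this is where header('Location: thank_you.php'); exit; belongs.
}

foreach (list_comments($db) as $row) {
    echo '<h4>From: ' . h($row['Name']) . ' <small>' . h($row['Time']) . '</small></h4>' . "\n";
    echo '<p>' . h($row['Comment']) . '</p>' . "\n";
}
```

    Run it with `php example.php`: the first and third sample posts are rejected without any database call, and the second is stored with its quotes intact because the driver sends the values separately from the statement text. In the real page, the redirect (`header()` followed by `exit`) goes right after a successful insert and before any HTML is echoed, and the listing at the top of the page would come from `list_comments()`.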

  3. #3
    Join Date
    Mar 2009
    Posts
    42
    Thanks
    18
    Thanked 0 Times in 0 Posts


    Hey Schmoopy,

    Thanks for pointing that out, I will implement into source asap!

    I need to find out more about injections.

    Thanks, John.

  4. #4
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5


    good beginner's security tutorials:

    http://www.aachen-method.com/
    http://www.addedbytes.com/php/writing-secure-php/

    At least, I thought they were a good introduction.

  5. #5
    Join Date
    Mar 2009
    Posts
    42
    Thanks
    18
    Thanked 0 Times in 0 Posts


    Thanks for the info traq, very useful.

    Thanks
