
I'm pretty new to PHP, and for that matter server scripting in general (so go easy on me),
but regardless of that I managed to create this, the first half of a comment system:

<html>
<body>
<form name="Comment" action="InsertComment.php" method="POST">
Name: <input type="text" name="name" /><br>
Comment: <br><textarea style="height: 100px; width: 600px;" name="comment"></textarea><br>
<input type="hidden" id="Special_ID" name="id" value="<?php $unixtime = time(); echo $unixtime; ?>">
<!--^Gathers a unique id^-->
<input type="submit" />
</form>
</body>
</html>

Once submitted -->

<?php
$con = mysql_connect("Blaa", "Blaa", "Blaa");
if(!$con) {
    die('Could not connect ' . mysql_error());
}
mysql_select_db("Comments", $con);
$sql = "INSERT INTO Posts (Name, Comment, ID)
VALUES('$_POST[name]', '$_POST[comment]', '$_POST[id]')";
mysql_query($sql, $con); // actually run the insert
?>

This is exactly what I wanted, a user puts in their name, a comment, and a unique post id (time stamp) is generated, then it is all sent to mysql.
But now I'm dumbfounded as to how I can post this to another page. I assumed something like:

if(ID == [the id of that post]) {
//$_GET the mysql stuff
//Post inside a specially made div or something
}

Along the lines of that, but I have no clue how to put that into practice :/ Any ideas? Oh, and please don't suggest an echo type post; I've done that and it's not at all what I want.

**Also this is just the basic code, I don't need suggestions on how to touch it up just yet; also, errors in this are only due to my sleep deprivation, the code does work.

  • Nice SQL Injection holes. Your time ID is NOT going to work - there's no guarantee that two different users won't load the form at the same time and get the same ID. Commented Nov 15, 2011 at 15:29
  • First remove the hidden field with the timestamp and change the ID column to a timestamp column with on update = current timestamp. Then add two more columns - ID of the comment (should be primary key with auto increment) and a page_id column. Next add the page_id as a hidden field in the form and use that in the mysql insert statement. Commented Nov 15, 2011 at 15:34

3 Answers

2

As @Marc B has said, you'll first want to fix your SQL injection holes using mysql_real_escape_string. Change your insert statement to

$sql = "INSERT INTO Posts (Name, Comment, ID)
        VALUES('" . mysql_real_escape_string($_POST['name']) . "', '" . mysql_real_escape_string($_POST['comment']) . "', '" . mysql_real_escape_string($_POST['id']) . "')";

To display your comment, try this

$sql = "SELECT Name, Comment, ID
        FROM Posts
        WHERE ID = '" . mysql_real_escape_string($_GET['PostID']) . "'";
$query = mysql_query($sql);

echo "<div id=\"comments_container\">";
while ($row = mysql_fetch_assoc($query))
{
    echo "<div class=\"comment\">";
    echo "<div class=\"name\">" . $row['Name'] . "</div>";
    echo "<div class=\"comment_body\">" . $row['Comment'] . "</div>";
    echo "</div>";
}
echo "</div>";

Then CSS style your DIVs using IDs and classes.
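The same insert-and-display flow, written as an added example (not code from the question or from this answer) with PDO prepared statements instead of string concatenation and escaping, using the schema the comment above suggests (server-generated auto-increment id plus a page_id, rather than a client-supplied timestamp). It uses an in-memory SQLite database so it runs offline; for MySQL you would swap the DSN and the DDL. Table and column names, and the sample comments, are assumptions.

```php
<?php
// Added example: prepared statements keep request values out of the SQL text,
// so neither injection nor mysql_real_escape_string comes into play.
// SQLite in memory is used here so the script runs stand-alone; for MySQL use
// a DSN such as "mysql:host=localhost;dbname=Comments" (assumed) and the DDL
// noted below.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Schema per the comment on the question: a server-generated primary key and a
// page_id column. MySQL equivalent of the id/timestamp columns:
//   id INT AUTO_INCREMENT PRIMARY KEY, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
$db->exec('CREATE TABLE Posts (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    page_id    INTEGER NOT NULL,
    name       TEXT    NOT NULL,
    comment    TEXT    NOT NULL,
    created_at TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
)');

// InsertComment.php equivalent: values are bound, never interpolated.
function insertComment(PDO $db, int $pageId, string $name, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO Posts (page_id, name, comment) VALUES (:page_id, :name, :comment)'
    );
    $stmt->execute([':page_id' => $pageId, ':name' => $name, ':comment' => $comment]);
    return (int) $db->lastInsertId();
}

// Display side: select the comments for one page by its page_id.
function fetchComments(PDO $db, int $pageId): array
{
    $stmt = $db->prepare(
        'SELECT id, name, comment, created_at FROM Posts WHERE page_id = :page_id ORDER BY id'
    );
    $stmt->execute([':page_id' => $pageId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rendering: stored text is untrusted, so it is escaped for HTML on output
// (echoing $row['Name'] raw, as the answer's loop does, lets a commenter inject markup).
function renderComments(array $rows): string
{
    $html = '<div id="comments_container">';
    foreach ($rows as $row) {
        $html .= '<div class="comment">'
               . '<div class="name">' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</div>'
               . '<div class="comment_body">' . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . '</div>'
               . '</div>';
    }
    return $html . '</div>';
}

// Constructed sample input standing in for $_POST / $_GET values, including a
// quote and some markup, the kinds of characters that break a concatenated query
// or the page that displays the result.
insertComment($db, 7, "O'Brien", "Quotes aren't a problem with bound parameters");
insertComment($db, 7, 'second user', '<b>markup is shown literally, not rendered</b>');
insertComment($db, 8, 'someone else', 'belongs to another page and is not listed');

// Validate the page id from the request as an integer before using it.
$pageId = filter_var('7', FILTER_VALIDATE_INT);   // e.g. $_GET['page_id'] in the real page
if ($pageId === false) {
    http_response_code(400);
    exit('bad page id');
}
echo renderComments(fetchComments($db, $pageId)), "\n";
```

The page id travels in the URL (`?page_id=7`) and is validated as an integer; the comment id itself is never taken from the client, so two users loading the form in the same second no longer collide. Output escaping is separate from query parameterisation: the first protects the HTML page, the second protects the database.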



0

Just an example using mysql_fetch_object

Please sanitize your $_GET data before inserting it into MySQL; this is a huge injection security flaw.

$id = mysql_real_escape_string($_GET['id']); // assumed: the request value, escaped before use
$sql = "SELECT * FROM Posts WHERE id='{$id}'";
$result = mysql_query($sql);
$obj = mysql_fetch_object($result);
if(is_object($obj))
{
    echo "Welcome " . $obj->Name;
}


0

A full length example is given here: http://manzur-ashraf.com/code/auto_commenting_system/Automatic_Commenting_System_and_Email_notification_using_PHP_and_MYSQL.htm

In addition to using a MYSQL database to store the comments, you can also post email to the admin about new comments.
