I am building a custom blog script that functions almost exactly like WordPress or Movable Type... where people can read the blog and directly beneath, fill out a little form to add their own comments. Since each blog entry has a primary key (blog_id), and any comments for any particular blog must contain that blog_id so there is the association... how should I pass the blog_id back to the script for processing the comments when a visitor clicks the "submit comments" button?
Should I embed the blog_id within the form xhtml using a hidden input? I would think this would not be desirable since it could be easily forged and cause headaches for me upon moderation (i.e. a mal-intended user could post a whole bunch of comments with blog_ids that don't exist yet, etc.). The other option I can think of would be to pass it in a $_SESSION variable with the user. Less likely to be tampered with, but then again, I'd have to use sessions. Any other ideas?
What is your suggestion for passing blog_id back to the script for DB inserting the comments? What would you do? Thanks for your help.
Blog Comments on Submit
seodevhead (Forum Regular; Posts: 705; Joined: Sat Oct 08, 2005 8:18 pm; Location: Windermere, FL)

Maugrim_The_Reaper (DevNet Master; Posts: 2704; Joined: Tue Nov 02, 2004 5:43 am; Location: Ireland)
What's wrong with using sessions?
I would just pass it back in a hidden form field. The core action here is posting a comment. A user's data is always suspect, so you can validate the id server side - check if the id exists, if it's within a moderation date range (many blogs automatically queue or deny posting comments to blog entries of a certain age), etc. Using a session to store the id might be workable too, but it seems a roundabout way. A user might open several entries in tabs, and reply to only one - i.e. the session id would not necessarily match and through no fault of the user.
Re: Blog Comments on Submit
seodevhead wrote:
I would think this would not be desirable since it could be easily forged...

Everything the user sends can be forged, but that just means we need to inspect it before we use it.
In your case, it sounds like blog_id is just an integer, so you can inspect it with something like ctype_digit() and also check to be sure that it's within a valid range.
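Putting both replies above into code: the following is an added example, not code from the thread or from any of its posters, of a PHP comment handler that reads blog_id from the hidden form field and inspects it server-side before anything touches the database, in the order the replies suggest: a ctype_digit() syntax check, a range check, an existence lookup for the entry, and the moderation date range. The entries/comments schema, the 30-day auto-queue window, the in-memory SQLite database and the sample submissions are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumed schema: an `entries` table with
// blog_id, published_at (ISO date) and comments_closed (0/1), and a `comments`
// table. The 30-day auto-queue window is an assumption.
const AUTO_QUEUE_AFTER_DAYS = 30;

/**
 * Inspect the blog_id a visitor submitted in the hidden field.
 * Returns ['ok' => true, 'blog_id' => int, 'status' => 'approved'|'queued']
 * or ['ok' => false, 'reason' => string].
 */
function validateBlogId(PDO $db, array $post, int $queueAfterDays = AUTO_QUEUE_AFTER_DAYS): array
{
    // Step 1: syntax. ctype_digit() accepts only "0".."9", so "", "-1", "1.5",
    // "1e3", " 7" and "1 OR 1=1" all fail here, before any SQL is built.
    $raw = $post['blog_id'] ?? null;
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return ['ok' => false, 'reason' => 'blog_id must be a string of digits'];
    }
    // Step 2: range. No leading zeros (so "007" is not an alias of 7, and 0 is
    // never a valid key) and short enough to fit a 64-bit integer.
    if ($raw[0] === '0' || strlen($raw) > 18) {
        return ['ok' => false, 'reason' => 'blog_id out of range'];
    }
    $id = (int) $raw;

    // Step 3: existence. A prepared statement, so the id is bound, never interpolated.
    $stmt = $db->prepare('SELECT published_at, comments_closed FROM entries WHERE blog_id = :id');
    $stmt->execute([':id' => $id]);
    $entry = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($entry === false) {
        return ['ok' => false, 'reason' => 'no such entry'];
    }
    if ((int) $entry['comments_closed'] === 1) {
        return ['ok' => false, 'reason' => 'comments are closed for this entry'];
    }

    // Step 4: moderation date range. Older entries still take comments, but the
    // comment is queued for review instead of being published immediately.
    $published = new DateTimeImmutable($entry['published_at']);
    $ageDays   = (new DateTimeImmutable('now'))->diff($published)->days;
    $status    = $ageDays > $queueAfterDays ? 'queued' : 'approved';

    return ['ok' => true, 'blog_id' => $id, 'status' => $status];
}

// Store the comment only after validateBlogId() has accepted the id.
function insertComment(PDO $db, int $blogId, string $author, string $body, string $status): int
{
    $stmt = $db->prepare('INSERT INTO comments (blog_id, author, body, status) VALUES (:b, :a, :t, :s)');
    $stmt->execute([':b' => $blogId, ':a' => $author, ':t' => $body, ':s' => $status]);
    return (int) $db->lastInsertId();
}

// --- Constructed sample data: an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (blog_id INTEGER PRIMARY KEY, published_at TEXT, comments_closed INTEGER)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, blog_id INTEGER, author TEXT, body TEXT, status TEXT)');
$seed = $db->prepare('INSERT INTO entries VALUES (:id, :published, :closed)');
$seed->execute([':id' => 1, ':published' => (new DateTimeImmutable('-3 days'))->format('Y-m-d'),   ':closed' => 0]);
$seed->execute([':id' => 2, ':published' => (new DateTimeImmutable('-400 days'))->format('Y-m-d'), ':closed' => 0]);
$seed->execute([':id' => 3, ':published' => (new DateTimeImmutable('-3 days'))->format('Y-m-d'),   ':closed' => 1]);

// Constructed form submissions, standing in for $_POST.
$submissions = [
    ['blog_id' => '1'],         // fresh entry: approved
    ['blog_id' => '2'],         // old entry: queued for moderation
    ['blog_id' => '3'],         // comments closed
    ['blog_id' => '9999'],      // forged id for an entry that does not exist
    ['blog_id' => '1 OR 1=1'],  // not digits: rejected before it reaches SQL
    ['blog_id' => '-1'],        // not digits either
    [],                         // hidden field missing entirely
];
foreach ($submissions as $post) {
    $result = validateBlogId($db, $post);
    if ($result['ok']) {
        $cid = insertComment($db, $result['blog_id'], 'visitor', 'Nice post', $result['status']);
        printf("blog_id=%s -> comment #%d stored as %s\n", $post['blog_id'], $cid, $result['status']);
    } else {
        printf("blog_id=%s -> rejected: %s\n", var_export($post['blog_id'] ?? null, true), $result['reason']);
    }
}
```

The order of the checks matters: the cheap syntactic checks run first and discard most garbage without a database round trip, and because the id is bound as a parameter rather than pasted into the query string, a forged value can at worst name an entry that does not exist, which the lookup then rejects. This is also why a hidden field works fine for the multi-tab case Maugrim_The_Reaper describes: each form carries the id of the entry it was rendered for, so nothing depends on which entry the visitor opened last.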