Blog Comments on Submit

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Blog Comments on Submit

Post by seodevhead »

I am building a custom blog script that functions almost exactly like WordPress or Movable Type... where people can read the blog and, directly beneath, fill out a little form to add their own comments. Since each blog entry has a primary key (blog_id), and any comment for a particular blog must contain that blog_id so there is the association... how should I pass the blog_id back to the script for processing the comments when a visitor clicks the "submit comments" button?

Should I embed the blog_id within the form XHTML using a hidden input??? I would think this would not be desirable since it could be easily forged and cause headaches for me upon moderation (i.e. a mal-intended user could post a whole bunch of comments with blog_ids that don't exist yet, etc.). The other option I can think of would be to pass it in a $_SESSION variable with the user. Less likely to be tampered with, but then again, I'd have to use sessions. Any other ideas??

What is your suggestion for passing blog_id back to the script for DB inserting the comments? What would you do? Thanks for your help.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

What's wrong with using sessions?

I would just pass it back in a hidden form field. The core action here is posting a comment. A user's data is always suspect, so you can validate the id server side - check if the id exists, if it's within a moderation date range (many blogs automatically queue or deny posting comments to blog entries of a certain age), etc. Using a session to store the id might be workable too, but it seems a roundabout way. A user might open several entries in tabs, and reply to only one - i.e. the session id would not necessarily match and through no fault of the user.
wtf
Forum Contributor
Posts: 331
Joined: Thu Nov 03, 2005 5:27 pm

Post by wtf »

If you are inserting a new comment you should not need the blog ID.

edited:
ok... nevermind, new comment doesn't need an ID. :oops:
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Blog Comments on Submit

Post by shiflett »

seodevhead wrote: I would think this would not be desirable since it could be easily forged...
Everything the user sends can be forged, but that just means we need to inspect it before we use it.

In your case, it sounds like blog_id is just an integer, so you can inspect it with something like ctype_digit() and also check to be sure that it's within a valid range.
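The checks Maugrim_The_Reaper and shiflett describe, as one added example (not code from the thread or from any of the posters): the hidden blog_id field is treated as untrusted, inspected with ctype_digit(), bounded, looked up with a prepared statement, and checked against a moderation age limit before the comment is inserted. The table layout, column names, the 30-day window and the sample rows are all constructed for the example; it uses an in-memory SQLite database so it runs offline.

```php
<?php
declare(strict_types=1);

// Assumed moderation rule: entries older than this many days no longer accept comments.
const MAX_COMMENT_AGE_DAYS = 30;

/**
 * Inspect a blog_id taken from the hidden form field.
 * Returns ['ok' => true, 'id' => int] or ['ok' => false, 'error' => string].
 * $now is passed in (a Unix timestamp) so the age check is deterministic.
 */
function validateBlogId(PDO $db, $raw, int $now): array
{
    // The field is user-controlled: it may be missing, an array, or any string.
    // Check is_string first; ctype_digit() interprets integers as ASCII codes.
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return ['ok' => false, 'error' => 'blog_id must be a positive integer'];
    }
    // Reject a leading zero (so "007" cannot alias 7) and lengths that could overflow an int.
    if ($raw[0] === '0' || strlen($raw) > 18) {
        return ['ok' => false, 'error' => 'blog_id out of range'];
    }
    $id = (int) $raw;

    // Existence check: the value is bound as a parameter, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT published_at FROM blog WHERE blog_id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['ok' => false, 'error' => 'no such blog entry'];
    }

    // Moderation window: refuse comments on entries older than the limit.
    $ageDays = ($now - (int) $row['published_at']) / 86400;
    if ($ageDays > MAX_COMMENT_AGE_DAYS) {
        return ['ok' => false, 'error' => 'comments are closed for this entry'];
    }
    return ['ok' => true, 'id' => $id];
}

// Insert the comment unapproved (approved = 0) so it lands in the moderation queue.
function insertComment(PDO $db, int $blogId, string $author, string $body, int $now): int
{
    $stmt = $db->prepare(
        'INSERT INTO comment (blog_id, author, body, created_at, approved)
         VALUES (:b, :a, :c, :t, 0)'
    );
    $stmt->execute([':b' => $blogId, ':a' => $author, ':c' => $body, ':t' => $now]);
    return (int) $db->lastInsertId();
}

// --- constructed sample schema and rows so the script runs stand-alone ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog (blog_id INTEGER PRIMARY KEY, title TEXT, published_at INTEGER)');
$db->exec('CREATE TABLE comment (comment_id INTEGER PRIMARY KEY AUTOINCREMENT,
           blog_id INTEGER, author TEXT, body TEXT, created_at INTEGER, approved INTEGER)');
$now = 1700000000;
$db->exec("INSERT INTO blog VALUES (7, 'Recent post', " . ($now - 2 * 86400) . ")");
$db->exec("INSERT INTO blog VALUES (3, 'Old post', " . ($now - 400 * 86400) . ")");

// Constructed submissions standing in for $_POST['blog_id'] from the comment form.
$submissions = ['7', '3', '999', '-1', '007', '7 OR 1=1', '', ['7']];
foreach ($submissions as $raw) {
    $label = is_array($raw) ? 'array' : var_export($raw, true);
    $result = validateBlogId($db, $raw, $now);
    if ($result['ok']) {
        $cid = insertComment($db, $result['id'], 'visitor', 'hello', $now);
        echo "$label -> accepted, comment #$cid queued for moderation\n";
    } else {
        echo "$label -> rejected: {$result['error']}\n";
    }
}
```

Of the sample submissions only '7' is accepted; '3' fails the age window, '999' does not exist, and the rest never pass the ctype_digit() and range checks. The existence and age checks are what make the hidden field safe to trust: forging a blog_id only ever yields a rejection, not a stray comment in the moderation queue.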