
Blog Comments on Submit

Posted: Mon Oct 02, 2006 4:37 pm
by seodevhead
I am building a custom blog script that functions almost exactly like WordPress or Movable Type... where people can read the blog and, directly beneath it, fill out a little form to add their own comments. Since each blog entry has a primary key (blog_id), and any comments for any particular blog must contain that blog_id so there is the association... how should I pass the blog_id back to the script for processing the comments when a visitor clicks the "submit comments" button?

Should I embed the blog_id within the form XHTML using a hidden input? I would think this would not be desirable since it could be easily forged and cause headaches for me upon moderation (i.e. a mal-intended user could post a whole bunch of comments with blog_ids that don't exist yet, etc.). The other option I can think of would be to pass it in a $_SESSION variable with the user. Less likely to be tampered with, but then again, I'd have to use sessions. Any other ideas?

What is your suggestion for passing blog_id back to the script for DB inserting the comments? What would you do? Thanks for your help.

Posted: Mon Oct 02, 2006 5:16 pm
by Maugrim_The_Reaper
What's wrong with using sessions?

I would just pass it back in a hidden form field. The core action here is posting a comment. A user's data is always suspect, so you can validate the id server side: check if the id exists, if it's within a moderation date range (many blogs automatically queue or deny posting comments to blog entries of a certain age), etc. Using a session to store the id might be workable too, but it seems a roundabout way. A user might open several entries in tabs, and reply to only one, i.e. the session id would not necessarily match, through no fault of the user.

Posted: Mon Oct 02, 2006 6:29 pm
by wtf
If you are inserting a new comment you should not need the blog ID.

edited:
ok... nevermind, new comment doesn't need an ID. :oops:

Re: Blog Comments on Submit

Posted: Tue Oct 03, 2006 7:42 pm
by shiflett
seodevhead wrote: "I would think this would not be desirable since it could be easily forged..."
Everything the user sends can be forged, but that just means we need to inspect it before we use it.

In your case, it sounds like blog_id is just an integer, so you can inspect it with something like ctype_digit() and also check to be sure that it's within a valid range.
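Putting Maugrim_The_Reaper's server-side checks (does the id exist, is the entry still open for comments) together with shiflett's ctype_digit() and range check, here is an added example of what the comment handler could look like. It is not code from the thread. It assumes a blog_entries table with blog_id and created_at columns, a comments table, an upper bound on ids of 1000000 and a 30-day comment window; the sample POST bodies are constructed, and an in-memory SQLite database via PDO is used so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Validates the blog_id that comes
// back in the hidden form field before it is used for the INSERT.
// Assumed schema: blog_entries(blog_id, created_at) and comments(blog_id, body).

const MAX_BLOG_ID      = 1000000; // assumed upper bound for ids on this site
const COMMENT_WINDOW_D = 30;      // assumed moderation window: older entries are closed

/**
 * Syntactic check on the raw form value. $_POST values are always strings.
 * ctype_digit() accepts only a non-empty string of 0-9, so "", "-7", "+7",
 * "1e3", "7 OR 1=1" and "12abc" all fail here. filter_var() then enforces the
 * numeric range and rejects overlong strings that would overflow an int
 * (it also rejects leading zeros such as "007", which our own forms never emit).
 */
function parseBlogId(string $raw): ?int
{
    if (!ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_BLOG_ID],
    ]);
    return $id === false ? null : $id;
}

/**
 * Semantic check against the database: the entry must exist and still be
 * open for comments. A prepared statement keeps the (already validated) id
 * out of the SQL text anyway.
 */
function findCommentableEntry(PDO $db, int $blogId, int $now): ?array
{
    $stmt = $db->prepare('SELECT blog_id, created_at FROM blog_entries WHERE blog_id = :id');
    $stmt->execute([':id' => $blogId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown id: forged, mistyped, or not published yet
    }
    if ($now - strtotime($row['created_at']) > COMMENT_WINDOW_D * 86400) {
        return null; // entry is older than the comment window
    }
    return $row;
}

/** Handles the "submit comments" POST and returns a short status string. */
function handleCommentSubmit(PDO $db, array $post, int $now): string
{
    $blogId = parseBlogId($post['blog_id'] ?? '');
    if ($blogId === null) {
        return 'rejected: blog_id is not a positive integer';
    }
    if (findCommentableEntry($db, $blogId, $now) === null) {
        return 'rejected: no such entry or comments are closed';
    }
    $body = trim($post['body'] ?? '');
    if ($body === '') {
        return 'rejected: empty comment';
    }
    $stmt = $db->prepare('INSERT INTO comments (blog_id, body) VALUES (:id, :body)');
    $stmt->execute([':id' => $blogId, ':body' => $body]);
    return "accepted for entry $blogId";
}

// Stand-alone demo with an in-memory SQLite database and constructed input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog_entries (blog_id INTEGER PRIMARY KEY, created_at TEXT NOT NULL)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, blog_id INTEGER NOT NULL, body TEXT NOT NULL)');

$now = time();
$ins = $db->prepare('INSERT INTO blog_entries (blog_id, created_at) VALUES (:id, :at)');
$ins->execute([':id' => 7, ':at' => date('Y-m-d H:i:s', $now - 2 * 86400)]);   // fresh entry
$ins->execute([':id' => 8, ':at' => date('Y-m-d H:i:s', $now - 400 * 86400)]); // stale entry

$samples = [ // constructed POST bodies, as they would arrive in $_POST
    ['blog_id' => '7',                    'body' => 'Nice post.'],
    ['blog_id' => '9',                    'body' => 'Entry 9 does not exist yet.'],
    ['blog_id' => '8',                    'body' => 'Entry 8 is past the comment window.'],
    ['blog_id' => '7 OR 1=1',             'body' => 'Not an integer at all.'],
    ['blog_id' => '-7',                   'body' => 'Negative.'],
    ['blog_id' => '99999999999999999999', 'body' => 'Would overflow an int.'],
];
foreach ($samples as $post) {
    printf("%-22s => %s\n", var_export($post['blog_id'], true), handleCommentSubmit($db, $post, $now));
}
```

The point of the two-stage check is that the hidden field does not need to be unforgeable: anything a visitor can type is rejected cheaply by parseBlogId() before the database is touched, and an id that is a well-formed integer but points at a missing or closed entry is rejected by findCommentableEntry(), so a flood of comments against blog_ids that "don't exist yet" never reaches the moderation queue.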