onthespot Posted July 6, 2009

Hey. I have made a table called comments, which has 4 fields (fromuser, touser, comment, commentdate). I have then added a form on each user profile for a comment to be added.

    <form action="comment.php" method="POST">
    <p>Comment<input type="text" name="comment">
    <input type="submit" name="submit" value="Add Comment">
    </form>

I have then made the following comment.php

    include("include/sesh.php");
    $from=$_SESSION['username'];
    $to=$_GET['user'];
    $comment=$_POST['comment'];

    function addComment($from, $to, $comment){
        $query="INSERT INTO comments VALUES ('$to','$from','$comment', now())");
        return mysql_query($query);
    }

The include file has the session starter, and has the username session there. The GET I am using is based upon there being ?user=username in the URL, on the initial page the form was on. This isn't working, I think I have just got it completely wrong, would appreciate some guidance here.

Link to comment: https://forums.phpfreaks.com/topic/164948-solved-user-profile-comments/

elis Posted July 6, 2009

It looks like you've defined the function to add the comment into the database, but aren't actually using the function anywhere. (Unless it's used later on in your script.)

onthespot Posted July 6, 2009

Do I actually need the function? And I need to POST and GET on the initial form. POST the comment, but GET the username from the URL. Any ideas? What's request for?

elis Posted July 6, 2009

    <?php
    include("include/sesh.php");
    $from=$_SESSION['username'];
    $to=$_GET['user'];
    $comment=$_POST['comment'];
    $query="INSERT INTO comments VALUES ('$to','$from','$comment', now())");
    ?>

This should work. I don't know the entire specifics of your code but (ideally) it should work. You need to sanitize your $_GET and $_POSTs to aid in preventing attacks on your site. You should also probably use an id in $_GET instead of the actual username, so that if a username contains spaces or other peculiar characters, or just for matching's sake, it's more uniform.

You also need to pass your username to the form or use a hidden post.

    <form action="comment.php?user=<?php=$_GET['user']?>" method="POST">
    <p>Comment<input type="text" name="comment">
    <input type="submit" name="submit" value="Add Comment">
    </form>

onthespot Posted July 6, 2009

Hey, I tried that, but I got a Parse error on the line where you were passing the user over.

    <form action="comment.php?user=<?php=$_GET['user']?>" method="POST">

That line! Any ideas? Oh and do you have a link where I can learn more about these attacks?

elis Posted July 6, 2009

Try

    <form action="comment.php?user=<?php echo $_GET['user']; ?>" method="POST">

And for the attacks: http://en.wikipedia.org/wiki/SQL_injection

onthespot Posted July 6, 2009

Well, got rid of the error, but got a new one on the $query line, it's just not having it. Thanks for the Wikipedia page, will take a look.

onthespot Posted July 6, 2009

OK, not getting errors, but the database is not updating now! dammm!

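What elis's advice about sanitizing $_GET and $_POST looks like in code, as an added example that is not part of any post in this thread: the insert runs through a PDO prepared statement with an explicit column list, and the username is encoded before it is echoed into the form action. The helper names, the 500-character limit, the in-memory SQLite database standing in for the MySQL comments table, and the sample request values are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table stands in
// for the MySQL `comments` table so the script runs offline (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (fromuser TEXT, touser TEXT, comment TEXT, commentdate TEXT)');

// Hypothetical helper: bound parameters keep user input out of the SQL text,
// and the column list makes the from/to order explicit.
function addComment(PDO $db, string $from, string $to, string $comment): bool
{
    $comment = trim($comment);
    // Reject empty or oversized input before touching the database.
    if ($from === '' || $to === '' || $comment === '' || strlen($comment) > 500) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO comments (fromuser, touser, comment, commentdate)
         VALUES (:fromuser, :touser, :comment, CURRENT_TIMESTAMP)'
    );
    // execute() is what actually sends the row to the database.
    return $stmt->execute([':fromuser' => $from, ':touser' => $to, ':comment' => $comment]);
}

// Hypothetical helper: builds the form's action attribute. rawurlencode() makes
// the name safe inside the query string; htmlspecialchars() makes it safe in HTML.
function commentFormAction(string $user): string
{
    return htmlspecialchars('comment.php?user=' . rawurlencode($user), ENT_QUOTES, 'UTF-8');
}

// Constructed sample request values, including input that tries to break out
// of the SQL string and out of the HTML attribute.
$session = ['username' => 'alice'];
$get     = ['user' => 'bob "><script>'];
$post    = ['comment' => "nice'); DROP TABLE comments; --"];

var_dump(addComment($db, $session['username'], $get['user'], $post['comment']));

// With bound parameters the comment text is stored as data, not run as SQL.
foreach ($db->query('SELECT fromuser, touser, comment FROM comments') as $row) {
    echo $row['fromuser'], ' -> ', $row['touser'], ': ', $row['comment'], "\n";
}
echo '<form action="', commentFormAction($get['user']), '" method="POST">', "\n";
```

When stored comments are later printed on a profile page, they need the same htmlspecialchars() treatment, since a prepared statement protects only the query and not the HTML output.
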
This topic is now archived and is closed to further replies.