eom12 Posted August 29, 2012

I built simple code for a comment system; the code is here: http://pastebin.com/GKutv7u2

Now the question is how I can extend my knowledge in that (tutorials, and more). Thanks and good day.

scootstah Posted August 29, 2012

I guess you're looking for critique or problems, so here is my review:

    $connect = mysql_connect ('localhost', 'root', '') or die (mysql_error);
    mysql_select_db ('chatsystem') or die (mysql_error);

If you had error reporting, you would see two errors here for undefined constants. mysql_error() is a function, not a constant. Also, you shouldn't be echo'ing out the mysql_error() here, because you will potentially leak part of your database credentials to the public. Instead, you should use the error-suppression operator (@) and create your own error. Using the error-suppression operator means that under no circumstances will mysql_connect() output anything to the screen if it fails.

    $connect = @mysql_connect ('localhost', 'root', '') or die ('could not establish database connection');
    mysql_select_db ('chatsystem') or die ('could not establish database connection');

    $name = $_GET['name'];
    $comments = $_GET['comments'];

Again, if you had error reporting on and tried viewing this page without those indices in the URL you would get an "undefined index" error. You can also remove if ($name&&$comments){ and do it this way:

    if (!empty($_GET['name']) && !empty($_GET['comments'])) {
        $name = $_GET['name'];
        $comments = $_GET['comments'];

    $query = mysql_query ('SELECT * FROM comments');

You don't appear to be doing anything else with the data returned from this query. Why is this here?

    $posted = mysql_query ("INSERT INTO comments VALUES ('', '$name', '$comments')");

You are now using unsanitized input in your database query, which could lead to SQL injection or query failure due to illegal characters (such as quotes). ALL user input needs to be escaped before using it with a database. The only exception is if the column type is an integer or float, you can type cast the input to those data types first, which will strip any non-int characters.

So, change your variable declarations to:

    $name = mysql_real_escape_string($_GET['name']);
    $comments = mysql_real_escape_string($_GET['comments']);

    }else {
    echo "please leave comment click <a href='index.php'>here</a> to back";
    }

This "error" isn't really descriptive of what went wrong (missing or empty "name" or "comments" from the query string).

    echo $rows;

This is going to result in "Array". Why is this here?

Also, consider using POST instead of GET. GET is used for GETting things, POST is used for POSTing things.
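
Added example, not part of the thread or of either poster's code: the review's points (generic connection error, checking both fields, POST-style input, no raw input in the query text) combined in one handler. It uses PDO prepared statements in place of mysql_real_escape_string(), because the mysql_* extension was removed in PHP 7; the column names, the postComment() helper and the in-memory SQLite database are assumptions so the script runs offline.

```php
<?php
// Assumed schema: comments(id, name, comments). SQLite in memory is used only so
// this runs offline; for MySQL change the DSN, e.g. 'mysql:host=localhost;dbname=chatsystem'.

function connect(): PDO
{
    try {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE comments (
            id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, comments TEXT)');
        return $pdo;
    } catch (PDOException $e) {
        // Keep the detail in the server log; visitors see only a generic message.
        error_log($e->getMessage());
        exit('could not establish database connection');
    }
}

// Hypothetical helper: returns validation errors and inserts only when there are none.
function postComment(PDO $pdo, array $input): array
{
    $errors = [];
    foreach (['name', 'comments'] as $field) {
        $value = $input[$field] ?? null;
        // Reject missing keys, array-valued fields (name[]=x) and blank strings.
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "missing or empty \"$field\"";
        }
    }
    if ($errors === []) {
        // Placeholders keep the values out of the SQL text, so quotes cannot break the query.
        $stmt = $pdo->prepare('INSERT INTO comments (name, comments) VALUES (?, ?)');
        $stmt->execute([$input['name'], $input['comments']]);
    }
    return $errors;
}

$pdo = connect();
// Constructed sample requests standing in for $_POST.
$samples = [
    ['name' => "O'Brien", 'comments' => 'it\'s "working"'],
    ['name' => 'nobody'],                        // "comments" key absent
    ['name' => ['a'], 'comments' => 'array in name'],
];
foreach ($samples as $post) {
    $errors = postComment($pdo, $post);
    echo $errors ? 'rejected: ' . implode(', ', $errors) : 'saved', PHP_EOL;
}
echo $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn(), ' row(s) stored', PHP_EOL;
```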

eom12 Posted August 29, 2012

Thank you! Do you have any tutorials that explain how to build a system like that?

scootstah Posted August 29, 2012

A system like what?

eom12 Posted August 29, 2012

like that.. in the first post

Barand Posted August 29, 2012

I'm guessing but you can probably use Google just as easily as we can.

eom12 Posted August 30, 2012

Do you have any website where you have systems to download? I'm not finding any..

scootstah Posted August 30, 2012

Again, what kind of "system" are you looking for?

Jessica Posted August 30, 2012

I think he wants something to handle comments?

eom12 Posted September 3, 2012

yes.. thanks

trq Posted September 3, 2012

Try Google. This site is for help with code, not help looking for code.