Should I let users add comments without logging in?

[man5]

As long as it's SQL injection proof, would it be alright for me to let non-members add comments to a post and give the Author the ability to delete them?

 

 

[fastsol]

Why not?  It all depends on the content of the site I guess and if you think yo need personal info on the commenter.  I have a setting on mine to allow comments if not logged in, or change it at any time to disallow.

[Jacques1]

How do you know that a user which is not logged in owns a particular comment and is allowed to delete it? I mean, you don't want arbitrary users to delete arbitrary comments, right?

[man5]

I ment the Author of the Post is allowed to delete any comment that is posted under his Post. 

 

The concept is for other users to rate and review/comment on a Business profile. I rather not have it so that an average Joe that goes on the website to have to register to leave a comment or rate the business.  Then again it might be a good idea for a Business to remove any comment they desire, just their own. I might give them an option to report it though.

[ginerjm]

If a user provides no credentials to post a comment, how do you know which previous comments are his?

[man5]

If a user provides no credentials to post a comment, how do you know which previous comments are his?

 

Ah but they do. When users posts a comment, they are required to give a name and email address.  The comments will be displayed by the name and the comment.

[ginerjm]

So - in effect - the users are "logging in", no?

[requinix]

Ah but they do. When users posts a comment, they are required to give a name and email address.  The comments will be displayed by the name and the comment.

They have to give a name and email. You don't know if it's actually theirs, nor if it's even real.

 

Not requiring a log in means allowing anonymous comments. Do you want anonymous comments?

[man5]

Yes I suppose you can call it anonymous comments.  The given name and email can be not theirs of course.  The point of this exercise is to make it fast and easy user experience for non-members. As long as I use prepared statements for binding and escape the outputs, I should be good. Any further security details can come at a later date considering if the website is growing.

[requinix]

Unsolicited advice:

 

Don't allow businesses to delete comments. Otherwise they'll delete the ones they don't like and your site will get a bad reputation for it. Let people and businesses report comments for spam or bad language or whatever, then have trusted users (moderators) decide.

[man5]

Unsolicited advice:

 

Don't allow businesses to delete comments. Otherwise they'll delete the ones they don't like and your site will get a bad reputation for it. Let people and businesses report comments for spam or bad language or whatever, then have trusted users (moderators) decide.

 

 

My mistake on the typo; that's what I ment in my other post. I will not allow a business to delete comments in their own profile/post, unless it's their own comment.

[davidannis]

If you allow anonymous comments make sure that you don't allow links or you'll be overrun with postings by bots and spammers.