In order to add a comment, my script needs to know:
1.) Which Article (i.e. “articleID”) are we commenting on?
2.) Who (i.e. “memberID”) is making the comment?
3.) What is the Comment (i.e. from form itself)?
4.) What is the URL (i.e. “returnToPage”) where we were originally at?
Up until now, I have been relying on $_SESSION but I’m wondering if using the Query String or something else would be better or safer?!
If “add_comment.php” doesn’t have an “articleID” and “memberID” then it can’t insert a record since these are required key values, so these values must be there.
The way I have things drawn out on paper - which you can’t see - is that at “article.php” we establish the “articleID” and then when the user logs in on “log_in.php” we capture the “memberID” and then when we arrive at “add_comment.php” we should have everything we need to add a comment (i.e. articleID, memberID, comment) and take the user back to the original Article page they just commented on (i.e. “returnToPage”).
Then you could get what you want with the method AnthonySterling has suggested above, but I would avoid the GET method at all costs because it is vulnerable to hacker attacks. It’s okay as long as your SESSION values are not sensitive data.
For the hidden method, if facebook.com prefers to use it, there is no reason to deny it.
You can check about that by viewing the source code of facebook login page.
The benefit of using a session is that you can continue passing the data between pages even when there isn’t a form.
The benefit to passing fields as hidden values in a form is that all the values are in the final form when it is submitted and not just those entered on the current page so the script processing the form doesn’t have to look at session variables as well.
Security isn’t an issue with any of the alternatives as they are all equally (in)secure. Session and post variables are just as vulnerable to hackers as get variables are.
If I am not wrong, you want to grab the SESSION values from article.php and pass them through log_in.php and then add_comment.php, right? The above trick would always work, because the button you mentioned is part of a form too.
Here’s the idea.
You pass these values to log_in.php using the trick above:
$_SESSION['articleID'] = $articleID;
$_SESSION['pageTitle'] = $pageTitle;
Then pass them through the add_comment.php.
BTW, you have to check whether the session value is being passed in the first place.
This is easy to achieve. I don’t know how you grab the ArticleID and the MemberID and the associated values for a path leading to your article. Once you get them you can easily pass them all through the form.
On comment.php you can grab all the values with:
$memberID = $_POST['MemberID'];
and so on…
After inserting all the data into the database you can redirect the user back to where they came from with:
header('Location: ' . $page . '.php?articleID=' . $articleID);
exit; // stop the script; nothing after a redirect header should run
There is no need for human interference; let PHP do its job.
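As an added example (not the thread's own code) of the session hand-off described above: article.php records the validated articleID in the session, log_in.php is assumed to set $_SESSION['memberID'] after a successful login and send the member on to add_comment.php, and add_comment.php takes both ids from the session and only the comment text (plus an anti-CSRF token) from the form, inserts with a prepared statement and redirects back to the article. The $pdo connection, the table and column names and the 4000-character limit are assumptions.

```php
<?php
// Added example, not code from the thread. Two files shown one after the other.
// Assumed: a PDO connection in $pdo, tables article(articleID) and
// comment(articleID, memberID, commentText, createdAt), and that log_in.php
// sets $_SESSION['memberID'] after a successful login and then sends the
// member on to add_comment.php.

// ---------- article.php: remember which article the visitor is reading ----------
session_start();
$articleID = filter_input(INPUT_GET, 'articleID', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($articleID === null || $articleID === false) {
    http_response_code(404);
    exit('No such article');
}
// Only the server-validated id goes into the session; the browser never sees it again.
$_SESSION['articleID'] = $articleID;
// ... render the article and its "Log In" button (a link to log_in.php) ...

// ---------- add_comment.php: both ids must already be in the session ----------
session_start();
if (empty($_SESSION['memberID'])) {       // not logged in, or the session expired
    header('Location: log_in.php');
    exit;
}
if (empty($_SESSION['articleID'])) {      // came here directly: nothing to attach to
    header('Location: index.php');
    exit;
}
$memberID  = (int) $_SESSION['memberID'];
$articleID = (int) $_SESSION['articleID'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The form is the only thing the browser supplies, so it is the only thing checked.
    $token = $_POST['csrf'] ?? '';
    if (empty($_SESSION['csrf']) || !is_string($token)
        || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Form token mismatch');
    }
    $comment = is_string($_POST['comment'] ?? null) ? trim($_POST['comment']) : '';
    if ($comment === '' || mb_strlen($comment) > 4000) {
        http_response_code(400);
        exit('Comment must be between 1 and 4000 characters');
    }
    // Prepared statement: the comment text is bound as data, never spliced into SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO comment (articleID, memberID, commentText, createdAt)
         VALUES (:articleID, :memberID, :commentText, NOW())'
    );
    $stmt->execute([
        ':articleID'   => $articleID,
        ':memberID'    => $memberID,
        ':commentText' => $comment,
    ]);
    unset($_SESSION['articleID']);   // done with this article; do not let a stale id linger
    header('Location: article.php?articleID=' . $articleID);
    exit;
}

if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));   // one anti-CSRF token per session
}
?>
<form method="post" action="add_comment.php">
  <input type="hidden" name="csrf"
         value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="comment" required maxlength="4000"></textarea>
  <button type="submit">Add comment</button>
</form>
```

Because add_comment.php accepts a POST from any logged-in browser, the token is what stops a third-party page from posting a comment on the member's behalf; the session alone does not. The login code should also call session_regenerate_id(true) at the moment it sets memberID, so a session id handed out before login is not the one that carries the privilege.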
Nice idea, except there is no form on “article.php” which is where the “articleID” comes from. (There is just a Log-In button.)
I could pass the “articleID” and “memberID” on the 2nd form - “log_in.php” - to the 3rd form - “add_comment.php” - but I’d still need a SESSION to make the first hop.
See my fairly extensive code and explanation above…
A solution is to put the <textarea> for each article in a <form> with a hidden <input> whose value is the article id. When the user clicks a “add comment” button, the comment text and article id are sent to a script that first checks the user is legitimately logged in before inserting the comment in the appropriate db table. The memberID should be stored in a session variable when the member logs in.
Your description is not clear to me and I don’t see why you need 3 screens.
Haven’t you just got a list of articles on a page with an add comment button and <textarea> for each, if the visitor wants to leave a comment?
Using “3 screens” seems like a messy way to do it, but that’s your choice. I would do it the way I described and it’s quick and simple and just requires 1 page to display the articles and the code, either in the same page or a separate file, to add comments to an article in the database.
Yes, it is your choice, as I said. But if you wanted to, you could do it all using 1 php page and there would be nothing wrong with that.
The user logs in.
The user then views a page listing articles.
If the user wants to add a comment they click a button that then displays a <textarea> inside a <form> with the article id for the comment in a hidden input.
After typing a comment the user clicks submit and the comment text and article id are sent via POST either to the same page or a separate page for insertion into the database.
If you use a query string, you are letting people know the variable name for the id and thus increasing your vulnerability to attack. But whether you use a query string or POST, the data should be validated and sanitised before inserting into the db.
And if you do it all using 1 page, you don’t have to worry about redirecting back to the original page.
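The one-page flow from the post above, as an added example rather than code from the thread. Hidden inputs reach the server the same way query-string values do, typed into the request by the visitor's browser, so the hidden articleID is validated and checked against the database exactly as a GET parameter would be. Assumed names: the file is articles.php, the login code has put the member's id in $_SESSION['memberID'], $pdo is a PDO connection, and the tables are article(articleID, title, body) and comment(articleID, memberID, commentText, createdAt).

```php
<?php
// Added example, not code from the thread: the one-page version described above,
// assumed to live in articles.php. Assumed: a PDO connection in $pdo, the login
// code having put the member's id in $_SESSION['memberID'], and tables
// article(articleID, title, body) and comment(articleID, memberID, commentText, createdAt).
session_start();

if (empty($_SESSION['memberID'])) {
    header('Location: log_in.php');
    exit;
}
$memberID = (int) $_SESSION['memberID'];

if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));   // one anti-CSRF token per session
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Hidden inputs arrive exactly like query-string values: the visitor can set
    // them to anything, so each one is validated rather than trusted.
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Form token mismatch');
    }
    $articleID = filter_var($_POST['articleID'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $comment = is_string($_POST['comment'] ?? null) ? trim($_POST['comment']) : '';
    if ($articleID === false || $comment === '' || mb_strlen($comment) > 4000) {
        http_response_code(400);
        exit('Invalid article id or comment');
    }
    // The number came from the client, so confirm it names a real article.
    $check = $pdo->prepare('SELECT 1 FROM article WHERE articleID = ?');
    $check->execute([$articleID]);
    if (!$check->fetchColumn()) {
        http_response_code(404);
        exit('No such article');
    }
    $ins = $pdo->prepare('INSERT INTO comment (articleID, memberID, commentText, createdAt)
                          VALUES (?, ?, ?, NOW())');
    $ins->execute([$articleID, $memberID, $comment]);
    // Redirect after POST so a browser refresh cannot submit the same comment twice.
    header('Location: articles.php#article-' . $articleID);
    exit;
}

$articles = $pdo->query('SELECT articleID, title, body FROM article ORDER BY articleID DESC');
?>
<?php foreach ($articles as $a): ?>
<article id="article-<?= (int) $a['articleID'] ?>">
  <h2><?= htmlspecialchars($a['title'], ENT_QUOTES, 'UTF-8') ?></h2>
  <div><?= htmlspecialchars($a['body'], ENT_QUOTES, 'UTF-8') ?></div>
  <form method="post" action="articles.php">
    <input type="hidden" name="articleID" value="<?= (int) $a['articleID'] ?>">
    <input type="hidden" name="csrf"
           value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
    <textarea name="comment" required maxlength="4000"></textarea>
    <button type="submit">Add comment</button>
  </form>
</article>
<?php endforeach; ?>
```

The existence check is the part that a hidden field does not give you for free: a visitor who edits the value to 999999 gets a 404 instead of a foreign-key error page, and a visitor who edits it to an article they may not comment on would be caught at the same point if the query also tested that rule.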
The MemberID is stored in session I think (not sure, but I also don’t know where else they would store it).
In the first URL it’s using the number 779761, which is the ThreadID.
In the reply you have 4946300, which is the PostID, and from the PostID you can get to the ThreadID.
I’ve had some people bugging me that I should basically avoid using Sessions and put everything in the database, but that seems overly taxing if you are going from page to page, don’t you agree?
Yet, in their defense, if you store data in a Session and the user’s browser is closed, there goes your data.
Here is what I am working on again…
Step 1: User reads an article and wants to comment in the “Comments section” beneath the article, and clicks “Log In”
Step 2: User is taken to “log_in.php” page and logs in
Step 3: User is taken to “add_comment.php” and types up and submits his/her comment
Step 4: User is returned to original article.
To insert a comment in the Comment table, I need “articleID” (Step 1), “memberID” (Step 2) and some comment (Step 3).
In Step 3, I get the “articleID” and “memberID” from $_SESSION.
The motivation for this post was that maybe there is a better way - without changing my process flow - of securing the pieces of data I need to do an INSERT.
So to sum up, in step 4 you get memberID from $_SESSION, articleID from $_GET (right? *) and comment from $_POST ?
And yes, I do agree that storing everything in the database doesn’t make a lot of sense sometimes, like in this case. If you go from page to page on relatively simple pages sessions are the easiest and most sensible thing to use. (the story changes when you have to think about pages to declare VAT for example which can easily take several hours to fill out).
Are you actually storing the articleID in the SESSION when you go to the login page, or do you keep the complete URL in the SESSION? The latter would make more sense since your system would then be generic and you could easily add it to any URL later should you ever want to.
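Keeping the whole URL in the session, as suggested above, means the login code later redirects to a value that originally came from the browser, so it needs an open-redirect check before it is used. The following is an added example, not code from the thread: it stores the pre-login URL under the thread's “returnToPage” key and accepts it back only if it is a same-site path. The two helper functions, the /index.php fallback and the assumption that session_start() has already run are mine.

```php
<?php
// Added example, not code from the thread. Keeps the whole URL the member was on
// before logging in and follows it back only if it is a path on this site.
// File and session key names follow the thread; both helper functions are
// assumptions, and session_start() is assumed to have run already.

// Call this from the "Log In" link on any page (or at the top of log_in.php).
function remember_return_page(): void
{
    // REQUEST_URI is path plus query string as the browser requested it,
    // e.g. "/article.php?articleID=42". It is client-supplied, hence the check
    // in safe_return_page() when it is used.
    $_SESSION['returnToPage'] = $_SERVER['REQUEST_URI'] ?? '/';
}

// Returns $candidate only if it is a same-site path; otherwise $default.
// Rejects anything a browser might resolve to another host: "//evil.example",
// "http://...", "/\evil.example" (backslash), and control characters.
function safe_return_page($candidate, string $default = '/index.php'): string
{
    if (!is_string($candidate) || $candidate === '' || $candidate[0] !== '/') {
        return $default;
    }
    if (isset($candidate[1]) && $candidate[1] === '/') {   // protocol-relative URL
        return $default;
    }
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {  // control chars, backslash
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// In log_in.php, once the credentials check has succeeded.
function finish_login(int $memberID): void
{
    session_regenerate_id(true);            // fresh session id once privilege changes
    $_SESSION['memberID'] = $memberID;
    $target = safe_return_page($_SESSION['returnToPage'] ?? null);
    unset($_SESSION['returnToPage']);       // single use
    header('Location: ' . $target);
    exit;
}
```

With this in place the stored value can be “/article.php?articleID=42”, “/index.php” or anything else on the site, and the article page never has to know the login page exists; a value such as “//attacker.example/” or one containing a backslash or newline falls back to the default instead of being followed.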