my php, jquery comment system cannot display comments in right order

Tags:

jquery

php

I was trying to create a commenting system like the one Facebook uses. I use PHP and jQuery. My code works perfectly. The user writes something in the textarea (comment_1) and posts it. comment_1 appears directly under the textarea successfully. If I refresh the page I can see comment_1 posted at the beginning. If I try to post a new comment (comment_2), then comment_2 appears under comment_1, and again comment_1 under comment_2. For example:

At the beginning: comment_1

After refresh and posting a new comment: comment_1 / comment_2 comment_1

So as you can see, after refreshing the page it places comment_2 and under it comment_1, but also keeps comment_1 above them (as if keeping comment_1 in its "memory"). If I refresh the page I will get comment_2 comment_1, which is what I finally want, but how can I do this without a refresh? Here is my code:

wall.php

<script>
$(document).ready(function(){
    $("#comment_process").click(function(){
        if($("#comment_text").val() != ""){
            // POST the comment; comments.php inserts it and echoes the full list back
            $.post("comments.php?action=post", { comment: $("#comment_text").val() }, function(data) {
                // replaces whatever is currently inside .comments with the returned list
                $(".comments").html(data);
                $("#comment_text").val("");
            });
        }
    });
});
</script>

<div class="comment_container">
<div class="comment_form">

<textarea id="comment_text" ></textarea>
<input type="button" id="comment_process" value="Post"/>

</div>
</div>

<!-- the initial list is rendered here, outside the div the AJAX callback overwrites -->
<?php include_once("comments.php");?>

<div class="comments">   </div>

and this is comments.php

<?php
// Assumes a mysql_connect()/mysql_select_db() made elsewhere (not shown in the question).
// The mysql_* extension is deprecated since PHP 5.5 and was removed in PHP 7.
function getComments(){

    $comments = "";
    // newest first; rows sharing the same comment_date have no defined relative order
    $sql = mysql_query("SELECT * FROM comments ORDER BY comment_date DESC ") or die (mysql_error());

    if(mysql_num_rows($sql) == 0){
        $comments = " <div class='each_comment'> There are no comments ...</div> ";
    }else{
        while ($row = mysql_fetch_assoc($sql)){
            // tags were stripped on input; nothing is escaped here on output
            $comments .= "<fieldset> Stefanos Says : <div class='each_comment'>  <small><em> ".$row['comment_date']." </em></small><br />".$row['comment']."</div></fieldset>  <br />";
        }
    }

    return $comments;

}


function postComments($comment){

    // strip_tags() then escape for the string literal in the INSERT
    $comment = mysql_real_escape_string(strip_tags($comment));
    $sql = mysql_query(" INSERT INTO `comments` (comment, comment_date) VALUES ('".$comment."', now()) ");
    return true;

}


// ?action=post: insert first, then fall through and echo the full list
if((isset($_GET['action'])) && ($_GET['action'] == "post")) {
    postComments($_POST['comment']);
}

echo getComments();
?>
asked Jan 26 '26 19:01 by user2491321


1 Answer

Issues with Comments Displaying Wrong

The issue here is that you're not clearing the original comments.

Move <?php include_once("comments.php");?> into this div:

<div class="comments"> </div>

This way, when you write comments to that block with your javascript, the original comments which were loaded when the page loaded will be replaced.

Apparent issues with MySQL injections and mysql extension

Correct Practices

How you SHOULD sanitize a string for a SELECT statement:

$data = mysql_real_escape_string($_POST['some_data']);
$query = mysql_query("SELECT * FROM some_table WHERE some_value = '$data'");

How you SHOULD sanitize an integer for a SELECT statement:

$data = (int) $_POST['some_data'];
$query = mysql_query("SELECT * FROM some_table WHERE some_value = $data");

Note that the integer does not have quotation marks around it.

The Apparent Vulnerability

Mathew correctly pointed out in the comments that this brand of select statement (demonstrated by ircmaxell) would not correctly prevent SQL injection attacks:

$data = mysql_real_escape_string($_POST['some_data']);
$query = mysql_query("SELECT * FROM some_table WHERE some_value = $data");

However, this isn't a vulnerability so much as a misuse of the function: by not putting quotation marks around $data we suggest that we're searching for an integer, but we've sanitized our input as if it were a string.

If it's an integer field, we should be casting the input value as an integer. If it's a string field, there should be quotes around it in the query. All that's been displayed here is that a function can be used incorrectly.

As your SELECT statement does not take any user inputs and just selects ALL comments, there is no opportunity for this kind of injection anyway.

answered Jan 28 '26 13:01 by Glitch Desire
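The following is an added example, not code from the question or the answer. It reworks the comment endpoint around PDO prepared statements (so the quoting question the answer raises never arises), orders by a secondary key so two comments posted in the same second keep a stable order, escapes on output instead of stripping on input, and makes the answer's "escaped but unquoted" point concrete by running both queries against a throwaway table. It uses an in-memory SQLite database so it runs stand-alone; that, the addslashes() stand-in for mysql_real_escape_string(), and all function names are this example's own assumptions.

```php
<?php
// Added example; assumes PHP 7.4+ with the pdo_sqlite extension. Swap the DSN
// for a MySQL one in a real deployment (an in-memory database is empty on
// every request, which is fine for the CLI demo but not for a live wall).
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (
                 id INTEGER PRIMARY KEY AUTOINCREMENT,
                 comment TEXT NOT NULL,
                 comment_date TEXT NOT NULL)');
    return $db;
}

// Bound parameters: the comment travels as data, never as SQL text, so it
// needs no escaping and no quoting decision in the query string.
function postComment(PDO $db, string $comment): bool {
    $comment = trim($comment);
    if ($comment === '' || strlen($comment) > 2000) {
        return false;                           // reject empty or oversized posts
    }
    $stmt = $db->prepare('INSERT INTO comments (comment, comment_date) VALUES (:c, :d)');
    return $stmt->execute([':c' => $comment, ':d' => date('Y-m-d H:i:s')]);
}

// Newest first. "id DESC" is the tie-breaker: two comments posted within the
// same second have equal comment_date and would otherwise come back in an
// undefined order. Escaping is done here, on output, so a comment containing
// "<b>" is displayed literally instead of becoming markup.
function renderComments(PDO $db): string {
    $rows = $db->query('SELECT comment, comment_date FROM comments
                        ORDER BY comment_date DESC, id DESC')->fetchAll(PDO::FETCH_ASSOC);
    if ($rows === []) {
        return "<div class='each_comment'>There are no comments ...</div>";
    }
    $html = '';
    foreach ($rows as $row) {
        $html .= "<fieldset><div class='each_comment'><small><em>"
               . htmlspecialchars($row['comment_date'], ENT_QUOTES, 'UTF-8')
               . "</em></small><br />"
               . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')
               . "</div></fieldset>";
    }
    return $html;
}

// The answer's unquoted-integer case, run for real. addslashes() stands in for
// mysql_real_escape_string(), which needs a live MySQL link; for this input both
// return the string unchanged because it contains no quote or backslash to escape.
function demoUnquotedEscape(PDO $db): array {
    $db->exec('CREATE TABLE some_table (id INTEGER PRIMARY KEY, some_value INTEGER)');
    $db->exec('INSERT INTO some_table (some_value) VALUES (1), (2), (3)');
    $input = '1 OR 1=1';                        // constructed hostile input

    $escaped = addslashes($input);              // still "1 OR 1=1"
    // becomes: WHERE some_value = 1 OR 1=1  -> the OR applies to every row
    $unsafe = $db->query("SELECT * FROM some_table WHERE some_value = $escaped")->fetchAll();

    // the correct handling for an integer column: cast, then bind
    $stmt = $db->prepare('SELECT * FROM some_table WHERE some_value = :v');
    $stmt->execute([':v' => (int) $input]);     // (int) "1 OR 1=1" is 1
    $safe = $stmt->fetchAll();

    return ['unsafe_rows' => count($unsafe), 'safe_rows' => count($safe)];
}

$db = openDb();

if (PHP_SAPI === 'cli') {
    // Stand-alone run: post two comments (one with markup) and show the demo.
    postComment($db, 'comment_1');
    postComment($db, '<script>alert(1)</script> comment_2');
    echo renderComments($db), PHP_EOL;
    print_r(demoUnquotedEscape($db));
} else {
    // As the AJAX endpoint: insert on POST, then return the refreshed list.
    // The page must render its initial list *inside* <div class="comments"> so
    // that $(".comments").html(data) replaces it instead of stacking a second copy.
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['comment'])) {
        postComment($db, (string) $_POST['comment']);
    }
    echo renderComments($db);
}
```

Run it with `php comments_example.php` to see the rendered list (newest first, the injected `<script>` shown as text) followed by the row counts from the two queries. One caveat neither the question nor the answer touches: the endpoint accepts any POST, so a form on another site can post comments on behalf of a logged-in visitor; a per-session CSRF token checked before postComment() is the usual fix.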