[thelist] Using PHP to let folks add comments

Aleem B aleem.bawany at utoronto.ca
Mon Sep 15 12:13:36 CDT 2003

> What I want to do is have a page, and at the bottom, have a
> form field where people will be able to add a comment.  The
> comments should be wrapped in <p> and </p> but if they put
> in line breaks they should be kept.

You would need to associate comments with pages. So, each page
should have a unique identifier and the comments would
be linked to that.

The comments table would look some'n like this:
id, comment, poster_info/datetime/etc...

Wrapping the comment in <p> tags would be the job of your
template and you probably would not want to store those
tags in the DB (for a bunch of reasons).

PHP's nl2br [ www.php.net/nl2br ] function converts
linebreaks to <br>. You will need to convert <br>'s to
<br />'s. Again you should do this in your template and
store the linebreaks in the DB.

> What I don't want is someone to be able to put in javascript
> or evil HTML that does something nasty to the page.  I would
> like them to be able to include regular links.

Use PHP's strip_tags function:

You can allow some tags. I think the img tag allows javascript
to be embedded within it (at least using the lowsrc attrib, IIRC)
so be careful which tags you allow. You will need to grab
all occurrences of 'javascript' and strip those. There may be
other security checks, I am not sure.

> I am trying to keep the page XHTML 1.0 Strict.

This will probably need some regex checks b'cos not all visitors
will close their tags, in which case you will need to close all
unended tags at the end of the comment (in the order in which
they are opened). Alternately you could instruct posters to close
all their tags in order.

> This doesn't seem too hard, but I'm not getting it.

Ensuring/converting the comment to XHTML will be a li'l
tricky but still easily doable.


[ http://www.aleembawany.com/ ]
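
An added example, not part of the original post: one way a template could render a stored comment under the constraints discussed in this thread (raw text with line breaks in the DB, <p> wrapping at output, links allowed, no script). Instead of a strip_tags allow-list it escapes all markup and turns typed http(s) URLs into links; render_comment() and the sample comment are hypothetical.

```php
<?php
// Added example, not code from the original post.
// render_comment() is a hypothetical helper; the sample input is constructed.

function render_comment(string $raw): string
{
    // The DB keeps the raw text; normalise its line endings to "\n".
    $text = trim(str_replace(["\r\n", "\r"], "\n", $raw));

    // Split on http(s) URLs so only those become links. Anything else,
    // including a typed "javascript:..." string, stays plain text.
    $parts = preg_split(
        '~(https?://[^\s<>"\']*[^\s<>"\'.,;:!?)])~i',
        $text, -1, PREG_SPLIT_DELIM_CAPTURE
    );

    $out = '';
    foreach ($parts as $i => $part) {
        // Escape every piece: tags the poster typed are displayed, not parsed.
        $safe = htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        // With one capture group, odd indexes hold the matched URLs.
        $out .= ($i % 2 === 1)
            ? '<a href="' . $safe . '">' . $safe . '</a>'
            : $safe;
    }

    // Blank lines separate paragraphs; single newlines become <br />
    // (nl2br() emits the XHTML form by default in current PHP).
    $html = '';
    foreach (preg_split('~\n{2,}~', $out) as $p) {
        if ($p === '') {
            continue;
        }
        $html .= '<p>' . nl2br($p) . "</p>\n";
    }
    return $html;
}

// Constructed sample comment, as it would be read back from the DB.
$stored = "Nice page!\nSee http://www.php.net/nl2br for details.\n\n"
        . "<script>alert(1)</script> <img lowsrc=\"javascript:x\">";

echo render_comment($stored);
```

Because nothing the poster types reaches the page as markup, there are no unclosed tags to repair and the output stays well-formed for an XHTML page.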
