When the user fills out your form and clicks the Post Comment button, the data from the form is submitted to update.inc.php. But before you do anything with update.inc.php, you need to determine how you'll handle information from the form by creating a new method, called saveComment(), that cleans posted data and stores it in the database.
This method accepts the posted data as an argument, then cleans the data using strip_tags() and htmlentities(). You store the clean data in variables, which you pass to a prepared SQL statement and save in the comments table.
If nothing goes wrong, the method returns TRUE. Otherwise, it returns FALSE.
You can build this method by adding the saveComment() method to comments.inc.php, as shown here:
<?php
include_once 'db.inc.php';

class Comments {
    // Our database connection
    public $db;

    // Upon class instantiation, open a database connection
    public function __construct() {
        // Open a database connection and store it
        $this->db = new PDO(DB_INFO, DB_USER, DB_PASS);
    }

    // Display a form for users to enter new comments with
    public function showCommentForm($blog_id) {
        return <<<FORM
<form action="/simple_blog/inc/update.inc.php" method="post" id="comment-form">
    <fieldset>
        <legend>Post a Comment</legend>
        <label>Name
            <input type="text" name="name" maxlength="75" />
        </label>
        <label>Email
            <input type="text" name="email" maxlength="150" />
        </label>
        <label>Comment
            <textarea rows="10" cols="45" name="comment"></textarea>
        </label>
        <input type="hidden" name="blog_id" value="$blog_id" />
        <input type="submit" name="submit" value="Post Comment" />
        <input type="submit" name="submit" value="Cancel" />
    </fieldset>
</form>
FORM;
    }

    // Save comments to the database
    public function saveComment($p) {
        // Sanitize the data and store in variables
        $blog_id = htmlentities(strip_tags($p['blog_id']), ENT_QUOTES);
        $name    = htmlentities(strip_tags($p['name']), ENT_QUOTES);
        $email   = htmlentities(strip_tags($p['email']), ENT_QUOTES);
        $comment = htmlentities(strip_tags($p['comment']), ENT_QUOTES);

        // Keep formatting of comments and remove extra whitespace
        // (the variable is $comment, not $comments)
        $comment = nl2br(trim($comment));

        // Generate and prepare the SQL command
        $sql = "INSERT INTO comments (blog_id, name, email, comment)
                VALUES (?, ?, ?, ?)";
        if ($stmt = $this->db->prepare($sql)) {
            // Execute the command, free used memory, and return true
            $stmt->execute(array($blog_id, $name, $email, $comment));
            $stmt->closeCursor();
            return TRUE;
        } else {
            // If something went wrong, return false
            return FALSE;
        }
    }
}
?>
NOTE
You'll learn how to add email validation in the next chapter, as well as implement some basic spam-prevention measures.
Your script knows how to handle data from the comment form, so you're ready to modify update.inc.php to call saveComment() when the comment form is submitted.
You can do this by adding a check to see whether the user clicked the Post Comment button. You add this check after your check for the admin form in update.inc.php. If the comment form was submitted, you need to include and instantiate the Comments class, then call your new saveComment() method and pass the $_POST superglobal array as an argument.
If the call to saveComment() returns TRUE, you try to use the value of $_SERVER['HTTP_REFERER'] to send the user back to the entry where she posted the comment. If that value isn't available, you send the user back to the default entry listings.
You should also add a check that outputs an error message if the saveComment() call returns FALSE. To accomplish this, add the following code to the bottom of update.inc.php, just before the last else block:
// If a comment is being posted, handle it here
else if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['submit'] == 'Post Comment') {
    // Include and instantiate the Comments class
    include_once 'comments.inc.php';
    $comments = new Comments();

    // Save the comment
    if ($comments->saveComment($_POST)) {
        // If available, store the entry the user came from
        if (isset($_SERVER['HTTP_REFERER'])) {
            $loc = $_SERVER['HTTP_REFERER'];
        } else {
            $loc = '../';
        }

        // Send the user back to the entry
        header('Location: ' . $loc);
        exit;
    }
    // If saving fails, output an error message
    else {
        exit('Something went wrong while saving the comment.');
    }
}
else {
    header('Location: ../');
    exit;
}
?>
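The handler above trusts two things that arrive from the browser: the posted fields and the Referer header. As an added example (not code from the book's simple_blog project), the two helpers below pull the saveComment() cleaning into a function whose output you can inspect, and only follow $_SERVER['HTTP_REFERER'] when it points back into this site's own /simple_blog/ path, so a forged Referer cannot turn the redirect into a jump to another host. The /simple_blog/ prefix and the sample values are assumptions.

```php
<?php
// Added example; sanitizeComment() mirrors saveComment()'s cleaning step.
function sanitizeComment(array $p) {
    $clean = array();
    foreach (array('blog_id', 'name', 'email', 'comment') as $field) {
        // Missing fields become '' instead of raising an undefined-index notice
        $raw = isset($p[$field]) ? (string) $p[$field] : '';
        $clean[$field] = htmlentities(strip_tags($raw), ENT_QUOTES, 'UTF-8');
    }
    // Preserve line breaks, as saveComment() does, after trimming whitespace
    $clean['comment'] = nl2br(trim($clean['comment']));
    return $clean;
}

// Return a redirect target derived from the Referer only if it stays on
// this host and under the blog path; otherwise fall back to the listings.
function safeReturnLocation($referer, $host, $fallback = '../') {
    if (!is_string($referer) || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }
    // An absolute or protocol-relative (//host/...) URL must name this host;
    // $host is expected to be $_SERVER['HTTP_HOST'], possibly with a port
    $ownHost = parse_url('http://' . $host, PHP_URL_HOST);
    if (isset($parts['host']) && strcasecmp($parts['host'], $ownHost) !== 0) {
        return $fallback;
    }
    // Only paths under the blog are accepted; this also rejects values such
    // as "javascript:..." whose parsed path never starts with /simple_blog/
    $path = isset($parts['path']) ? $parts['path'] : '';
    if (strpos($path, '/simple_blog/') !== 0) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed sample input: tags are stripped, quotes are encoded
$clean = sanitizeComment(array(
    'blog_id' => '3', 'name' => 'Ann <b>B</b>', 'email' => 'ann@example.com',
    'comment' => " Hi \"there\"\n<script>x</script>",
));
var_dump($clean);
var_dump(safeReturnLocation('http://localhost/simple_blog/?id=3', 'localhost'));
var_dump(safeReturnLocation('http://attacker.example/simple_blog/', 'localhost'));
var_dump(safeReturnLocation('//attacker.example/x', 'localhost'));
?>
```

In update.inc.php you would replace the isset() branch with $loc = safeReturnLocation(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null, $_SERVER['HTTP_HOST']); the second and third calls above fall back to '../'.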
You're now ready to test your system. Navigate to an entry in a browser and fill out the form with test information. Press the Post Comment button, and you should be redirected to the entry.
If you navigate to http://localhost/phpmyadmin and open the comments table in the simple_blog database, you can see your entry in the database (see Figure 10-3).