10.4. Storing New Comments in the Database

When the user fills out your form and clicks the Post Comment button, the data from the form is submitted to update.inc.php. But before you do anything with update.inc.php, you need to decide how you'll handle information from the form by creating a new method, called saveComment(), that cleans posted data and stores it in the database.

This method accepts the posted data as an argument, then cleans it using strip_tags() and htmlentities(). You store the cleaned values in variables, pass them to a prepared SQL statement as bound parameters (so user input is never interpolated into the query string), and save them in the comments table. Because the stored text is already HTML-encoded, it must be printed as-is later; encoding it again on output would double-encode it.

If nothing goes wrong, the method returns TRUE. Otherwise, it returns FALSE.

You can build this method by adding the code in bold to comments.inc.php:

<?php

include_once 'db.inc.php';

class Comments
{
    // Our database connection
    public $db;

    // Upon class instantiation, open a database connection
    public function __construct()
    {
        // Open a database connection and store it
        $this->db = new PDO(DB_INFO, DB_USER, DB_PASS);
    }

    // Display a form for users to enter new comments with
    public function showCommentForm($blog_id)
    {
        return <<<FORM
<form action="/simple_blog/inc/update.inc.php"
    method="post" id="comment-form">
    <fieldset>
        <legend>Post a Comment</legend>
        <label>Name
            <input type="text" name="name" maxlength="75" />
        </label>
        <label>Email
            <input type="text" name="email" maxlength="150" />
        </label>
        <label>Comment
            <textarea rows="10" cols="45" name="comment"></textarea>
        </label>
        <input type="hidden" name="blog_id" value="$blog_id" />
        <input type="submit" name="submit" value="Post Comment" />
        <input type="submit" name="submit" value="Cancel" />
    </fieldset>
</form>
FORM;
    }

    // Save comments to the database
    public function saveComment($p)
    {
        // Sanitize the data and store in variables
        $blog_id = htmlentities(strip_tags($p['blog_id']),ENT_QUOTES);
        $name = htmlentities(strip_tags($p['name']),ENT_QUOTES);
        $email = htmlentities(strip_tags($p['email']),ENT_QUOTES);
        $comment = htmlentities(strip_tags($p['comment']),ENT_QUOTES);
        // Keep formatting of comments and remove extra whitespace
        $comment = nl2br(trim($comment));

        // Generate and prepare the SQL command
        $sql = "INSERT INTO comments (blog_id, name, email, comment)
                VALUES (?, ?, ?, ?)";
        if($stmt = $this->db->prepare($sql))
        {
            // Execute the command, free used memory, and return true
            $stmt->execute(array($blog_id, $name, $email, $comment));
            $stmt->closeCursor();
            return TRUE;
        }
        else
        {
            // If something went wrong, return false
            return FALSE;
        }
    }
}

?>

NOTE

You'll learn how to add email validation in the next chapter, as well as implement some basic spam-prevention measures.
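The saveComment() method above trusts that every field is present and that the hidden blog_id field still holds a number. The following is an added example, not code from the book, that shows a stricter version of the same method: it casts blog_id to an integer, rejects empty required fields, enforces the form's maxlength values on the server, and switches PDO into exception mode so a failed INSERT cannot be mistaken for success. It assumes the same DB_INFO, DB_USER and DB_PASS constants from db.inc.php and the same comments table columns used in the chapter's INSERT; the class name CommentsStrict is chosen here so it does not collide with the chapter's Comments class.

```php
<?php
// Added example (not the book's code): a stricter saveComment().
// Assumes db.inc.php defines DB_INFO, DB_USER and DB_PASS as in the chapter,
// and that the comments table has the columns blog_id, name, email, comment.
include_once 'db.inc.php';

class CommentsStrict
{
    public $db;

    public function __construct()
    {
        $this->db = new PDO(DB_INFO, DB_USER, DB_PASS);
        // Throw on database errors instead of silently returning FALSE,
        // so a failed prepare() or execute() is never reported as success.
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Returns TRUE when exactly one row was inserted, FALSE otherwise.
    public function saveComment(array $p)
    {
        // The hidden blog_id field is under the user's control: require
        // a positive integer rather than passing the raw string through.
        $blog_id = isset($p['blog_id']) ? (int) $p['blog_id'] : 0;
        if ($blog_id <= 0) {
            return FALSE;
        }

        // Trim first, then check that the required fields are non-empty.
        $name    = isset($p['name'])    ? trim($p['name'])    : '';
        $email   = isset($p['email'])   ? trim($p['email'])   : '';
        $comment = isset($p['comment']) ? trim($p['comment']) : '';
        if ($name === '' || $comment === '') {
            return FALSE;
        }

        // The form's maxlength attributes are advisory; the browser (or curl)
        // can send any length, so enforce the same limits here.
        if (strlen($name) > 75 || strlen($email) > 150) {
            return FALSE;
        }

        // Same encoding the chapter uses, so stored text is echoed as-is.
        $name    = htmlentities(strip_tags($name),    ENT_QUOTES, 'UTF-8');
        $email   = htmlentities(strip_tags($email),   ENT_QUOTES, 'UTF-8');
        $comment = nl2br(htmlentities(strip_tags($comment), ENT_QUOTES, 'UTF-8'));

        $sql = "INSERT INTO comments (blog_id, name, email, comment)
                VALUES (?, ?, ?, ?)";
        try {
            $stmt = $this->db->prepare($sql);
            $stmt->execute(array($blog_id, $name, $email, $comment));
            $ok = ($stmt->rowCount() === 1);
            $stmt->closeCursor();
            return $ok;
        } catch (PDOException $e) {
            // Keep the driver's message in the server log; never show it
            // to the browser, where it would leak table and column names.
            error_log('saveComment failed: ' . $e->getMessage());
            return FALSE;
        }
    }
}
?>
```

Calling code does not change: `$comments->saveComment($_POST)` still returns TRUE or FALSE. The difference is that a tampered blog_id, a missing field, or a database error now all produce FALSE rather than a stored row with bad data or an unhandled failure.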

10.4.1. Modifying update.inc.php to Handle New Comments

Your script knows how to handle data from the comment form, so you're ready to modify update.inc.php to call saveComment() when the comment form is submitted.

You can do this by adding a check to see whether the user clicked the Post Comment button. You add this check after your check for the admin form in update.inc.php. If the comment form was submitted, you need to include and instantiate the Comments class, then call your new saveComment() method and pass the $_POST superglobal array as an argument.

If the call to saveComment() returns TRUE, you try to use the value of $_SERVER['HTTP_REFERER'] to send the user back to the entry where she posted the comment. If that value isn't available, you send the user back to the default entry listings. Keep in mind that the Referer header is supplied by the client and can be missing, altered, or pointed at an unrelated site, so redirecting to it verbatim lets anyone craft a request that bounces the user off your site; for a production application you would want to validate it before using it.

You should also add a check that outputs an error message if the saveComment() call returns FALSE. To accomplish this, add the code in bold to the bottom of update.inc.php, just before the last else block:

// If a comment is being posted, handle it here
else if($_SERVER['REQUEST_METHOD'] == 'POST'
    && $_POST['submit'] == 'Post Comment')
{
    // Include and instantiate the Comments class
    include_once 'comments.inc.php';
    $comments = new Comments();

    // Save the comment
    if($comments->saveComment($_POST))
    {
        // If available, store the entry the user came from
        if(isset($_SERVER['HTTP_REFERER']))
        {
            $loc = $_SERVER['HTTP_REFERER'];
        }
        else
        {
            $loc = '../';
        }

        // Send the user back to the entry
        header('Location: '.$loc);
        exit;
    }

    // If saving fails, output an error message
    else
    {
        exit('Something went wrong while saving the comment.');
    }
}

else
{
    header('Location: ../');
    exit;
}

?>
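The redirect above passes $_SERVER['HTTP_REFERER'] straight to header(). The following is an added example, not the book's code, of a helper that only honours the Referer when it points at the same host and somewhere under the blog's own path, and otherwise falls back to the entry listings. It assumes the blog is served under /simple_blog/ (as the form action in this chapter suggests) and that the web server fills $_SERVER['HTTP_HOST'] from the matched virtual host; the function name safeReturnLocation() is chosen here and does not exist in the chapter's code.

```php
<?php
// Added example (not the book's code): pick a redirect target without
// trusting the client-supplied Referer header verbatim.
// Assumes the blog lives under /simple_blog/ and that $server is $_SERVER.

function safeReturnLocation(array $server)
{
    // '../' relative to /simple_blog/inc/ resolves here, so use it directly.
    $fallback = '/simple_blog/';

    if (!isset($server['HTTP_REFERER'], $server['HTTP_HOST'])) {
        return $fallback;
    }

    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === FALSE || !isset($parts['host'], $parts['path'])) {
        return $fallback;
    }

    // HTTP_HOST may carry a port; parse_url() reports the host without it.
    $ourHost = preg_replace('/:\d+$/', '', $server['HTTP_HOST']);

    // Only same host and a path inside the blog are accepted.
    if (strcasecmp($parts['host'], $ourHost) !== 0
        || strpos($parts['path'], '/simple_blog/') !== 0)
    {
        return $fallback;
    }

    // Rebuild a path-only URL from the parsed pieces, so scheme, userinfo,
    // port and fragment from the original header are dropped.
    $loc = $parts['path'];
    if (isset($parts['query'])) {
        $loc .= '?' . $parts['query'];
    }
    return $loc;
}

// Constructed sample requests to show the three outcomes.
$sameSite = array(
    'HTTP_HOST'    => 'localhost',
    'HTTP_REFERER' => 'http://localhost/simple_blog/?id=3',
);
$otherSite = array(
    'HTTP_HOST'    => 'localhost',
    'HTTP_REFERER' => 'http://attacker.example/simple_blog/?id=3',
);
$noReferer = array('HTTP_HOST' => 'localhost');

echo safeReturnLocation($sameSite),  "\n";   // /simple_blog/?id=3
echo safeReturnLocation($otherSite), "\n";   // /simple_blog/
echo safeReturnLocation($noReferer), "\n";   // /simple_blog/
?>
```

In update.inc.php the two-branch block that sets $loc becomes a single call, `header('Location: ' . safeReturnLocation($_SERVER));`, and a forged Referer can no longer send the user anywhere outside the blog.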

You're now ready to test your system. Navigate to an entry in a browser and fill out the form with test information. Press the Post Comment button, and you should be redirected to the entry.

If you navigate to http://localhost/phpmyadmin and open the comments table in the simple_blog database, you can see your entry in the database (see Figure 10-3).

Figure 10.3. A comment stored in the comments table
