Talk To Me! - The Last Word (Page 8 of 8 )
There are a couple of other things that can be added to complete this application. First, since all this work will come to naught if the article and section numbers are not transmitted correctly, you can build in a rudimentary error check by validating the presence of these two variables before performing any database operation. In case these variables are not present, simply redirect the user to an error page.
<?
// redirect if missing important parameters
// place at the top of every page
if (!$article || !$section) { header("Location: error.php"); }
?>
In the interests of consistency, you might also like to connect
related posts to one another by including the string "Re: " in the subject line of replies, as on USENET. This is a relatively simple operation to accomplish - simply add this refinement to "post.php".
<form action="<? echo $PHP_SELF; ?>" method="post">
<input type="hidden" name="replytopost" value="<?php echo $replytopost; ?>">
<input type="hidden" name="section" value="<?php echo $section; ?>">
<input type="hidden" name="article" value="<?php echo $article; ?>">
<table border="0" cellspacing="5" cellpadding="0">
<tr>
<td colspan=2>
<font face="Verdana, Arial" size="2" color="Black"><b>Your
comment:</b></font><p>
</td>
</tr>
<tr>
<td><font face="Verdana, Arial" size="2" color="Black">Name</font></td>
<td><input type="text" name="username" size="25"></td>
</tr>
<tr>
<td><font face="Verdana, Arial" size="2" color="Black">Email
address</font></td>
<td><input type="text" name="email" size="25"></td>
</tr>
<?
// if this is a reply to an existing post
if ($replytopost)
{
// connect to database and pre-fill the subject field
include("config.php");
$connection = mysql_connect($hostname, $user, $pass) or die ("Unable to
connect!");
$query = "SELECT subject FROM $table WHERE id='$replytopost'";
$result = mysql_db_query($database, $query, $connection) or die ("Error in
query: $query . " . mysql_error());
list($subject) = mysql_fetch_row($result);
// fix the subject line if necessary
$substring = substr($subject,0, 3);
if ($substring != "Re:")
{
$subject = "Re: " . $subject;
}
}
?>
<tr>
<td><font face="Verdana, Arial" size="2" color="Black">Subject</font></td>
<td><input type="text" name="subject" size="25" value="<? if ($subject) {
echo $subject; } ?>"></td>
</tr>
<tr>
<td><font face="Verdana, Arial" size="2" color="Black">Comment</font></td>
<td><textarea name="post" rows="5"></textarea></td>
</tr>
<tr>
<td colspan=2 align=center><input type="submit" name="submit" value="Add
Comment"></td>
</tr>
</table>
</form>
In the case of replies (indicated by the presence of the $replytopost
variable), the subject field in the form is pre-filled with the subject of the parent post (obtained by querying the database), and the string "Re: " is prefixed to it. The user can, of course, replace this suggested subject line with anything else (s)he chooses.
Here's what it looks like:
Finally, it should be said that this system, as described above, is by no means perfect. For example, the passing of parameters via the URL GET method is an inherent vulnerability, allowing experienced users to alter the parameters and the subsequent attributes of the record in the database. A possible solution to this is to store the relevant numbers in session variables, which are inaccessible to the user, and thereby prevent mischief.
It should also be noted that the architecture on which this application is premised is by no means optimal - a few obvious flaws present themselves, the primary one being the odd duality of the article and section number combination. However, when performing development on an existing, active Web site with a pre-defined database architecture (as we were), and given the constraints inherent in such a situation, it's difficult to redesign a system from scratch, and often, the only practical (and cost-effective) option is to simply build on existing plumbing rather than going back to square one.
Either way, I hope this case study has given you some insight into how many Web sites build their online discussion forums, and perhaps also sparked some ideas on how you can apply this application to your own development activities. See you soon!
This article copyright Melonfire 2001. All rights reserved.| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
/ 1 
