Help to develop this comment script

         

nimzrocks

9:42 am on Feb 22, 2010 (gmt 0)

10+ Year Member



I have this PHP commenting script. It is working nicely. Now it directly allows users to put anything on my page, but I do not like that. I want to get the comment in my email first, and if it is OK I need to accept it (like a WordPress comment). Can you tell me how to develop this script for that?

Thank you

mvaz

9:50 am on Feb 22, 2010 (gmt 0)

10+ Year Member



Hi nimzrocks, Welcome to Webmasterworld.

You will need a PHP script to take the values posted in your comment form, sanitise them and then let your script process them so they either go to your database or get emailed to you, from where you decide which ones to post and which ones not to.

Hope this helps!

nimzrocks

10:06 am on Feb 22, 2010 (gmt 0)

10+ Year Member



Oops, sorry, this is my script :)

<?

//connect to your database
$dbh = mysql_connect ('', '', '') or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ('fees0_4383963_test');





//query comments for this page of this article
$inf = "SELECT * FROM `comments` WHERE page = '".stripslashes($_SERVER['REQUEST_URI'])."' ORDER BY time ASC";
$info = mysql_query($inf);
if(!$info) die(mysql_error());

$info_rows = mysql_num_rows($info);
if($info_rows > 0) {
echo '<h5>Comments:</h5>';
echo '<table width="95%">';

while($info2 = mysql_fetch_object($info)) {
echo '<tr>';
echo '<td>"'.stripslashes($info2->subject).'" by: <a href="'.$info2->contact.'">'.stripslashes($info2->username).'</a></td> <td><div align="right"> @ '.date('h:i:s a', $info2->time).' on '.$info2->date.'</div></td>';
echo '</tr><tr>';
echo '<td colspan="2"> '.stripslashes($info2->comment).' </td>';
echo '</tr>';
}//end while
echo '</table>';
echo '<hr width="95%" noshade>';
} else echo 'No comments for this page. Feel free to be the first <br>';

if(isset($_POST['submit'])) {
if(!addslashes($_POST['username'])) die('<u>ERROR:</u> you must enter a username to add a comment.');
if(!addslashes($_POST['contact'])) die('<u>ERROR:</u> enter contact method in contact field.');
if(!addslashes($_POST['subject'])) die('<u>ERROR:</u> enter a subject to your comment.');
if(!addslashes($_POST['comment'])) die('<u>ERROR:</u> cannot add comment if you do not enter one!?');


//this is for a valid contact
if(substr($_POST['contact'],0,7) != 'mailto:' && !strstr($_POST['contact'],'//')) {
if(strstr($_POST['contact'],'@'))
$_POST['contact'] = "mailto:".$_POST['contact']."";
else
$_POST['contact'] = "http://".$_POST['contact']."";
} //end valid contact

//try to prevent multiple posts and flooding...
$c = "SELECT * from `comments` WHERE ip = '".$_SERVER['REMOTE_ADDR']."'";
$c2 = mysql_query($c);
while($c3 = mysql_fetch_object($c2)) {
$difference = time() - $c3->time;
if($difference < 300) die('<u>ALERT:</u> '.$c3->username.', You have already commented earlier; if you have a question, try the forums!<BR>');
} //end while

//add comment
$q ="INSERT INTO `comments` (article_id, page, date, time, username, ip, contact, subject, comment) VALUES ('".$_GET['id']."', '".$_POST['page']."', '".$_POST['date']."', '".$_POST['time']."', '".addslashes(htmlspecialchars($_POST['username']))."', '".$_SERVER['REMOTE_ADDR']."', '".addslashes(htmlspecialchars($_POST['contact']))."', '".addslashes(htmlspecialchars($_POST['subject']))."', '".addslashes(htmlspecialchars(nl2br($_POST['comment'])))."')";

$q2 = mysql_query($q);
if(!$q2) die(mysql_error());

//refresh page so they can see new comment
header('Location: ['...] . $_SERVER['HTTP_HOST'] . $_POST['page'] . "#comments");

} else { //display form
?>
<form name="comments" action="<? echo $_SERVER['PHP_SELF']; ?>" method="post">

<input type="hidden" name="page" value="<? echo($_SERVER['REQUEST_URI']); ?>">
<input type="hidden" name="date" value="<? echo(date("F j, Y.")); ?>">
<input type="hidden" name="time" value="<? echo(time()); ?>">

<table width="90%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><div align="right">Username: </div></td>
<td><input name="username" type="text" size="30" value=""></td>
</tr>
<tr>
<td><div align="right">Contact: </div></td>
<td><input type="text" name="contact" size="30" value=""> <i>(email or url)</i></td>
</tr>
<tr>
<td><div align="right">Subject: </div></td>
<td><input type="text" name="subject" size="30" value=""></td>
</tr>
<tr>
<td><div align="right">Comment: </div></td>
<td><textarea name="comment" cols="45" rows="5" wrap="VIRTUAL"></textarea></td>
</tr>
<tr>
<td></td>
<td colspan="2"><input type="reset" value="Reset Fields">
<input type="submit" name="submit" value="Add Comment"></td>
</tr>
</table>
</form>
<?
} // end else
?>

I do not mind if it goes to the database because I can delete it from there later, but before it is published on my page I want to get it in my email. I'm totally new to PHP. Can you help me do it, mvaz?

[edited by: eelixduppy at 3:58 pm (utc) on Feb 22, 2010]
[edit reason] removed db specifics [/edit]

Matthew1980

10:10 am on Feb 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there Nimzrocks,

WRT the database, choosing which comments you want to have as 'viewed' is the easy part! You would just need to select all the entries in the db where a field, for argument's sake called 'public' (set it as an enum entry too, so that you can default it to 'no'), is set to 'yes'. That would make it easier to separate the non-public from the publicly viewable.

The tricky part would be to have a form in your email with a radio button or check box saying something like, "A comment has been posted to your website, check this box to allow this comment, leave unchecked to remain non-public", or words to that effect.

Hope this points you in the right direction.

Cheers,

MRb

nimzrocks

10:18 am on Feb 22, 2010 (gmt 0)

10+ Year Member



Can you please explain how to do it? I'm new to this, Matthew.

Thank you

mvaz

11:01 am on Feb 22, 2010 (gmt 0)

10+ Year Member



One option is to add a column 'auth' to your table and set its properties to be an enum with the values yes or no. Then, when you get an email saying that a comment has been posted, you could go to the database and set the auth to yes. Where your comments are displayed, on that page, you will need to modify your script to display only those comments that have yes in the column auth.

Hope this helps.

Matthew1980

12:25 pm on Feb 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there nimzRocks,

A couple of things I notice from your snippet. Firstly, the opening tags <? should be <?php; it is good practice to do this, and not all servers support short tags.

Also, when using $_GET or $_POST, make sure the data coming from them is sanitised: strip_tags(), and mysql_real_escape_string() for use in conjunction with an SQL query, i.e.:


$some_value = strip_tags($_POST['some_value']);



$sql = "SELECT * FROM `sometable` WHERE `user` = '".mysql_real_escape_string($_POST['somename'])."'";


The reason I highlight these is that they can be subject to abuse from the hackers of the internet, and malicious code injections can be carried out if $_GET and $_POST are not sanitised; just thought you would like to know.

WRT the comments SQL, you would need to stipulate that:


SELECT `your_comments` FROM `your_table` WHERE `auth` = 'yes'


I borrowed mvaz's idea for the column name, but hopefully you can see the structure of the SQL query that would be required.

As for setting up an enum field, do a quick search in Google, or try this URL (hopefully I'm not breaching any rules here): [devshed.com]

Hope this helps a little, but as for the email/HTML form, I'm not sure; I will have to ponder that a little longer...

Hopefully someone reading this can help there... I suppose it would be down to the form action file reference. I'm not sure, I've never had to do one...

Cheers,

MRb
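The two points Matthew1980 makes, keeping request data out of the SQL text and selecting only rows whose `auth` column is 'yes', as an added example. This is not the script from the thread: it uses mysqli prepared statements in place of the mysql_real_escape_string() call in the post (the ext/mysql functions it relies on were removed in PHP 7), and it escapes on output with htmlspecialchars() instead of stripping tags on input, so the table keeps what the user typed. The connection details, the `auth ENUM('no','yes') NOT NULL DEFAULT 'no'` column and the other column names are assumptions.

```php
<?php
// Added example, not the script posted in the thread. Assumptions (placeholders):
// the connection details below, and a `comments` table with columns page, time,
// username, ip, contact, subject, comment and
//   auth ENUM('no','yes') NOT NULL DEFAULT 'no'   -- the column mvaz/Matthew1980 describe

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($db->connect_error) {
    die('Database connection failed.');   // do not echo connect_error to visitors
}
$db->set_charset('utf8mb4');

// Store a comment. Bound parameters travel separately from the SQL text, so a
// quote or comment marker in the input cannot alter the statement. `auth` is
// not in the column list: the default 'no' keeps the row hidden until approved.
function add_comment(mysqli $db, string $page, string $username, string $contact,
                     string $subject, string $comment, string $ip): int
{
    $stmt = $db->prepare(
        'INSERT INTO `comments` (page, time, username, ip, contact, subject, comment)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $now = time();
    $stmt->bind_param('sisssss', $page, $now, $username, $ip, $contact, $subject, $comment);
    $stmt->execute();
    return $db->insert_id;
}

// Public view: only rows the owner has flipped to auth = 'yes'.
function approved_comments(mysqli $db, string $page): array
{
    $stmt = $db->prepare(
        "SELECT username, contact, subject, comment, time FROM `comments`
          WHERE page = ? AND auth = 'yes' ORDER BY time ASC"
    );
    $stmt->bind_param('s', $page);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs mysqlnd (the default build)
}

// Escape at output time, not on input: the table keeps what the user typed,
// and htmlspecialchars() at render time is what stops it running as HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The posted script puts the contact field straight into href="...". Only
// http(s) and mailto targets are linked here; anything else (javascript:,
// data:, ...) is shown as plain text.
function contact_href(string $contact): ?string
{
    return preg_match('#^(https?://|mailto:)#i', $contact) ? $contact : null;
}

$page = (string) strtok($_SERVER['REQUEST_URI'], '?');   // path only, no query string

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    foreach (['username', 'contact', 'subject', 'comment'] as $field) {
        $v = $_POST[$field] ?? null;
        if (!is_string($v) || trim($v) === '') {
            die('ERROR: the ' . h($field) . ' field is required.');
        }
    }
    add_comment($db, $page, $_POST['username'], $_POST['contact'],
                $_POST['subject'], $_POST['comment'], $_SERVER['REMOTE_ADDR']);
    header('Location: ' . $page . '#comments');   // same-path redirect, no host taken from input
    exit;
}

foreach (approved_comments($db, $page) as $row) {
    $href = contact_href($row['contact']);
    $by   = $href === null ? h($row['username'])
          : '<a href="' . h($href) . '" rel="nofollow">' . h($row['username']) . '</a>';
    echo '<p><b>' . h($row['subject']) . '</b> by ' . $by
       . ' @ ' . date('H:i:s', (int) $row['time']) . '<br>'
       . nl2br(h($row['comment'])) . '</p>';
}
```

The order of operations is the point: the INSERT never concatenates user text into SQL, the SELECT filters on `auth` so nothing the table holds is shown until the owner changes that column, and every value is escaped as it is written into the HTML, including the href, which the original script emitted unchecked.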

rocknbil

6:48 pm on Feb 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Now it directly allows users to put anything on my page, but I do not like that.


Add a field, "approved_status," boolean not null default FALSE, or tinyint(1) not null default 0.

On submit, you don't need to change anything in how it's written to the DB. It will be 0/false by default.

Change your page script: to whatever WHERE you have, add ". . . and approved_status=1".

You'll have to write some administration to set the status to 1, or do it manually.
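Rocknbil's last line, the administration that sets the status to 1, and Matthew1980's idea of approving from the email are the part none of the posts spell out. Below is an added example, not code from the thread, of one way to do it: the comment is stored with rocknbil's `approved_status` left at its default 0, the owner receives an email with a link that carries a random per-comment token, and an approve.php page publishes the comment only when the request is a POST from a logged-in owner presenting the matching token. The `approve_token` column, the is_site_owner() check, the email address and the host name are assumptions. A form inside the email itself, as Matthew1980 suggested, is not used because mail clients generally strip or block forms; a link to a page on the site does the same job.

```php
<?php
// Added example, not the thread's code. Assumed schema additions (placeholders):
//   ALTER TABLE `comments`
//     ADD approved_status TINYINT(1) NOT NULL DEFAULT 0,   -- rocknbil's column
//     ADD approve_token   CHAR(64)   NOT NULL DEFAULT '';  -- added for this example
// The owner login (is_site_owner), e-mail address and host are stand-ins too.

const OWNER_EMAIL = 'owner@example.com';
const SITE_URL    = 'https://www.example.com';

// Stand-in for the site's real admin login; anything that sets this session
// flag only after a password check will do.
function is_site_owner(): bool
{
    return !empty($_SESSION['is_owner']);
}

// Call this right after the INSERT that stored the comment. The column
// default leaves approved_status at 0, so nothing is shown until approval.
function notify_owner(mysqli $db, int $comment_id, string $username, string $subject): void
{
    // 32 random bytes -> 64 hex characters: unguessable and unique per comment,
    // so only the holder of this mail can act on it.
    $token = bin2hex(random_bytes(32));
    $stmt  = $db->prepare('UPDATE `comments` SET approve_token = ? WHERE id = ?');
    $stmt->bind_param('si', $token, $comment_id);
    $stmt->execute();

    $link = SITE_URL . '/approve.php?id=' . $comment_id . '&token=' . $token;
    // The mail subject and headers are fixed strings; user input only appears
    // in the body, so a newline in the username cannot inject extra headers.
    $body = "New comment awaiting approval\n"
          . "From:    {$username}\n"
          . "Subject: {$subject}\n\n"
          . "Open this link while logged in to publish it:\n{$link}\n";
    mail(OWNER_EMAIL, 'Comment awaiting approval', $body, 'From: ' . OWNER_EMAIL);
}

// approve.php. A GET only shows a confirm button; the state change needs a POST.
// Mail scanners and link previewers fetch GET links on their own, and a GET that
// published a comment could also be triggered from any page the owner visits.
function handle_approve(mysqli $db): string
{
    if (!is_site_owner()) {
        http_response_code(403);
        return 'Log in as the site owner first.';
    }
    $id    = (int) ($_REQUEST['id'] ?? 0);
    $token = (string) ($_REQUEST['token'] ?? '');

    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return '<form method="post">'
             . '<input type="hidden" name="id" value="' . $id . '">'
             . '<input type="hidden" name="token" value="'
             . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
             . '<input type="submit" value="Publish comment #' . $id . '">'
             . '</form>';
    }

    $stmt = $db->prepare(
        'SELECT approve_token FROM `comments` WHERE id = ? AND approved_status = 0'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // hash_equals() runs in constant time, so response timing does not reveal
    // how many leading characters of a guessed token were right. An empty token
    // is rejected outright so a row whose mail was never sent cannot be matched.
    if ($row === null || $token === '' || !hash_equals($row['approve_token'], $token)) {
        http_response_code(404);
        return 'No pending comment matches that link.';
    }

    // Publish and clear the token so the same link cannot be replayed.
    $stmt = $db->prepare(
        "UPDATE `comments` SET approved_status = 1, approve_token = '' WHERE id = ?"
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return 'Comment #' . $id . ' is now public.';
}

session_start();
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');   // placeholders
echo handle_approve($db);
```

Three checks stack here on purpose. The login stops anyone who is not the owner from reaching the page at all; the token ties the action to one comment and to the mail the owner received, so a forwarded or leaked mailbox cannot be used to approve a different comment; and requiring a POST keeps the link itself harmless when something other than the owner fetches it. Dropping any one of them reopens a way for a spammer to publish their own comment.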