Leave a Comment in the Comment Section

I have categories that I haven't used yet because I've only blogged about building a blog so far. But that will come in handy later when I get bored of building the blog. Right now I'm still excited about building this blogging system because it's come a long way: from a flat file system to a full-fledged database, from Craigslist to Bootstrap. The blog is baller.

But what is a blog unless I can hear from my readers? A place where readers can comment would be great. But it's not that simple. Allowing readers to comment is one thing, but it also gives hackers a way to attack the website. So we need to be very careful when allowing users to comment.

So how do I do it? The comments will need to be stored in the database so I can access them on the blog page. Then the comments will need to be sanitized to make sure they are safe to display on the website.

I'll create a new table for the comments with a comment id, blog id, timestamp, name, and comment field. Now I'll start working on the comment HTML. I'll check the Bootstrap template to see if there is a template for a comment section. There isn't one, so I think I'll go with a simple h3 for the comments header and small text for the author, date, and time. And for the comment body I'll use Parsedown.

Now how do I display the comments on the blog? I need to make sure I pick the right blog post as well. The controller will get the right comments and give us the data. With PHP I can create a function called get_blog_comments($id), pass in the blog id, and return all the comments assigned to that id.

I would prefer to let users write in Markdown, however I was able to hack it. So for now I'm going to go with plain text for the comments and escape any HTML. Unfortunately the comments will have to be rendered as plain text. I know it sounds boring, but at least readers can let their voices be heard.

To make sure all HTML is rendered as plain text, PHP has a built-in function called htmlspecialchars which converts the special HTML characters (<, >, &, and quotes) into entities, so the browser shows them as literal text instead of interpreting them. But the output will have no line breaks. PHP also has a function to add the line breaks back in, called nl2br. Now the comments are plain text, and when a would-be hacker tries a cross-site scripting attack it will render only as plain text.

But there has to be a way to add the comments from the website to the database. A couple of things I'll need are a form and a function that inserts the comment into the database. So I'll create the function first, call it put_blog_comment(), and use the POST data from the blog.

I'm using MeekroDB to handle the database, so I'll use its insert function, select the comments table, and pass the POST data from the form in as a key-value array.

Why don't I add a function that handles untrusted user input and call it untrusted_user_input($input)? As long as I remember to run untrusted user input through this function, it will sanitize the input into benign plain text.

Now I'll add an HTML comment form under the blog. Then I'll add a comment to test the form, and now we have a way for readers to add comments. Glad that's over.
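Here is how the three functions described above fit together, as an added example that is not the blog's own code. It assumes MeekroDB is loaded and a `comments` table with the columns listed earlier; it stores the comment as typed and applies untrusted_user_input() at display time, so the stored text stays intact while every rendered copy is escaped.

```php
<?php
// Added example (not the blog's own code). Assumes MeekroDB is loaded and a
// `comments` table with comment_id, blog_id, timestamp, name, comment columns.

/**
 * Turn untrusted text into safe HTML. ENT_QUOTES escapes both quote styles so
 * the result is also safe inside attribute values; ENT_SUBSTITUTE avoids
 * htmlspecialchars returning an empty string on invalid UTF-8, which would
 * otherwise silently drop a whole comment.
 */
function untrusted_user_input(string $input): string {
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);   // restore the line breaks the plain-text rendering loses
}

/** Store the comment exactly as typed; escaping happens on output, not on input. */
function put_blog_comment(int $blog_id, string $name, string $comment): void {
    DB::insert('comments', [
        'blog_id'   => $blog_id,
        'timestamp' => date('Y-m-d H:i:s'),
        'name'      => $name,
        'comment'   => $comment,
    ]);
}

/** Fetch the comments for one post; MeekroDB's %i placeholder binds the id as an integer. */
function get_blog_comments(int $blog_id): array {
    return DB::query('SELECT * FROM comments WHERE blog_id=%i ORDER BY timestamp', $blog_id);
}

/** Render one comment the way the blog page does: escaped name and escaped body. */
function render_comment(array $row): string {
    return '<h3>Comment</h3><small>' . untrusted_user_input($row['name']) . ' on '
        . untrusted_user_input($row['timestamp']) . '</small>'
        . '<p>' . untrusted_user_input($row['comment']) . '</p>';
}

// Constructed sample input: the payloads that appear in the comment section below.
$samples = [
    "<script>\nalert(\"HACKED\");\n</script>",
    "<style>\nbody {\n  background: red;\n}\n</style>",
    '[HACK](javascript:alert%28%22HACKED!%22%29)',
];
foreach ($samples as $s) {
    echo render_comment(['name' => 'tester', 'timestamp' => '2016-01-01 00:00:00', 'comment' => $s]), "\n";
}
```

Because the function is applied where the HTML is built rather than before DB::insert, a comment shown in two places (the post page and an admin list) is escaped in both, and the raw text is still available if the blog later switches to Markdown.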

Comments

This blog is beautiful. We need more blogs like this.

<script>
alert("HACKED");
</script>

I will turn your blog red for Trump. A special thanks from Mother Russia Mwahahahahahaha.

<style>
body {
background: red;
}
</style>

Let a real hacker hack the hack jack better get back.

[HACK](javascript:alert%28%22HACKED!%22%29)

First blog comment on the form.

comment not found

new route test

redirect test

redirect test 2

redirect test 3