If you have an item where you allow users to add comments, how can you pass which item the user is replying to?
I’ve thought of using a hidden field in a form, however this can be easily changed using plugins such as Firebug:
<form method="post" action="blah">
<input type="hidden" name="item_id" value="<?php echo $item_id; ?>">
<!-- other form data here -->
<input type="submit" name="submit">
</form>
Or just simply using a session:
$_SESSION['item_id'] = $item_id;
Is there a safe way to send the item data in a form?
Edit:
This is after validation. I do implement some XSS protection (form tokens etc.). The reason I was asking was just to know what the best practice is.
I thought of doing something like
$_SESSION['item_id'] = $id; // this is set when they visit the current item
then in the form have a hidden field:
<input type="hidden" name="item_id" value="<?php echo $id; ?>">
Finally check the session matches the id clicked:
if ($_SESSION['item_id'] !== (int) $item_id) // $item_id is the value posted in the form
{
die('There\'s got to be a morning after
If we can hold on through the night
We have a chance to find the sunshine
Let\'s keep on looking for the light');
}
However after reading some of your comments I guess this is a bad idea?
To be fair (@Surreal Dreams): it isn’t that big a deal if they do change the id; as I’ve said, I was just looking for the best practice.
Cheers.
Using a session the way you suggested would screw up cases where (1) a visitor opens several different articles in multiple tabs, and (2) tries to write a reply on any tab other than the one that was opened last. The user might even write two replies simultaneously in different tabs; I sometimes do that on StackOverflow. Web developers so easily forget that today’s visitors may have several browser tabs open at the same time. Really, we don’t use IE6 anymore.
A solution would be to make $_SESSION['item_id'] an array of recently viewed article IDs, but then you won’t be able to stop some Firebug user (or any other tech-savvy person) from replying to a previously viewed article. Adding time limits won’t change anything, either. But why would somebody intentionally change the ID of the post to which they’re replying, except to troll or spam the site? And if somebody really wanted to screw your site, they can easily get around any protection by making their bot request the appropriate page just before posting a spam comment. You’d be much better off investing in a better CSRF token generator, spam filter, rate limiter, etc.
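As an added example (not code from the question or the answer), here is how the hidden item_id can be kept in the form yet bound to the visitor's session with a per-item HMAC token: every open tab carries its own valid pair, so the multi-tab problem described above disappears, and a changed item_id no longer matches its token. The function names and the 'comment:' context string are made up for this example.

```php
<?php
// Added example, not code from the question or answer. Bind the hidden
// item_id to the visitor's session with an HMAC: each tab carries its own
// token, and a tampered item_id fails verification. Function names are made up.
session_start();

// One random secret per session; it never leaves the server.
function csrfSecret(): string
{
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

// Token for the comment form of one specific item.
function commentFormToken(int $itemId): string
{
    return hash_hmac('sha256', 'comment:' . $itemId, csrfSecret());
}

// Returns the verified item_id, or null if the pair was altered or missing.
function verifyCommentForm(array $post): ?int
{
    $itemId = filter_var($post['item_id'] ?? null, FILTER_VALIDATE_INT);
    $token  = $post['token'] ?? null;
    if ($itemId === false || !is_string($token)) {
        return null;
    }
    // hash_equals() compares in constant time.
    return hash_equals(commentFormToken($itemId), $token) ? $itemId : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $itemId = verifyCommentForm($_POST);
    if ($itemId === null) {
        http_response_code(400);
        die('Invalid or stale comment form.');
    }
    // ... store the comment for $itemId ...
} else {
    $itemId = (int)($_GET['item_id'] ?? 0);   // the item being viewed
    $token  = commentFormToken($itemId);
    echo '<form method="post" action="blah">',
         '<input type="hidden" name="item_id" value="', $itemId, '">',
         '<input type="hidden" name="token" value="', $token, '">',
         '<!-- other form data here -->',
         '<input type="submit" name="submit">',
         '</form>';
}
```

A visitor can still obtain a valid token for any item they are allowed to view, which the answer points out is unavoidable; what the token does stop is a forged cross-site submission and a blindly edited item_id.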