Home/ Questions/Q 5968401
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T20:05:05+00:00

Ok, this might be obvious but its not clicking quite yet. I am creating

  • 0

Ok, this might be obvious but its not clicking quite yet. I am creating a forum/blog esque app.

I grab the posts from the database rather securely but commenting is beginning to be a little more difficult. (I could just be paranoid, right?).

How do I add a comment without exposing the id of the parent message? (like in a hidden form field or query string, or something).

I guess I am a bit paranoid that someone might go into the code with firebug or something and change the hidden form field value to something else before submitting. I guess I would have to make sure the user has permission to comment to that particular post/category?

Things to note :
The user is already logged in.
Its not a public post

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I would recommend that you setup your database like so:

    Comments
---------
id
encodedID
authorID
parentID
message

    Then, for the form field have two hidden values, one will be the encodedID, and the second will be a hash that you make. I would recommend the hash to be:

    <?php

$hash = sha1(md5($encodedID . $userID . $_SERVER['REMOTE_ADDR'] . "abc1234"));

?>

    Then, when the user submits the form, validate that the hash is valid for the specific encodedID and user. Here is a brief code write up:

    <?php

if(isset($_POST['submit']))
{
    //Get the variables and all and sanitize the input of 'message'
    if(sha1(md5($_POST['value1']. $userID . $_SERVER['REMOTE_ADDR'] . "abc1234")) == $_POST['value2'])
    {
        //User is valid.
    }
    else
    {
        //Invalid user.
        //Document this.
    }
}

$value1 = $encodedID; //Grab this from your database
$value2 = sha1(md5($value1 . $userID . $_SERVER['REMOTE_ADDR'] . "abc1234"));
?>

<form method="post" action="comment.php">
<input type="text" name="message" />
<input type="hidden" name="value1" value="<?php echo $value1; ?>" />
<input type="hidden" name="value2" value="<?php echo $value2; ?>" />
<input type="submit" name="submit" value="Comment" />
</form>

    Edit: Just a small tip, but I would recommend that you change value1 and value2 to something abstract, don’t call it encodedID or anything like that, just so that it confuses any users that will attempt to try and break it.

    And yes md5 and sha1 are not completely secure, but for this case it will work since you want to be able to process the comments fast and efficiently.

    • 0