blog comments issue

david_wright

Hello
NogDog and Protato kindly assisted in seeking to debug my blog script some months ago.
The discussion can be found at: phpbuilder.com/board/showthread.php?t=10343494. Despite their generous efforts, the bug remains undetected.
I have discovered a further clue and wondered if somebody might help me make sense of the problem.
The basic difficulty is that in attempting to add comments, a series of undefined variable notices replace the expected text.
The new clue clue is as follows:
my database contains 2 tables - posts (all looks fine there), and comments containing comment_id, post_id and other fields not relevant here. The comment_id column contains the expected comment id number, but the post_id column contains the number 0 in each row.
I guess what's happening is the comment can't id the post and the whole thing collapses.
I'm not sure what else - if anything - is appropriate to record here, though I will be happy to post whatever code is needed.
Many thanks.
David

jeremyphphaven

yo yo...

repost your latest code and I'll take a gander.

david_wright

Hello jeremyphphaven
Your offer is much appreciated.
Latest code as follows

above DTD:

<?php
//open connection to database universal
include("../db_connect.php");

//get post_id from query string universal
$post_id = (isset($_REQUEST["post_id"]))?$_REQUEST["post_id"]:"";


//if post_id is a number get post from database
if (preg_match("/^[0-9]+$/", $post_id)) {
	$sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
	WHERE post_id=$post_id LIMIT 1";
	$result = mysql_query($sql);
	$myposts = mysql_fetch_array($result);
}
// universal
include("functions.php");

//if comment has been submitted and post exists then add comment to database
if (isset($_POST["postcomment"]) != "") {
	$posttitle = addslashes(trim(strip_tags($_POST["posttitle"])));
	$name = addslashes(trim(strip_tags($_POST["name"])));
	$email = addslashes(trim(strip_tags($_POST["email"])));
	$website = addslashes(trim(strip_tags($_POST["website"])));
	$comment = addslashes(trim(strip_tags($_POST["comment"])));

$sql = "INSERT INTO comments
	(post_id,name,email,website,comment)
	VALUES ('$post_id', '$name', '$email', '$website', '$comment')";
$result2 = mysql_query($sql);
if (!$result2) {
	$message = "failed to insert comment.";
} else {
	$message = "comment added.";
	$comment_id = mysql_insert_id();

	//send yourself an email when a comment is successfully added
	$emailsubject = "comment added to: ".$posttitle;

	$emailbody ="comment on '".$posttitle."'"."\r\n"
	 ."http://www.thewrightline.co.uk/post.php?post_id=".$post_id ."#c".$comment_id."\r\n\r\n"
	 .$comment."\r\n\r\n"
	 .$name." (".$website.")\r\n\r\n";
	$emailbody = stripslashes($emailbody);

	$emailheader = "from: ".$name." <".$email.">\r\n"."reply-to: ".$email;

	@mail("david@thewrightline.com", $emailsubject, $emailbody, $emailheader);
	//direct to post page to eliminate repeat posts
	header("Location: post.php?post_id=$post_id&message=$message");
}
}
//pull comments from database

if ($myposts) {
	$sql = "SELECT comment_id, name, website, comment FROM comments WHERE post_id = $post_id";
	$result3 = mysql_query($sql);
	$mycomments = mysql_fetch_array($result3);
}

?>

in sidebar (form to complete for posting a comment):

<form method="post" action="<?php echo $_SERVER["PHP_SELF"] ?>">
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<input type="hidden" name="post_id" value="<?=$post_id ?>" />
<input type="hidden" name="posttitle" value="<?=$title ?>" />
<h4>add a comment:</h4>

<form action="<? /twlcouk/post.php?>" method="post">
<input type="hidden" name="post_id" value="<?=$post_id ?>" />
<input type="hidden" name="posttitle" value="<?=$title ?>" />

<?php
if (isset($message)) {
	echo "<p>".$_POST["message"]."</p>";
	}
	?>
	<p>name: <br /><input name="name" type="text" /></p>
	<p>email: <br /><input name="email" type="text" /></p>
	<p>website: <br /><input name="website" type="text" /></p>
	<p>comment: <br /><textarea name="comment" cols="20" rows="10"></textarea></p>
	<p class="align"><input type="submit" name="postcomment" value="post comment" /></p>
	</form>

in main body of page:

<?php
if($myposts) {
	do {
		$post_id =$myposts["post_id"];
		$title = $myposts["title"];
		$post = format($myposts["post"]);
		$dateattime = $myposts["dateattime"];
		echo "<h3>$title</h3>\n";
		//echo "<h4>posted on $dateattime</h4>\n";
		echo "<div class='post'>\n $post \n</div>";
		echo "<div class='right'>posted on $dateattime</div>";
	}   while ($myposts = mysql_fetch_array($result));
} else {
	echo"<p>there is no post matching a post_id of $post_id.</p>";
}
?>//above code dumps post on page - it works

<h4>comments</h4>
<div id="comments">
<div class="link">

//following code should dump comment posted from sidebar form at 
//<p class='central'...</p> 
<?php
if($mycomments) {
	echo "<dl>";
	do {
		$comment_id = $mycomments["comment_id"];
		$name = $mycomments["name"];
		$website = $mycomments["website"];
		$comment = format($mycomments["comment"]);
		if ($website !="") {
			echo "<dt><a href='$website'>$name</a> wrote:</dt>\n";
		} else {
			echo "<dt>$name wrote:</dt>\n";
		}
		echo "<p><dd>$comment</dd></p>\n";
	  } while ($mycomments = mysql_fetch_array($result3));
	  echo "</dl>";
	 } 	else {
	 	echo"<p class='central'>use the add a comment form to leave a comment.</p>";
	 }
	 ?>

When comments form is completed and submit button hit, the following happens:
1
Notice: Undefined variable: myposts in /Library/WebServer/Documents/twlcouk/post.php on line 55

is inserted above the top banner

lines 55-59 read:

if ($myposts) {
		$sql = "SELECT comment_id, name, website, comment FROM comments WHERE post_id = $post_id";
		$result3 = mysql_query($sql);
		$mycomments = mysql_fetch_array($result3);
	}

2
text of post is replaced by:
Notice: Undefined variable: myposts in /Library/WebServer/Documents/twlcouk/post.php on line 136

there is no post matching a post_id of .

lines 136-149 read:

if($myposts) {
	do {
		$post_id =$myposts["post_id"];
		$title = $myposts["title"];
		$post = format($myposts["post"]);
		$dateattime = $myposts["dateattime"];
		echo "<h3>$title</h3>\n";
		//echo "<h4>posted on $dateattime</h4>\n";
		echo "<div class='post'>\n $post \n</div>";
		echo "<div class='right'>posted on $dateattime</div>";
	}   while ($myposts = mysql_fetch_array($result));
} else {
	echo"<p>there is no post matching a post_id of $post_id.</p>";
}

3
The following appears where the new comment is expected:
Notice: Undefined variable: mycomments in /Library/WebServer/Documents/twlcouk/post.php on line 158

use the add a comment form to leave a comment.

lines 158-175 read:

if($mycomments) {
	echo "<dl>";
	do {
		$comment_id = $mycomments["comment_id"];
		$name = $mycomments["name"];
		$website = $mycomments["website"];
		$comment = format($mycomments["comment"]);
		if ($website !="") {
			echo "<dt><a href='$website'>$name</a> wrote:</dt>\n";
		} else {
			echo "<dt>$name wrote:</dt>\n";
		}
		echo "<p><dd>$comment</dd></p>\n";
	  } while ($mycomments = mysql_fetch_array($result3));
	  echo "</dl>";
	 } 	else {
	 	echo"<p class='central'>use the add a comment form to leave a comment.</p>";
	 }

The table comments on database david reads (eg):
comment_id 2
post_id 0
name david wright
email davidwright@xxxx.com
website www.xxxxx.com
comment test
tstamp 2007-07-30 21:48:33
All post_id entries are 0

Sorry it's such a long post.
Hope it's all relevant. Please let me know if you need further info.
And thanks again for your interest.
Cheers
David

thereo

i have a feeling that there may be no result after this sql for some reason hence $myposts is not defined.try an error check on the result if(!result). if there is a result then try an error check on mysql_fetch_array($result).

//if post_id is a number get post from database
if (preg_match("/^[0-9]+$/", $post_id)) {
$sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
WHERE post_id=$post_id LIMIT 1";
$result = mysql_query($sql);
$myposts = mysql_fetch_array($result);
}

If $myposts is empty here your code further down will not work so there is really 1of the same problem. Hope i Have helped!!

phaseonemedia

try doing this and tell me what happens..

change

if (preg_match("/^[0-9]+$/", $post_id)) {
    $sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
    WHERE post_id=$post_id LIMIT 1";
    $result = mysql_query($sql);
    $myposts = mysql_fetch_array($result);
}

to...

if (is_numeric($post_id)) {
    $sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
    WHERE post_id=$post_id LIMIT 1";
    $result = mysql_query($sql);
    $myposts = mysql_fetch_array($result);
} else { die("Post ID is $post_id"); }
print_r($myposts);
exit;

one more thing, is the post_id in the mysql table set to auto increment?

david_wright

Hello phaseonemedia
And thank you for responding to my thread.
Replacing the code as you suggest returns

Post id is

nothing else.

Two tables relate to post.php.
TABLE posts (where posts are stored) has post_id set to AUTO_INCREMENT
TABLE comments (stores comments) does not have post_id set to AUTO_INCREMENT.

Thanks again for your interest.

David.

david_wright

thereo
Thanks for you interest.

//if post_id is a number get post from database
if (preg_match("/^[0-9]+$/", $post_id)) {
    $sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
    WHERE post_id=$post_id LIMIT 1";
    	if(!result);
    $result = mysql_query($sql);	
    $myposts = mysql_fetch_array($result);
}

returns:

Notice: Use of undefined constant result - assumed 'result' in /Library/WebServer/Documents/twlcouk/post.php on line 13
(where line 13 = if(!result)

The post result still appears on the page.

I'm not clear what this means.

Posts are stored in TABLE posts and appear on the page as expected.
The problem occurs when trying to submit a comment to a post. Comments are stored in TABLE comments - field comment:

+------------+--------------+------+-----+-------------------+----------------+
| Field      | Type         | Null | Key | Default           | Extra          |
+------------+--------------+------+-----+-------------------+----------------+
| comment_id | int(11)      | NO   | PRI | NULL              | auto_increment | 
| post_id    | int(11)      | NO   | MUL |                   |                | 
| name       | varchar(255) | NO   |     |                   |                | 
| email      | varchar(255) | NO   |     |                   |                | 
| website    | varchar(255) | NO   |     |                   |                | 
| comment    | text         | NO   |     |                   |                | 
| tstamp     | timestamp    | YES  |     | CURRENT_TIMESTAMP |                | 
+------------+--------------+------+-----+-------------------+----------------+

As shown in the sample below, the post_id field reads 0. This is true in all attempts to comment on a post.

+------------+---------+--------------+-------------------------+------------------------+-------------------+---------------------+
| comment_id | post_id | name         | email                   | website                | comment           | tstamp              |
+------------+---------+--------------+-------------------------+------------------------+-------------------+---------------------+

|         30 |       0 | david wright | davidwright@macace.net  | www.thewrightline.com  | testing comments  | 2007-08-02 23:07:43 |

Hope this clarifies what's happening. I'm not clear on how to correct it.
Thanks again for your interest
David

phaseonemedia

in the sidebar, when you view the source code on the page where this line is located...

<input type="hidden" name="post_id" value="<?=$post_id ?>" />

what does it say the post_id is there?

david_wright

phaseonemedia,

<form action="<? /twlcouk/post.php?>" method="post">
<input type="hidden" name="post_id" value="<?=$post_id ?>" />
<input type="hidden" name="posttitle" value="<?=$title ?>" />
<?php echo "$post_id";
?>

returns
7
above the name textbox.
I've included the code because I'm not 100% sure I'm doing this correctly.
Your interest is much appreciated
David

david_wright

PS Just tried it with another post - returns 6. And another - returns 8. It seems to return the post_id as expected.
David

arty56

david wright wrote:
PS Just tried it with another post - returns 6. And another - returns 8. It seems to return the post_id as expected.
David

From what you have described above appears that the post to the script for inserting the comment is not picking up the variable in the post.php.

Check to see if post variable in your script is

$post_id = addslashes(@$_POST['post_id']);

If the post_id is not being stored correctly in the insert statement then it will assume the post_id = 0

So check your insert statement and see if the post_id field has the value set as $post_id.

I sometimes make the same mistake when coping and pasting that I change one part of the post code and not both.

Like: $id = addslashes(@$_POST['post_id']);

and the expected insert variable is set for $post_id

or I have $post_id = addslashes(@$_POST['id']);

this also would make the insert enter a 0

Hope this helps

Arty

david_wright

Thanks for your interest, arty.
post variable is:

$post_id = (isset($_REQUEST["post_id"]))?$_REQUEST["post_id"]:"";

INSERT statement reads:

if (isset($_POST["postcomment"]) != "") {
	$posttitle = addslashes(trim(strip_tags($_POST["posttitle"])));
	$name = addslashes(trim(strip_tags($_POST["name"])));
	$email = addslashes(trim(strip_tags($_POST["email"])));
	$website = addslashes(trim(strip_tags($_POST["website"])));
	$comment = addslashes(trim(strip_tags($_POST["comment"])));

$sql = "INSERT INTO comments
	(post_id,name,email,website,comment)
	VALUES ('$post_id', '$name', '$email', '$website', '$comment')";
$result2 = mysql_query($sql);
if (!$result2) {
	$message = "failed to insert comment.";
} else {
	$message = "comment added.";
	$comment_id = mysql_insert_id();

The TABLE comments:

+------------+--------------+------+-----+-------------------+----------------+
| Field      | Type         | Null | Key | Default           | Extra          |
+------------+--------------+------+-----+-------------------+----------------+
| comment_id | int(11)      | NO   | PRI | NULL              | auto_increment | 
| post_id    | int(11)      | NO   | MUL |                   |                | 
| name       | varchar(255) | NO   |     |                   |                | 
| email      | varchar(255) | NO   |     |                   |                | 
| website    | varchar(255) | NO   |     |                   |                | 
| comment    | text         | NO   |     |                   |                | 
| tstamp     | timestamp    | YES  |     | CURRENT_TIMESTAMP |                | 
+------------+--------------+------+-----+-------------------+----------------+

Maybe what is not set is a way of the INSERT code identifying which post - described above as post_id - the comment relates to.

Any ideas?

Much appreciate your help, arty.
David

thereo

Change the following lines and should work i have had a similar problem:
Change:
$sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
WHERE post_id=$post_id LIMIT 1";

To:
$sql = "SELECT post_id, title, post, DATE_FORMAT(postdate, '%e %b %Y at %H:%i') AS dateattime FROM posts
WHERE post_id='$post_id' LIMIT 1"; //i have added ' as mysql sometimes doesn't like $var alone it likes '$var'

Change:
$sql = "SELECT comment_id, name, website, comment FROM comments WHERE post_id = $post_id";

To:
$sql = "SELECT comment_id, name, website, comment FROM comments WHERE post_id = '$post_id'"; //same again

arty56

david wright wrote:

Thanks for your interest, arty.
post variable is:

$post_id = (isset($_REQUEST["post_id"]))?$_REQUEST["post_id"]:"";

INSERT statement reads:

if (isset($_POST["postcomment"]) != "") {
	$posttitle = addslashes(trim(strip_tags($_POST["posttitle"])));
	$name = addslashes(trim(strip_tags($_POST["name"])));
	$email = addslashes(trim(strip_tags($_POST["email"])));
	$website = addslashes(trim(strip_tags($_POST["website"])));
	$comment = addslashes(trim(strip_tags($_POST["comment"])));

$sql = "INSERT INTO comments
	(post_id,name,email,website,comment)
	VALUES ('$post_id', '$name', '$email', '$website', '$comment')";
$result2 = mysql_query($sql);
if (!$result2) {
	$message = "failed to insert comment.";
} else {
	$message = "comment added.";
	$comment_id = mysql_insert_id();

David

Hey David what variable is the key?

post_id or comment_id?

post_id according to your insert statement or comment_id according to your else statement?

I think the key shd be post_id not comment_id

change this: $comment_id = mysql_insert_id(); to this $post_id = mysql_insert_id();

After re-reading your table structure it is clear that the error lies in not having this line in your isset statement.

$post_id = addslashes(trim(strip_tags($_POST["post_id"])));

Can't insert what it doesn't receive. LOL

Arty

david_wright

Thanks thereo.
I tried it. No change.
David

david_wright

Hi arty.
In the comments TABLE, comment_id is key and is set to auto_increment, which is why it's not included in the INSERT statement. I'm wanting mysql to insert the post_id of the post being commented on.
I tried changing comment_id to post_id as suggested and
there is no post matching a post_id of 67.
was returned.
This is new - with script set prior to the change I get:
there is no post matching a post_id of .
I guess that was the 67th time I tested the comments!
Thanks for your interest.
David

arty56

OK did ya read the rest of my post ....

If comment_id is correct then you are missing the post variable for post_id.

post_id is not being set in your isset statement therefore no post_id is being set in the insert statement for it to be inserted.

david_wright

Arty.
That makes sense.
Sorry, but I'm not clear where to add

$post_id = addslashes(trim(strip_tags($_POST["post_id"])));

to the script.
Your help is much appreciated.
David.

arty56

david wright wrote:
Arty.
That makes sense.
Sorry, but I'm not clear where to add
$post_id = addslashes(trim(strip_tags($_POST["post_id"])));
to the script.
Your help is much appreciated.
David.

add to your isset post as below

if (isset($POST["postcomment"]) != "") {
$posttitle = addslashes(trim(strip_tags($POST["posttitle"])));
$name = addslashes(trim(strip_tags($POST["name"])));
$email = addslashes(trim(strip_tags($POST["email"])));
$website = addslashes(trim(strip_tags($POST["website"])));
$comment = addslashes(trim(strip_tags($POST["comment"])));
$post_id = addslashes(trim(strip_tags($_POST["post_id"])));

Arty

laserlight

You are inserting into a database using the MySQL API. Consequently, addslashes() is the wrong function to use. The correct function for escaping the input to make it safe for insertion to the database is [man]mysql_real_escape_string/man.

Next, are you sure you want to strip tags? strip_tags() can be very destructive since it does not validate HTML. For example, user A may make such a comment: "That is wrong.". Then user B may reply with: "<That is wrong.> No, that is right.". The result is that user B's method of quoting user A is interpreted as a HTML tag, and so the quote is lost. If this kind of destructive effects are not tolerable, then do not use strip_tags, but use [man]htmlspecialchars/man or [man]htmlentities/man when printing the data to screen.

Also, note that arty56's example is incorrect, though it is on the right lines. isset() returns a boolean value, so comparing it with an empty string does not make sense.

Now, before you can even start printing the post, you need the post id. So, separate from processing the comment, you should check that the post id exists, thus your script would be something like this:

if (!empty($_REQUEST['post_id'])) {
    // Retrieve the post from the database.
    // If the post with the given id exists:
        // Process the new comment, if there is one.
        // Print the post.
        // Print the comments.
    // Else:
        // Print an error message complaining about a non-existent post.
} else {
    // Option 1: print the list of posts with links to the individual posts.
    // Option 2: print the most recent post or a random post and its comments.
    // Option 2: print an error message complaining about the missing post id.
}

Note that I used $_REQUEST['post_id'] instead of $_POST['post_id'] since the post id might be specified in the query string, or sent via a hidden form field, so you need to handle both cases.

Now, you know that there is a given post id ($post_id) and it is valid. To process the new comment, you would do something like this:

if (isset($_POST['postcomment'], $_POST['name'], $_POST['comment'])) {
    $posttitle = trim($_POST['posttitle']);
    $name = trim($_POST['name']);
    $comment = trim($_POST['comment']);
    if (strlen($posttitle) > 0 && strlen($name) > 0 && strlen($comment) > 0) {
        $email = isset($_POST['email']) ? trim($_POST['email']) : '';
        $website = isset($_POST['website']) ? trim($_POST['website']) : '';
        $sql = sprintf("INSERT INTO comments
                        (post_id, name, email, website, comment)
                        VALUES (%d, '%s', '%s', '%s', '%s')",
                       $post_id,
                       mysql_real_escape_string($name),
                       mysql_real_escape_string($email),
                       mysql_real_escape_string($website),
                       mysql_real_escape_string($comment));
        // ...
    }
}

Note that there is no need to pass the post title here. Once you have the post id, you can retrieve the post title, along with other details of the post. In fact, you do not even need a hidden form field for the post id, but could pass it along with the query string of the form.