PDA

View Full Version : Comment class



The Reverend
08-16-2006, 11:07 AM
This is something I've been working on for my site, I'm trying to put the ability to comment on articles into a class. I think it's something that can be used on other sites with a few alterations.

It can grab existing comments in the database, as well as insert new comments into it. It records the comments, name and email the person inputs. It also validates the email and the domain name using techniques brought in this (http://www.codingforums.com/showthread.php?t=93453) thread.

Tell me what you think and how it can be improved, this is the first class I've written and I'd like some critique on how to improve it, OOP is fairly new to me.


<?php

/*
################################################
# Comment Class
################################################
*/

class Comments{

var $id;
var $table;
var $fields = array('name','comment','time');
var $field;
var $ip;
var $SQL;
var $result;
var $comments_final;
var $comment_id;
var $email;
var $name;
var $comment;
var $valid;

//here's the constructer

function Comments($itemid, $comtable, $ip){
$this->ip = $ip;
$this->id = $itemid;
$this->table = "`".$comtable."`";
}

//getting comments from the past

function GetComments(){
$this->field = implode(',', $this->fields);
$this->SQL = "SELECT ".$this->field." FROM ".$this->table." WHERE `columnid`='".$this->id."' ORDER BY `commentid` ASC";
$this->result = mysql_query($this->SQL) or die("There was a problem with this query:".mysql_error());
$this->comments_final = "<table width='70%' align='center'><tr><td>Reader Comments</td></tr>\n";
while($row = mysql_fetch_assoc($this->result))
{
$this->comments_final .= "\t<tr>\n\t\t<td><b>".$row['name']."</b>&nbsp;&nbsp;&nbsp;".$row['time']."<br />\n<br />".htmlentities(stripslashes($row['comment']))."</td></tr\n>";
}
$this->comments_final .= "</table><br />
<hr /><span class='headertext'><a name=\"comment\"></a>Add a comment</span><br /><table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" height=\"451\" width=\"100%\">
<tbody>
<tr>
<td align=\"center\" valign=\"center\">
<form name=\"form\" action=\"".$_SERVER['PHP_SELF']."\" method=\"post\">
<table border=\"0\" cellpadding=\"0\" cellspacing=\"4\">
<tbody>
<tr>
<td align=\"right\">Name</td>
<td><input id=\"name\" size=\"40\" name=\"name\"></td></tr>
<tr>
<td align=\"right\">e-mail</td>
<td><input id=\"email\" size=\"40\" name=\"email\"></td></tr>
<tr>
<td align=\"right\">Comment</td>
<td><textarea id=\"message\" name=\"message\" rows=\"9\" cols=\"60\"></textarea> </td></tr>
<tr>
<td><input type=\"hidden\" value=\"sentdata\" name=\"sent\" /></td>
<td><input id=\"send\" value=\"Send\" name=\"send\" type=\"submit\"></td>
</tr></tbody></table></form><br /></td></tr></tbody></table>";
return $this->comments_final;
}

function AddComment($name, $columnid, $comment, $email)
{
$this->SQL = "SELECT `commentid` FROM ".$this->table." WHERE `columnid`=".$this->id." ORDER BY `commentid` DESC LIMIT 1";
$this->result = mysql_query($this->SQL);
while($row = mysql_fetch_assoc($this->result))
{
$this->commentid = $row['commentid'] + 1;
}
if((!$name) or (!$columnid) or (!$comment) or (!$email))
{
$this->valid = false;
break;
}
$this->name = $name;
$this->column_id = $columnid;
$this->comment = addslashes($comment);
$this->email = $email;
if(CheckEmail($this->email) == false)
{
$this->valid = false;
break;
}
if(ValidateDomain($this->email) == false)
{
$this->valid = false;
break;
}
$this->SQL = "INSERT INTO `".$this->table."`('columnid', 'name', 'comment', 'commentid', 'time', 'email', 'ip') VALUES (`".$this->column_id."`, `".$this->name."`, `".$this->comment."`, `".$this->commentid."`, NOW(), `".$this->email."`, `".$this->ip."`) LIMIT 1";
$this->result = mysql_query() or die("could not perform query because:".mysql_error());
$this->valid = true;
}

function CheckEmail($string){
$beg = '[-!#\$%&\'\*\+\/=\?\^_`{}\|~0-9A-Z]+(?:\.[-!#\$%&\'\*\+\/=\?\^_`{}\|~0-9A-Z]+)*';
$end = '[-0-9A-Z]+(?:\.[-0-9A-Z]+)*';
$full_pattern = '/^'.$beg.'(?:@'.$end.')?$/iD';
if (preg_match($full_pattern, $string))
{
return true;
}
else
{
return false;
}
}

function ValidateDomain($string){
$email = $string;
$intitial_url = explode("@",$email);
$url = "http://".$initial_url[1];
$url2 = "http://www.".$initial_url[1];
$hf1 = @fopen($url,"rb");
$hf2 = @fopen($url2,"rb");
if (strlen($hf1) == 0){
if (strlen($hf2) == 0) {
return false;
fclose($hf1);
fclose($hf2);
break;
}
else
{
return true;
fclose($hf1);
fclose($hf2);
break;
}
}
else
{
return true;
fclose($hf1);
fclose($hf2);
break;
}
}

function ValidationMessage()
{
if($this->valid == true)
{
$this->message = "Your comment has been submitted, thank you for your input.";
}
if($this->valid == false)
{
$this->message = "There was an error submitting your message. Please check that all fields are filled out and the email address is valid.";
}
return $this->message;
}
}

?>

Here's the way I use it



require 'CommentsClass.php';
$com =& new Comments($_GET['id'], "table", $_SERVER["REMOTE_ADDR"]);
if($_POST['sent'] == 'sentdata')
{
$com->AddComment($_POST['name'], $_GET['id'], $_POST['comment'], $_POST['email']);
$validation = $com->ValidationMessage();
}

$comments = $com->GetComments();
echo $validation;
echo $comments;

d11wtq
08-16-2006, 11:13 AM
I'll try to provide some constructive criticism ;)

I'd probably break the markup out into a template file... placing that amount of markup in a class is generally not a good idea since you need to edit the class in order to change the layout slightly.

$_SERVER['PHP_SELF'] is tainted and can be exploited. In fact, many of the $_SERVER superglobals are tainted. Do you actually need the 'action' attribute in there at all or can you maybe have the user specify where it should point to?

EDIT | Yikes. Don't do this:

$this->SQL = "INSERT INTO `".$this->table."`('columnid', 'name', 'comment', 'commentid', 'time', 'email', 'ip') VALUES (`".$this->column_id."`, `".$this->name."`, `".$this->comment."`, `".$this->commentid."`, NOW(), `".$this->email."`, `".$this->ip."`) LIMIT 1";

Be sure to mysql_real_escape_string() on those value which have come straight from $_POST.