
I've been doing a very simple PHP comment system, where the user simply types a comment and it appears on the site. However, I realised that the most recent comment would keep being posted if the user refreshed the page.

I figured it had something to do with the while loop in the getComments function, but I've tried header("Location: index.php") and it had another error, so I'm really out of ideas.

index.php:

<?php
    date_default_timezone_set('Europe/Bucharest');
    include 'dbh.inc.php';
    include 'comments.inc.php';
?>

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <link rel="stylesheet" type="text/css" href="styles.css">
</head>

<body>

<?php
echo "<form method='POST' action='".setComments($conn)."'>
    <input type='hidden' name='uid' value='Anonymous'>
    <input type='hidden' name='date' value='".date('d-m-Y H:i:s')."'>
    <textarea name='message'></textarea><br/>
    <button type='submit' name='commentSubmit'>Comment</button>
</form>";

getComments($conn);

?>
</body>

</html>

Comments.inc.php:

<?php

function setComments($conn) 
{
    if (isset($_POST['commentSubmit']))
    {
        $uid = $_POST['uid'];
        $date = $_POST['date'];
        $message = $_POST['message'];

        $sql = "INSERT INTO comments (uid, date, message) VALUES ('$uid','$date','$message')";
        $result = mysqli_query($conn,$sql);
    }
}

function getComments($conn)
{
    $sql = "SELECT * FROM comments";
    $result = mysqli_query($conn, $sql);
    while ($row = $result->fetch_assoc())
    {
        echo "<div class='comment-box'><p>";
            echo $row['uid']." ";
            echo $row['date']."<br>";
            echo nl2br($row['message']);

        echo "</p></div>";
    }
}

dbh.inc.php:

<?php
$conn = mysqli_connect('localhost', 'root', '' , 'commentsection');

Any feedback is greatly appreciated.

QRe

  • A refresh resubmits the form. Take a look at http://stackoverflow.com/questions/6320113/how-to-prevent-form-resubmission-when-page-is-refreshed-via-php. You also are open to SQL injections. Use parameterized queries. – chris85 Oct 15 '16 at 16:40
  • Before fixing that issue, your code doesn't make sense. There is no possible reason why you would have `action` be a concat to a function that adds something to the database and returns nothing. – Jonnix Oct 15 '16 at 16:40
  • How should I do it instead? – QRe Oct 15 '16 at 16:55
  • Yeah, like chris said, you are vulnerable to MySQL injections, which could potentially bring down your site/reveal sensitive info. Make sure to use `mysql_real_escape_string`. – Reality Mar 26 '21 at 00:00
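The fix the comments point to, Post/Redirect/Get plus a parameterized INSERT, written out as an added example that is not code from the question or its answers. It assumes the same `comments` table with `uid`, `date` and `message` columns, the `$conn` created in `dbh.inc.php`, and that this file is served as `index.php`.

```php
<?php
// Added example, not from the question or answers: the same comment page
// with Post/Redirect/Get and a prepared statement. Assumes the `comments`
// table (uid, date, message), $conn from dbh.inc.php, and the file name index.php.
date_default_timezone_set('Europe/Bucharest');
include 'dbh.inc.php';

// 1. Handle the POST, then redirect. The browser lands on a GET, so a
//    refresh re-requests the page instead of resubmitting the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['commentSubmit'])) {
    $uid     = 'Anonymous';            // decided server-side, not by a hidden field
    $date    = date('d-m-Y H:i:s');    // same format the original form used
    $message = trim($_POST['message'] ?? '');

    if ($message !== '') {
        // Placeholders keep the user's text out of the SQL string entirely,
        // which is the parameterized query chris85 asks for.
        $stmt = mysqli_prepare($conn, 'INSERT INTO comments (uid, date, message) VALUES (?, ?, ?)');
        mysqli_stmt_bind_param($stmt, 'sss', $uid, $date, $message);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    // 303 See Other makes the follow-up request a GET.
    header('Location: index.php', true, 303);
    exit;
}

// 2. GET: list the comments. Stored text is escaped before it goes into HTML.
function getComments(mysqli $conn): void
{
    $result = mysqli_query($conn, 'SELECT uid, date, message FROM comments');
    while ($row = $result->fetch_assoc()) {
        echo "<div class='comment-box'><p>";
        echo htmlspecialchars($row['uid'], ENT_QUOTES, 'UTF-8') . ' ';
        echo htmlspecialchars($row['date'], ENT_QUOTES, 'UTF-8') . '<br>';
        echo nl2br(htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'));
        echo "</p></div>";
    }
}
?>
<form method="POST" action="index.php">
    <textarea name="message"></textarea><br/>
    <button type="submit" name="commentSubmit">Comment</button>
</form>
<?php getComments($conn); ?>
```

After the redirect the browser's last request is the GET, so F5 only re-reads the comment list.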

2 Answers

So I do not know if this is a good thing, but it seems very practical. What I've finally done is:

I set up a session variable. Then instead of

function getComments($conn)
{
    $sql = "SELECT * FROM comments";
    $result = mysqli_query($conn,$sql);
    while($row =$result->fetch_assoc())
    {
        echo "<div class='comment-box'><p>";
            echo $row['uid']." ";
            echo $row['date']."<br>";
            echo nl2br($row['message']);

        echo "</p></div>";
    }
}   

I did

function getComments($conn)
{
    // Needs session_start() before any output so $_SESSION is available.
    $sql = "SELECT * FROM comments";
    $result = mysqli_query($conn, $sql);
    while ($row = $result->fetch_assoc())
    {
        // Skip a row whose message matches the one remembered in the session
        // (null-coalesced so the first request does not raise an undefined-index notice).
        if (($_SESSION["repeated"] ?? null) != $row['message'])
        {
            echo "<div class='comment-box'><p>";
                echo $row['uid']." ";
                echo $row['date']."<br>";
                echo nl2br($row['message']);
            // Closing tags belong inside the if; outside it, skipped rows emit a stray </p></div>.
            echo "</p></div>";
        }
        $_SESSION["repeated"] = $row['message'];
    }
}

And it seems to be absolutely working! It has a minor glitch though: if I delete all the variables in the database after I already posted a comment in this session, at some point it will post it again. (Not a big deal.) But that's all. I was going for the post/redirect/get, but I was a bit confused and tried this out of curiosity and it worked. (To me) it seems a simpler approach, or is it something I'm not seeing?

QRe


Easy fix!!! Add `required` to the form's inputs:

<input type='text' name='emne' placeholder='Subject' required>

  • This does not solve the original problem. The issue is refreshing a page will resend previous POST content. – CyberEd Mar 25 '21 at 22:43