Comment Box - Wondering if there was a better way to make it and display.

chrisrog

Just wondering about this since I'm using a file write and read setup in PHP for the comment box, but also I've never been good at displaying things on web pages, or at least setting up a good display.


Here are the 3 files that make this thing run.

The part of my PHPCommentsForum.php file that is the comment box. Yes, it started out as an HTML file and was converted to a PHP one to let PHP work freely in it.
Code:
<div id="content">
 
            <h3>Site Info</h3>
            <div name="commentDisplayer" id="commentDisplayer" >
      <h3>Comments Section</h3>
      <p>This is meant for where the comments are going to show up but isn't setup fully yet so this message will be here until it is working.</p>
      <?php include('LoadForumComments.php') ?>
     </div>
     <form name="commentsForm" id="commentsForm" action="SaveComments.php" method="post">
      <fieldset>
       <label id="usertag" for="user" >User Name <input name="user" id="user" type="text" value="Guest" /></label>
       <br />
       <label id="commenttag" for="comment">Comment</label>
       <br />
       <textarea name="comment" id="comment" rows="5" cols="35">Replace this with your own text!</textarea>
       <br />
       <input type="submit" value="Submit"/>
      </fieldset>
     </form>
           </div>

Here's my Save and Load files.
Code:
LoadForumComments.php
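<?php
 $file = "SavedForumComments.txt"; //Path to your *.txt file $_SERVER['DOCUMENT_ROOT'] .
 // file() returns false when the file does not exist yet, so guard before implode()
 $contents = is_readable($file) ? file($file) : array();
 
 $string = implode($contents);
 
 echo $string;
?>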

SaveComments.php

<?php
 $username = $_POST['user'];
 $userComment = $_POST['comment'];
 $file = "SavedForumComments.txt";
 $openFile = fopen($file,"a") or die("Can't open file!");
 fwrite($openFile, "\n" . '<div name="FileComment" class="FileComment">' . '<h2>' . $username . '</h2>' . '<p>' . $userComment . '</p>' . '</div>' . "\n");
 
 fclose($openFile) or die("Can't close file!");
 header("Location: PHPCommentsForum.php");
 exit;
?>

And the CSS file that holds any relevance to this directly:
Code:
form#commentsForm{
 width: 40%;
 background-color: gray;
 float: left;
 
}
div#commentDisplayer{
 width: 58%;
 background-color: gray;
 float: right;
 margin: 3px;
 
}
div.FileComment{
 border: groove 3px blue;
 background-color: rgb(30,100,50);
 margin: 20px;
}
div.FileComment code{
 display: block;
}

Just looking for ideas right now since it is working, but I know it could probably be better.
 

essellar

There are a lot of other things you could be doing, but Priority One is going to be sanitizing user input. As it stands, your users can inject arbitrary HTML — including <script> — onto your page, making you vulnerable to both pranks and nastier stuff. At the very least, you'd want to use strip_tags() (and probably htmlspecialchars()). The problem with htmlspecialchars() is that it completely removes a user's ability to format what they type. It would help, too, if line breaks/paragraph breaks are preserved (lb2br() — line break to <br> — does a half-assed job of that; it preserves breaks but produces semantically-bad HTML).

This is one of those instances where using a third-party library might be the better part of valour. Either BBCode (http://en.wikipedia.org/wiki/BBCode) or Markdown (http://en.wikipedia.org/wiki/Markdown) would be a good choice. "Civilians" may be more familiar with BBCode since most of the Bulletin Board/Forum software out there (including this forum) uses it, but it's tag-based and can be hard to read. Markdown is a lot more natural to create and read — it's specifically designed to be readable as plain text — and it has begun to spread to significant parts of the web, but people aren't necessarily expecting it. Honestly, it's a much better markup than BBCode ever thought of being.

I like Michel Fortin's PHP Markdown (http://michelf.ca/projects/php-markdown/) or PHP Markdown Extra (http://michelf.ca/projects/php-markdown/extra/). Anybody who has used the StackOverflow/StackExchange sites (or the Community Support site here) will be familiar with Markdown. If you combine that with a JS Markdown editor (with preview), you get a full WYSIWYG editor for people who are not familiar with MD, and since most of them show the Markdown source as well as the WYSIWYG preview, your "frequent flyers" will get up to speed with direct entry pretty quickly. Pagedown (http://code.google.com/p/pagedown/) is the StackOverflow editor (a fork of wmd editor), and it's easy to plug in to your page.
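
An added example, not part of either post above: a plain-text variant of the save and load scripts that stores the raw comment text and applies htmlspecialchars() only at display time, while keeping paragraph and line breaks. The file name comments.jsonl, the function names and the length limits are assumptions, and it needs PHP 7.4 or later; it does not implement Markdown or BBCode.

```php
<?php
// Added example, not the poster's code. File name, function names and
// length limits are assumptions. Requires PHP 7.4+.
const COMMENT_FILE = __DIR__ . '/comments.jsonl'; // hypothetical path

// Store the raw text, one JSON object per line. json_encode() escapes
// newlines, so a comment can never spill into a second record.
function save_comment(string $user, string $comment, string $file = COMMENT_FILE): bool
{
    $user = trim($user);
    $comment = trim($comment);
    if ($user === '' || $comment === '' || strlen($user) > 40 || strlen($comment) > 2000) {
        return false;
    }
    $line = json_encode(['user' => $user, 'comment' => $comment]); // false on invalid UTF-8
    return $line !== false
        && file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Escape at output time, then add markup: a blank line starts a new <p>,
// a single newline becomes <br> via nl2br().
function render_comment(string $user, string $comment): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body = '';
    foreach (preg_split('/(?:\r\n|\r|\n){2,}/', $comment) as $para) {
        $body .= '<p>' . nl2br($esc($para)) . '</p>';
    }
    return '<div class="FileComment"><h2>' . $esc($user) . '</h2>' . $body . '</div>';
}

function load_comments(string $file = COMMENT_FILE): string
{
    $html = '';
    $lines = is_readable($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : false;
    foreach ($lines ?: [] as $line) {
        $c = json_decode($line, true);
        // Skip records that are not the expected shape instead of echoing them.
        if (is_array($c) && is_string($c['user'] ?? null) && is_string($c['comment'] ?? null)) {
            $html .= render_comment($c['user'], $c['comment']) . "\n";
        }
    }
    return $html;
}

// Constructed sample input, written to a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'cmt');
save_comment('Guest', "Hi <script>alert(1)</script>\nline two\n\nNew paragraph", $tmp);
echo load_comments($tmp);
unlink($tmp);
```

Because the stored file holds data rather than ready-made HTML, the display markup can change later without rewriting old comments.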
 