"Status updates"

[gdebojyoti.mail96]

I am planning to introduce Facebook/ Orkut/ Twitter like "status update" feature to the members of my website. But I am not sure about where and how to store the data posted by the users (i.e., the contents of the "status"). Can someone please suggest a way?
Note that I would also like to display older updates (newest first).
And what measures should I take to prevent SQL injections? I also want to display the exact data that a user enters (such as "<b>Text</b>", and not "Text" ), just like Facebook.

Looking forward to your help.

Regards.

 

[gdebojyoti.mail96]

I am still waiting for a reply.... Anyone there?? Help is urgently required!!

 

[veliisx235]

I would definitely store the data using SQL (most likely in a VARCHAR field). The way you need to handle the special characters is going to depend on how you are displaying the status. Most likely you will need to figure out all the special characters possible and use escape sequences so that they don't behave like HTML (if you are using PHP).

Using SQL, if you use an auto incrementing value for the KEY (or you manually shove in a time stamp) you can have it sort for you when you pull them out of the database quite easily.

 

[misson]

Consider how to model the data before considering what you want to do with it, because what you want to do with it may change in the future. Just designing the model may give you ideas about how to use it. Consider the properties of what you're modeling. There's the status text, the user and the date & time that the status was changed; you may be able to think of others that would be useful. The properties become columns in a "statuses" table (use a table separate from your table of users, since users and statuses have a 1-to-many relationship). The date & time let you sort statuses. The user can be joined to other tables for various purposes (e.g. a "friends' statuses" page).

SQL injection is prevented by using prepared statements, passing the values via prepared statement parameters.

When it comes time to post the status text, pass it through "htmlspecialchars" before outputting it to encode characters that are, well, special in HTML. You may be tempted to do this before storing the text, but (generally speaking) you should only format data for a given purpose when it comes time to use the data for that purpose. You can't be certain that the status text will only ever be used by HTML processors and you'll gain nothing appreciable by pre-processing before storage.

Urgency is subjective.

 

[gdebojyoti.mail96]

Thanks for your help. I have successfully managed to enable status updates in my site.