Making A News Section For A Site


miocene


I've recently completed my first proper site that is for my friend's business and it seems a success. I'm beginning to feel comfortable with (x)html and css but would like to learn some ways to make my pages more dynamic.

I thought I'd start with an easily updatable news section that might appear on a site's home page and contain recent news in a form a bit like this:

The first news item
yesterday
Here is some news for the first item

The last news item
15th July 2009
Here is some other news for the last item

Obviously I'd like it all to be styled using css so I can match my site.

What I'm after is a way of doing this in a semi automatic way. I.e. I just post a news article a bit like a comment and it gives it a date and places it in the site in a blog style fashion.

Would a php/mysql approach be best? Or I thought perhaps one could use a blog site (like blogger) and when I add a post to the blog it syncs with my site's home page (perhaps using an rss feed reader embedded in the page)


I think it is better to have a server-side scripting approach. Try with PHP/MySQL, or you can use something easier like CFM or WhizBase. It is better than relying on a third-party technology, you never know what they can do.


I think it is better to have a server-side scripting approach. Try with PHP/MySQL, or you can use something easier like CFM or WhizBase. It is better than relying on a third-party technology, you never know what they can do.

Yeah I figured. I'm just starting out with php/mySQL and finding it pretty tricky but can appreciate how useful it could potentially be. I'm currently making a simple php/sql comment box here to try and teach myself; if you'd care to check it out and give me some pointers.

Don't forget to sanitize your inputs!

What's sanitizing inputs?

EDIT: Ok I get it, it prevents people from entering code into the box thus changing what the page does (like you probably did to check if I had sanitized the inputs). I've removed those comments from the database but how do I sanitize the inputs?

Here is my php code for insert.php:

<?php
// Redirect back to the shoutbox page once the script has run
header('Location: http://topuptents.x10hosting.com/index.php');

$code = $_POST['code'];
echo $code;

if ($code == "jopft") {
    if (!$_POST['name']) {
        die();
    } else {
        // INSERTION INTO TABLE CODE
        $con = mysql_connect("localhost", "*****", "******");
        if (!$con) {
            die('Could not connect: ' . mysql_error());
        }
        mysql_select_db("miocene_shoutbox", $con);

        $thetime = date('l jS \of F Y \a\t h:i a');
        // The $_POST values are placed into the query text as submitted
        $sql = "INSERT INTO shouts (name, comment, date)
                VALUES ('$_POST[name]','$_POST[comment]','$thetime')";
        if (!mysql_query($sql, $con)) {
            die('Error: ' . mysql_error());
        }
        mysql_close($con);
    }
} else {
    die();
}
?>


To sanitize a string value, use the mysql_real_escape_string function. String values are anything that needs to go inside quotes in the SQL statement:

$sql="INSERT INTO shouts (name, comment, date)VALUES('" . mysql_real_escape_string($_POST['name']) . "','" . mysql_real_escape_string($_POST['comment']) . "','$thetime')";

You don't need to sanitize the time because that's the result of the date function, it shouldn't break anything. Sanitize everything from $_POST, $_GET, or $_COOKIE that goes into a database query. For number values instead of strings, you can use the intval function to convert to an integer, or floatval for a floating point number.


OK thanks, I added that code to my script. Why do you have the

" .

either side of the function though?

Edit: Just tested it having added the extra code and it still parses html tags, dunno about javascript etc. How do I stop it doing that?

Edit2: js is not parsed or even added to the db, that's good but I would like also to prevent html...


OK thanks, I added that code to my script. Why do you have the

" .

either side of the function though?

Edit: Just tested it having added the extra code and it still parses html tags, dunno about javascript etc. How do I stop it doing that?

Edit2: js is not parsed or even added to the db, that's good but I would like also to prevent html...

To prevent HTML parsing you can use htmlspecialchars() on the string.

To prevent HTML parsing you can use htmlspecialchars() on the string.
So would it be like:
('" . htmlspecialchars(mysql_real_escape_string($_POST['name'])) . "','" . htmlspecialchars(mysql_real_escape_string($_POST['comment'])) . "','$thetime')";

??


Do it the other way, run htmlspecialchars first, then escape the result of that using mysql_real_escape_string.

mysql_real_escape_string(htmlspecialchars($_POST['name']))

The dot operator in PHP joins two strings together, so that quote ends the query, then uses the dot operator to add the output from the escape function, then uses another dot to add the next part of the query.

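The thread's two fixes in one place, as an added example that is not part of the original posts: it swaps mysql_real_escape_string for a PDO prepared statement (the mysql_* functions were removed in PHP 7) and applies htmlspecialchars when a shout is displayed rather than before it is stored. The helper names add_shout and render_shouts are hypothetical, and an in-memory SQLite database (pdo_sqlite assumed) stands in for the MySQL shouts table so the script runs offline.

```php
<?php
// Added example, not the poster's code. Assumes the pdo_sqlite extension;
// an in-memory SQLite database stands in for the thread's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shouts (name TEXT, comment TEXT, date TEXT)');

// Hypothetical helper: store a shout. The ? placeholders keep user input out
// of the SQL text, so a quote in a name cannot end the string literal.
function add_shout(PDO $db, string $name, string $comment): void
{
    $name = trim($name);
    if ($name === '') {
        throw new InvalidArgumentException('name is required');
    }
    $stmt = $db->prepare('INSERT INTO shouts (name, comment, date) VALUES (?, ?, ?)');
    $stmt->execute([$name, $comment, date('l jS \of F Y \a\t h:i a')]);
}

// Hypothetical helper: render every shout as HTML. Encoding happens here, at
// output time, so the database keeps the text exactly as it was typed.
function render_shouts(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT name, comment, date FROM shouts') as $row) {
        $html .= sprintf(
            "<p><strong>%s</strong> (%s): %s</p>\n",
            htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['date'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Constructed sample input: a quote that would break the concatenated query,
// and markup that the browser would otherwise parse.
add_shout($db, "O'Brien", 'Nice site!');
add_shout($db, 'visitor', '<b>bold</b> & <script>alert(1)</script>');
echo render_shouts($db);
```

The second shout is displayed as literal text (`&lt;b&gt;bold&lt;/b&gt; &amp; ...`), and the apostrophe in the first name is stored unchanged without affecting the query.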

Do it the other way, run htmlspecialchars first, then escape the result of that using mysql_real_escape_string.

mysql_real_escape_string(htmlspecialchars($_POST['name']))

The dot operator in PHP joins two strings together, so that quote ends the query, then uses the dot operator to add the output from the escape function, then uses another dot to add the next part of the query.

Nice, thank you very much. I think I now have quite a good functioning comment script, unless you think it needs anything else. (maybe a proper captcha image verification rather than the same image every time!)

I would recommend using a spam-detection service like Akismet instead of a CAPTCHA, as CAPTCHAs can be really irritating, and bots can always get through them in the end. I wrote a small API for Akismet once - http://www.aspektas.com/blog/on-spam-and-the-akismet-service.


Archived

This topic is now archived and is closed to further replies.
