I'm looking for a simple way to let people leave comments (without even registering to the website) on my website.
Any suggestions how I could do that?

Thanks for your help!

Recommended Answers

All 12 Replies

Member Avatar

Have a element textArea, people will leave the comments there and give a button to submit. when submit just pass the text value to the database using php.

1) Name: Email-id: Comments:

Get the three fields on submit and stored in the databse using php

Ok, I'll give it a try, I'm not familiar with php yet, anyway to get around it?

Member Avatar

First of all you should know about the php environment and syntax to write codings. you have to start from the beginning installation, understanding localhost and all.. Search google for tutorials.

Ok, I'll give it a try, I'm not familiar with php yet, anyway to get around it?

There is a difference between static sites and dynamic sites. Static sites stay the same until the author manually changes the code. A dynamic site changes based on certain events. Adding a comment to a web page is one such event. You are looking to make a dynamic site, and this requires knowledge of some form of scripting language. You need to be able to either interact with a file or a database for a problem like this.

As rajarajan07 said, PHP is a good solution. It is free, and fairly easy to learn. Plus there are tons of documentations and tutorials out there for it.

And unless you want to manipulate the file directly, which could be messy, you'll need to learn database interaction as well. PHP pairs up well with MySQL, a free database management system.

Member Avatar

If you allow anybody to post to your site, you may want to use ReCaptcha, otherwise you may get all sorts of automated nasties - adverts for viagra etc.

In addition, if/when you decide on a server-side language to use (usually a choice between asp and php), ensure that you process the information before you save it to a database. This means removing html tags and escaping characters that could break your SQL. There are a lot of malicious people out there.

Thanks for the inputs.

I know a little bit about scripting, my website is .shtml because I wanted to do SSI (server side include).

ardav: my website is password protected, so only my friends, in theory, should be able to see it. So security is not that big of a deal. But thanks for the warning.

Member Avatar

>ardav: my website is password protected, so only my friends, in theory, should be able to see it. So security is not that big of a deal. But thanks for the warning.

No prob. SQL queries can break via accidental input too - doesn't have to be malicious - so clean/sanitize all input. mysql_real_escape_string() is the standard way of doing it.

commented: Good sheet. +11

From personal preference (not raw utility), I find PHP to be ugly, arcane and difficult. It is, as noted, nearly ubiquitous, free, powerful and has lots of available packages. mysql_real_escape_string() is probably not the best way to deal with incoming data, though it works. Better, in my opinion, to use a package like DB from PEAR, and let the package do the work with placeholder INSERT statements. For instance, here's a bit of code

$q = "INSERT INTO payment (payerid,paidforid,amount) VALUES (?,?,?)";
  $ps = $db->prepare($q);
  if(PEAR::isError($ps)) {
    upPrint($dancername[$id].': '.$ps->getMessage(),"While preparing '{$q}'",'rb');
  $gn = '';
  foreach($dancername as $id => $d) {
    $gn .= $s.$d;
    $s=', ';
  foreach($payment as $gid=>$data) {
    $res = $db->executeMultiple($ps,$data);

Notice the (?,?,?) in line 1, and the prepare() call in line 2; and the executeMultiple() call in the last line. The rest is uninteresting for your purposes: I was just too lazy to pare my existing code down to a simpler example.

Member Avatar

If you want to really confuse the guy why not go the whole hog and go PDO? Ha ha ha.

I got it all up and working! The only thing that confuse me is mysql_real_escape_string(). I get it is meant to add extra / in front of some character like ' or " that could be used for kind of exploit. But I wonder if its not done already by the way I coded it. Here's a simplified version of my code.

The form to get the data from the user:

<form action="AddComment.php" method="post">
<textarea name="Comment" rows="5" cols="60"></textarea> <br>
Name: <input type="text" name="Name"><br>
<input type="submit" value="Submit">

Here's my AddComment.php file:



@mysql_select_db($database) or die( "Unable to select database");

$query = "INSERT INTO Comments VALUES (NOW(),'$Comment','$Name')";

if (!mysql_query($query))
  die('Error: ' . mysql_error());


// Output the new data added to the database:
echo "<br><br><b><center>Your comment has been added, thanks!</center></b><br><br>";

// Remove the slashes
$Comment = stripslashes($Comment);
$Name = stripslashes($Name);

echo "$Comment<br><b>"
<div align="right">
<? echo "$Name</div></b><br><hr><br>"; 

If I don't do:

$Comment = stripslashes($Comment);

There is slashes in front of ' So it seems like I don't need to use mysql_real_escape_string()? It seems like the string is sanitized already...

You can show your answer at css-tricks/Full Page Background Image-progressive. I'm sure that you could find your answer there :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.