There's like way too many places for SQL injection there. Someone could, seriously, delete your weblog with a single comment. Back it up now.
And then contact me, and I'll help you out or something. My heart just jumped in my throat when I saw exactly how a jerk - which, by the way, there's plenty of Vincent-hating jerks who know SQL and PHP - could erase all your hard work.
CRN go "Test"*
BR go "Clinton is like the sherif, man..."*
I'm relatively new to php, but I know a thing or two and would be glad to help, either in terms of pointers (I came too late to the thread to see the code) or in terms of (benign) testing. Lemme know - I think you have my email. Sounds like Clinton's basically got your back, though.
Yow. I just had to edit a marginalia post to escape some stuff that was causing the SQL to bomb out -- at least apply a regexp to your variables like s/'/'/g, which avoids most of the trivial sql hacking bugs (as well as letting people post things with apostrophes without getting "sql error" on the result side).
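Added illustration (not code from the thread or the weblog in question): the comment above describes an apostrophe in a post making the SQL "bomb out". This stand-alone Python/sqlite3 snippet reproduces that failure with a string-concatenated INSERT and shows the standard fix, binding the comment as a parameter so the driver keeps data separate from SQL text (the PHP equivalent is a PDO prepared statement). The table name, columns and sample comment are constructed for the example.

```python
import sqlite3

# Constructed sample comment containing an apostrophe, the kind of input
# the thread says caused an "sql error" on the weblog.
SAMPLE_COMMENT = "Clinton's basically got your back"


def setup() -> sqlite3.Connection:
    """Create an in-memory database with a constructed comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_naive(conn: sqlite3.Connection, body: str) -> bool:
    """String-concatenated INSERT, the pattern that breaks on an apostrophe.

    Returns True if the statement ran, False if the database rejected it.
    """
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        # The quote in the comment ends the string literal early, so the
        # statement is malformed; untrusted text has become part of the SQL.
        return False


def insert_parameterized(conn: sqlite3.Connection, body: str) -> bool:
    """Bound parameter: quotes in the comment are stored literally and
    cannot change the structure of the query."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return True


def stored_bodies(conn: sqlite3.Connection) -> list:
    """Return every stored comment body in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def demo() -> tuple:
    """Run both inserts against a fresh database and report the outcome."""
    conn = setup()
    naive_ok = insert_naive(conn, SAMPLE_COMMENT)          # False
    param_ok = insert_parameterized(conn, SAMPLE_COMMENT)  # True
    return naive_ok, param_ok, stored_bodies(conn)


if __name__ == "__main__":
    print(demo())
```

Hand-rolled escaping of apostrophes only addresses the symptom; the bound-parameter form removes the class of bug, including the destructive comment the first post warns about.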
mneme go "bah"*
mneme go "or..."*
VB go "done, anyway, I'm pretty sure."*
mneme go "*sigh*"*
mneme go "yup"*
VB go "HTML ESCAPING! DAMMIT!"*
JL go "There's always more..."*
mneme go "no, that's just wrong"*
mneme go "yes..."*
mneme go "preview would be nice"*
Textdrive, hey? I just downloaded and installed that on my laptop over the weekend, for fiddling around with. Thinking about the Marginalia gave me some ideas about AJAX-y comment threading that I may want to try out, if I can figure out the hard parts.
AG go "Textpattern is what I meant"*