user1021408

Reputation: 33

php + mysql comment system

I'm pretty new to PHP, and for that matter server scripting in general (so go easy on me).
But regardless of that, I managed to create this, the first half of a comment system:

<html>
<body>
<form name="Comment" action="InsertComment.php" method="POST">
Name: <input type="text" name="name" /><br>
Comment: <br><textarea style="height: 100px; width: 600px;" name="comment"></textarea><br>
<input id="Special_ID" name="id" value="<?php $unixtime = time(); echo $unixtime; ?>">
<!--^Gathers a unique id^-->
<input type="submit" />
</form>
</body>
</html>

Once submitted -->

<?php
$con = mysql_connect("Blaa", "Blaa", "Blaa");
if(!$con) {
die('Could not connect ' . mysql_error());
}
mysql_select_db("Comments", $con);
$sql = "INSERT INTO Posts (Name, Comment, ID)
VALUES('$_POST[name]', '$_POST[comment]', '$_POST[id]')";
// Run the insert; without this call the statement is only built, never sent
mysql_query($sql, $con);
?>

This is exactly what I wanted, a user puts in their name, a comment, and a unique post id (time stamp) is generated, then it is all sent to mysql.
But now I'm dumbfounded as to how I can post this to another page. I assumed something like:

if(ID == [the id of that post]) {
//$_GET the mysql stuff
//Post inside a specially made div or something
}

Along the lines of that, but I have no clue how to put that into practise :/ Any ideas? Oh, and please don't suggest an echo type post, I've done that and it's not at all what I want.

Also, this is just the basic code, I don't need suggestions on how to touch it up just yet. Any errors in this are only due to my sleep deprivation; the code does work.

Upvotes: 0

Views: 4430

Answers (3)

user1229482

Reputation: 9

A full length example is given here: http://manzur-ashraf.com/code/auto_commenting_system/Automatic_Commenting_System_and_Email_notification_using_PHP_and_MYSQL.htm

In addition to using a MySQL database to store the comments, you can also send an email to the admin about new comments.

Upvotes: 0

James Glass

Reputation: 4300

As @Marc B has said, you'll first want to fix your SQL injection holes using mysql_real_escape_string. Change your insert statement to

$sql = "INSERT INTO Posts (Name, Comment, ID)
        VALUES('" . mysql_real_escape_string($_POST['name']) . "', '" . mysql_real_escape_string($_POST['comment']) . "', '" . mysql_real_escape_string($_POST['id']) . "')";

To display your comment, try this

$sql = "SELECT Name, Comment, ID
        FROM Posts
        WHERE ID = '" . mysql_real_escape_string($_GET['PostID']) . "'";
$query = mysql_query($sql);

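echo "<div id=\"comments_container\">";
while ($row = mysql_fetch_assoc($query))
{
    // Escape stored values so a comment cannot inject markup into the page
    echo "<div class=\"comment\">";
    echo "<div class=\"name\">" . htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8') . "</div>";
    echo "<div class=\"comment_body\">" . htmlspecialchars($row['Comment'], ENT_QUOTES, 'UTF-8') . "</div>";
    echo "</div>";
}
echo "</div>";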

Then CSS style your DIVs using IDs and classes.

Upvotes: 2

David Houde

Reputation: 4778

Just an example using mysql_fetch_object

Please sanitize your $_GET data before inserting it into MySQL; this is a huge injection security flaw.

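// Assumed parameter name; the integer cast keeps the unquoted value below safe
$id = (int) $_GET['id'];
$sql = "SELECT * FROM Posts WHERE id={$id}";
$result = mysql_query($sql);
$obj = mysql_fetch_object($result);
if(is_object($obj))
{
 // Escape the stored name before writing it into the page
 echo "Welcome " . htmlspecialchars($obj->Name, ENT_QUOTES, 'UTF-8');
}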

Upvotes: 0
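
The injection fix both answers ask for, together with escaping on display, as an added example that is not part of the original thread or any poster's code. It assumes PDO with an in-memory SQLite database so it runs offline (for MySQL only the DSN changes); the helper names `save_comment`, `e` and `render_comments` are hypothetical and the sample values are constructed.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite so it
// runs offline; for MySQL only the DSN passed to new PDO(...) changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Posts (Name TEXT, Comment TEXT, ID INTEGER)');

function save_comment(PDO $db, array $post): void
{
    // The id arrives in a form field the client can edit, so accept integers only.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // Placeholders keep the values out of the SQL text, so a quote in the
    // name or comment cannot alter the statement.
    $stmt = $db->prepare(
        'INSERT INTO Posts (Name, Comment, ID) VALUES (:name, :comment, :id)'
    );
    $stmt->execute([
        ':name'    => (string) ($post['name'] ?? ''),
        ':comment' => (string) ($post['comment'] ?? ''),
        ':id'      => $id,
    ]);
}

function e(string $text): string
{
    // Escape at output time: stored text is data, never markup.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_comments(PDO $db, int $postId): string
{
    $stmt = $db->prepare('SELECT Name, Comment FROM Posts WHERE ID = :id');
    $stmt->execute([':id' => $postId]);
    $html = '<div id="comments_container">';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<div class="comment"><div class="name">' . e($row['Name'])
            . '</div><div class="comment_body">' . e($row['Comment']) . '</div></div>';
    }
    return $html . '</div>';
}

// Constructed sample standing in for $_POST: a quote and some markup.
save_comment($db, ['name' => "O'Brien", 'comment' => "<i>it's markup</i>", 'id' => '1331000000']);
echo render_comments($db, 1331000000), "\n";
```

The quote in the name is stored verbatim instead of breaking the INSERT, and the markup in the comment is rendered as visible text rather than interpreted by the browser.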
