
<?php
// Shared includes live one directory above the document root, so they are not
// served over HTTP directly. The two files below are expected to provide
// display_header(), sanitize_input(), $conn and the blog helpers used further
// down — TODO confirm against common/.
$COMMONS = $_SERVER['DOCUMENT_ROOT'] . '/../common';
include_once $COMMONS . '/header.php';
include_once $COMMONS . '/blog_utils.php';
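/**
 * Store a comment for a blog post and return its new id.
 *
 * Every value is bound through PDO placeholders, so the caller only has to
 * make sure the ids are well-formed. Escaping the comment for HTML output is
 * the job of whatever renders it later, not of this function.
 *
 * @param PDO|object $conn     Open database connection (anything exposing prepare()).
 * @param string     $blogId   GUID of the blog post the comment belongs to.
 * @param string     $posterId GUID of the signed-in poster, or the literal
 *                             string "NULL" when nobody is signed in.
 * @param string     $content  Comment body; nothing is stored when it is empty.
 * @param string     $parentId GUID of the parent comment for a reply, or the
 *                             literal string "NULL" for a top-level comment.
 * @return string GUID primary key of the new comment, or "" when nothing was
 *                stored because $content was empty.
 * @throws RuntimeException when the database hands back no UUID or rejects the
 *                          insert (only reached when $conn is not already in
 *                          PDO::ERRMODE_EXCEPTION).
 */
function send_comment($conn, $blogId, $posterId, $content, $parentId): string
{
    // Only a genuinely empty body is rejected. The previous empty() check also
    // silently dropped the perfectly valid comment "0".
    if ($content === null || (string) $content === '') {
        return "";
    }

    // Let the database mint the id so it has the same shape as every other
    // UUID() in the schema.
    $stmt = $conn->prepare("SELECT UUID()");
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !isset($row["UUID()"])) {
        throw new RuntimeException('Could not obtain a UUID for the new comment.');
    }
    $uuid = (string) $row["UUID()"];

    // The sentinel string "NULL" (and a real null) mean "no parent" / "anonymous".
    $parent = ($parentId === null || $parentId === "NULL") ? null : $parentId;
    $poster = ($posterId === null || $posterId === "NULL") ? null : $posterId;

    $stmt = $conn->prepare("INSERT INTO blogpost_comments
( comment_id, parent_id, blogpost_id, poster_id, content) VALUES
(:comment_id, :parent_id, :blogpost_id, :poster_id, :content);");
    $stmt->bindValue(":comment_id", $uuid, PDO::PARAM_STR);
    // Bind SQL NULL explicitly instead of relying on how the driver treats a
    // PHP null tagged as a string.
    $stmt->bindValue(":parent_id", $parent, $parent === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(":blogpost_id", $blogId, PDO::PARAM_STR);
    $stmt->bindValue(":poster_id", $poster, $poster === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(":content", $content, PDO::PARAM_STR);

    if (!$stmt->execute()) {
        throw new RuntimeException('Could not store the comment.');
    }
    return $uuid;
}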
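// Anything but a POST gets a human-readable description of the expected
// arguments instead of creating a comment. display_header() and footer.php
// come from the common includes at the top of the file.
if ($_SERVER["REQUEST_METHOD"] !== "POST") {
    display_header("Post Comment");
    // Static markup: echo instead of printf so a "%" in the text can never be
    // taken for a format directive.
    echo "
<article>
<h2>Post Comment</h2>
<p>
Request this page with POST supplying following arguments:
</p>
<table>
<tr>
<td>
<b>Argument</b>
</td>
<td>
<b>Comment</b>
</td>
</tr>
<tr>
<td>
referer
</td>
<td>
URL, from which this page was requested,
after adding the comment into the database,
the page will redirect back to the referer.
</td>
</tr>
<tr>
<td>
blogpost_id
</td>
<td>
GUID of the blogpost, under which the comment was posted.
</td>
</tr>
<tr>
<td>
content
</td>
<td>
Content of the comment.
</td>
</tr>
<tr>
<td>
parent_id (optional)
</td>
<td>
GUID of the parent comment of the comment to be posted.
</td>
</tr>
</table>
<p>
Note: takes the SESSION variable \"current_user\" into account, if set.
</p>
</article>
";
    include_once($COMMONS . "/footer.php");
    die();
}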
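/**
 * Decide whether a client-supplied URL may be used as a redirect target.
 *
 * The referer arrives in the POST body, so sending the browser wherever it
 * says would make this endpoint an open redirect. Only same-site targets are
 * accepted: relative URLs, or absolute http(s) URLs whose host is the one this
 * request was addressed to.
 *
 * @param string $url Candidate target (already passed through sanitize_input()).
 * @return bool true when redirecting to $url keeps the visitor on this site.
 */
function is_local_redirect_target($url)
{
    $url = (string) $url;
    // Browsers strip ASCII whitespace/control characters and turn "\" into "/"
    // before resolving, so "/\evil" or "/<tab>/evil" would end up as the
    // protocol-relative "//evil". Refuse anything that needs such cleanup;
    // a preg error also counts as a refusal (fail closed).
    if ($url === '' || preg_match('/[\x00-\x20\x7F\\\\]/', $url) !== 0) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Scheme-less and authority-less: a path on this site. Still refuse a
        // leading "//", which browsers read as an authority even when
        // parse_url() does not.
        return strncmp($url, '//', 2) !== 0;
    }
    // "javascript:", "mailto:" and similar have a scheme but no host.
    if (!isset($parts['host']) || !isset($_SERVER['HTTP_HOST'])) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : 'http';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    // HTTP_HOST may carry a port; run it through parse_url() too so only the
    // host names are compared.
    $ownHost = parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST);
    return is_string($ownHost) && strcasecmp($parts['host'], $ownHost) === 0;
}

// Check DB connection. $conn is not defined in this file; it presumably comes
// from one of the common includes (blog_utils.php?) — TODO confirm. empty()
// covers an undefined variable, null and false without a warning.
if (empty($conn)) {
    header($_SERVER["SERVER_PROTOCOL"] . " 503 Service Unavailable", true, 503);
    include_once($_SERVER["DOCUMENT_ROOT"] . "/errors/503.php");
    die();
}

// Required POST arguments; the non-POST branch above documents them.
if (!isset($_POST["referer"], $_POST["blogpost_id"], $_POST["content"])) {
    // A status line is "<protocol> <code> <reason>"; the old text carried a
    // stray colon after the code.
    header($_SERVER["SERVER_PROTOCOL"] . " 400 Bad Request", true, 400);
    include_once($_SERVER["DOCUMENT_ROOT"] . "/errors/400.php");
    die();
}

// Get the input arguments. "NULL" (the string) is the sentinel send_comment()
// understands for "no parent" / "anonymous".
$referer = sanitize_input($_POST["referer"]);
$blogpost_id = sanitize_input($_POST["blogpost_id"]);
$content = sanitize_input($_POST["content"]);
$parent_id = isset($_POST["parent_id"]) ? sanitize_input($_POST["parent_id"]) : "NULL";
// NOTE(review): relies on the session having been started by an include —
// confirm, otherwise $_SESSION is never populated here.
$poster_id = isset($_SESSION["current_user"])
    ? sanitize_input($_SESSION["current_user"]->user_id)
    : "NULL";

// The referer is client-controlled and becomes the Location header below, so an
// off-site value is rejected before anything is written to the database.
if (!is_local_redirect_target($referer)) {
    header($_SERVER["SERVER_PROTOCOL"] . " 400 Bad Request", true, 400);
    include_once($_SERVER["DOCUMENT_ROOT"] . "/errors/400.php");
    die();
}

// Send the comment to the database; "" means the body was empty and nothing
// was stored.
$commentId = send_comment($conn, $blogpost_id, $poster_id, $content, $parent_id);

// Re-render the static article page so the new comment shows up. Opening with
// 'w' truncates the file before generate_article() refills it.
$blogAddress = get_blogpost_address($conn, $blogpost_id);
$fp = fopen("article/" . $blogAddress . ".php", 'w');
if ($fp === false) {
    // The numeric code must match the status line; previously 505 was sent.
    header($_SERVER["SERVER_PROTOCOL"] . " 500 Could not open file for writing", true, 500);
    include_once($_SERVER["DOCUMENT_ROOT"] . "/errors/500.php");
    die();
}
// The return value of generate_article() is not used; whether it reports
// success is not visible from this file.
generate_article($conn, $fp, $blogpost_id);
// generate_article() may or may not close the handle itself; is_resource() is
// false for an already-closed stream, so this never double-closes.
if (is_resource($fp)) {
    fclose($fp);
}

// Redirect back to the (validated) referrer, landing on the new comment.
header("Location: " . $referer . "#comment-" . $commentId);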