Ok, this can be apparent nevertheless its not clicking quite yet. I'm developing a forum/blog esque application.

I grab the posts in the database rather safely but leaving comments is starting to be more difficult. (I might just be paranoid, right?).

How do you give a comment without subjecting the id from the parent message? (as with a concealed form area or query string, or something like that).

I suppose I'm a little paranoid that somebody might enter in the code with firebug or something like that and alter the hidden form area value to another thing before posting. I suppose I would need to make certain the consumer has permission to comment compared to that publish/category?

Items to note : The consumer has already been drenched in. It is not a public publish

I would suggest that you simply setup your database like so:

Comments
---------
id
encodedID
authorID
parentID
message

Then, for that form area have two hidden values, one would be the encodedID, and also the second is a hash that you simply make. I would suggest the hash to become:

<?php

$hash = sha1(md5($encodedID . $userID . $_SERVER['REMOTE_ADDR'] . "abc1234"));

?>

Then, once the user submits the shape, validate the hash applies for that specific encodedID and user. This is a brief code write down:

<?php

if(isset($_POST['submit']))
{
    //Get the variables and all and sanitize the input of 'message'
    if(sha1(md5($_POST['value1']. $userID . $_SERVER['REMOTE_ADDR'] . "abc1234")) == $_POST['value2'])
    {
        //User is valid.
    }
    else
    {
        //Invalid user.
        //Document this.
    }
}

$value1 = $encodedID; //Grab this from your database
$value2 = sha1(md5($value1 . $userID . $_SERVER['REMOTE_ADDR'] . "abc1234"));
?>

<form method="post" action="comment.php">
<input type="text" name="message" />
<input type="hidden" name="value1" value="<?php echo $value1; ?>" />
<input type="hidden" name="value2" value="<?php echo $value2; ?>" />
<input type="submit" name="submit" value="Comment" />
</form>

Edit: Only a small tip, but I would suggest that you simply change value1 and value2 to something abstract, don't refer to it as encodedID or anything like this, so it atmosphere any customers which will attempt to break it.

Company md5 and sha1 aren't completely secure, however for this situation it'll work since you need to have the ability to process your comments ought to fast and effectively.

That could be an overkill but when you want to cover the publish_id from the current message then you should look at using session. So rather than using something similar to this in your form:

<form action="/postcomment.php" method="post" >
   <input name="post_id" type="hidden" value="123" />
   <textarea name="message"></textarea>
</form>

Reduce it to something similar to this:

<?php $_SESSION['post_id'] = '123'; ?>

<form action="/postcomment.php" method="post" >
   <textarea name="message"></textarea>
</form>

Obviously this really is "yucky" coding but a minimum of you get the drift.

Oh, be sure to validate EVERYTHING on postcomment.php. Also escape ALL string input values and make certain all number inouts are amounts indeed (multiply them by one?).

[EDIT: Because of insistent public demand, may I, should you please, amend these:]

Rather than:

<?php $_SESSION['post_id'] = '123'; ?>

Produce a form id:

<?php $_SESSION['form_id'] = $_SESSION['user_id'].'_'.md5(time()); ?>

Then create the unique publish_id:

<?php $_SESSION[$_SESSION['form_id'].'_post_id'] = '123'; ?>

After posting obtain the publish_id:

<?php $post_id = $_SESSION[$_SESSION['form_id'].'_post_id']; ?>

you can assign the shape an "id" like a hidden area and make up a database table to trace form ids as well as their connected publish ids, this way once the form will get posted you can look into the publish id within the db without ever delivering it towards the client in line with the form id that's came back using the publish