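<?php
/**
 * Stores a user-submitted review for a triclub as an unvalidated comment
 * (comment_valid = 0) and redirects back to the club's page.
 *
 * Expects a POST carrying Review_Subject, Review_Contents, triclub_id and
 * editor_id. Relies on config.php for $site_url, $prefix and an already
 * open mysql_* connection.
 *
 * Answering the original author's question ("do I need additional security
 * checks?"): yes. This script has no authentication and no CSRF token check,
 * and editor_id is taken straight from the request, so any client can post a
 * comment attributed to any user id. Both should come from the server-side
 * session rather than from $_POST -- TODO(review): wire that in once the
 * session scheme used by the rest of the site is known. The mysql_* extension
 * is removed in PHP 7; migrate this to PDO/mysqli prepared statements when
 * the connection in config.php is updated.
 *
 * Fixes relative to the original: the GET redirect now exits instead of
 * falling through into the insert; triclub_id / editor_id / the client IP
 * are no longer interpolated into SQL unescaped; array keys are quoted; the
 * misspelled HTTP_X_FORWARD_FOR header is read as HTTP_X_FORWARDED_FOR and
 * validated; the redirect parameter is URL-encoded.
 */
include("config.php");

// Only accept POST submissions; exit after the redirect so the insert below
// cannot run on a GET (the original sent the header and kept executing).
if (!$_POST) {
    header('Location: ' . $site_url);
    exit();
}

// Coerce the ids to integers before they go anywhere near SQL or a header.
// Defined outside the branch so the final redirect never sees an unset id.
$triclub_id = isset($_POST['triclub_id']) ? (int) $_POST['triclub_id'] : 0;
$editor_id  = isset($_POST['editor_id'])  ? (int) $_POST['editor_id']  : 0;

if (isset($_POST['Review_Subject']) && isset($_POST['Review_Contents'])) {
    // Client IP for the comment_ip column. X-Forwarded-For is client-supplied
    // text, so only accept its first entry when it parses as an IP address;
    // it is still spoofable unless a trusted reverse proxy overwrites it --
    // TODO(review): confirm the deployment, otherwise use REMOTE_ADDR only.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($forwarded[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            $ip = $candidate;
        }
    }

    $tsNow = time();

    // Escape the free-text fields with the connection-aware escaper
    // (mysql_escape_string ignores the connection charset). The message is
    // HTML-escaped (ENT_QUOTES so it is also safe inside attributes later)
    // and nl2br'd at storage time, then capped at 4096 bytes -- substr is
    // byte-wise and may split a multibyte character at the boundary.
    $subject = mysql_real_escape_string(trim($_POST['Review_Subject']));
    $message = mysql_real_escape_string(
        nl2br(htmlspecialchars(substr(trim($_POST['Review_Contents']), 0, 4096), ENT_QUOTES))
    );
    $ip = mysql_real_escape_string($ip);

    // Every interpolated value is now either an int or escaped; the original
    // inserted triclub_id, editor_id and the IP straight from the request.
    $sql = "INSERT INTO " . $prefix . "TriclubsComment "
         . "(triclub_id_fk, comment_time, user_id_fk, comment_subject, comment_message, comment_ip, comment_valid) "
         . "VALUES ($triclub_id, '$tsNow', '$editor_id', '$subject', '$message', '$ip', 0)";

    // die(mysql_error()) echoes driver/schema details to the client; kept as
    // in the original -- TODO(review): log server-side and show a generic error.
    mysql_query($sql) or die(mysql_error());
}

// The id is already an int; urlencode keeps the redirect target free of any
// injected characters regardless. Note: this still reports review_add=ok when
// the required fields were missing (unchanged from the original).
header('Location: ' . $site_url . '/individual.php?triclub_id=' . urlencode((string) $triclub_id) . '&review_add=ok');
exit();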