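commentValid()) {
            header('Location: /post/' . $_POST['post_id']);
            return false;
        }
        $sql = 'INSERT INTO comments VALUES (NULL, ?, ?, DEFAULT, DEFAULT, ?)';
        $query = db()->prepare($sql);
        $query->execute([trim($_POST['content']), $_SESSION['username'], $_POST['post_id']]);
        header("Location: /post/{$_POST['post_id']}");
        return false;
    }

    /**
     * Replace the text of comment $id.
     *
     * Only the comment's own author (see isCommentAuthor) may edit it; any
     * other caller gets a bare 403 and the script terminates. Invalid content
     * redirects back to the post without touching the database.
     *
     * NOTE(review): no CSRF token is checked in this action or its siblings;
     * confirm that the surrounding framework enforces one on POST routes.
     *
     * @param int|string $id comment primary key taken from the route
     * @return false always (the response is emitted via header())
     */
    public function update($id)
    {
        if (! $this->isCommentAuthor($id)) {
            header('HTTP/1.0 403 Forbidden');
            die(); // nothing after this is reachable
        }

        $postId = $this->requestedPostId();
        if (! $this->commentValid()) {
            header('Location: /post/' . $postId);
            return false;
        }

        $query = db()->prepare('UPDATE comments SET content=? WHERE id=?');
        $query->execute([$this->requestedContent(), $id]);

        header('Location: /post/' . $postId);
        return false;
    }

    /**
     * Remove comment $id.
     *
     * Authorisation is by the author of the *post* the comment belongs to
     * (see isAuthor), not by the comment's writer — so a commenter cannot
     * delete their own comment through this action. Presumably intended as
     * a moderation feature; confirm with the route owner.
     *
     * @param int|string $id comment primary key taken from the route
     * @return false always (the response is emitted via header())
     */
    public function delete($id)
    {
        if (! $this->isAuthor($id)) {
            header('HTTP/1.0 403 Forbidden');
            die(); // nothing after this is reachable
        }

        $query = db()->prepare('DELETE FROM comments WHERE id=?');
        $query->execute([$id]);

        header('Location: /post/' . $this->requestedPostId());
        return false;
    }

    /**
     * True when the logged-in user wrote comment $id.
     *
     * A non-existent comment yields false, so a caller that then 403s
     * does not leak whether the id exists.
     *
     * @param int|string $id comment primary key
     * @return bool
     */
    private function isCommentAuthor($id)
    {
        $query = db()->prepare('SELECT author FROM comments WHERE id=?');
        $query->execute([$id]);
        $rows = $query->fetchAll(\PDO::FETCH_CLASS, 'Core\\Record');

        return count($rows) !== 0 && $this->isCurrentUser($rows[0]->author);
    }

    /**
     * True when the logged-in user wrote the post that comment $id is attached to.
     *
     * @param int|string $id comment primary key
     * @return bool
     */
    private function isAuthor($id)
    {
        $sql = 'SELECT author FROM posts WHERE id IN ( '
             . 'SELECT comment_to FROM comments WHERE id=? )';
        $query = db()->prepare($sql);
        $query->execute([$id]);
        $rows = $query->fetchAll(\PDO::FETCH_CLASS, 'Core\\Record');

        return count($rows) !== 0 && $this->isCurrentUser($rows[0]->author);
    }

    /**
     * Strict ownership check shared by the two authorisation helpers.
     *
     * An anonymous session (no username) never matches. The previous loose
     * `==` against an unset session value compared `null`, which PHP treats
     * as equal to an empty-string author, so a row with a blank/NULL author
     * could pass for a visitor who is not logged in.
     *
     * @param mixed $author author column of the row being checked
     * @return bool
     */
    private function isCurrentUser($author)
    {
        if (! isset($_SESSION['username'])) {
            return false;
        }

        return (string) $author === (string) $_SESSION['username'];
    }

    /**
     * Validate the submitted comment body, recording an error in the session
     * when it is blank.
     *
     * @return bool true when the comment may be stored
     */
    private function commentValid()
    {
        // Compare against '' rather than using empty(): empty('0') is true,
        // which wrongly rejected a comment consisting of the single character 0.
        if ($this->requestedContent() === '') {
            $_SESSION['comment_errors'] = ['Comment cannot be empty.'];
            return false;
        }

        return true;
    }

    /**
     * Trimmed comment text from the request; '' when absent or not a string
     * (a missing key used to raise an undefined-index notice, and an array
     * would have been passed to trim()).
     *
     * @return string
     */
    private function requestedContent()
    {
        if (! isset($_POST['content']) || ! is_string($_POST['content'])) {
            return '';
        }

        return trim($_POST['content']);
    }

    /**
     * Post id from the request, used only to build the redirect path.
     * Absent/non-scalar input yields '' so the redirect degrades to /post/
     * instead of emitting a notice. The value is never used in SQL here.
     *
     * @return string
     */
    private function requestedPostId()
    {
        if (! isset($_POST['post_id']) || ! is_scalar($_POST['post_id'])) {
            return '';
        }

        return (string) $_POST['post_id'];
    }
}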