
About JavaScript and security


We are working on the development of a very simple comment system. We have built the system using PHP and MySQL without any problem.

Now, the thing is that we need to serve these forms on many different sites, and even in different locations on the same sites.

At this moment we have the following files:

  • deliver_comm.php: selects all the previous comments that match the domain_id

  • ui/deliver_comm.php: the HTML for the previous file, which shows the previous comments and the form itself to send a new one.

That said, what we have in mind is to generate the divs and forms using JavaScript and document.write; the forms would then send the information back to our servers, where it should be processed by the PHP scripts and stored in the databases.

Now, our major concern is: how can we validate that the comments are truly coming from the site where the script is being included?

I understand that something like an XSRF token should be created to solve this, but I have to admit that some help with the logic would be really appreciated.

I should also mention that the forms have, at this moment, 2 hidden inputs: one to identify the website (as domain_id) and another to identify the specific section of that website (as file_id).

Some ideas:

At this moment I realized that, since we're using PHP variables inside the HTML, it would be convenient to use JavaScript only to generate an iframe, where the information shall be placed.

Also, this modification would be necessary to include the XSRF prevention token. And by doing this, would we avoid comments coming from other sites? Am I losing something?


Solution

  • You should give every comment "section" an id. Let's call it "comment_post_id" (as WordPress does). So for each comment form, you should have a hidden input giving the id over when committing the comment. As you certainly want to show the recent comments below, you should check for matching comment_post_ids in your database using PHP or MySQL.

    If you want to avoid exploiting your comment function, you should use captchas as they are the only secure method. Of course you could check the referer ($_SERVER['HTTP_REFERER']) but this won't bring you practical advantage, since people who try to exploit your comment system will just overgive a valid referer.
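One way to tie each embedded form to the domain_id/file_id it was rendered for, and to check the browser-supplied Origin instead of the forgeable Referer the answer mentions, as an added PHP example that is not code from the question or the answer; the secret, the ALLOWED_ORIGINS registry, the token format and the function names are all assumptions:

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a rendered form stays submittable (assumed)

// Hypothetical registry: domain_id => the one origin allowed to embed that form.
// In a real deployment this comes from the same table that defines domain_id.
const ALLOWED_ORIGINS = [
    '12' => 'https://site-a.example',
    '34' => 'https://site-b.example',
];

// Called by ui/deliver_comm.php when it renders the form or the iframe.
// Ids are assumed numeric so the '|' separator cannot appear inside them.
function issue_token(string $secret, string $domainId, string $fileId, int $now): string
{
    if (!ctype_digit($domainId) || !ctype_digit($fileId)) {
        throw new InvalidArgumentException('ids must be numeric');
    }
    $payload = $domainId . '|' . $fileId . '|' . ($now + TOKEN_TTL);
    $mac = hash_hmac('sha256', $payload, $secret);          // hex, no '|' inside
    return base64_encode($payload . '|' . $mac);
}

// Called by the script that receives the POST. Returns null when the post is
// acceptable, otherwise a reason for the server log (do not echo it to the client).
function verify_submission(string $secret, array $post, ?string $origin, int $now): ?string
{
    foreach (['domain_id', 'file_id', 'token'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) return "missing $k";
    }
    $raw = base64_decode($post['token'], true);             // strict: false on junk
    $parts = $raw === false ? [] : explode('|', $raw, 4);
    if (count($parts) !== 4) return 'malformed token';
    [$domainId, $fileId, $exp, $mac] = $parts;
    $expected = hash_hmac('sha256', "$domainId|$fileId|$exp", $secret);
    if (!hash_equals($expected, $mac)) return 'bad signature';   // constant-time compare
    if (!ctype_digit($exp) || (int) $exp < $now) return 'token expired';
    // The hidden inputs must match the token, so a token minted for one
    // section cannot be replayed against another domain_id/file_id.
    if ($domainId !== $post['domain_id'] || $fileId !== $post['file_id']) {
        return 'token does not match hidden inputs';
    }
    // Browsers attach Origin to cross-site form POSTs and page scripts cannot
    // change it; a missing or foreign Origin means the form was not posted
    // from the page the domain_id was registered for.
    $allowed = ALLOWED_ORIGINS[$domainId] ?? null;
    if ($allowed === null || $origin !== $allowed) return 'origin not allowed for domain_id';
    return null;
}
```

This proves that the token was minted by your server for that section and that the browser reports the registered origin; it does not stop someone who can load the page from scripting submissions there, which is why the answer's captcha (or rate limiting) still matters.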