<?php require_once('/home/www.nrao.edu/etc/conn_cr.php'); ?>
<?php
  // Added by Pat Murphy: sanitization.  The bad guys know about this code, and they WILL 
  // use it to probe our database using the credentials in conn_cr.php.
$clean = array();
foreach ($_REQUEST as $key=>$value) {
  // must have SOME limit.  Bad guys love unlimited inputs for XSS, SQL Injection.
  $tempval = substr($value, 0, 512); 

  // Allow these characters.  Note the "^" after the square bracket;
  //  - that negates the pattern, so preg_replace zaps OTHER characters.
  $pattern = '/[^A-Za-z0-9\s\.\,\-\@\(\)\:\;\/\?\'\"\+\=\-\~]/';
  $tempval = preg_replace($pattern, '', $tempval);
  $clean[$key] = mysql_real_escape_string($tempval);
}

$query_rs_insertComment = "INSERT INTO tblComments (episode, author, email, commentary) VALUES ('" . 
  $clean['episode']    . "', '" . 
  $clean['author']     . "', '" .
  $clean['email']      . "', '" .
  $clean['commentary'] . "');";
$rs_insertComment = mysql_query($query_rs_insertComment);
header("Location: index.php");
?>