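<?php

declare(strict_types=1);

// Handles the "add review" form submission: validates the POSTed fields, stores
// the review through the PDO connection that config/db.php provides as $pdo,
// then redirects. Every outcome ends in a Location header followed by exit(),
// so nothing after a redirect can keep executing.
session_start();
require 'config/db.php';

// Only form submissions are accepted; opening the script directly goes home.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php');
    exit();
}

// NOTE(review): no CSRF token is verified here — the session is started but
// nothing in it is read. Confirm whether the form carries one.

// Read the raw fields with ?? so a missing key does not emit a warning, and
// accept only plain strings for the text fields (trim() throws on arrays).
$rawProductId = $_POST['product_id'] ?? null;
$rawRating = $_POST['rating'] ?? null;
$user_name = is_string($_POST['user_name'] ?? null) ? trim($_POST['user_name']) : '';
$comment = is_string($_POST['comment'] ?? null) ? trim($_POST['comment']) : '';

// product_id is interpolated into redirect URLs and used in the INSERT, so it
// must be a plain integer. FILTER_VALIDATE_INT yields false for null, arrays
// and anything that is not an integer string; non-positive ids are treated as
// missing as well.
$product_id = filter_var($rawProductId, FILTER_VALIDATE_INT);
$rating = filter_var($rawRating, FILTER_VALIDATE_INT);

if ($product_id === false || $product_id <= 0 || $user_name === '' || $comment === '') {
    // Missing or malformed fields. The raw id is URL-encoded so a crafted value
    // cannot append extra query parameters to the redirect target.
    $idForUrl = is_scalar($rawProductId) ? rawurlencode((string) $rawProductId) : '';
    header("Location: product.php?id={$idForUrl}&error=missing_fields");
    exit();
}

if ($rating === false) {
    // NOTE(review): only integer-ness is enforced; the permitted range is not
    // visible from this file — confirm against the reviews.rating column and
    // the form, and add a bounds check here.
    header("Location: product.php?id={$product_id}&error=missing_fields");
    exit();
}

// The text is HTML-escaped at write time, so the page that renders reviews is
// expected to echo the stored value as-is — confirm, otherwise it will be
// double-encoded. Explicit flags keep this independent of the PHP default.
$user_name = htmlspecialchars($user_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$comment = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

try {
    // Positional placeholders: the values never become part of the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO reviews (product_id, user_name, rating, comment) VALUES (?, ?, ?, ?)'
    );

    // prepare() returns false instead of throwing when PDO is not in exception
    // mode; calling execute() on false would raise an Error, not an Exception.
    if ($stmt !== false && $stmt->execute([$product_id, $user_name, $rating, $comment])) {
        header("Location: /product/{$product_id}");
    } else {
        header("Location: product.php?id={$product_id}&error=db_error");
    }
} catch (Exception $e) {
    // Record the failure server-side; only a generic error code goes back to
    // the client so driver details are never exposed.
    error_log('review insert failed: ' . $e->getMessage());
    header("Location: product.php?id={$product_id}&error=system_error");
}
exit();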