    #1
    Member

    [PHP] Guestbook

    I was a little bored so I coded a PHP guest book for my site. I felt like sharing it with KWWH as well!

    index.php
    Code: 
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Guest Book</title>
    </head>
    
    <body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF">
    
    
    Please leave your comments.
    
    <form action="../post.php" method="post">
    Name: <br />
    <input type="text" name="name" />
    <br />
    Email: <br />
     <input type="text" name="email" />
    <br />
    Comment: 
    <br />
     <textarea name="comment"></textarea>
    <br />
    <input type="submit" value="Submit Your Comment" />
    </form>
    
    <br />
    <br />
    Comments....
    <br />
    ......................................... 
    <br /><br />
    
    <?php
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());

    $result = mysql_query("SELECT * FROM guestbook");

    while($row = mysql_fetch_assoc($result)){
        echo 'Comment Date:       '. date('m-d-Y') ."<br/>";
        echo "Name: ".$row['name']."<br/> Email: ".$row['email']."<br/> Comment: ".$row['comment']."<br/>......................................... <br/>";
    }
    ?>
    
    </body>
    </html>
    post.php
    Code: 
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Posted</title>
    </head>
    
    <body>
    <?php
    $name = $_POST['name'];
    $email = $_POST['email'];
    $comment = $_POST['comment'];
    
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());
    
    $add = mysql_query("INSERT INTO guestbook (name, email, comment) VALUES ('$name','$email','$comment')");
    
    
    echo "Your name: $name.";
    echo "<br/>";
    echo "Your email: $email.";
    echo "<br/>";
    echo "Your Comment: $comment";
    
    ?>
    <br /><br />
    To view the guestbook click <a href="/index.php">here</a>
    </body>
    </html>
    The database needs a table called guestbook with 4 fields:
    id, name, email, comment.

    id int, auto_increment
    name varchar(40)
    email varchar(100)
    comment varchar(200)

    You should be all set and have a guestbook for your website.

    Let me know what you think, or add on to it!

    #2
    Respected Developer
    Website's:
    wrzc.org
    You're entering raw data directly into the database. That's very dangerous and the script is prone to attack. You want to do checks on the data before inserting it, like mysql_real_escape_string, so it will be like:
    PHP Code: 
    $name = mysql_real_escape_string($_POST['name']);
    $email = mysql_real_escape_string($_POST['email']);
    $comment = mysql_real_escape_string($_POST['comment']);
    The other problem is you don't really do checks to see if all the data was entered or entered correctly, e.g. if someone enters the name and email and then clicks submit before they enter the comment, it will still be entered into the database. You should try and add an error message saying please complete all fields.

    Otherwise nice job.

    EDIT: while I'm at it: if it's a fairly busy site then say 100 people enter comments (which is totally possible), then you'll have 100 comments one after another. This isn't great, as it's going to be a really long page and not very efficient on the server. Consider adding a LIMIT to the display and maybe add basic page navigation if it's needed. I'd also suggest using ORDER BY and displaying the comments in order of date, with say the most recent first. You don't want to be reading comments that are a few months old with a comment from yesterday a few pages back.

    If you need help with any of the above just ask.
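The three points in this reply (escape or parameterise the values, reject incomplete submissions, page the listing with ORDER BY and LIMIT) worked through as one added example. This is editor-supplied code, not the thread's guestbook or the snippet above: it uses PDO prepared statements instead of mysql_real_escape_string, because the mysql_* extension was removed in PHP 7 and bound parameters never depend on a connection-specific escaping routine. The in-memory SQLite database, the posted_at column, the function names and the sample submissions are all assumptions so that the script runs without a server; for the thread's MySQL setup only the DSN and the two DDL lines noted in comments change. The email column is stored but never selected for display, and every value is passed through htmlspecialchars() when echoed, since each comment is sent back to every later visitor.

```php
<?php
// Added example (editor's code, not the thread's guestbook): post.php's
// insert and index.php's listing rewritten with prepared statements,
// required-field checks, and newest-first paging. PDO + in-memory SQLite
// is an assumption so it runs without a server; for MySQL change the DSN
// and the DDL noted below.
declare(strict_types=1);

const PER_PAGE = 10;

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');   // assumed demo DB; e.g. 'mysql:host=localhost;dbname=database' in production
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // let the server bind the parameters itself
    // SQLite DDL; on MySQL use id INT AUTO_INCREMENT PRIMARY KEY and posted_at TIMESTAMP
    $db->exec('CREATE TABLE guestbook (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name VARCHAR(40) NOT NULL,
        email VARCHAR(100) NOT NULL,
        comment VARCHAR(200) NOT NULL,
        posted_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
    return $db;
}

// "Please complete all fields", plus the lengths the schema allows, so
// nothing is silently truncated on the way in.
function validate(array $post): array
{
    $errors = [];
    foreach (['name' => 40, 'email' => 100, 'comment' => 200] as $field => $max) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "Please complete the $field field.";
        } elseif (strlen($value) > $max) {
            $errors[] = "The $field field may not exceed $max characters.";
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    return $errors;
}

// The values travel separately from the SQL text, so a quote in the input
// can never terminate the string literal. mysql_real_escape_string() (the
// suggestion above) does the same job for the old mysql_* extension, but
// only once a connection is open and only if every value goes through it.
function insert_comment(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, comment) VALUES (:name, :email, :comment)'
    );
    $stmt->execute([
        ':name'    => trim($post['name']),
        ':email'   => trim($post['email']),
        ':comment' => trim($post['comment']),
    ]);
    return (int) $db->lastInsertId();
}

// One page, newest first. The email column is deliberately not selected.
function fetch_page(PDO $db, int $page): array
{
    $stmt = $db->prepare(
        'SELECT id, name, comment, posted_at FROM guestbook
         ORDER BY posted_at DESC, id DESC LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':limit', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', (max(1, $page) - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for the HTML context on the way out: the comment is shown to
// every later visitor, so the database is not the only place it lands.
function render(array $rows): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = '';
    foreach ($rows as $row) {
        $out .= 'Comment Date: ' . $h($row['posted_at']) . '<br/>'
              . 'Name: ' . $h($row['name']) . '<br/>'
              . 'Comment: ' . $h($row['comment']) . '<br/>'
              . '......................................... <br/>';
    }
    return $out;
}

// Constructed submissions: a normal one, one whose name would have closed
// the quoted literal in the original concatenated INSERT, and one with the
// comment left empty, which validate() rejects.
$submissions = [
    ['name' => 'Alice', 'email' => 'alice@example.com', 'comment' => 'Nice site!'],
    ['name' => "O'Brien', 'x@x.x', 'injected') -- ", 'email' => 'bob@example.com',
     'comment' => '<script>alert(1)</script>'],
    ['name' => 'Carol', 'email' => 'carol@example.com', 'comment' => ''],
];

$db = connect();
foreach ($submissions as $post) {
    $errors = validate($post);
    if ($errors !== []) {
        echo implode("\n", $errors), "\n";   // what post.php should show instead of inserting
        continue;
    }
    insert_comment($db, $post);
}
echo render(fetch_page($db, 1));
```

Run it with `php guestbook.php`: the injected name is stored as the literal text it is, the empty comment produces the "please complete" message instead of a row, and the listing comes back newest first one page at a time. If you keep the mysql_* version from this thread instead, the same rules apply: open the connection before calling mysql_real_escape_string(), run every value through it, and still escape for HTML when you print.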

    #3
    Member
    Looks like it will show today's date for every comment; you should add a column for a date stamp. And you're displaying the email address of people that have commented; you should remove it or use a function to display the email address as an image.

    And of course escape the strings before they're inserted.

    #4
    Member
    Quote Originally Posted by Mr Happy
    You're entering raw data directly into the database. That's very dangerous and the script is prone to attack. You want to do checks on the data before inserting it, like mysql_real_escape_string, so it will be like:
    PHP Code: 
    $name = mysql_real_escape_string($_POST['name']);
    $email = mysql_real_escape_string($_POST['email']);
    $comment = mysql_real_escape_string($_POST['comment']);
    The other problem is you don't really do checks to see if all the data was entered or entered correctly, e.g. if someone enters the name and email and then clicks submit before they enter the comment, it will still be entered into the database. You should try and add an error message saying please complete all fields.

    Otherwise nice job.
    Quote Originally Posted by Gav0
    Looks like it will show today's date for every comment; you should add a column for a date stamp. And you're displaying the email address of people that have commented; you should remove it or use a function to display the email address as an image.

    And of course escape the strings before they're inserted.
    Thanks for the advice from both of you. I am just learning how to code, so patching/writing secure code is probably going to be difficult at the moment. I wrote a login script that had about 10 vulns, someone told me. So I'm learning and will take what you guys said into consideration. I'm a little confused as to what you mean by column, since it displays the date, then name, email, comment.

    #5
    Respected Developer
    Website's:
    wrzc.org
    Well spotted Gav0. Didn't notice that.

    What Gav0 means about the date is you should add it here.
    Replace:
    PHP Code: 
    $add = mysql_query("INSERT INTO guestbook (name, email, comment) VALUES ('$name','$email','$comment')");
    with
    PHP Code: 
    $time = now();
    $add = mysql_query("INSERT INTO guestbook (name, email, comment, date) VALUES ('$name','$email','$comment', '$time')");
    You'll then also have to select the data from the database when displaying the post. The way you have it done, you're just always showing today's date and not the date when the topic was made.

    You'll also have to have a field in the database to hold the date. Something like:
    date int(10)

    #6
    Member
    Add a column to the database so each comment has a timestamp.
    Code: 
    -- the column needs a type; TIMESTAMP lets MySQL fill it in on INSERT
    ALTER TABLE guestbook ADD timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP

    Then to display the comment date
    PHP Code: 
    // the column comes back as a string like '2014-03-03 15:12:00', and date() needs a Unix timestamp
    date("d/m/y", strtotime($row['timestamp']))

    Mr Happy got there first; two different methods.

    #7
    Member
    When I did mysql_real_escape_string it gave me errors.

    #8
    Member
    I think you need the database connection first.

    #9
    Respected Developer
    Website's:
    wrzc.org
    Quote Originally Posted by Speakup
    When I did mysql_real_escape_string it gave me errors.
    Put this above the part I edited earlier. You have to be connected to the database for it to check the inputs to make sure they're clean.
    PHP Code: 
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());
    So it will be like this:
    PHP Code: 
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());

    $name = mysql_real_escape_string($_POST['name']);
    $email = mysql_real_escape_string($_POST['email']);
    $comment = mysql_real_escape_string($_POST['comment']);
    $time = now();
    $add = mysql_query("INSERT INTO guestbook (name, email, comment, date) VALUES ('$name','$email','$comment', '$time')");
    Edit: Gav0 beat me this time

    #10
    Member
    Quote Originally Posted by Mr Happy
    Put this above the part I edited earlier. You have to be connected to the database for it to check the inputs to make sure they're clean.
    PHP Code: 
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());
    So it will be like this:
    PHP Code: 
    mysql_connect("localhost","username","password") or die(mysql_error());
    mysql_select_db("database") or die(mysql_error());

    $name = mysql_real_escape_string($_POST['name']);
    $email = mysql_real_escape_string($_POST['email']);
    $comment = mysql_real_escape_string($_POST['comment']);
    $time = now();
    $add = mysql_query("INSERT INTO guestbook (name, email, comment, date) VALUES ('$name','$email','$comment', '$time')");
    Edit: Gav0 beat me this time
    Call to undefined function now()
    That is for the line

    $time = now();
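The two timestamp methods discussed in posts #5 and #6, and the now() error reported just above, written out so they actually run; this is editor-supplied code, not anything posted in the thread. It assumes the column is either the int(10) epoch column from post #5 or the TIMESTAMP column from post #6 (called posted_at here rather than date or timestamp, both of which are SQL keywords), and the two stored values it formats are constructed. It needs only plain PHP, no database.

```php
<?php
// Added example (editor's code, not from the thread). PHP has no now()
// function, which is the "Call to undefined function now()" above;
// time() returns the current Unix epoch and is what that line wanted.
declare(strict_types=1);

// Format in one known timezone: date() and strtotime() both use the
// default zone, and MySQL's CURRENT_TIMESTAMP follows the server's.
date_default_timezone_set('UTC');

// Method 1 (post #5): an int(10) column that PHP fills at insert time.
//   INSERT INTO guestbook (name, email, comment, posted_at)
//   VALUES ('...', '...', '...', 1393859520)
function epoch_for_insert(): int
{
    return time();   // not now()
}

// Method 2 (post #6): let the database fill the column.
//   ALTER TABLE guestbook ADD posted_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP;
// The INSERT then leaves posted_at out, and SELECT returns a string such
// as '2014-03-03 15:12:00', not a number.

// date() takes an integer epoch. Handing it the TIMESTAMP column's string
// gives a warning and a wrong date, so convert with strtotime() first.
// Untyped on purpose: mysql_fetch_assoc() hands back even the int(10)
// column as the string "1393859520".
function format_comment_date($stored, string $format = 'd/m/y'): string
{
    if (is_int($stored) || preg_match('/^\d+$/', (string) $stored) === 1) {
        $epoch = (int) $stored;                  // method 1: already an epoch
    } else {
        $epoch = strtotime((string) $stored);    // method 2: parse the DATETIME string
        if ($epoch === false) {
            throw new InvalidArgumentException("Unparseable date: $stored");
        }
    }
    return date($format, $epoch);
}

// Constructed stored values, one per method, describing the same instant.
echo format_comment_date(1393859520), "\n";
echo format_comment_date('2014-03-03 15:12:00'), "\n";
echo format_comment_date(epoch_for_insert(), 'Y-m-d H:i:s'), "\n";   // what method 1 would store right now
```

With method 2 the application never touches the timestamp on the way in, so it cannot be forged by the client or mangled by a typo such as now(); with method 1 the value is whatever PHP computes, so keep the web server and the database on the same timezone or you will see comments dated in the future.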
