[PHP] Guestbook

Status
Not open for further replies.

Speakup

I was a little bored so I coded a PHP guest book for my site. I felt like sharing it with WJ as well!

index.php
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Guest Book</title>
</head>

<body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF">


Please leave your comments.

<form action="../post.php" method="post">
Name: <br />
<input type="text" name="name" />
<br />
Email: <br />
 <input type="text" name="email" />
<br />
Comment: 
<br />
 <textarea name="comment"></textarea>
<br />
<input type="submit" value="Submit Your Comment" />
</form>

<br />
<br />
Comments....
<br />
......................................... 
<br /><br />

<?php
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$result = mysql_query("SELECT * FROM guestbook");


while ($row = mysql_fetch_assoc($result)) {
    echo 'Comment Date:       ' . date('m-d-Y') . "<br/>";
    echo "Name: " . $row['name'] . "<br/> Email: " . $row['email'] . "<br/> Comment: " . $row['comment'] . "<br/>......................................... <br/>";
}
?>

</body>
</html>

post.php
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Posted</title>
</head>

<body>
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$comment = $_POST['comment'];

mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$add = mysql_query("INSERT INTO guestbook (name, email, comment) VALUES ('$name','$email','$comment')");


echo "Your name: $name.";
echo "<br/>";
echo "Your email: $email.";
echo "<br/>";
echo "Your Comment: $comment";

?>
<br /><br />
To view the guestbook click <a href="/index.php">here</a>
</body>
</html>

The database needs a table called guestbook with 4 fields: id, name, email, comment.

id, int, auto_increment
name varchar(40)
email varchar(100)
comment varchar(200)

You should be all set and have a guestbook for your website.

Let me know what you think, or add on to it!
 
13 comments
You're entering raw data directly into the database. That's very dangerous and the script is prone to attack. You want to do checks on the data before inserting it, like mysql_real_escape_string, so it will be like:
PHP:
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$comment = mysql_real_escape_string($_POST['comment']);

The other problem is you don't really do checks to see if all the data was entered or entered correctly. E.g. if someone enters the name and email and then clicks submit before they enter the comment, it will still be entered into the database. You should try and add an error message saying please complete all fields.

Otherwise nice job.

EDIT: while I'm at it. If it's a fairly busy site then say 100 people enter comments (which is totally possible), then you'll have 100 comments one after another. This isn't great as it's going to be a really long page and not very efficient on the server. Consider adding a LIMIT to the display and maybe add basic page navigation if it's needed. I'd also suggest using ORDER BY and displaying the comments in order of date with, say, the most recent first. You don't want to be reading comments that are a few months old and a comment from yesterday a few pages back.

If you need help with any of the above just ask.
 
Looks like it will show today's date for every comment; you should add a column for a date stamp. And you're displaying the email address of people that have commented; you should remove it or use a function to display the email address as an image.

And of course escape the strings before they're inserted.
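The display side rewritten along the lines of the two replies above: newest first, a LIMIT with a page parameter, no email addresses shown, and the date read from a per-row column instead of calling date() at render time. This is an added example, not code from the thread or from the original poster; it assumes the `guestbook` table has a `created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP` column, uses PDO with prepared statements in place of the mysql_* extension (removed in PHP 7), and the helper name `h()`, the constant `PER_PAGE` and the `csrf_token` session key are choices made here. Every value from the database goes through htmlspecialchars() before it reaches the page, so a stored comment cannot inject markup, and the form carries a session token that the matching post.php is expected to verify with hash_equals().

```php
<?php
// index.php: hardened guestbook listing (added example, not the thread's code).
// Assumes table guestbook(id, name, email, comment, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP).
declare(strict_types=1);
session_start();

const PER_PAGE = 10;   // comments per page; the cap is a choice made for this example

$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,  // throw instead of silently failing
    PDO::ATTR_EMULATE_PREPARES => false,                   // real server-side prepared statements
]);

// One escaping helper used for every value that is printed into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Page number from the query string; anything that is not a positive integer becomes page 1.
$page   = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) ?: 1;
$offset = ($page - 1) * PER_PAGE;

// CSRF token for the form below; post.php compares it with hash_equals() before inserting.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Newest first, one page at a time. LIMIT/OFFSET are bound as integers, never interpolated.
$stmt = $pdo->prepare(
    'SELECT name, comment, created_at FROM guestbook ORDER BY created_at DESC, id DESC LIMIT :lim OFFSET :off'
);
$stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
$stmt->bindValue(':off', $offset, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

$total    = (int) $pdo->query('SELECT COUNT(*) FROM guestbook')->fetchColumn();
$lastPage = max(1, (int) ceil($total / PER_PAGE));
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Guest Book</title></head>
<body>
<p>Please leave your comments.</p>
<form action="post.php" method="post">
  <input type="hidden" name="csrf_token" value="<?= h($_SESSION['csrf_token']) ?>">
  <!-- maxlength is only a hint to the browser; post.php enforces the real limits -->
  Name:<br><input type="text" name="name" maxlength="40"><br>
  Email:<br><input type="text" name="email" maxlength="100"><br>
  Comment:<br><textarea name="comment" maxlength="200"></textarea><br>
  <input type="submit" value="Submit Your Comment">
</form>

<h2>Comments</h2>
<?php foreach ($rows as $row): ?>
  <p>
    <?php // the TIMESTAMP column arrives as 'YYYY-MM-DD HH:MM:SS', so convert before date() ?>
    Comment Date: <?= h(date('d/m/Y', strtotime($row['created_at']))) ?><br>
    Name: <?= h($row['name']) ?><br>
    <?php // email address is stored but deliberately never rendered ?>
    Comment: <?= nl2br(h($row['comment'])) ?>
  </p>
<?php endforeach; ?>

<p>
<?php if ($page > 1): ?><a href="?page=<?= $page - 1 ?>">Newer</a><?php endif; ?>
Page <?= $page ?> of <?= $lastPage ?>
<?php if ($page < $lastPage): ?><a href="?page=<?= $page + 1 ?>">Older</a><?php endif; ?>
</p>
</body></html>
```

Turning emulated prepares off matters for the LIMIT clause: with emulation on, PDO would quote the bound page size as a string and MySQL would reject the query, whereas a native prepared statement accepts integer placeholders there.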
 

Thanks for the advice from both of you. I am just learning how to code, so patching/writing secure code probably is going to be difficult at the moment. I wrote a login script that had about 10 vulns, someone told me. So I'm learning and will take what you guys said into consideration. I'm a little confused as to what you mean by column, since it displays the date, then name, email, comment.
 
Well spotted Gav0. Didn't notice that.

What Gav0 means about the date is you should add it here
Replace:
PHP:
$add = mysql_query("INSERT INTO guestbook (name, email, comment) VALUES ('$name','$email','$comment')");

with
PHP:
$time = now();
$add = mysql_query("INSERT INTO guestbook (name, email, comment, date) VALUES ('$name','$email','$comment', '$time')");

You'll then also have to select the data from the database when displaying the post. The way you have it done, you're just always showing today's date and not the date when the comment was made.

You'll also have to have a field in the database to hold the date. Something like:
date int(10)
 
Add a column to the database so each comment has a timestamp.
Code:
ALTER TABLE guestbook ADD timestamp TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP;


Then to display the comment date
PHP:
// the TIMESTAMP column comes back from MySQL as a 'YYYY-MM-DD HH:MM:SS' string, so convert it to a Unix time first
date("d/m/y", strtotime($row['timestamp']))


<< Mr Happy got there 1st :P 2 different methods
 
When I did mysql_real_escape_string it gave me errors.

Put this above the part I edited earlier. You have to be connected to the database for it to check the inputs to make sure they're clean.
PHP:
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

So it will be like this:
PHP:
mysql_connect("localhost","username","password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$comment = mysql_real_escape_string($_POST['comment']); 
$time = now();
$add = mysql_query("INSERT INTO guestbook (name, email, comment, date) VALUES ('$name','$email','$comment', '$time')");

Edit: Gav0 beat me this time
 

Call to undefined function now()
that is to the

$time = now();
 

Shit, sorry, it's late here and I'm not thinking straight. Use time() instead. You can also use date. Have a look at http://www.php.net/manual/en/function.date.php to see what type of date you want and how you want it displayed.

eg 1st July 2010, 1-7-2010, 7-1-10, etc etc.

I've moved this to the coding area as it's more of a coding topic than a Tutorial.
 
If you use what I posted you don't need to do that; when the data is inserted it automatically inserts a timestamp as well.

just echo date("d/m/y", strtotime($row['timestamp']))
 
This is still vulnerable to many attacks other than SQL injection (XSS, CSRF, ...).
User input should be validated correctly for any HTML/PHP tags; for that you can use strip_tags or htmlspecialchars.
And don't you ever trust the user. Always filter their input.
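The insert side rewritten to address the three threads of advice in this topic: the escaping and required-field checks from the first reply, the timestamp column from Gav0 and Mr Happy, and the XSS/CSRF point in the post above. This is an added example, not the thread's or the original poster's code. It assumes the `guestbook` table has a `created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP` column (so the database stamps the row itself, as Gav0's ALTER TABLE does), that index.php stored a token in `$_SESSION['csrf_token']` and put it in a hidden `csrf_token` form field, and that the mbstring extension is available for mb_strlen(). The helper names `h()`, `field()` and `validate()` are chosen here. PDO prepared statements replace mysql_real_escape_string(), so user data is never spliced into the SQL text at all, and everything echoed back is escaped.

```php
<?php
// post.php: hardened guestbook insert (added example, not the thread's code).
declare(strict_types=1);
session_start();

// Escape for HTML output; the only way values reach the page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Read one form field as a trimmed string; arrays (name[]=...) or missing fields become ''.
function field(array $in, string $key): string {
    $v = $in[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Validation: every field required, lengths capped to the column sizes, email must parse.
// Returns a list of error messages; an empty list means the input is acceptable.
function validate(string $name, string $email, string $comment): array {
    $errors = [];
    if ($name === '' || $email === '' || $comment === '') {
        $errors[] = 'Please complete all fields.';
    }
    if (mb_strlen($name) > 40)     { $errors[] = 'Name is limited to 40 characters.'; }      // varchar(40)
    if (mb_strlen($email) > 100)   { $errors[] = 'Email is limited to 100 characters.'; }    // varchar(100)
    if (mb_strlen($comment) > 200) { $errors[] = 'Comment is limited to 200 characters.'; }  // varchar(200)
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

// Only accept a real form submission.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form on index.php.');
}

// CSRF: the submitted token must equal the one this session issued (constant-time compare).
$sent = field($_POST, 'csrf_token');
if ($sent === '' || empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sent)) {
    http_response_code(403);
    exit('Invalid or missing form token.');
}

$name    = field($_POST, 'name');
$email   = field($_POST, 'email');
$comment = field($_POST, 'comment');

$errors = validate($name, $email, $comment);
if ($errors) {
    http_response_code(422);
    echo '<ul>';
    foreach ($errors as $e) { echo '<li>' . h($e) . '</li>'; }
    echo '</ul><a href="index.php">Back</a>';
    exit;
}

$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Prepared statement: values travel separately from the SQL, so quotes in a comment are data,
// not syntax. created_at is filled by the column default (CURRENT_TIMESTAMP), not by PHP.
$stmt = $pdo->prepare('INSERT INTO guestbook (name, email, comment) VALUES (:name, :email, :comment)');
$stmt->execute([':name' => $name, ':email' => $email, ':comment' => $comment]);

// One token per submission: drop it so a replayed form is rejected; index.php issues a fresh one.
unset($_SESSION['csrf_token']);

// Echoing the submission back was the reflected-XSS spot in the original; every value is escaped.
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Posted</title></head>
<body>
Your name: <?= h($name) ?>.<br>
Your email: <?= h($email) ?>.<br>
Your comment: <?= nl2br(h($comment)) ?><br><br>
To view the guestbook click <a href="index.php">here</a>
</body></html>
```

Note the order of the checks: the method and token are verified before any field is looked at, so a forged cross-site request is refused without touching the database, and validation runs before the connection is even opened.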
 