[PHP] [MySQL] Simple Guestbook Script

Joined
Oct 24, 2009
Messages
536
Reaction score
217
This is a simple guestbook script I made back then. It only took me 20 minutes, and I made it to be released, so I don't care what you do with it.

I cba uploading anything, so I will post the files here.

config.php
PHP:
<?php
/*Database info*/
$db[user] = 'user'; // the username attached to your database
$db[host] = 'localhost'; //usually 'localhost', if not - change it :-)
$db[name] = 'name'; //The name of your database
$db[pass] = 'pass'; //The password of your database

$db[connection] = mysql_connect($db[host], $db[user], $db[pass]);
if(!$db[connection]){
    die('Sorry. I could not connect to your Database!'); //Have you even created the database?
}

$db[select] = mysql_select_db($db[name]);
if(!$db[select]){
    die('Sorry. I could not open your Database!'); //The database has been created, but the user must be attached to the database in the $db[name] variable, either that or the password is wrong!
}
?>

index.php
PHP:
<?php
include "config.php";
//config
$title = 'Guestbook by markeriksson94';
$button = 'POST COMMENT';
$subtitle = 'Guestbook';
//config
?>
<html>
<head>
<title><?php echo $title; ?></title>
<link rel="stylesheet" type="text/css" href="css/css.css" />
</head>
<body>
<center><h1><?php echo $subtitle; ?></h1></center>
<div id="commentleft">
	<p id="review">Post a comment</p>
	<form method="post" action="post.php">
		<p>
			<label for="name">Your name</label><br>
			<input type="text" class="texts" name="name" id="name" size="40" maxlength="40">
		</p>
		<p>
			<label for="email">Your e-mail</label><br>
			<input type="text" class="texts" name="email" id="email" size="40" maxlength="150">
		</p>
		<p>
			<label for="comment">Comment</label><br>
			<textarea cols="50" class="texts" rows="10" name="comment" id="comment"></textarea>
		</p>
		<p>
			<input type="submit" class="sub_button" value="<?php echo $button; ?>" name="post">
		</p>
	</form>
</div>
<div id="commentright">
	<p id="review"><?php echo mysql_num_rows(mysql_query("SELECT * FROM gb")); ?> comment(s) to <?php echo $subtitle; ?></p>
	<?php
	$gb = mysql_query("SELECT * FROM gb ORDER BY `id` DESC");
	if(mysql_num_rows($gb) == 0){
		echo 'There are currently no guestbook reviews!';
	}else{
		echo '<ol class="commentlist">';
		while($row = mysql_fetch_array($gb)){
			$id = $row["id"];
			$name = $row["name"];
			$email = $row["email"];
			$comment = $row["comment"];
			$date = $row["date"];
			echo '<li id="guestbook-comment-'.$id.'">
				'.$name.' on '.$date.' 
				<div class="commentballoon"></div>
				<div class="commenttext">
					<p>'.$comment.'</p>
				</div>
			</li>';
		}
		echo '</ol>';
	}
	?>
</div>
<center>Guestbook script by markeriksson94/m0nsta./Monsta.<br>
© 2010.</center>
</body>
</html>

post.php
PHP:
<?php
include "config.php";

//vars
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$comment = strip_tags($_POST['comment']);
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("F jS, Y g:i a");
//vars

if(!$name || !$email || !$comment){
	echo 'All fields are required!<br><br>Click <a href="index.php">here</a> to try again.';
}else{
	if(strpos($email, "@") === false || strpos($email, ".") === false){
		echo 'You must enter a valid e-mail.<br><br>Click <a href="index.php">here</a> to try again.';
	}else{
		$comment = str_replace("\n", '<br>', $comment);
		$sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES ('$name', '$email', '$comment', '$ip', '$date');";
		if(mysql_query($sql)){
			header("Location: index.php?post_success=1");
		}else{
			echo '<strong>MySQL Error:</strong> '.mysql_error();
		}
	}
}
?>

Now follow these instructions:

  1. create a folder called 'css'
  2. copy and paste this code below and name it 'css.css'

css/css.css
Code:
body {
	font-family: verdana;
	font-size: 11px;
	background-color:black;
}
	
#commentleft {
     font:normal 10px verdana;
     color:#ffffff;
	padding: 0px;
	margin: 0px 40px 0px 0px;
	line-height:20px;
	float:left;
	width:450px;
}

h1{
	color: white;
}

#commentleft a{
     text-decoration:none;
     color:#FF0000;
}

#commentleft small{
     color:#777777;
     font:normal 10px verdana;
}

.texts{
     background-color:#333333;
     border:1px solid #444444;
     width:90%;
     padding:2px
     font:normal 12px verdana;
     color:#f5f5f5; 
}

#review{
     font:normal 12px verdana;
     color:#FF0000;
     padding:10px;
     border:1px solid #292929;
     background-color:#111111;
}

#commentright{
     font:normal 11px verdana;
     color:#aaaaaa;
     float:left;
     width:500px;
}

#commentright a{
     text-decoration:none;
     color:#FF0000;
}

.commentballoon {
	clear: both;
	margin: 3px 0px 0px 0px;
	padding: 0px;
	height:10px;
	background: url(../images/comment.png) no-repeat top left;
	
}

.commenttext {
	clear: both;
	margin: 0px 0px 10px 0px;
	padding: 10px 10px 5px 10px;
	width: 420px;
	background: #333333;
	line-height:18px;
	
}

.sub_button{
     background-color:#333333;
     border:1px solid #444444;
     padding:2px
     font:normal 12px verdana;
     color:#f5f5f5;    
}

And then follow these instructions:

  1. create a folder named 'images'
  2. save this image in the 'images' folder you have just created and name it 'comment.png'

images/comment.png
http://mark-eriksson.com/guestbook/images/comment.png

I have set up a demo on my personal site, click to try it out!

Enjoy,
- Mark.
 
Junior Spellweaver
Joined
Apr 12, 2006
Messages
121
Reaction score
26
Mind if I test it on your personal site for SQL injections?

Cause as I see it, it's not well protected.

And by the way, the use of $array[key] is deprecated, use $array['key'] instead.

Anyhow, thanks for releasing :)
 
Junior Spellweaver
Joined
Apr 12, 2006
Messages
121
Reaction score
26
I couldn't delete any messages as you can't run multi queries with mysql_query().

XSS injection was done after a few trials.
 
Junior Spellweaver
Joined
Apr 12, 2006
Messages
121
Reaction score
26
You can just use htmlentities().

And make sure to use htmlentities() or strip_tags() on the DISPLAY part, not the saving.
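The advice above is to store what the visitor typed and encode it when it is displayed. Here is an added example of a display-time renderer for the row shape index.php uses (id, name, email, date, comment); it is not code from the thread or from the original script. The `e()` helper, the assumption that rows hold raw text exactly as posted and that the page is served as UTF-8, and the sample row are all mine.

```php
<?php
// Added example (not from the thread): escape stored guestbook rows at display time.
// Assumes the row holds the raw text the visitor typed (nothing stripped or escaped
// on save) and that the page is served as UTF-8. Column names follow post.php.

function e(string $s): string {
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(array $row): string {
    // Escape first, then turn newlines into <br>. In the other order the <br> tags
    // would be encoded too and every comment would render on one line.
    $comment = nl2br(e($row['comment']), false);
    // id comes from the database, but it still ends up inside an attribute: keep it numeric.
    $id = (int) $row['id'];
    return '<li id="guestbook-comment-' . $id . '">'
         . e($row['name']) . ' on ' . e($row['date'])
         . '<div class="commentballoon"></div>'
         . '<div class="commenttext"><p>' . $comment . '</p></div>'
         . '</li>';
}

// Constructed sample row: a hostile name and a multi-line comment with markup in it.
$row = [
    'id'      => 7,
    'name'    => '<script>alert(1)</script>',
    'email'   => 'x@example.com',
    'date'    => 'January 1st, 2010 12:00 am',
    'comment' => "line one\nline two <b>bold?</b>",
];

// The script tag comes out as &lt;script&gt;..., the newline as <br>, and the <b> as &lt;b&gt;.
echo render_comment($row), "\n";
```

Nothing in this renderer cares whether post.php ran strip_tags() or not; the browser only ever sees encoded text, so a tag that survives input filtering (or arrives through a path that skips it) is still inert.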
 
Joined
Oct 24, 2009
Messages
536
Reaction score
217
Someone attempted to inject the site.
Good job too, if anything they've done me a favour.

Here is a new, edited post.php

post.php
PHP:
<?php
include "config.php";

//vars
// stripslashes() removes backslash escaping (including any added by magic_quotes_gpc),
// so quotes reach the query below unchanged; strip_tags() only removes HTML tags.
$name = (stripslashes(strip_tags($_POST['name'])));
$email = (stripslashes(strip_tags($_POST['email'])));
$comment = nl2br(stripslashes(strip_tags($_POST['comment'])));
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("F jS, Y g:i a");
//vars

if(!$name || !$email || !$comment){
	echo 'All fields are required!<br><br>Click <a href="index.php">here</a> to try again.';
}else{
	if(strpos($email, "@") === false || strpos($email, ".") === false){
		echo 'You must enter a valid e-mail.<br><br>Click <a href="index.php">here</a> to try again.';
	}else{
		$sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES ('$name', '$email', '$comment', '$ip', '$date');";
		if(mysql_query($sql)){
			header("Location: index.php?post_success=1");
		}else{
			echo '<strong>MySQL Error:</strong> '.mysql_error();
		}
	}
}
?>
 
Junior Spellweaver
Joined
Apr 12, 2006
Messages
121
Reaction score
26
Woah? This isn't better...
Oh and I was the one who attempted to inject it as you said I could...


Anyhow, here's the script, edited to avoid any SQL/XSS injection. Also added a better email check:

post.php
PHP:
<?php
include "config.php";

//vars, SQL injection protection
// mysql_real_escape_string() escapes quotes and backslashes using the connection opened in config.php
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$comment = mysql_real_escape_string($_POST['comment']);
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("F jS, Y g:i a");
//vars

if(!$name || !$email || !$comment){
    echo 'All fields are required!<br><br>Click <a href="index.php">here</a> to try again.';
}else{
    // letters only on both sides of the @: rejects digits, dots and hyphens in the local part, and allows one dot, before the TLD
    if(!preg_match('#^[a-z]{3,}\@[a-z]{3,}\.[a-z]{1,4}$#i', $email)){
        echo 'You must enter a valid e-mail.<br><br>Click <a href="index.php">here</a> to try again.';
    }else{
        $sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES ('$name', '$email', '$comment', '$ip', '$date');";
        if(mysql_query($sql)){
            header("Location: index.php?post_success=1");
        }else{
            echo '<strong>MySQL Error:</strong> '.mysql_error();
        }
    }
}
?>

index.php

PHP:
<?php
include "config.php";
//config
$title = 'Guestbook by markeriksson94';
$button = 'POST COMMENT';
$subtitle = 'Guestbook';
//config
?>
<html>
<head>
<title><?php echo $title; ?></title>
<link rel="stylesheet" type="text/css" href="css/css.css" />
</head>
<body>
<center><h1><?php echo $subtitle; ?></h1></center>
<div id="commentleft">
    <p id="review">Post a comment</p>
    <form method="post" action="post.php">
        <p>
            <label for="name">Your name</label><br>
            <input type="text" class="texts" name="name" id="name" size="40" maxlength="40">
        </p>
        <p>
            <label for="email">Your e-mail</label><br>
            <input type="text" class="texts" name="email" id="email" size="40" maxlength="150">
        </p>
        <p>
            <label for="comment">Comment</label><br>
            <textarea cols="50" class="texts" rows="10" name="comment" id="comment"></textarea>
        </p>
        <p>
            <input type="submit" class="sub_button" value="<?php echo $button; ?>" name="post">
        </p>
    </form>
</div>
<div id="commentright">
    <p id="review"><?php echo mysql_num_rows(mysql_query("SELECT * FROM gb")); ?> comment(s) to <?php echo $subtitle; ?></p>
    <?php
    $gb = mysql_query("SELECT * FROM gb ORDER BY `id` DESC");
    if(mysql_num_rows($gb) == 0){
        echo 'There are currently no guestbook reviews!';
    }else{
        echo '<ol class="commentlist">';
        while($row = mysql_fetch_array($gb)){
            $row = array_map('htmlentities', $row); // XSS protection; no charset given, so PHP's default applies (ISO-8859-1 before 5.4, UTF-8 since)
            $id = $row["id"];
            $name = $row["name"];
            $email = $row["email"];
            $comment = $row["comment"];
            $date = $row["date"];
            echo '<li id="guestbook-comment-'.$id.'">
                '.$name.' on '.$date.' 
                <div class="commentballoon"></div>
                <div class="commenttext">
                    <p>'.$comment.'</p>
                </div>
            </li>';
        }
        echo '</ol>';
    }
    ?>
</div>
<center>Guestbook script by markeriksson94/m0nsta./Monsta.<br>
© 2010.</center>
</body>
</html>
 
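The first reply found the guestbook open to SQL injection, and the last post closes it by passing each field through mysql_real_escape_string(). The ext/mysql functions that both versions rely on were removed in PHP 7.0, so here is an added example, not from the thread and not the poster's code, that does the same INSERT with PDO prepared statements. It runs against an in-memory SQLite table so it works offline; the table layout is assumed from the column names post.php inserts into, the `$db` array with quoted keys and the MySQL DSN are assumptions, and the sample fields are constructed. For comparison it also assembles the statement the way the original post.php does and shows it failing on an ordinary apostrophe.

```php
<?php
// Added example (not from the thread): the guestbook INSERT, first built by string
// interpolation as post.php does, then as a PDO prepared statement. Uses an
// in-memory SQLite database so it runs offline; a real deployment would use the
// MySQL DSN from build_mysql_dsn(). Table columns are assumed from post.php.

function build_mysql_dsn(array $db): string {
    // Keys are quoted, as the reply recommends; bare $db[user] relies on undefined constants.
    return sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $db['host'], $db['name']);
}

function open_test_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: the five columns post.php writes plus an auto-numbered id.
    $pdo->exec('CREATE TABLE gb (id INTEGER PRIMARY KEY, name TEXT, email TEXT, comment TEXT, ip TEXT, date TEXT)');
    return $pdo;
}

// How the original post.php assembles the statement: user input becomes SQL syntax.
function unsafe_insert_sql(array $f): string {
    return "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES "
         . "('{$f['name']}', '{$f['email']}', '{$f['comment']}', '{$f['ip']}', '{$f['date']}');";
}

// Hardened form: placeholders carry the values, so quotes in the input are data, not syntax.
function safe_insert(PDO $pdo, array $f): int {
    $stmt = $pdo->prepare(
        'INSERT INTO gb (name, email, comment, ip, date) VALUES (:name, :email, :comment, :ip, :date)'
    );
    $stmt->execute([
        ':name'    => $f['name'],
        ':email'   => $f['email'],
        ':comment' => $f['comment'],
        ':ip'      => $f['ip'],
        ':date'    => $f['date'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample: a perfectly legitimate name and comment that contain apostrophes.
$fields = [
    'name'    => "O'Brien",
    'email'   => 'obrien@example.com',
    'comment' => "Nice site, isn't it?",
    'ip'      => '127.0.0.1',
    'date'    => 'January 1st, 2010 12:00 am',
];

$pdo = open_test_db();

try {
    $pdo->exec(unsafe_insert_sql($fields));
    echo "unexpected: the string-built statement ran\n";
} catch (PDOException $e) {
    // The apostrophe in O'Brien ends the string literal and the statement is malformed.
    // post.php prints mysql_error() to the visitor at this point, which also leaks the query shape.
    echo "string-built statement failed: " . $e->getMessage() . "\n";
}

$id = safe_insert($pdo, $fields);
$stmt = $pdo->prepare('SELECT name, comment FROM gb WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "stored verbatim: {$row['name']} / {$row['comment']}\n";
```

The parameterised version needs no per-field escaping call and does not depend on the connection's character set the way mysql_real_escape_string() does, so validation (required fields, the e-mail check) can run on the raw values and the same values go straight into execute(). Output encoding is a separate step at display time and is not changed by anything here.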