
[PHP] [MySQL] Simple Guestbook Script

Joined Oct 24, 2009 | Messages 536 | Reaction score 217
This is a simple guestbook script I made a while ago. It only took me 20 minutes, and I made it to be released, so I don't care whatever you do with it.

I cba uploading anything, so I will post the files here.

config.php
PHP:
<?php
/*Database info*/
$db[user] = 'user'; // the username attached to your database
$db[host] = 'localhost'; //usually 'localhost', if not - change it :-)
$db[name] = 'name'; //The name of your database
$db[pass] = 'pass'; //The password of your database

$db[connection] = mysql_connect($db[host], $db[user], $db[pass]);
if(!$db[connection]){
    die('Sorry. I could not connect to your Database!'); //Have you even created the database?
}

$db[select] = mysql_select_db($db[name]);
if(!$db[select]){
   die('Sorry. I could not open your Database!'); //The database has been created, but the user must be attached to the database in the $db[name] variable, either that or the password is wrong!
    $error=1;
}
?>

index.php
PHP:
<?php
include "config.php";
//config
$title = 'Guestbook by markeriksson94';
$button = 'POST COMMENT';
$subtitle = 'Guestbook';
//config
?>
<html>
<head>
<title><?php echo $title; ?></title>
<link rel="stylesheet" type="text/css" href="css/css.css" />
</head>
<body>
<center><h1><?php echo $subtitle; ?></h1></center>
<div id="commentleft">
	<p id="review">Post a comment</p>
	<form method="post" action="post.php">
		<p>
			<label for="name">Your name</label><br>
			<input type="text" class="texts" name="name" id="name" size="40" maxlength="40">
		</p>
		<p>
			<label for="email">Your e-mail</label><br>
			<input type="text" class="texts" name="email" id="email" size="40" maxlength="150">
		</p>
		<p>
			<label for="comment">Comment</label><br>
			<textarea cols="50" class="texts" rows="10" name="comment" id="comment"></textarea>
		</p>
		<p>
			<input type="submit" class="sub_button" value="<?php echo $button; ?>" name="post">
		</p>
	</form>
</div>
<div id="commentright">
	<p id="review"><?php echo mysql_num_rows(mysql_query("SELECT * FROM gb")); ?> comment(s) to <?php echo $subtitle; ?></p>
	<?php
	$gb = mysql_query("SELECT * FROM gb ORDER BY `id` DESC");
	if(mysql_num_rows($gb) == 0){
		echo 'There are currently no guestbook reviews!';
	}else{
		echo '<ol class="commentlist">';
		while($row = mysql_fetch_array($gb)){
			$id = $row["id"];
			$name = $row["name"];
			$email = $row["email"];
			$comment = $row["comment"];
			$date = $row["date"];
			echo '<li id="guestbook-comment-'.$id.'">
				'.$name.' on '.$date.' 
				<div class="commentballoon"></div>
				<div class="commenttext">
					<p>'.$comment.'</p>
				</div>
			</li>';
		}
		echo '</ol>';
	}
	?>
</div>
<center>Guestbook script by markeriksson94/m0nsta./Monsta.<br>
© 2010.</center>
</body>
</html>

post.php
PHP:
<?php
include "config.php";

//vars
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$comment = strip_tags($_POST['comment']);
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("F jS, Y g:i a");
//vars

if(!$name || !$email || !$comment){
	echo 'All fields are required!<br><br>Click <a href="index.php">here</a> to try again.';
}else{
	if(strpos($email, "@") === false || strpos($email, ".") === false){
		echo 'You must enter a valid e-mail.<br><br>Click <a href="index.php">here</a> to try again.';
	}else{
		$comment = str_replace("\n", '<br>', $comment);
		$sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES ('$name', '$email', '$comment', '$ip', '$date');";
		if(mysql_query($sql)){
			header("Location: index.php?post_success=1");
		}else{
			echo '<strong>MySQL Error:</strong> '.mysql_error();
		}
	}
}
?>

Now follow these instructions:

  1. create a folder called 'css'
  2. copy and paste this code below and name it 'css.css'

css/css.css
Code:
body {
	font-family: verdana;
	font-size: 11px;
	background-color:black;
}
	
#commentleft {
     font:normal 10px verdana;
     color:#ffffff;
	padding: 0px;
	margin: 0px 40px 0px 0px;
	line-height:20px;
	float:left;
	width:450px;
}

h1{
	color: white;
}

#commentleft a{
     text-decoration:none;
     color:#FF0000;
}

#commentleft small{
     color:#777777;
     font:normal 10px verdana;
}

.texts{
     background-color:#333333;
     border:1px solid #444444;
     width:90%;
     padding:2px;
     font:normal 12px verdana;
     color:#f5f5f5; 
}

#review{
     font:normal 12px verdana;
     color:#FF0000;
     padding:10px;
     border:1px solid #292929;
     background-color:#111111;
}

#commentright{
     font:normal 11px verdana;
     color:#aaaaaa;
     float:left;
     width:500px;
}

#commentright a{
     text-decoration:none;
     color:#FF0000;
}

.commentballoon {
	clear: both;
	margin: 3px 0px 0px 0px;
	padding: 0px;
	height:10px;
	background: url(../images/comment.png) no-repeat top left;
	
}

.commenttext {
	clear: both;
	margin: 0px 0px 10px 0px;
	padding: 10px 10px 5px 10px;
	width: 420px;
	background: #333333;
	line-height:18px;
	
}

.sub_button{
     background-color:#333333;
     border:1px solid #444444;
     padding:2px;
     font:normal 12px verdana;
     color:#f5f5f5;    
}

And then follow these instructions:

  1. create a folder named 'images'
  2. save this image in the 'images' folder you have just created and name it 'comment.png'

images/comment.png
http://mark-eriksson.com/guestbook/images/comment.png

I have set up a demo on my personal site; click to try it out!

Enjoy,
- Mark.
 
Junior Spellweaver
Joined Apr 12, 2006 | Messages 121 | Reaction score 26
Mind if I test it on your personal site for SQL injections?

Because, as I see it, it's not well protected.

And by the way, the use of $array[key] is deprecated; use $array['key'] instead.

Anyhow, thanks for releasing :)
 
Junior Spellweaver
Joined Apr 12, 2006 | Messages 121 | Reaction score 26
I couldn't delete any messages as you can't run multi queries with mysql_query().

XSS injection was done after a few trials.
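The point raised in the two replies above (no stacked queries, but still "not well protected") is easiest to see side by side. The block below is an added example, not code from the thread: it puts the thread's string-built INSERT next to a prepared-statement version. PDO over an in-memory SQLite database stands in for MySQL so it runs offline (the `mysql_*` functions the thread uses were removed in PHP 7, and PDO is the usual replacement); the `gb` table, the stand-in IP address and the three visitors' posts are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. PDO over an in-memory SQLite
// database stands in for MySQL so this runs offline; the `gb` table is the
// one the thread's post.php expects. Requires the pdo_sqlite extension.
declare(strict_types=1);

function openGuestbookDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE gb (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT, email TEXT, comment TEXT, ip TEXT, date TEXT)');
    return $db;
}

// The thread's approach: strip_tags() and then interpolate into the SQL text.
// strip_tags() only removes <...>; quotes and parentheses pass straight through.
function insertUnsafe(PDO $db, string $name, string $email, string $comment): void
{
    $name    = strip_tags($name);
    $email   = strip_tags($email);
    $comment = strip_tags($comment);
    $ip   = '127.0.0.1';                 // stands in for $_SERVER['REMOTE_ADDR']
    $date = date('F jS, Y g:i a');
    $sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) "
         . "VALUES ('$name', '$email', '$comment', '$ip', '$date');";
    $db->exec($sql);
}

// Hardened version: bound parameters. The driver sends the values separately
// from the statement text, so a quote in a name is just a quote.
function insertSafe(PDO $db, string $name, string $email, string $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO gb (name, email, comment, ip, date)
         VALUES (:name, :email, :comment, :ip, :date)');
    $stmt->execute([
        ':name'    => $name,
        ':email'   => $email,
        ':comment' => $comment,
        ':ip'      => '127.0.0.1',
        ':date'    => date('F jS, Y g:i a'),
    ]);
}

function allRows(PDO $db): array
{
    return $db->query('SELECT id, name, comment FROM gb ORDER BY id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs. The e-mail column is stored but never displayed by
// index.php; the crafted comment pulls the first poster's address into the
// comment column, which index.php does display. No second statement is needed.
$visitor = ["O'Brien", 'ob@example.com', 'Nice site'];
$payload = "hi', '0', '0'), ('Mallory', '0', "
         . "(SELECT email FROM gb WHERE id = 1), '0', '0'); -- ";

foreach (['insertUnsafe', 'insertSafe'] as $insert) {
    $db = openGuestbookDb();
    $insert($db, 'Alice', 'alice@example.com', 'First!');
    try {
        $insert($db, ...$visitor);      // a legitimate name with an apostrophe
    } catch (PDOException $e) {
        echo "$insert: legitimate name rejected: ", $e->getMessage(), "\n";
    }
    $insert($db, 'Mallory', 'm@example.com', $payload);
    echo "$insert stored ", count(allRows($db)), " row(s):\n";
    foreach (allRows($db) as $row) {
        echo "  #{$row['id']} {$row['name']}: {$row['comment']}\n";
    }
}
```

Run it with `php` on the command line. With `insertUnsafe`, O'Brien's post is a syntax error and Mallory's post becomes a two-row INSERT whose second row carries Alice's e-mail address as its comment; with `insertSafe`, all three posts are stored exactly as typed and the payload is just an odd-looking comment. Escaping with `mysql_real_escape_string()` closes the same hole for the old extension, but parameter binding removes the need to get the escaping right on every query.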
 
Junior Spellweaver
Joined Apr 12, 2006 | Messages 121 | Reaction score 26
You can just use htmlentities().

And make sure to use htmlentities() or strip_tags() on the DISPLAY part, not the saving.
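Why the encoding belongs on the display side, as an added example (not code from the thread): the thread's patched post.php runs `nl2br()` before the INSERT, and the patched index.php then runs `htmlentities()` over every column, so the stored `<br />` comes out encoded. The functions below reproduce those two steps, then show the usual order (store raw, encode on output, add line breaks last). The two sample comments are constructed.

```php
<?php
// Added example, not code from the thread. Shows why the encoding step
// belongs at display time and why nl2br() must run after it.
declare(strict_types=1);

// What the thread's second post.php stores: tags stripped, <br /> inserted
// before the INSERT.
function storeLikeThread(string $comment): string
{
    return nl2br(stripslashes(strip_tags($comment)));
}

// What the thread's patched index.php then does to every column on display.
function displayLikeThread(string $stored): string
{
    return htmlentities($stored);
}

// Recommended pipeline: keep the raw text in the database, encode for HTML
// when rendering, and add line breaks after encoding so they survive it.
function renderComment(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed inputs: an ordinary two-line comment and one carrying markup.
$multiLine = "first line\nsecond line";
$hostile   = '<b onmouseover="alert(1)">hello</b> & goodbye';

echo "Thread pipeline, two-line comment:\n";
echo displayLikeThread(storeLikeThread($multiLine)), "\n\n";

echo "Recommended pipeline, two-line comment:\n";
echo renderComment($multiLine), "\n\n";

echo "Thread pipeline, comment with markup:\n";
echo displayLikeThread(storeLikeThread($hostile)), "\n\n";

echo "Recommended pipeline, comment with markup:\n";
echo renderComment($hostile), "\n";
```

In the first case the browser shows the text `<br />` instead of a line break, because the tag was stored and then encoded; in the second the break is real. For the comment with markup both pipelines are inert in the browser, but `strip_tags()` silently discards what the visitor typed, while `htmlspecialchars()` shows it verbatim. Note the `ENT_QUOTES` flag: the default `htmlentities()` in older PHP leaves single quotes alone, which matters the moment a value ends up inside a single-quoted attribute.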
 
Joined Oct 24, 2009 | Messages 536 | Reaction score 217
Someone attempted to inject the site.
Good job too, if anything they've done me a favour.

Here is a new, edited post.php

post.php
PHP:
<?php
include "config.php";

//vars
$name = (stripslashes(strip_tags($_POST['name'])));
$email = (stripslashes(strip_tags($_POST['email'])));
$comment = nl2br(stripslashes(strip_tags($_POST['comment'])));
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("F jS, Y g:i a");
//vars

if(!$name || !$email || !$comment){
	echo 'All fields are required!<br><br>Click <a href="index.php">here</a> to try again.';
}else{
	if(strpos($email, "@") === false || strpos($email, ".") === false){
		echo 'You must enter a valid e-mail.<br><br>Click <a href="index.php">here</a> to try again.';
	}else{
		$sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES ('$name', '$email', '$comment', '$ip', '$date');";
		if(mysql_query($sql)){
			header("Location: index.php?post_success=1");
		}else{
			echo '<strong>MySQL Error:</strong> '.mysql_error();
		}
	}
}
?>
 
Junior Spellweaver
Joined Apr 12, 2006 | Messages 121 | Reaction score 26
Woah? This isn't better...
Oh, and I was the one who attempted to inject it, as you said I could...


Anyhow, here's the script, edited to avoid any SQL/XSS injection. Also added a better email check:

post.php
PHP:
<?php
include "config.php";

//vars, SQL injection protection
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$comment = mysql_real_escape_string($_POST['comment']);
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("F jS, Y g:i a");
//vars

if(!$name || !$email || !$comment){
    echo 'All fields are required!<br><br>Click <a href="index.php">here</a> to try again.';
}else{
    if(!preg_match('#^[a-z]{3,}\@[a-z]{3,}\.[a-z]{1,4}$#i', $email)){
        echo 'You must enter a valid e-mail.<br><br>Click <a href="index.php">here</a> to try again.';
    }else{
        $sql = "INSERT INTO `gb` (`name`, `email`, `comment`, `ip`, `date`) VALUES ('$name', '$email', '$comment', '$ip', '$date');";
        if(mysql_query($sql)){
            header("Location: index.php?post_success=1");
        }else{
            echo '<strong>MySQL Error:</strong> '.mysql_error();
        }
    }
}
?>

index.php
PHP:
<?php
include "config.php";
//config
$title = 'Guestbook by markeriksson94';
$button = 'POST COMMENT';
$subtitle = 'Guestbook';
//config
?>
<html>
<head>
<title><?php echo $title; ?></title>
<link rel="stylesheet" type="text/css" href="css/css.css" />
</head>
<body>
<center><h1><?php echo $subtitle; ?></h1></center>
<div id="commentleft">
    <p id="review">Post a comment</p>
    <form method="post" action="post.php">
        <p>
            <label for="name">Your name</label><br>
            <input type="text" class="texts" name="name" id="name" size="40" maxlength="40">
        </p>
        <p>
            <label for="email">Your e-mail</label><br>
            <input type="text" class="texts" name="email" id="email" size="40" maxlength="150">
        </p>
        <p>
            <label for="comment">Comment</label><br>
            <textarea cols="50" class="texts" rows="10" name="comment" id="comment"></textarea>
        </p>
        <p>
            <input type="submit" class="sub_button" value="<?php echo $button; ?>" name="post">
        </p>
    </form>
</div>
<div id="commentright">
    <p id="review"><?php echo mysql_num_rows(mysql_query("SELECT * FROM gb")); ?> comment(s) to <?php echo $subtitle; ?></p>
    <?php
    $gb = mysql_query("SELECT * FROM gb ORDER BY `id` DESC");
    if(mysql_num_rows($gb) == 0){
        echo 'There are currently no guestbook reviews!';
    }else{
        echo '<ol class="commentlist">';
        while($row = mysql_fetch_array($gb)){
            $row = array_map('htmlentities', $row); // XSS protection
            $id = $row["id"];
            $name = $row["name"];
            $email = $row["email"];
            $comment = $row["comment"];
            $date = $row["date"];
            echo '<li id="guestbook-comment-'.$id.'">
                '.$name.' on '.$date.' 
                <div class="commentballoon"></div>
                <div class="commenttext">
                    <p>'.$comment.'</p>
                </div>
            </li>';
        }
        echo '</ol>';
    }
    ?>
</div>
<center>Guestbook script by markeriksson94/m0nsta./Monsta.<br>
© 2010.</center>
</body>
</html>
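The "better email check" above is stricter than it looks. The block below is an added example, not code from the thread: it runs the first post.php's "contains @ and ." test, the regex from this post, and PHP's own `FILTER_VALIDATE_EMAIL` over a handful of constructed addresses so the differences are visible.

```php
<?php
// Added example, not code from the thread. The e-mail checks that appear in
// the thread, run side by side over constructed addresses.
declare(strict_types=1);

// First post.php: "contains @ and ." (with ==, so a match at offset 0 counts
// as "not found").
function checkContainsAtAndDot(string $email): bool
{
    return !(strpos($email, '@') == false || strpos($email, '.') == false);
}

// Last post.php: the regex offered as a better check.
function checkThreadRegex(string $email): bool
{
    return preg_match('#^[a-z]{3,}\@[a-z]{3,}\.[a-z]{1,4}$#i', $email) === 1;
}

// PHP's built-in validator: a syntax check only; it says nothing about
// whether the mailbox exists.
function checkFilterVar(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample addresses.
$samples = [
    'mark@example.com',                 // plain address
    'first.last@my-site.example.org',   // dot in local part, hyphen in domain
    'first+tag@example.co.uk',          // plus addressing, two-label suffix
    'x@.',                              // junk that happens to contain @ and .
    'not an email',
];

printf("%-34s %-8s %-8s %-8s\n", 'address', 'at+dot', 'regex', 'filter');
foreach ($samples as $email) {
    printf("%-34s %-8s %-8s %-8s\n", $email,
        checkContainsAtAndDot($email) ? 'accept' : 'reject',
        checkThreadRegex($email)      ? 'accept' : 'reject',
        checkFilterVar($email)        ? 'accept' : 'reject');
}
```

The "at+dot" test lets `x@.` through, while the regex rejects every address with a dot, digit, hyphen or plus sign in it, which is a lot of real mailboxes. `filter_var()` accepts the three real-looking addresses and rejects the two junk ones; it still only checks syntax, so if the address matters (for replies or moderation) a confirmation mail is the only check that proves anything.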
 
 