Ultimate Guestbook Tutorial: How to build a Guestbook with a honeypot, error checking, IP banning, pagination, e-mail notification and smilies with PHP and mySQL
April 26, 2008
To insert a guestbook entry into the database we need a database connection and a database with the right structure. Start by making a new folder called 'includes' in the same directory as index.php. Inside it create a file called config.php and paste this code into it:
<?php
// Database credentials: get them from your host, or create them yourself if you run the server
$host     = 'localhost';
$username = 'yourusername';
$password = 'yourpassword';
$dbname   = 'guestbook';

// Connect and select the guestbook database; stop with the MySQL error message if either step fails
$connect  = mysql_connect($host, $username, $password) or die('Could not connect: ' . mysql_error());
$dbselect = mysql_select_db($dbname, $connect) or die('Could not select database: ' . mysql_error());
?>
Unfortunately I cannot help you with these settings; you will need to get them from your server administrator or find them out yourself. If you control the server you can create the database and a user name and password of your own. Make sure the database exists and that $dbname above matches its name. Here is the table structure; execute it against your database to create it:
CREATE TABLE `entries` (
  `id` INT(8) NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `name` VARCHAR(255) NOT NULL,
  `email` VARCHAR(255) NOT NULL,
  `website` VARCHAR(255) NOT NULL,
  `message` TEXT NOT NULL,
  `date` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `ip` VARCHAR(45) NOT NULL  -- 45 rather than 15, so an IPv6 address from REMOTE_ADDR is stored whole instead of truncated
) ENGINE = MYISAM;
Next open index.php and, on the line after the first opening PHP tag, add:
include('includes/config.php');
Now refresh index.php in your browser and make sure no MySQL errors appear. If the page shows no errors, you have connected to the database successfully (or you skipped the step above and never included config.php, so check that too).
Now that we have a connection we can start inserting entries into the database. We do this in index.php, because it extends the error-checking code that is already there.
Open up your index.php page and:
Below:
if(strlen($_POST['message']) < 2){
$error['message'] = 'Please enter a message';
}
Add:
$postentry = false; // stays false unless the row is written, so skin.php can test it safely
if(!isset($error)){
	$postentry = mysql_query("INSERT INTO `entries` (name, email, website, message, date, ip) VALUES ('"
		. mysql_real_escape_string($_POST['name']) . "', '"
		. mysql_real_escape_string($_POST['email']) . "', '"
		. mysql_real_escape_string($_POST['website']) . "', '"
		. mysql_real_escape_string($_POST['message']) . "', now(), '"
		. mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "')");
}
This is the SQL statement that inserts the entry into the database. It stores all the form fields plus two extra values: a timestamp, so we can show when the entry was submitted, and the visitor's IP address, so we can blacklist that IP later if we need to.
Notice the mysql_real_escape_string() calls wrapped around every value. They escape the quote and backslash characters a visitor could otherwise use to close the quoted string and append SQL of their own. That is SQL injection, and it is exactly what spam bots try: it bypasses any input restrictions in the form, lets them push their own content into the site, or lets them read private data out of the database. addslashes() is often used for this job, but it is not good enough: it knows nothing about the connection's character set and can be bypassed with multi-byte input, whereas mysql_real_escape_string() escapes according to the charset of the open connection (so config.php must be included before this line). The stronger fix, if your PHP has mysqli or PDO, is a prepared statement: the SQL text is fixed and the values are sent separately, so they can never be parsed as SQL. Escaping for SQL does nothing for the output side, either: when you later print these entries, pass them through htmlspecialchars() so a message containing HTML or script cannot run in your visitors' browsers.
mysql_query() returns TRUE when an INSERT succeeds and FALSE when it fails, so $postentry tells us whether the row was written. We use that variable in the skin file now.
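As an added example, not code from this tutorial, here is the same insert written as a PDO prepared statement, together with a short demonstration of why addslashes() is not an injection defence. It runs offline against an in-memory SQLite copy of the entries table (an assumption made so the example needs no MySQL server; with a MySQL DSN the insertEntry() function is unchanged), validates REMOTE_ADDR so IPv6 clients are handled, and feeds it a constructed injection payload to show that the payload is stored as plain text rather than executed.

```php
<?php
// Added example (not from the original tutorial): a prepared-statement insert
// for the guestbook, run offline against an in-memory SQLite database.
// Assumptions: the pdo_sqlite extension is loaded. For the real guestbook pass a
// MySQL DSN such as 'mysql:host=localhost;dbname=guestbook;charset=utf8mb4'
// instead; insertEntry() does not change.

// Why addslashes() is not an injection defence: under a multi-byte connection
// charset such as GBK, the byte 0xbf followed by the backslash (0x5c) that
// addslashes() inserts decodes as ONE character, so the quote after it is left
// unescaped and closes the SQL string. Returned as hex so it prints safely.
function showAddslashesBypass(): array
{
    $hostile = "\xbf' OR 1=1 -- ";      // constructed sample input
    return [
        'input'   => bin2hex($hostile),             // bf 27 ...
        'escaped' => bin2hex(addslashes($hostile)), // bf 5c 27 ... : bf5c is one GBK character
    ];
}

// Hardened insert: the SQL text is fixed; values travel separately as
// parameters and are never parsed as SQL, whatever they contain.
function insertEntry(PDO $pdo, array $post, string $remoteAddr): bool
{
    // REMOTE_ADDR can be IPv4 or IPv6. Validate it instead of relying on the
    // column width; a VARCHAR(15) column would silently truncate IPv6.
    $ip = filter_var($remoteAddr, FILTER_VALIDATE_IP);
    if ($ip === false) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO entries (name, email, website, message, date, ip)
         VALUES (:name, :email, :website, :message, CURRENT_TIMESTAMP, :ip)'
    );
    return $stmt->execute([
        ':name'    => $post['name'],
        ':email'   => $post['email'],
        ':website' => $post['website'],
        ':message' => $post['message'],
        ':ip'      => $ip,
    ]);
}

// Demo schema: the tutorial's table with portable types; `ip` is VARCHAR(45)
// so the longest textual IPv6 address fits.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE entries (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    name    VARCHAR(255) NOT NULL,
    email   VARCHAR(255) NOT NULL,
    website VARCHAR(255) NOT NULL,
    message TEXT NOT NULL,
    date    TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
    ip      VARCHAR(45) NOT NULL
)');

// Constructed hostile submission: the kind of payload a spam bot sends to
// break out of the quoted string and run a statement of its own.
$hostilePost = [
    'name'    => "bot', 'x', 'x', 'pwned', now(), '1.2.3.4'); DROP TABLE entries; -- ",
    'email'   => 'bot@example.invalid',
    'website' => 'http://example.invalid',
    'message' => "Robert'); DELETE FROM entries; -- ",
];

$ok       = insertEntry($pdo, $hostilePost, '2001:db8::1');  // IPv6 client, accepted
$rejected = insertEntry($pdo, $hostilePost, 'not-an-ip');    // bad REMOTE_ADDR, refused
$rows     = $pdo->query('SELECT name, message, ip FROM entries')->fetchAll(PDO::FETCH_ASSOC);

// Exactly one row, stored verbatim: the quotes and DROP/DELETE are data, not SQL.
printf("insert ok: %s, bad ip rejected: %s, rows: %d\n",
    $ok ? 'yes' : 'no', $rejected ? 'no' : 'yes', count($rows));
print_r($rows[0]);
print_r(showAddslashesBypass());
```

Run it with `php` on the command line. The table survives the payload because the statement's shape is fixed at prepare() time; the hex output from showAddslashesBypass() shows the `bf 5c 27` byte sequence that a GBK connection would read as one character followed by an unescaped quote, which is why the escaping function must know the connection charset.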
Open up the skin.php file:
Find:
<?php } ?>
and replace it with:
<?php
}
if($postentry == true){
?>
<tr>
<td valign="top" class="success">Guestbook entry posted successfully. Thank you.</td>
</tr>
<tr>
<td height="10"></td>
</tr>
<?php
}
?>
This checks whether $postentry is true, that is, whether the INSERT succeeded. If it did, the success message is shown; if it didn't, nothing is shown at all. And yes, that's right, I did make a success style (the class on the td above). Here is the CSS you can add to your stylesheet:
.success {
border: #999999 solid 1px;
color: #FFFFFF;
background: #36c952;
font-size: 14px;
padding: 10px;
}
Before we move on to showing the posts I want to add some features to the form first: some more error handling and the honeypot!
60 Comments
Hello VOIDET
I spent last night going through this tutorial and it was great and informative.
One question I have is that I see your guestbook example has had some spambot action. Is this because there are new techniques that your tutorial doesn’t cover? I’d like to keep this kind of crap off my guest book if possible.
Thanks for your great tutorial and your feedback.
Best,
CGar
Hey Cgar,
This is both true and unfortunate.
I only taught one spam catching technique.
However, more can be applied if need be: generating a CAPTCHA form, having an IP ban with a 30-day cool-off period, or blocking known IPs from blacklists.
The honeypot technique is just one! Surprisingly, it rejects quite a lot!
Let me know if I can help you out further!
VoiDeT
Hi there,
A great tut! I'm trying to put it on my site.
But there is one little problem. The honeypot... when I add this link:
a new text field appears on my guestbook, while you were saying that it was hidden?
How is that possible?
Dennis
Hi there. Thanks for the great tut. Sorry… forgot to read the last side, as I didn't use all of the tut for my guestbook at the moment. So I implemented the guestbook in my website without asking you first. And… I'm not completely ready, still working on some things such as the honeypot and the pagination.
Hello VOIDET,
This is the best tutorial on the internet so far!
I’m stuck at stage 7 – 10,
it looked fine until stage 7, then the success message never showed up.
The IP thing didn't work for me :/ so I skipped that part and now I'm trying to get the entries to work, but it shows me this message:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\guestbook\templates\entries.php on line 6
do you have an idea of what's wrong?
I would be happy for any help, just contact my email!
Regards Zime
@Zime:
Thanks a lot for the kind words.
That's a shame that you can't get the guestbook working. It looks as though your data isn't being inserted correctly. What you can do, however, is check your database for any records. If they aren't in there, then check what's going on with the data you're inserting and the insert commands.
If you do see the data in there, then check what’s happening when you try and retrieve the records.
I'm thinking I might rewrite this tutorial to use OOP with PHP5.
Or maybe save that for a whole new tutorial.
Hi
First, great thanks to the author of this tutorial/workshop.
It's working great. But there is only a single problem: the website links in the DB entries aren't working.
The link includes the whole file path, i.e. (http://htdocs/mywebsite/www.pcsh.it). What's wrong?
Thanks in advance and best regards,
Oli
THX a lot
love this tut
hey, where can I find the tutorial?
greetings
Dude, many thanks for this nice and clean tutorial. Took me about an hour to read it all up and add own commands.