Help posting to guestbook

  • Thekid
    New Member
    • Feb 2007
    • 145

    Help posting to guestbook

    Hi, I'm using xampplite and I'm trying to make a guestbook and a forms page where you can post to the guestbook with PHP & MySQL. I got the code from a website but it wasn't working so I tinkered with it a little and it's closer but not quite right. I made a database named 'guestbook' with a table named 'visitors'. In it are the following fields:
    TimeStamp
    Name
    Last
    email
    comment

    Here is the code for the guestbook (guestbook.php), followed by the forms page (insertguest.php) and finally the script that should add it to the database (add2tbl.php).

    guestbook.php (which seems to work ok?)
    Code:
    <html>
    <head><title>Guest book - display the info</title>
    </head>
    
    <body bgcolor=#ffffff>
    
    <?php
    
    // The sort column arrives from the header links (GET) and the offset from
    // the paging forms (POST). With register_globals off they never appear as
    // $srt and $offset on their own, so read them from $_REQUEST explicitly.
    // Only a name from this allow-list is ever placed into ORDER BY, because
    // a column name cannot be quoted or bound like an ordinary value.
    $columns = array('TimeStamp', 'Name', 'Last', 'email', 'comment');
    $srt = isset($_REQUEST['srt']) ? $_REQUEST['srt'] : 'TimeStamp';
    if (!in_array($srt, $columns, true)) {
        $srt = 'TimeStamp';
    }
    
    // LIMIT takes a plain integer, so force the offset to a non-negative one.
    $offset = isset($_REQUEST['offset']) ? max(0, (int)$_REQUEST['offset']) : 0;
    
    echo "<h2>Entries from the guest book sorted by $srt</h2>";
    
    mysql_connect('localhost','root','passwordhere') or die ('Problem connecting to DataBase');
    $query = "SELECT * FROM visitors ORDER BY $srt LIMIT $offset,10";
    $result = mysql_db_query("guestbook", $query);
    
    if ($result) { //Print results in table
    
        echo "<table width=90% align=center border=1><tr>
        <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=TimeStamp\">Visit time and date</a></td>
        <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=Name\">Name</a></td>
        <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=Last\">Last Name</a></td>
        <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=email\">Email</a></td>
        <td align=center bgcolor=#00FFFF><a href=\"guestbook.php?srt=comment\">Comment</a></td>
        </tr>";
    
        while ($r = mysql_fetch_array($result)) {
            // Escape stored values when printing them, so a visitor's comment
            // cannot inject HTML or script into this page.
            $TimeStamp = htmlspecialchars($r["TimeStamp"]);
            $Name = htmlspecialchars($r["Name"]);
            $Last = htmlspecialchars($r["Last"]);
            $email = htmlspecialchars($r["email"]);
            $comment = htmlspecialchars($r["comment"]);
            echo "<tr>
            <td>$TimeStamp</td>
            <td>$Name</td>
            <td>$Last</td>
            <td>$email</td></tr>
            <tr> <td colspan=4 bgcolor=\"#ffffa0\">$comment</td>
            </tr>";
        } //End while loop
        echo "</table>";
        mysql_free_result($result); // only valid when the query succeeded
    } //End if true
    else { //Begin if false
        echo "error.";
    } //end if false
    
    $next = $offset + 10; //View next or previous entries
    $prev = $offset - 10;
    
    $query = "SELECT * FROM visitors";
    $res = mysql_db_query("guestbook", $query);
    $num = mysql_num_rows($res);
    
    echo "<table align=center><tr>";
    
    if ($prev >= 0)
    {
        echo "<form method='post'>";
        echo "<input type=hidden name=offset value='$prev'>";
        echo "<input type=hidden name=srt value='$srt'>";
        echo "<td align=center><input type=submit value='Previous Entries'></td>";
        echo "</form>";
    }
    
    if ($num >= $next)
    {
        echo "<form method='post'>";
        echo "<input type=hidden name=offset value='$next'>";
        echo "<input type=hidden name=srt value='$srt'>";
        echo "<td align=center><input type=submit value='Next Entries'></td>";
        echo "</form>";
    }
    
    echo "</tr></table>";
    
    ?>
    
    </body>
    </html>
    insertguest.php (comes up as a form and will display the text from add2tbl.php)
    Code:
    <html>
    <head><title>Adding entry to guest book</title>
    </head>
    
    <body bgcolor=#ffffff>
    
    <h1>Add an entry</h1>
    
    <form method="post" action="add2tbl.php">
    <table width=90% align=center>
    <tr><td>First Name:</td><td><input type=text name='Name' size=40 maxlength=100></td></tr>
    <tr><td>Last Name:</td><td><input type=text name='Last' size=40 maxlength=100></td></tr>
    <tr><td>email:</td><td><input type=text name='email' size=40 maxlength=100></td></tr>
    <tr><td>Your Comment:</td><td><textarea name=comment rows=4 cols=60></textarea></td></tr>
    <tr><td></td><td><input type=submit></td></tr>
    </table>
    <?php
    // $_POST keys are case-sensitive: the field must be named exactly
    // 'TimeStamp' to match $_POST['TimeStamp'] in add2tbl.php and the
    // column name. (A MySQL DATETIME column expects the Y-m-d H:i:s order;
    // the d/m/Y form is only stored as given in a text column.)
    $dte = date("d/m/Y H:i:s");
    echo "<input type=hidden name='TimeStamp' value='$dte'><br>";
    ?>
    </form>
    </body>
    </html>
    add2tbl.php - for some reason the VALUES won't add properly. If left as is below, it works, but it will add the values as the text, i.e. TimeStamp, Name. I've tried changing them to variables like VALUES ('$TimeStamp', '$Name', '$Last', etc.), but that doesn't work either. I need the VALUES to reflect the input from insertguest.php. Thank you!
    Code:
    <?php
    echo '<b><p>Thank you for your input!</p></b>';
    mysql_connect('localhost','root','passwordhere') or die ('Problem connecting to DataBase');
    $query = "INSERT INTO `guestbook`.`visitors` (`TimeStamp`, `Name`, `Last`, `email`, `comment`) 
    VALUES ('TimeStamp', 'Name', 'Last', 'email', 'comment')";
    $result = mysql_db_query('guestbook', $query);
    ?>
  • numberwhun
    Recognized Expert Moderator Specialist
    • May 2007
    • 3467

    #2
    Hopefully one of the experts will correct me if I am wrong, but I don't think you can just reference the values as you have. When you hit submit on the form, the names, as you have them above, are actually values, but they are part of the $_REQUEST array. So, you can reference them with:

    Code:
    $_REQUEST['TimeStamp']
    I only used the TimeStamp variable above just to give you an idea of what I am talking about. Try replacing the names in the VALUES section as shown above for each one and then see if it works.

    Just to rule out any questions, here is what I am talking about:

    Code:
    <?php
    echo '<b><p>Thank you for your input!</p></b>';
    mysql_connect('localhost','root','passwordhere') or die ('Problem connecting to DataBase');
    // Inside a double-quoted string an array element with a quoted key must be
    // wrapped in {...}, and each value needs its own SQL quotes.
    $query = "INSERT INTO `guestbook`.`visitors` (`TimeStamp`, `Name`, `Last`, `email`, `comment`)
    VALUES ('{$_REQUEST['TimeStamp']}', '{$_REQUEST['Name']}', '{$_REQUEST['Last']}', '{$_REQUEST['email']}', '{$_REQUEST['comment']}')";
    $result = mysql_db_query('guestbook', $query);
    ?>
    Regards,

    Jeff


    • TheServant
      Recognized Expert Top Contributor
      • Feb 2008
      • 1168

      #3
      The PHP $_REQUEST variable contains the contents of $_GET, $_POST, and $_COOKIE. I suggest just using one, so more than likely, for a form (and what is already there, method="post"), use $_POST. $_REQUEST will work, but searching for $_GET and $_COOKIE variables is not required if all your data is in the $_POST array. Hope that made sense.
      Confirming numberwhun's comment that they cannot be values referenced like that, but need to be variables as suggested. I might also take this time to make sure that some data checking is going on. DO NOT EVER just trust user input and try to put the $_POST['variable_name'] into your database without checking and cleaning it! Any input should be checked and sanitized so that SQL Injection cannot happen. You should have something like:
      Code:
      <?php
      // sanitize() stands for your own checking/escaping function; each value
      // is also quoted inside the SQL string so the database reads it as text.
      $TimeStamp = sanitize( $_POST['TimeStamp'] );
      $Name = sanitize( $_POST['Name'] );
      $Last = sanitize( $_POST['Last'] );
      $email = sanitize( $_POST['email'] );
      $comment = sanitize( $_POST['comment'] );
      $result = mysql_query( "INSERT INTO visitors (TimeStamp, Name, Last, email, comment) VALUES ('$TimeStamp', '$Name', '$Last', '$email', '$comment')" );
      ?>
      Where sanitize() is your own function. As already said, you should check the data entered in the form and reject it if it does not match what you expected it to look like (checking that number fields are numbers, that names don't have special characters, etc.).


      • Markus
        Recognized Expert Expert
        • Jun 2007
        • 6092

        #4
        Further reading:


        • Thekid
          New Member
          • Feb 2007
          • 145

          #5
          Thank you guys for your replies. This is what I ended up with and it works:

          Code:
          <?php
          echo '<b><p>Thank you for your input!</p></b>';
          mysql_connect('localhost','root','passwordhere') or die ('Problem connecting to DataBase');
          $TimeStamp = htmlentities( $_POST['TimeStamp'] );
          $Name = htmlentities( $_POST['Name'] );
          $Last = htmlentities( $_POST['Last'] );
          $email = htmlentities( $_POST['email'] );
          $comment = htmlentities( $_POST['comment'] );
          $query = "INSERT INTO `guestbook`.`visitors` (`TimeStamp`, `Name`, `Last`, `email`, `comment`) 
          VALUES ('$TimeStamp', '$Name', '$Last', '$email', '$comment')";
          $result = mysql_db_query('guestbook', $query);
          ?>


          • Markus
            Recognized Expert Expert
            • Jun 2007
            • 6092

            #6
            Note: you're not preventing yourself from SQL Injection here.
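As an added example for this thread (not code posted by any of the participants), here is add2tbl.php rewritten the way TheServant's "check and sanitize" advice and Markus's SQL injection warning point to. It assumes PHP 5.3.6 or later with the PDO MySQL driver; the guestbook_user account, its placeholder password and the validate_entry(), insert_entry() and h() function names are this example's own. The point it makes about the accepted answer: htmlentities() encodes text for HTML output, which is a different job from keeping visitor text out of the SQL statement. The prepared statement below handles the SQL side, the validation rejects input that does not look like a name, address or comment, and HTML escaping is applied only where a value is printed.

```php
<?php
// add2tbl.php, hardened. Added example for this thread, not the poster's code.
// Assumes PHP 5.3.6+ with pdo_mysql; connection details below are placeholders.
// Two independent defences: every field is validated and rejected if it does
// not look as expected, and the INSERT runs as a prepared statement so user
// data is passed to MySQL as parameters, never spliced into the SQL text.

// Validate the submitted fields. Returns array($errors, $clean): $errors is a
// list of messages (empty when everything is acceptable), $clean the trimmed
// values keyed by field name.
function validate_entry(array $post)
{
    $errors = array();
    $clean = array();

    // Names: 1-100 characters, letters plus the usual name punctuation.
    foreach (array('Name', 'Last') as $field) {
        $value = isset($post[$field]) ? trim($post[$field]) : '';
        if ($value === '' || strlen($value) > 100
            || !preg_match('/^\p{L}[\p{L} .\'-]*$/u', $value)) {
            $errors[] = "$field must be 1-100 letters, spaces, dots, apostrophes or hyphens.";
        }
        $clean[$field] = $value;
    }

    // Email: let PHP's filter decide what a syntactically valid address is.
    $email = isset($post['email']) ? trim($post['email']) : '';
    if (strlen($email) > 100 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address.';
    }
    $clean['email'] = $email;

    // Comment: required, bounded length. Any characters are allowed, because
    // the prepared statement and output escaping make them harmless.
    $comment = isset($post['comment']) ? trim($post['comment']) : '';
    if ($comment === '' || strlen($comment) > 2000) {
        $errors[] = 'comment must be 1-2000 characters.';
    }
    $clean['comment'] = $comment;

    return array($errors, $clean);
}

// Insert one validated entry with bound parameters. The timestamp is set on
// the server rather than taken from the hidden form field, so a visitor cannot
// backdate or forge it. (Assumes the TimeStamp column is DATETIME or text.)
function insert_entry(PDO $db, array $clean)
{
    $sql = 'INSERT INTO visitors (TimeStamp, Name, Last, email, comment)
            VALUES (:ts, :name, :last, :email, :comment)';
    $stmt = $db->prepare($sql);
    return $stmt->execute(array(
        ':ts'      => date('Y-m-d H:i:s'),
        ':name'    => $clean['Name'],
        ':last'    => $clean['Last'],
        ':email'   => $clean['email'],
        ':comment' => $clean['comment'],
    ));
}

// HTML escaping belongs at output time, not before storage: the database keeps
// the text as typed, and every page that prints it escapes it for HTML.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

list($errors, $clean) = validate_entry($_POST);
if ($errors) {
    echo '<p>Your entry was not saved:</p><ul>';
    foreach ($errors as $e) {
        echo '<li>' . h($e) . '</li>';
    }
    echo '</ul>';
    exit;
}

// Placeholder connection details. Use a least-privileged account that can only
// INSERT into and SELECT from this table, rather than root.
$db = new PDO('mysql:host=localhost;dbname=guestbook;charset=utf8',
              'guestbook_user', 'PLACEHOLDER_PASSWORD',
              array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_EMULATE_PREPARES => false));

insert_entry($db, $clean);
echo '<b><p>Thank you for your input!</p></b>';
echo '<p>Saved entry for ' . h($clean['Name']) . ' ' . h($clean['Last']) . '.</p>';
```

With ATTR_EMULATE_PREPARES off, the statement text and the five values travel to MySQL separately, so a comment containing a quote or a semicolon is stored as ordinary text. The display page (guestbook.php) then needs its own htmlspecialchars() on each printed cell; encoding at insert time, as in post #5, would protect only pages that print the data as HTML and would still do nothing for the SQL statement.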
