
Php: Basic Guestbook

8,898 Views | 14 Replies

Php: Basic Guestbook 2006-11-13 01:57:15


Welcome, this tutorial will show you how to make a basic Guestbook. This is also quite a secure script, so you won't have to worry too much about people exploiting your site. This is also Flat-File based, so no mysql required! Although the user must have JavaScript enabled to see posts as the guestbook stores message + name data inside a JavaScript file.
Let's begin. I will be explaining the whole script through the use of comments, i.e. //.

Create a directory called guestbook/ in your main site's directory and create the following files:
index.html
processpost.php
posts.js

I'll start off showing you the html code you could use for the Gbook, although you could easily make your own/skin my one. I will not comment this code much either, as this tutorial is to teach you PHP, not html.

Note: the comments in html are done like this: <!--comment-->

index.html:
<html>
<head>
<title>My GuestBook</title>
<style> /* Add some css for the style */
body{
color:#000000;
font-family:Tahoma;
}
</style>
<script>
// This script defines the help function, i made it alert with some help when the user clicks the help button
function showHelp(){
alert("You must enter something in every input box, if you don't your message won't be added and you will just be taken to a white screen.\n\n All html is blocked, you also may not use single quotes.")
}
</script>
</head>
<body> <!--starting the body and main table-->
<table border="1" bordercolor="#000000" style="border-collapse:collapse;" align="center" width="700">
<tr>
<td align="center">
Welcome to the GuestBook!
<!--welcome message to the Gbook-->
</td>
</tr>
<tr>
<td>
<form method="post" action="processpost.php"><!--form to post messages from; it wraps the whole table, a form cannot sit between table rows-->
<table align="center" width="550">
<tr>
<td align="right" valign="top">
Your name:
</td>
<td align="left">
<input type="text" name="username">
</td>
</tr>
<tr>
<td align="right" valign="top">
Your message:
</td>
<td align="left">
<textarea name="message"></textarea>
</td>
</tr>
<tr>
<td align="right" valign="top">
Finished?
</td>
<td align="left">
<input type="submit" value="Submit">
</td>
</tr>
<tr><td></td><td></td></tr>
<tr><td></td><td align="left"><a href="JavaScript:showHelp()" style="cursor:help;">Need help?</a></td></tr> <!--this link activates the showHelp function from earlier.-->
</table>
</form> <!--End of message submission form-->
</td>
</tr>
<tr><td align="center">Entries:</td></tr>
<tr>
<td align="center">
<table align="center" width="550" border="1" style="border-collapse:collapse;">
<script src="posts.js">
<!--this includes the posts.js file which contains what people have posted-->
</script>
</table>
</td>
</tr>
</table>
</body>
</html>

Response to Php: Basic Guestbook 2006-11-13 01:58:29


PART 2:

Okay, now that you have your html file, let's get this PHP file done!

processpost.php:
<?php
//Pull down post data, set to variables
$username = $_POST['username'];
$message = $_POST['message'];

//Start of security check
if($message == "" && $username ==""){ //check if both fields are empty
echo "No name or message was entered.";
}
elseif($message == ""){
echo "No message entered"; //check if no message entered
}
elseif($username == ""){
echo "No name entered"; //check if no name entered
}
elseif(strstr($message, '<')){
echo "HTML is not allowed in the guestbook."; //check if contains a <
}
elseif(strstr($message, '>')){
echo "HTML is not allowed in the guestbook."; //check if contains a >
}
elseif(strstr($message, "'")){
echo "Single quotes are blocked in the guestbook.";
//check if contains a ', which messes up the posts.js
}
elseif(strstr($username, '>')){
echo "HTML is not allowed in the guestbook.";
//check if name contains a >
}
elseif(strstr($username, '<')){
echo "HTML is not allowed in the guestbook.";
//check if name contains a <
}
elseif(strstr($username, "'")){
echo "Single quotes are blocked in the guestbook.";
//Check if name contains single quotes, which mess up posts.js
}
elseif(strlen($message)>100){
echo "Your message must be below 100 characters, please lower the amount of characters or post your message over 2 separate messages.";
//check if message is too long for the script
}
elseif(strlen($username)>30){
echo "Your username must be lower than 30 characters.";
//check if name is too long
}
//end of security check, if none of these errors are met, start the else
else{
//security check passed
//open the posts.js file, in append mode
$fp = fopen("posts.js", "a");

//prepare the message it is going to append to the file.
$finishedmessage = "\ndocument.write('<tr><td>Name:</td><td>$username</td></tr><tr><td>Message:</td><td>$message</td></tr><tr><td> </td><td> </td></tr><tr><td> </td><td> </td></tr>')";
//message prepared

fwrite($fp, $finishedmessage);
//write the message to the file (posts.js)
fclose($fp);
//close posts.js

echo "<script>
alert('Message posted, click okay to be taken back to the guestbook. Note: After you click okay you must reload the page to see your message.')
window.location='http://www.YOURDOMAIN.TLD/guestbook/' //change this to your domain/tld
</script>";
//this bit will echo out a javascript alert, then redirect back to the homepage
}
?>

Woo, 2 down, 1 to go. This one is the easiest as well!

posts.js:
// Start this with a simple message, and after that the php script will write the rest!
document.write('<tr><td> </td><td> </td></tr><tr><td> </td><td> </td></tr><tr><td><b>Name:</b></td><td>YOURNAME</td></tr> <tr><td><b>Message:</b></td><td>Welcome to our new guestbook!</td></tr><tr><td> </td><td> </td></tr><tr><td> </td><td> </td></tr>')
// also add your name and the first message you want in your Gbook

Okay, that concludes this guestbook tutorial.

Any questions? Just ask.

-Jordan

Response to Php: Basic Guestbook 2006-11-13 06:12:47


This is insecure, you are not even attempting to filter HTML. And you are using JavaScript, which eliminates 10% of web users.


Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.

Response to Php: Basic Guestbook 2006-11-13 11:07:08


Insecure as hell..

You have a lot to learn before writing tutorials.
Sure, use it yourself if you want to, but it really sucks lol..

Response to Php: Basic Guestbook 2006-11-13 11:13:25


But I don't wanna use javascript on my page :( That and guestbooks are tacky anyway, it's like "sign my book praising my site and boost my ego!" That and with everyone else saying that this gb is insecure, then no one should be using it unless they learn how to make it secure.

You've also ruined the concept of a guestbook. People should be able to use quotes and they should be able to use basic html like bold, underline and italic (no links because that could be a disaster if it's bad and someone clicks on it). People shouldn't be afraid to post in a guestbook if someone has one on their website.

Response to Php: Basic Guestbook 2006-11-13 11:28:22


The only insecurity i can think of is people submitting loads and loads of spam...

Response to Php: Basic Guestbook 2006-11-13 11:31:31


At 11/13/06 11:28 AM, Jordan wrote: The only insecurity i can think of is people submitting loads and loads of spam...

That's why you need to learn more.

Response to Php: Basic Guestbook 2006-11-13 11:34:06


At 11/13/06 11:31 AM, seel wrote: That's why you need to learn more.

Say these insecurities then, and please don't say something like "There are too many to list".

Response to Php: Basic Guestbook 2006-11-13 11:56:24


Arbitrary HTML injection.
HTML can carry embedded scripts. Nasty scripts. Nasty scripts that run in the sandbox of your site.


Each time someone abuses hittest, God kills a kitten. Please, learn real collision testing.

Response to Php: Basic Guestbook 2006-11-13 12:07:15


At 11/13/06 11:56 AM, henke37 wrote: Arbitrary HTML injection.
HTML can carry embedded scripts. Nasty scripts. Nasty scripts that run in the sandbox of your site.

How would one go about doing this? All <, >, ' are blocked.

Response to Php: Basic Guestbook 2006-11-13 12:08:47


Or you could save yourself from a long code and use htmlspecialchars() ...


"My software never has bugs. It just develops random features. " - Unknown

[ FluxBB developer | Quickmarks 0.5.1 | Strings & Ints - my blog ]


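The tutorial's processpost.php and the htmlspecialchars() suggestion just above, combined into a hardened version. This is an added example, not Jordan's code or anything posted in the thread; it assumes the same index.html form, the same posts.js layout, and that the mbstring extension is available for mb_strlen(). Instead of denylisting three characters, it encodes every value for the context it lands in: HTML entities first, then a JSON-encoded JavaScript string literal.

```php
<?php
// Hardened processpost.php (added example, not the tutorial's own code).
// Assumes mbstring for mb_strlen(); everything else is core PHP.
function readField($name, $maxLen) {
    // A missing field becomes '', which the emptiness check then rejects.
    $value = isset($_POST[$name]) ? trim((string) $_POST[$name]) : '';
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    return $value;
}
function buildEntry($username, $message) {
    // Step 1: htmlspecialchars() turns <, >, &, " and ' into entities, so
    // the text is inert once document.write() parses it as HTML.
    $u = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    $m = nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'));
    $row = "<tr><td><b>Name:</b></td><td>$u</td></tr>"
         . "<tr><td><b>Message:</b></td><td>$m</td></tr>";
    // Step 2: json_encode() emits a complete JS string literal with quotes,
    // backslashes, newlines and U+2028/2029 escaped, so nothing in the post
    // can close the literal or the document.write() call. It returns false
    // on invalid UTF-8, which is treated as a rejected post.
    $literal = json_encode($row);
    if ($literal === false) {
        return null;
    }
    return "\ndocument.write($literal);";
}
$username = readField('username', 30);
$message  = readField('message', 100);
$entry    = ($username !== null && $message !== null)
          ? buildEntry($username, $message) : null;
if ($entry === null) {
    echo 'A name (max 30 chars) and a message (max 100 chars) are required.';
    exit;
}
// Exclusive lock so two simultaneous posts cannot interleave their bytes.
$fp = fopen('posts.js', 'a');
if ($fp === false || !flock($fp, LOCK_EX)) {
    echo 'Could not open the guestbook file.';
    exit;
}
fwrite($fp, $entry);
flock($fp, LOCK_UN);
fclose($fp);
// Relative redirect: no hard-coded domain and no inline script needed.
header('Location: index.html');
```

With this in place the quote and HTML bans in the help text are no longer needed, since a quote or tag in a post is shown literally rather than interpreted.
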
Response to Php: Basic Guestbook 2006-11-14 18:15:42


Very nice tutorial.

You might want to post it in PHP: Main :)

Response to Php: Basic Guestbook 2006-11-14 21:29:26


The only problem I see is

else if(strstr($message, '<')){

that should be

else if(strstr($message, '<')===FALSE){

(and this goes for all of the if..strstr statements)

If < is the first character of the $message variable, the function will return 0, which will pass.
You want strict equality to FALSE to check to see if FALSE was returned.



Response to Php: Basic Guestbook 2006-11-16 18:28:22


At 11/14/06 09:29 PM, authorblues wrote: that should be

else if(strstr($message, '<')===FALSE){
(and this goes for all of the if..strstr statements)

No, the way it was done without the false works fine, however, in php the code is "elseif" not "else if" I think, but I might be wrong.

Response to Php: Basic Guestbook 2007-01-14 12:38:06


At 11/13/06 06:12 AM, henke37 wrote: And you are using javascript, that eliminates 10% of the web users.

Not really, actually Piczo, a huge website maker for those little teenage punks who can't code for beans, uses JavaScript, just their functions anyone can use and are very easy to exploit.