3 Replies Latest reply on Aug 28, 2007 3:19 PM by Newsgroup_User

    php simple guestbook problem

    Jos00
      hi,

      i've been modifying a simple guestbook file which was working fine on my old site but i've tried uploading it and i can't get it working at all.

      http://www.unearth-online.net/book/readbook.php

      as you can see, if you try filling out the form and submitting your entry it just seems to refresh the page without adding anything. i've set the permissions of the txt file to '666' so there's no problems there. i've zipped the files and uploaded them so if anyone could have a quick look and see if anything looks dodgy that'd be great. thanks

      http://www.unearth-online.net/guestbook.zip
        • 1. Re: php simple guestbook problem
          Level 7
          Jos00 wrote:
          > i've been modifying a simple guestbook file which was working fine on my old
          > site but i've tried uploading it and i can't get it working at all.

          There are two main problems: you're relying on register_globals being
          turned on, and your opening conditional logic isn't logical.

          What's register_globals? It's a PHP setting that automatically converts
          form input into variables with the same name, so name becomes $name,
          etc. It's massively unsecure, and the default has been to turn it off
          since 2002. However, a lot of badly run hosting companies switch it back
          on so that badly written scripts like yours don't break.

          The other problem is that you check whether magic quotes are turned on,
          but don't do anything about it if they're turned off. As a consequence,
          the following section of script will never run if magic quotes are off:

          if (get_magic_quotes_gpc()) {
          $name = stripslashes($name);
          $email = stripslashes($email);
          $rating = stripslashes($rating);
          $message = stripslashes($message);
          }

          Change it to this:

          if (get_magic_quotes_gpc()) {
              $name = stripslashes($_POST['name']);
              $email = stripslashes($_POST['email']);
              $rating = stripslashes($_POST['rating']);
              $message = stripslashes($_POST['message']);
          }
          else {
              $name = $_POST['name'];
              $email = $_POST['email'];
              $rating = $_POST['rating'];
              $message = $_POST['message'];
          }

          There is a shorthand way of writing this, but it's less easy to read,
          particularly if you're only a beginner with PHP.

          I don't know whether you got that script from a book or an online
          tutorial, but the code that you're using is very outdated, and comes
          from the days when the web was a more innocent place. Nowadays, you need
          to build a lot of security into PHP scripts, particularly when handling
          user input. Since you're writing only to a text file, it should be
          fairly harmless, but do try to find more up-to-date learning materials.
          Otherwise, you'll learn lots of bad habits.

          --
          David Powers, Adobe Community Expert
          Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
          Author, "PHP Solutions" (friends of ED)
          http://foundationphp.com/
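Added example, not part of the original thread or of David Powers's reply: one way to handle the four guestbook fields on a current PHP version, reading them explicitly from the request array, validating them, and escaping them only when the text file is rendered as HTML. It assumes PHP 7.1 or later (where magic quotes no longer exist, so there is no stripslashes step); the function names, length limits, 1-5 rating range and tab-separated file format are assumptions, and the sample input is constructed.

```php
<?php
// Added example, not code from the thread. Function names, limits,
// the 1-5 rating range and the file format are assumptions.

// Read one field explicitly from the request array (no register_globals).
function gb_field(array $post, string $key, int $maxLen): string
{
    $value = isset($post[$key]) && is_string($post[$key]) ? $post[$key] : '';
    // Collapse control characters (CR, LF, tab included) so an entry can
    // never span lines or forge a field separator in the text file.
    $value = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr(trim($value), 0, $maxLen);
}

// Validate the four fields named in the thread; null means "reject".
function gb_build_entry(array $post): ?array
{
    $name    = gb_field($post, 'name', 60);
    $email   = gb_field($post, 'email', 120);
    $rating  = gb_field($post, 'rating', 1);
    $message = gb_field($post, 'message', 1000);
    if ($name === '' || $message === '') return null;
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) return null;
    if (!ctype_digit($rating) || (int) $rating < 1 || (int) $rating > 5) return null;
    return [$name, $email, $rating, $message];
}

// Append as one tab-separated line; LOCK_EX serialises concurrent posts.
function gb_append(string $file, array $entry): bool
{
    $line = implode("\t", $entry) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Escape at output time, where the stored text meets HTML.
function gb_render_line(string $line): string
{
    $cells = array_map(function ($v) {
        return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }, explode("\t", rtrim($line, "\n")));
    return '<p>' . implode(' | ', $cells) . '</p>';
}

// Constructed sample input standing in for $_POST.
$post = ['name' => "Ann\r\nFake\tentry", 'email' => 'ann@example.org',
         'rating' => '4', 'message' => '<script>alert(1)</script> nice site'];
$file = tempnam(sys_get_temp_dir(), 'gb');
$entry = gb_build_entry($post);
if ($entry !== null && gb_append($file, $entry)) {
    foreach (file($file) as $line) echo gb_render_line($line), "\n";
}
unlink($file);
```

The constructed name contains a line break and a tab; both are collapsed to spaces before storage, and the markup in the message is shown as text rather than executed when the entry is rendered.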
          • 2. Re: php simple guestbook problem
            Jos00 Level 1
            ah ok...cheers

            so it'd be better to do a new one using MySQL as well right? rather than trying to fix a rubbish script, lol
            • 3. Re: php simple guestbook problem
              Level 7
              Jos00 wrote:
              > so it'd be better to do a new one using MySQL as well right? rather than trying to fix a rubbish script, lol

              If you want to do anything with PHP and/or MySQL, you would be well
              advised to make sure that you're working with secure scripts. Although a
              lot of hosting companies still offer only PHP 4, official support for
              PHP is being dropped at the end of this year. Learn to code to PHP 5
              standards now. Except for advanced stuff, 98% of PHP 5 code runs on PHP
              4 servers anyway.

              --
              David Powers, Adobe Community Expert
              Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
              Author, "PHP Solutions" (friends of ED)
              http://foundationphp.com/