Add a Guest to a PHP Guestbook
In the code below, we show one third of the code needed for a website guestbook. The code in which the sign-in data gets submitted via an HTML form is in the file PHP-guestbook.php, explained in Script to Sign In to Guestbook. And the code in which the guestbook data gets viewed is in the file view-our-guestbook.php, explained in Script to View Our Guestbook.
According to Wikipedia, "a guestbook is a paper or electronic means for a visitor to acknowledge their visitation to a site, physical or web-based, and leave their name, postal or electronic address (if desired), and a comment or note, if desired." Paper-based guestbooks are traditional in hotels, churches, at weddings, funerals, bed and breakfasts, museums and other private facilities. Even some private homes maintain guestbooks. Funeral homes maintain guestbooks, and online memorials keep alive the memory of the dearly departed. Using guestbooks, you can build a sense of community with your site visitors and get feedback from them as well.


This script processes the data sent to it by the form on the PHP-guestbook.php page (that form's action attribute points here), so it is the form's handling script. It truncates fields that are too long, throws out unacceptable characters, and escapes the data for the query before inserting it into the MySQL database table called guestbook.
Now—on to the script code:
After using the config.php file to get the necessary magic words for the db connection, we put all the data POSTed to this script into PHP variables. Then we use the built-in PHP date() function to put the date and time into the variable $datetime. Use a four-digit year and a 24-hour clock, the format string "Y-m-d H:i:s", so the value matches what a MySQL DATETIME column stores; the lowercase "y" and "h" formats give a two-digit year and a 12-hour hour with no am/pm marker, which sorts wrongly and silently loses information.
Next, if they gave the correct answer to the captcha question, the rest of the script runs. If not, what runs is the else at the end of the script, in which an alert box displays "Wrong captcha answer." and the user is returned to the sign-in page, PHP-guestbook.php. The comparison happens server-side, which is the right place for it, but because the answer is one fixed word it only stops bots that have never read the form; anyone who submits once knows the answer forever.
If they solved the captcha, the script next truncates all the POSTed data with the PHP substring function substr() so each field fits its column. Then regular expression whitelist patterns are defined for name, email/URL, and comment, respectively. You may decide for yourself which characters are allowed and which are not. Next, the PHP strip_tags() function removes all HTML tags, dangerous and harmless alike, from the data. Tags in a guestbook entry are not an attack on MySQL at all; they are a cross-site scripting attempt aimed at whoever later views the guestbook, so the view script must also HTML-encode everything it prints (htmlspecialchars()) rather than trusting that this filter ran. (Take THAT, you nasty tags.)
Next, all the unacceptable characters vanish in a puff of smoke via the preg_replace() function, replaced by an empty string, i.e., nothing, nada, bupkiss, zip. (Take THAT, you nasty characters.) Note that neither strip_tags() nor the character whitelists protect the database: the comment pattern deliberately allows quotes, semicolons and hyphens, which is all an injected SQL fragment needs. What makes the data (relatively) safe to put in the query is mysql_real_escape_string(), which escapes it according to the character set of the open connection, so config.php should set that character set with mysql_set_charset() rather than relying on the server default. Don't put user-supplied stuff into your db without it, unless only YOU, the trusted webmaster, are entering it, either via this script or directly into the table via phpMyAdmin, an open source tool written in PHP for administering MySQL over the web. It is, we have found from experience, invaluable if you use MySQL databases. Be aware that the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; on any current PHP the equivalent is a prepared statement with bound parameters via mysqli or PDO, which keeps user data out of the SQL text altogether instead of escaping it.
Finally, we insert the data, all filtered and washed and sparkly clean, into the db table. If the MySQL query worked, we give the user the message "Entries were made OK." followed by a link that lets them view the guestbook. If the INSERT failed, the JavaScript alert "Entries were NOT made—something went wrong." shows up and the user is sent back to the sign-in page. Note that the success message is echoed HTML and the failure message is a JavaScript alert. We use an alert when the script must pause until the user clicks OK before window.location="somepage.php" sends them back to the calling page, and plain echoed text when the script leaves the user where they are. The caveat is that a visitor with JavaScript disabled sees an empty page on the failure path, so if that matters to you, echo the error text as well.
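The same handler written the way it would be done on a current PHP release, as an added example that is not the tutorial's own code: the tutorial's field lengths, character whitelists and table layout are kept, but the mysql_* calls are replaced by a PDO prepared statement with bound parameters, and the datetime uses a four-digit year and 24-hour clock. The DSN, credentials and the sample POST array are placeholders constructed for the example (the tutorial loads its connection details from config.php); the injected comment shows why escaping or binding, not the character filters, has to carry the load.

```php
<?php
// Added example, not the tutorial's code: guestbook insert with PDO prepared
// statements (the mysql_* extension was removed in PHP 7.0).
declare(strict_types=1);

// Field lengths from the tutorial's substr() calls.
const MAX_LEN = ['name' => 42, 'email' => 62, 'websiteURL' => 62, 'comment' => 200];

// Same whitelists as the tutorial's $pattern1..$pattern3. These keep stored
// text tidy; they do NOT stop SQL injection. The prepared statement does that.
const PATTERNS = [
    'name'       => '/[^a-zA-Z0-9_\s]/',
    'email'      => '/[^a-zA-Z0-9.,!;\-_*@=+$\/&\[\]#?\':()]/',
    'websiteURL' => '/[^a-zA-Z0-9.,!;\-_*@=+$\/&\[\]#?\':()]/',
    'comment'    => '/[^a-zA-Z0-9\s.,!;\-_"?\':()]/',
];

/** Truncate to the tutorial's lengths, strip tags, drop disallowed characters. */
function filterGuestFields(array $post): array
{
    $out = [];
    foreach (MAX_LEN as $field => $len) {
        // A missing field becomes '' instead of raising an "undefined index" notice.
        $value = substr((string)($post[$field] ?? ''), 0, $len);
        $value = strip_tags($value);
        $out[$field] = preg_replace(PATTERNS[$field], '', $value);
    }
    return $out;
}

/** Insert one guestbook row; returns true on success. */
function addGuest(PDO $db, array $fields): bool
{
    // Column names are fixed in the SQL text; every user value travels as a
    // bound parameter, so a quote in $fields['comment'] cannot alter the query.
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, websiteURL, comment, datetime)
         VALUES (:name, :email, :websiteURL, :comment, :datetime)'
    );
    return $stmt->execute([
        ':name'       => $fields['name'],
        ':email'      => $fields['email'],
        ':websiteURL' => $fields['websiteURL'],
        ':comment'    => $fields['comment'],
        // Four-digit year, 24-hour clock: what a MySQL DATETIME column stores.
        ':datetime'   => date('Y-m-d H:i:s'),
    ]);
}

// Constructed request, not real traffic: tags in the name and an injection
// attempt in the comment. In the live script this would be $_POST.
$post = [
    'name'       => 'Mallory <b>bold</b>',
    'email'      => 'mallory@example.com',
    'websiteURL' => 'http://example.com/~m',
    'comment'    => "nice site'); DROP TABLE guestbook; --",
    'answer'     => 'of',
];

if (strip_tags($post['answer'] ?? '') !== 'of') {
    echo "Wrong captcha answer.\n";
    exit;
}

$fields = filterGuestFields($post);
// The name is now "Mallory bold", but the comment survives the whitelist intact:
// "'", ")", ";" and "-" are all allowed characters, so the filter alone would
// leave the injection in place. Only the bound parameter makes it inert.

try {
    // Placeholder DSN and credentials (assumption); the tutorial reads these from config.php.
    $db = new PDO('mysql:host=localhost;dbname=guestbook;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    echo addGuest($db, $fields) ? "Entries were made OK.\n" : "Entries were NOT made.\n";
} catch (PDOException $e) {
    // Log the detail server-side; never echo driver messages to the visitor.
    error_log($e->getMessage());
    echo "Entries were NOT made.\n";
}
```

Setting the charset in the DSN matters for the same reason mysql_set_charset() matters in the tutorial's version: the driver can only quote correctly for a character set it knows. With bound parameters the values never become part of the SQL string at all, so the filters above are reduced to what they are good at, keeping the guestbook readable.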
This file is named: add-a-guest-to-guestbook.php
<html>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>PHP Guestbook Add a Guest Script</TITLE>
<meta name="description" content="PHP Guestbook Add a Guest Script">
<meta name="keywords" content="PHP Guestbook Add a Guest Script,Guestbook Script,add guest,php,mysql,dhtml, DHTML">
</head>
<body>
<?php
include_once "config.php"; // opens the MySQL connection used by mysql_real_escape_string() and mysql_query()
$name=$_POST['name'];
$email=$_POST['email'];
$comment=$_POST['comment'];
$websiteURL=$_POST['websiteURL'];
$answer=$_POST['answer'];
$answer=strip_tags($answer);
// Four-digit year and 24-hour clock, the format a MySQL DATETIME column stores
$datetime=date("Y-m-d H:i:s");
if($answer=="of"){
$name=substr($name,0,42);
$email=substr($email,0,62);
$websiteURL=substr($websiteURL,0,62);
$comment=substr($comment,0,200);
$pattern1 = '/[^a-zA-Z0-9\\_\\s]/i';
$pattern2 = '/[^a-zA-Z0-9\\.\\,\\!\\;\\-\\_\\*\\@\\=\\+\\$\\/\\&\\[\\]\\#\\?\\047\\:\\(\\)]/i';
$pattern3 = '/[^a-zA-Z0-9\\s\\.\\,\\!\\;\\-\\_\\"\\?\\047\\:\\(\\)]/i';
$replacement = '';
$websiteURL=strip_tags($websiteURL);
$name=strip_tags($name);
$email=strip_tags($email);
$comment=strip_tags($comment);
$websiteURL=preg_replace($pattern2, $replacement, $websiteURL);
$comment=preg_replace($pattern3, $replacement, $comment);
$email=preg_replace($pattern2, $replacement, $email);
$name=preg_replace($pattern1, $replacement, $name);
// Escaping for the open connection's character set is what protects the query;
// the filters above only keep the stored text tidy
$name=mysql_real_escape_string($name);
$websiteURL=mysql_real_escape_string($websiteURL);
$email=mysql_real_escape_string($email);
$comment=mysql_real_escape_string($comment);
$sql="INSERT INTO guestbook(name, email, websiteURL, comment, datetime)
VALUES('$name', '$email', '$websiteURL', '$comment', '$datetime')";
$res=mysql_query($sql);
if($res){
echo "<div style='margin:100px 0 0 400px'>Entries were made OK.";
echo "<BR>";
echo "<a href='view-our-guestbook.php'>View our guestbook</a></div>";
}else{echo '<script language="javascript">alert("Entries were NOT made—something went wrong."); window.location="PHP-guestbook.php";</script>';}
}else{echo '<script language="javascript">alert("Wrong captcha answer."); window.location="PHP-guestbook.php";</script>';}
mysql_close();
?>
</body>
</html>