satan165

ok, i updated my script with teh code you provided above. i noticed when viewing my SQL db that there were entries with bogus dates/times. i took it that this meant the spammers were making their entries directly to my db, and foregoing the actual guestbook script. and you are saying the use of the mysql_real_escape_string() will make this impossible in the future, correct? second, how can i integrate striptags() into the same statements to prevent HTML? how can i integrate htmlentities() into this script (the 'view' portion of my guestbook)? thank you very much for this much needed security lesson! [code] <?php $db = mysql_connect("localhost", "xxx", "xxx"); mysql_select_db("xxx",$db); $result = mysql_query("SELECT *,DATE_FORMAT(added, '%M %D %Y') AS the_date FROM guestbook ORDER BY id DESC",$db); while ($myrow = mysql_fetch_array($result)) {         printf("<b>%s</b><BR><h1>%s</h1><i>%s</i><hr>\n",         $myrow[1], $myrow[3], $myrow['the_date']); } ?> [/code]

any possible help on this?

jan 1st 1970 is the unix date (date unix was invented or something) its related to that

a while back i had to import some SQL data from one host to another. the old host 'gave' me a php guestbook, but the actual script was not accessible so i figured it out (and with some help from this forum) i was able to write my own new php guestbook and also use my existing sql data (from the old guestbook) all was well but now im getting crushed by spammers im well aware i could use any of 1 million other guestbooks from elsewhere that would more easily keep the spammers out but i want to keep my own since i worked so hard on it in the 1st place i want to make it so html is definately not allowed to be input in any field as well as URLs (maybe some 'keywords' to be disallowed could be: 'www', '.com', 'net', etc...) maybe they will just spam anyways and find ways around it but maybe it will slow things down at any rate, id apprecaite some help with a patch to this script that woudl take care of these things thank you all very much!! [code] <?php if (isset($_POST['submit'])) { $error = null; if(empty($_POST['name'])) {    $name = FALSE;    $error .= '<B>Please enter your name</b><br>'; } else {   $name = $_POST['name']; } if (empty($_POST['comment'])) {    $comment = FALSE;   $error .= '<B>Please enter comments</b>'; } else {   $comment = $_POST['comment']; } // if they are both filled out if ($name && $comment) { $db = mysql_connect("localhost", "XXX", "XXX");   mysql_select_db("XXX",$db);   $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('$name','$email','$comment','$added')";   $result = mysql_query($sql);   if ($result) {       echo "<h1>Thank you for signing the guestbook!</h1><p><a href='/guestbook.html'>return to guestbook...</a><BR>\n"; } } if (isset($error)) { echo $error; } } //submit else {   ?> <center> <h1>WWW.LOWPRO708.COM GUESTBOOK</h1><BR>   <form method="post" action="<?php echo $PHP_SELF?>">   <input type=hidden name="added" value="<?php echo date('Y-m-d h:i:s')  ?>">   <strong>Your Name: </strong><input type="Text" name="name"><p>   <strong>E-Mail Address: </strong><input type="Text" name="email"><br><I>Your address will not be subject to any unsolicited mail and<BR>will not be displayed in our guestbook publicly!</i><P>   <strong>Comment: </strong><input type="Text" size=55 name="comment"><p>   <input type="Submit" name="submit" value="Sign Guestbook">   </form> <?php } ?> [/code]