Things to do before submitting guestbook


arbitter

So I'm making a guestbook for my site. It's the first time I'm doing this, so I don't know what precautions to take. Does the whole page get messed up if someone types a quote? Or other things?

 

I've read about htmlentities(), but is that all I must do, or should I do more? And what about the striptags() and trim()?

 

Probably it's a simple solution, but I want to make sure nothing goes wrong...


Then all I get is these free scripts made out of dozens of files. That's not what I want. I already have mine, I just don't know what to do with the text that's given.

 

So I asked someone else if htmlentities itself is good, he said that'd be fine for me.

 

But when for example I type: '<font color='green'>blabla</font>' my script doesn't do anything. And no, I don't want to make the text green, I want it to save and display '<font color='green'>blabla</font>'.

 

Any help?


At the moment it sounds like you're not sanitizing your users' input. Failing to do this will make your script prone to SQL Injection attacks. To help prevent this you should use mysql_real_escape_string at minimum.

 

Allowing users to post HTML in your guestbook doesn't sound like a good idea either. If you're going to allow HTML to be posted you should limit them to certain HTML tags such as <b>, <i>, <u> etc. You can implement this using strip_tags. The alternative is to use BBCode tags such as [b], [i], and [u] etc. There are many tutorials on the net on making your own BBCode parser.


It was not my intention to let users use HTML, since they won't know that and it'll open up attacks. I was just trying some things to see if htmlentities worked fully.

 

BBCode sounds really interesting too, thanks a lot! Didn't know what that was called.


So for the BBCode parser:

 

I took this function from a website:

function bbcode_format($postje){
   // Convert all special HTML characters into entities to display literally
   $postje = htmlentities($postje);
   // The array of regex patterns to look for
   $format_search = array(
      '#\[b\](.*?)\[/b\]#is', // Bold ([b]text[/b])
      '#\[i\](.*?)\[/i\]#is', // Italics ([i]text[/i])
      '#\[u\](.*?)\[/u\]#is', // Underline ([u]text[/u])
      '#\[s\](.*?)\[/s\]#is', // Strikethrough ([s]text[/s])
      '#\[quote\](.*?)\[/quote\]#is', // Quote ([quote]text[/quote])
      '#\[code\](.*?)\[/code\]#is', // Monospaced code ([code]text[/code])
      '#\[size=([1-9]|1[0-9]|20)\](.*?)\[/size\]#is', // Font size 1-20px ([size=12]text[/size])
      '#\[color=([A-F0-9]{3}|[A-F0-9]{6})\](.*?)\[/color\]#is', // Font color ([color=FF0000]text[/color])
      '#\[url=((?:ftp|https?)://.*?)\](.*?)\[/url\]#i', // Hyperlink with descriptive text ([url=address]text[/url])
      '#\[url\]((?:ftp|https?)://.*?)\[/url\]#i', // Hyperlink ([url]address[/url])
      '#\[img\]((?:ftp|https?)://.*?(?:gif|jpe?g|png))\[/img\]#i' // Image ([img]url_to_image[/img])
   );
   // The matching array of strings to replace matches with
   $format_replace = array(
      '<strong>$1</strong>',
      '<em>$1</em>',
      '<span style="text-decoration: underline;">$1</span>',
      '<span style="text-decoration: line-through;">$1</span>',
      '<blockquote>$1</blockquote>',
      '<pre>$1</'.'pre>',
      '<span style="font-size: $1px;">$2</span>',
      '<span style="color: #$1;">$2</span>',
      '<a href="$1">$2</a>',
      '<a href="$1">$1</a>',
      '<img src="$1" alt="" />'
   );
   // Perform the actual conversion
   $postje = preg_replace($format_search, $format_replace, $postje);
   // Convert line breaks into the <br /> tag
   $postje = nl2br($postje);
   return $postje;
}

 

It doesn't work for some reason.

When I have a mysql database with "example"

I do:

while($rows=mysql_fetch_array($result)){
$postje = $rows['post'];
bbcode_format($postje);
$gbpost = "
<table width='400' border='0' align='center' cellpadding='0' cellspacing='1' bgcolor='#d7d7d7'>
<tr>
	<td>
		<table width='400' border='0' cellpadding='3' cellspacing='1' bgcolor='#ffffff'>
			<tr><td width='*' bgcolor='#e2e2e2' align='left'><b>" . $rows['naam'] . "</b></td><td bgcolor='#e2e2e2' align='right' width='80'>" . $rows['datum'] . "</td></tr>

			<tr>

				<td>   " . $postje . "</td>
			</tr>

		</table>
	</td>
</tr>
</table>
<BR>";
echo $gbpost;
}

 

but for the post itself, the BBCode still gets shown between brackets, so it doesn't show in bold...

Also another mysql question; how can I order my guestbook by date? Because if I move away a guestbook post, say I have guestbook ID's from 1 to 10 and I erase the 5th, the guestbook post with ID will come in place 5 with number 11, instead of just adding to the list.

(And actually, it'd be best if all came to the top of the list, that the latest gets shown first)
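As an added example (not code from the thread or from the site the function was taken from), here is a cut-down BBCode renderer together with the call site that fixes the problem described above: the return value of bbcode_format() was never assigned. The names bbcode_render, $post and the sample rows are this example's own.

```php
<?php
// Added example (not code from the thread): a small BBCode renderer plus the
// call site that fixes the bug in the post above, where the return value of
// bbcode_format() was never assigned, so the raw text was echoed. Function and
// variable names here ($post, bbcode_render) are this example's own.

function bbcode_render(string $post): string
{
    // Encode HTML first, so anything the visitor typed, such as
    // <font color='green'>, is displayed literally rather than rendered.
    $safe = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');

    // Only then translate a fixed set of BBCode tags into markup. URL
    // patterns require an explicit ftp/http/https scheme and no whitespace
    // or brackets, so the generated href is always one of those schemes.
    $search = [
        '#\[b\](.*?)\[/b\]#is',
        '#\[i\](.*?)\[/i\]#is',
        '#\[url=((?:ftp|https?)://[^\s\[\]]+)\](.*?)\[/url\]#i',
        '#\[url\]((?:ftp|https?)://[^\s\[\]]+)\[/url\]#i',
    ];
    $replace = [
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<a href="$1">$2</a>',
        '<a href="$1">$1</a>',
    ];
    return nl2br(preg_replace($search, $replace, $safe));
}

// Constructed sample rows standing in for mysql_fetch_array() results.
$rows = [
    ['naam' => 'arbitter', 'datum' => '2008-01-01',
     'post' => "[b]hello[/b]\n<font color='green'>shown as text</font>"],
    ['naam' => 'guest', 'datum' => '2008-01-02',
     'post' => '[url=http://example.com]site[/url] [url=foo://x]left alone[/url]'],
];

foreach ($rows as $row) {
    // The fix: assign the return value. Calling bbcode_format($postje) and
    // discarding the result leaves the variable unchanged, which is why the
    // brackets still showed.
    $post = bbcode_render($row['post']);
    $naam = htmlspecialchars($row['naam'], ENT_QUOTES, 'UTF-8');
    $datum = htmlspecialchars($row['datum'], ENT_QUOTES, 'UTF-8');
    echo "<p><b>$naam</b> $datum<br>$post</p>\n";
}
```

The first row renders the [b] tag as <strong> while the <font> tag appears as literal text; in the second row only the http URL becomes a link, the foo:// one stays as typed.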

 



You can order your guestbook using the MySQL 'ORDER BY'.

see: http://dev.mysql.com/doc/refman/5.1/en/select.html

 

And... I think you should try to keep 1 subject in 1 thread... (I hope it's in the forum rules somewhere...)
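Added example, not code from the thread: it puts together the two points raised in this thread, binding query parameters instead of escaping them by hand (prepared statements here, in place of the mysql_real_escape_string advice above) and ordering the listing with ORDER BY so a deleted row leaves no visible hole. It assumes PHP with the pdo_sqlite extension and an in-memory database; the table name guestbook is assumed, the columns naam, datum and post follow the poster's code, and the rows are constructed.

```php
<?php
// Added example (not the thread's code). Assumes pdo_sqlite; the table name
// "guestbook" is assumed, the columns follow the poster's own code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    naam  TEXT NOT NULL,
    datum TEXT NOT NULL,   -- ISO-8601, so text order equals date order
    post  TEXT NOT NULL)');

// Values are bound as parameters, never concatenated into the SQL, so a
// quote in the name or post is plain data and cannot change the statement.
$insert = $db->prepare(
    'INSERT INTO guestbook (naam, datum, post) VALUES (:naam, :datum, :post)');

// Constructed sample posts.
$samples = [
    ['Ann',     '2008-03-01 10:00:00', 'first'],
    ["O'Brien", '2008-03-02 09:30:00', "it's fine"],
    ['Bob',     '2008-03-02 09:15:00', 'third'],
];
foreach ($samples as [$naam, $datum, $post]) {
    $insert->execute([':naam' => $naam, ':datum' => $datum, ':post' => $post]);
}

// Deleting a row leaves a gap in id (1, 3, 4); the listing below does not
// depend on the ids being contiguous.
$db->exec('DELETE FROM guestbook WHERE id = 2');
$insert->execute([':naam' => 'Cara', ':datum' => '2008-03-03 08:00:00',
                  ':post' => 'newest']);

// Newest first: order by the timestamp, with id as a tie-breaker.
$rows = $db->query('SELECT id, naam, datum, post FROM guestbook
                    ORDER BY datum DESC, id DESC')->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // Output encoding happens at display time; the database keeps raw text.
    printf("%d %s %s: %s\n", $row['id'],
        htmlspecialchars($row['datum'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['naam'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['post'], ENT_QUOTES, 'UTF-8'));
}
```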
