Wednesday 13 April 2011

PHP & MySQL - Simple Guestbook

Now that we have our environment set up and ready to go, I decided it would be a good time to start experimenting with PHP. Before we go any further, let's stick to tradition and start with hello, world.


<?php
echo "hello, world";
?>



Ok, now that the "hello, world" example is done, let's start working on the real task at hand, i.e. a PHP/MySQL powered guestbook.

The entire project is made up of the following 5 files:

index.php
inc_mysql_conn.php
par_db.php
list_all_entries.php
submit_entry.php


I will go through each of the above files throughout this post.

index.php

index.php is the main page and the only page the user interacts with; it lists all existing guestbook entries and provides the user with a form to input additional entries.



Although this entire PHP application could easily have been implemented in a single index.php file, it is considered bad practice to mix page markup with PHP code. I have therefore moved all PHP code into separate files residing in the /include directory, each of which is pulled in when required using the include() or include_once() function. It is important to use include_once() for files which should only be executed once, e.g. the MySQL connection include file: the connection only needs to be established once.

PHP includes

Line 9 - inc_mysql_conn.php is included; this assigns a database connection to the $db_conn variable, which is then available throughout the script.

Line 10 - submit_entry.php is included; this script is triggered only when the submit button is pressed and, after validating the entry, inserts it into the database.

Line 14 - list_all_entries.php is included; this script outputs all entries in the guestbook to the browser as an HTML table.

I will go through the PHP code on each of the above included files later in the post.

Input Form

The above HTML form submits data back to the index.php page using the POST method (line 18). Although for this application the GET method would have been fine, I usually prefer POST over GET just to keep the URL clear of query string clutter.

There are 3 visible text fields (name, email and comment) and one hidden field. Since the form posts to itself, the hidden field is used later by submit_entry.php, which reads its value to check whether the submit button has been pressed and therefore whether data needs to be inserted into the database.


inc_mysql_conn.php

This PHP file opens a MySQL connection to the database which can later be used in any part of the application.


This script opens a connection to a MySQL server, logging in with the credentials defined in the par_db.php script. Once included, it makes the $db_conn connection available throughout the execution, which is the main reason why this is usually one of the first scripts included in any project. It is considered good practice to unset any variables which are no longer required.

par_db.php

This PHP file defines the MySQL connection parameters. The primary reason this data is kept in a separate file is simply to avoid modifying files which contain functional logic whenever these parameters need to be altered.

The above script simply defines the credentials used to log in to the MySQL database.

list_all_entries.php

This code will output all guestbook entries in an HTML table, this page

This script retrieves all guestbook entries from the database and iterates through each record to output an HTML table to the browser; it is included whenever the guestbook entries are to be listed.

submit_entry.php


The above script is responsible for validating guestbook entries and inserting them into the database. It first checks whether the form has been submitted: since we are posting to the same page, we only want to execute the insert statement when the submit button has actually been pressed. The most common way of doing this is to place a hidden field on the form and then check whether that variable has been set using the isset() function.

I then validate the inputs to verify that all fields have been populated and, when valid, insert the values into the database by executing an INSERT statement.

The above code is considered safe against SQL injection attacks, as all user inputs are passed through the mysql_real_escape_string() function, which escapes special characters; it is still vulnerable to other injection attacks such as cross-site scripting.
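Two caveats a practitioner would want alongside that statement: mysql_real_escape_string() only protects values that are enclosed in quotes inside the SQL string, and the mysql_* extension it belongs to was removed in PHP 7. The following is an added example, not the post's code, showing how inc_mysql_conn.php, submit_entry.php and list_all_entries.php could be written with PDO prepared statements (so the SQL injection protection no longer depends on escaping each value) and with htmlspecialchars() on output to close the cross-site scripting gap noted above. The table name guestbook, its columns (name, email, comment), the hidden field name submitted and the keys of the parameter array are assumptions.

```php
<?php
// Added example, not the post's code: PDO equivalents of inc_mysql_conn.php,
// submit_entry.php and list_all_entries.php. Table/column names and the
// connection parameters are assumptions.
// inc_mysql_conn.php equivalent: one connection shared by both functions.
function db_connect(array $par): PDO
{
    $dsn = "mysql:host={$par['host']};dbname={$par['name']};charset=utf8mb4";
    return new PDO($dsn, $par['user'], $par['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]);
}

// submit_entry.php equivalent. Returns the message index.php should display.
function submit_entry(PDO $db, array $post): string
{
    // The hidden field is the signal that the submit button was pressed.
    if (!isset($post['submitted'])) {
        return '';
    }
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $comment = trim($post['comment'] ?? '');
    if ($name === '' || $email === '' || $comment === '') {
        return 'All fields are required.';
    }
    // Values travel as bound parameters, never spliced into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, comment) VALUES (:name, :email, :comment)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':comment' => $comment]);
    return 'Comment added...';
}

// list_all_entries.php equivalent: escape on output so markup or script stored
// in an entry is shown as text instead of running in the visitor's browser.
function list_all_entries(PDO $db): string
{
    $html = "<table>\n";
    foreach ($db->query('SELECT name, email, comment FROM guestbook') as $row) {
        $html .= '<tr>';
        foreach (['name', 'email', 'comment'] as $col) {
            $html .= '<td>' . htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}
```

index.php would call db_connect() once with the parameters from par_db.php, then echo the result of submit_entry($db, $_POST) followed by list_all_entries($db).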


Seeing it in action

The first time the page is loaded the user is only presented with the input form.


The user is now able to input guestbook entries simply by populating all fields and pressing the submit button. The data is validated prior to being inserted in the database and as you can see below, the submission was rejected because both the email address and comments field were left blank.

In the example below, all fields were populated and the comment was inserted into the database. The "Comment added..." success message and the actual comment are shown on screen immediately, as the form submits to itself, so no refresh is required.


The below screenshot shows how multiple comments would be displayed.


I have attached all sources mentioned above in the attachment below for anyone interested.
PHPsimpleGuestBook.rar
