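<?php
/*
 * a simple guest book with escaping sql and html
 * using mysqli and htmlentities
 *
 * by Inndy @ 2013/12/01
 *
 * Layout of this file: this prelude connects to MySQL and makes sure the
 * `messages` table exists; the HTML below it holds the submit form, the
 * POST handler and the listing loop.
 */

// Silence PHP notices/warnings for visitors. NOTE(review): this hides them
// from the operator too -- display_errors=Off plus log_errors=On in php.ini
// keeps the error log while still showing nothing to users.
error_reporting(0);

// Report mysqli failures through return values (false / connect_errno), which
// is what the checks in this file test for. PHP >= 8.1 changed the default to
// throwing mysqli_sql_exception; combined with error_reporting(0) that would
// turn "Can't connect to DB." into a blank page.
mysqli_report(MYSQLI_REPORT_OFF);

// Connection settings. Each value can be overridden from the environment, so
// the literals below are only a local-development fallback.
//
// SECURITY: the password is committed in source (and has been published with
// this paste). Anyone who can read the file -- backups, a stray index.php~,
// a server that serves .php as text -- gets the database account. Keep the
// real credential in the environment or in a config file outside the
// document root, and rotate it now that it is public.
define("DB_HOST", getenv("GUESTBOOK_DB_HOST") ?: "127.0.0.1");
define("DB_USER", getenv("GUESTBOOK_DB_USER") ?: "guestbook");
define("DB_PASS", getenv("GUESTBOOK_DB_PASS") ?: "nr168crD2Uv8r62m");
define("DB_NAME", getenv("GUESTBOOK_DB_NAME") ?: "mysqli_sample_guestbook");

$db = new mysqli(DB_HOST, DB_USER, DB_PASS);
// connect_errno is the property that reports constructor failures. errno is
// not readable on an object whose connection never came up (PHP 8 warns
// "Property access is not allowed yet" and yields null), so the original
// check could never fire. The exit messages deliberately omit
// $db->connect_error so server details are not shown to visitors.
if ($db->connect_errno) {
    exit("Can't connect to DB.");
}
if (!$db->select_db(DB_NAME)) {
    exit("Can't select DB.");
}

// Pin the connection character set to the table's (utf8 = MySQL's 3-byte
// utf8mb3). Without this the bytes sent through the prepared statements are
// interpreted in whatever the server defaults to (latin1 on older MySQL) and
// UTF-8 input comes back mangled. A fresh deployment should use utf8mb4 for
// both the table and the connection so 4-byte characters (emoji) round-trip.
if (!$db->set_charset("utf8")) {
    exit("Can't set connection charset.");
}

// Best-effort schema bootstrap, kept from the original. The result is not
// checked on purpose: IF NOT EXISTS still requires the CREATE privilege, and
// an account restricted to INSERT/SELECT (the least privilege this page needs
// once the table exists) would otherwise stop working. name and msg are
// capped at 128/4096 characters by the schema -- measured after HTML
// encoding, so the effective limit on raw input is smaller.
$db->query("CREATE TABLE IF NOT EXISTS `messages` ( `mid` int(11) NOT NULL AUTO_INCREMENT, `name` varchar(128) NOT NULL, `age` int(11) NOT NULL, `msg` varchar(4096) NOT NULL, PRIMARY KEY (`mid`)) AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;");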
?><!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<title>mysqli sample guestbook</title>
<style type="text/css">
html, body, div { margin: 0; padding: 0; line-height: 1; }
body { font-family: sans-serif; background-color: #333; color: #EEE; text-shadow: 0 0 1px black; }
input[type=text], textarea { width: 100%; outline: 0; }
label { cursor: pointer; display: block; }
button {
background-color: #63C;
border: 0;
border-radius: 4px;
color: #DDD;
padding: 6px 16px;
}
button:hover {
background-color: #84F;
color: #FFF;
}
button:active {
background-color: #429;
color: #CCC;
}
pre { word-wrap: break-word; }
#content { max-width: 1000px; margin: 0 auto; }
table { border-collapse: collapse; width: 100%; max-width: 100%; }
th, td { padding: 6px 8px; }
#table_form td { text-align: right; }
#msgs td { border: 1px solid white; }
</style>
</head>
<body>
<div id="content">
<h1>MySQLi Sample Guest Book</h1>
<hr />
<h2>Leave a message!</h2>
<form action="index.php" method="post">
<input type="hidden" name="act" value="new_msg" />
<table id="table_form">
<tr>
<th><label for="name">Name</label></th>
<td><input type="text" name="name" id="name" /></td>
</tr>
<tr>
<th><label for="age">Age</label></th>
<td><input type="text" name="age" id="age" /></td>
</tr>
<tr>
<th><label for="msg">Message</label></th>
<td><textarea name="msg" id="msg" cols="30" rows="10"></textarea></td>
</tr>
<tr><td colspan="2"><button type="submit">Submit</button></td></tr>
</table>
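<?php
/**
 * HTML-encode one submitted form field for storage.
 *
 * The guest book encodes on the way *in* and echoes stored rows as-is (see
 * the listing loop further down). That is the reverse of the usual
 * store-raw / escape-on-output rule; it is kept because rows already in the
 * table are encoded and would display double-escaped otherwise.
 *
 * @param mixed $value raw $_POST value. Anything that is not a string (a
 *                     missing field, or name[]=... sent as an array) is
 *                     treated as empty instead of being passed to
 *                     htmlentities(), which rejects arrays on PHP 8.
 * @return string the encoded value. ENT_QUOTES also encodes single quotes,
 *                so the text is safe inside attributes too; ENT_SUBSTITUTE
 *                replaces invalid UTF-8 with U+FFFD instead of returning ''
 *                for the whole field (the pre-8.1 default behaviour).
 */
function guestbook_encode_input($value)
{
    if (!is_string($value)) {
        return '';
    }
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (isset($_POST['act']) && $_POST['act'] === "new_msg") {
    // NOTE(review): the form carries no CSRF token and there is no rate
    // limit, so any third-party page can make a visitor's browser post
    // entries here. A per-session token in the form, checked at this point,
    // is the standard fix.
    // NOTE(review): no Post/Redirect/Get either -- reloading the page after
    // a submit stores the entry a second time.

    // Copy into plain locals: missing keys become '' without notices, and
    // bind_param() takes its arguments by reference.
    $name = guestbook_encode_input(isset($_POST['name']) ? $_POST['name'] : null);
    $text = guestbook_encode_input(isset($_POST['msg']) ? $_POST['msg'] : null);
    // `age` is an int column; (int) gives the same value the "i" binding
    // produced for numeric input and a predictable 0 for anything else.
    $age = isset($_POST['age']) && is_string($_POST['age']) ? (int) $_POST['age'] : 0;

    // Values travel as bound parameters and are never spliced into the SQL,
    // so quoting is the driver's job -- no escaping on top of that.
    $ok = false;
    $st = $db->prepare("INSERT INTO `messages` VALUES(NULL, ?, ?, ?)");
    // prepare() returns false when the table is missing or the SQL is
    // rejected; the original then called bind_param() on false (fatal).
    if ($st !== false) {
        // bind types: s = string, i = integer, d = double, b = blob
        $st->bind_param("sis", $name, $age, $text);
        $ok = $st->execute();
        $st->close();
    }

    echo $ok
        ? '<p style="color: #3F3;">Your message have been recorded successfully.</p>'
        : '<p style="color: #F33; font-weight: bold;">Your message recorded failed.</p>';
}
?>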
</form>
<hr />
<h2>Messages</h2>
<table id="msgs">
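<?php
// List every stored entry, oldest first. Without ORDER BY the server may
// return rows in any order; `mid` is the auto-increment key, so it gives
// insertion order.
$msgs = $db->query("SELECT `mid`, `age`, `name`, `msg` FROM `messages` ORDER BY `mid`");
if ($msgs === false) {
    // query() failed (table missing, privilege revoked): show an empty list
    // instead of warning on foreach-over-false.
    $msgs = [];
}

// Output escaping. Rows were HTML-encoded when stored, so normally nothing is
// left to escape; double_encode=false keeps those entities intact (&lt; stays
// &lt;) while raw markup that reached the table some other way -- direct SQL,
// an import, an older version of this script -- is still neutralised.
// Escaping at the point of output is what actually prevents stored XSS; the
// encode-on-input step alone is no guarantee.
$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
};
foreach ($msgs as $data):
?>
<tr>
<td style="width: 30px;">#<?php echo (int) $data['mid']; ?></td>
<td style="width: 70px;">Age: <?php echo (int) $data['age']; ?></td>
<td><?php echo $esc($data['name']); ?></td>
</tr>
<tr>
<td colspan="3"><?php echo $esc($data['msg']); ?></td>
</tr>
<?php endforeach; ?>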
</table>
<br />
<p style="text-align: center; font-size: 75%;">By <a style="color: #39F;" href="http://inndyxd.blogspot.tw">Inndy</a></p>
</div>
</body>
</html>