Hudzilla.org - the homepage of Paul Hudson

22.2.3     Problems in paradise: Guestbook v2


Even our simple guestbook has problems, for a variety of reasons. Firstly, all fields are currently optional, which means we can get entries like this: "Posted by on 24th of March 2004" - not ideal. Secondly, people can add HTML to their posts freely, and thereby take over our site in any number of ways. Finally, visitors can post all sorts of obscenities on our guestbook, as we make no attempt to filter anything out.

So, it is time to reanalyse the guestbook design and have a think about where we can solve these problems. It is relatively simple to have all fields required, using code something like this:

if (!empty($_POST['GuestName']) && !empty($_POST['GuestEmail']) && !empty($_POST['GuestMessage'])) {
    // all three fields were supplied, so the entry can be saved
}

Note that empty() does not generate an error if the variable is not set, so this should work fine. It is also possible to have empty variables replaced with a text value along the lines of "no value provided", e.g.:

if (empty($_POST['GuestName'])) { $GuestName = "Anonymous Coward"; }

As you can see, it is not difficult, so do not spend too much time thinking about it right now. Stripping HTML tags is also simple, thanks to the strip_tags() function, so again do not worry about this. The main problem is the filtering required for messages - as it stands, our visitors can post whatever they want, which may not be appropriate for your site. While it is of course impossible to automatically filter out content based on meaning (racism, sexism, etc.), it is certainly easy to filter out content based on words, which means it is easy to match and filter swear words from our guestbook.

Naturally I am not about to list a load of swear words here for the guestbook to ban, as it would hardly be fit to print! So, for the sake of this example, "dog" and "hamster" are the words we will be filtering. Filtering can either be done at the time of submission, or it can be done at the time of display; both have their advantages. The advantage of filtering at submission (removing unsavoury content before it gets into the database) is speed - you only need to filter it once. The advantage of filtering at display time (that is, storing content unfiltered and filtering it live each time read.php is loaded) is that you always have a copy of the original text - this is helpful if you later amend the words you filter, as the change takes effect on all messages immediately.
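As an added example (not the book's own code), the script below puts the three fixes described above into one pass: the required-field check with "Anonymous Coward" as the fallback name, strip_tags() at submission time, and the "dog"/"hamster" filter applied at display time so that an edited word list takes effect on every stored message, as the text describes. Field names follow the book's form (GuestName, GuestEmail, GuestMessage); the two sample submissions standing in for $_POST are constructed, and the script runs from the command line with no database. Two things go beyond the text: the blank check also rejects whitespace-only fields, and htmlspecialchars() is applied on output regardless of what strip_tags() removed earlier, because stripping tags does not neutralise quotes or stray angle brackets.

```php
<?php
// Added example, not code from the book: validate, tidy and display one guestbook
// entry. The field names follow the book's form; the submissions at the bottom
// are constructed so the script runs from the command line without a web server.
declare(strict_types=1);

// The words we refuse to show, as in the book. Filtering happens when an entry is
// displayed (the stored text is left intact), so editing this list changes every
// entry at once.
const BANNED_WORDS = ['dog', 'hamster'];

// Stricter than a bare !empty(): a field made only of spaces also counts as missing.
function isBlank(array $post, string $field): bool
{
    return !isset($post[$field]) || trim((string) $post[$field]) === '';
}

// Markup is removed at submission time; renderEntry() still escapes on output.
function cleanField(array $post, string $field): string
{
    return trim(strip_tags((string) ($post[$field] ?? '')));
}

// Validate and tidy a submission. Returns ['ok' => true, 'entry' => [...]] on
// success or ['ok' => false, 'errors' => [...]] otherwise. The message is kept
// unfiltered, ready to be stored.
function processSubmission(array $post): array
{
    $errors = [];
    foreach (['GuestEmail', 'GuestMessage'] as $field) {
        if (isBlank($post, $field)) {
            $errors[] = "$field is required";
        }
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    // The name is optional but never left blank, as in the book's second snippet.
    $name = isBlank($post, 'GuestName') ? 'Anonymous Coward' : cleanField($post, 'GuestName');
    return ['ok' => true, 'entry' => [
        'name'    => $name,
        'email'   => cleanField($post, 'GuestEmail'),
        'message' => cleanField($post, 'GuestMessage'),
        'date'    => date('jS \o\f F Y'),   // e.g. "24th of March 2004"
    ]];
}

// Replace each banned word with asterisks of the same length, ignoring case.
// The \b anchors stop "dog" from matching inside "dogma"; like any word list this
// judges spelling, not meaning, which is the limitation the text points out.
function censor(string $text, array $banned): string
{
    foreach ($banned as $word) {
        $pattern = '/\b' . preg_quote($word, '/') . '\b/i';
        $text = preg_replace_callback(
            $pattern,
            fn (array $m): string => str_repeat('*', strlen($m[0])),
            $text
        );
    }
    return $text;
}

// Build the HTML for one stored entry. Escaping happens here, on every display:
// strip_tags() at submission is not a substitute, since quotes and a stray '<' survive it.
function renderEntry(array $entry): string
{
    $esc = fn (string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        "<p>Posted by %s on %s</p>\n<blockquote>%s</blockquote>\n",
        $esc($entry['name']),
        $esc($entry['date']),
        nl2br($esc(censor($entry['message'], BANNED_WORDS)))
    );
}

// Constructed sample submission standing in for $_POST (not a real post).
$goodPost = [
    'GuestName'    => '   ',   // blank, so the default name is used
    'GuestEmail'   => 'rex@example.com',
    'GuestMessage' => "My Dog and my hamster say hi!\nSee <a href=\"http://example.com\">this</a> & that.",
];
$result = processSubmission($goodPost);
if ($result['ok']) {
    echo renderEntry($result['entry']);
}

// Constructed submission with no email or message: rejected with a list of errors.
$badPost = ['GuestName' => 'Rex'];
$rejected = processSubmission($badPost);
if (!$rejected['ok']) {
    echo 'Rejected: ', implode('; ', $rejected['errors']), "\n";
}
```

Save it under any name (say guestbook_check.php, a name chosen here) and run it with the php command-line binary. The first submission comes out with the link stripped, the ampersand escaped and both banned words starred out; the second is refused before anything would reach the database. Because censor() runs inside renderEntry() rather than in processSubmission(), adding a word to BANNED_WORDS changes what every stored entry shows the next time read.php is loaded, which is the trade-off the text describes.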




