What are the best practices for implementing a guestbook functionality in PHP, especially in terms of data handling and security?
When implementing a guestbook functionality in PHP, it is important to ensure proper data handling and security measures are in place to prevent vulnerabilities such as SQL injection and cross-site scripting attacks. To mitigate these risks, use prepared statements for database queries, validate user input to prevent malicious code injection, and sanitize output to prevent XSS attacks.
<?php
// Establish connection to the database
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "guestbook";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// Validate and sanitize user input
$name = mysqli_real_escape_string($conn, $_POST['name']);
$message = mysqli_real_escape_string($conn, $_POST['message']);
// Insert data into the database using prepared statements
$stmt = $conn->prepare("INSERT INTO entries (name, message) VALUES (?, ?)");
$stmt->bind_param("ss", $name, $message);
if ($stmt->execute()) {
echo "New entry added successfully";
} else {
echo "Error: " . $stmt->error;
}
$stmt->close();
$conn->close();
?>