
Guestbook adding entry without checking fields

Ask Time:2014-10-15T14:17:12         Author:Evan Boyes


I got the code for this guestbook from a tutorial, but I decided to add some security and IP checking to it. I am learning PHP while doing this. The problem I'm having is that the if/else statements are not checking anything and just adding it to the database. Here's the code:

    if ($_POST['postbtn']) {
        $name     = strip_tags($_POST['name']);
        $email    = strip_tags($_POST['email']);
        $message  = strip_tags($_POST['message']);
        $answer   = 'abcdefg';
        $response = strtolower(strip_tags($_POST['answer']));

        // Check if all fields were filled out
        if ($name && $email && $message && $response) {
            $time = date("h:i A");
            $date = date("m/d/Y");
            $ip   = $_SERVER['REMOTE_ADDR'];
        } else {
            echo "<p style='color:red;'>You didn't fill out all of the fields.</p>";
        }

        // Check if security answer was correct
        if ($response === $answer) {
            echo "<p style='color:red;'>Security answer was incorrect.</p>";
        } else {
            // Check ip address
            $checkIP = mysql_query("SELECT ip FROM guestbook WHERE ip = '$ip'");
        }

        if (mysql_num_rows($checkIP) > 0) {
            echo "<p style='color:red;'>You already signed.</p>";
        } else {
            // add to the database
            mysql_query("INSERT INTO guestbook VALUES (
                            '', '$name', '$email', '$message', '$time', '$date', '$ip'
                        )");

            // refresh page
            header('Location: http://www.example.com/guestbook');
        }
    }

Author: Evan Boyes, reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/26375693/guestbook-adding-entry-without-checking-fields
Dorvalla :

    if (isset($_POST['postbtn'])) {

        // define variables after the check if the postbtn is pressed

        $name     = strip_tags($_POST['name']);
        $email    = strip_tags($_POST['email']);
        $message  = strip_tags($_POST['message']);
        $answer   = 'abcdefg';
        $response = strtolower(strip_tags($_POST['answer']));

        // Check if all fields were filled out. I turned it around for you: it now checks
        // if a field is empty; if so, produce an error, else continue

        if (empty($name) || empty($email) || empty($message) || empty($response)) {
            echo "<p style='color:red;'>You didn't fill out all of the fields.</p>";

        // Check if security answer was correct: you check here if it's correct and state "incorrect answer"

        } else if ($response != $answer) {
            echo "<p style='color:red;'>Security answer was incorrect.</p>";

        // so now we have all errors out of the way, let's go deeper

        } else {
            $time = date("h:i A");
            $date = date("m/d/Y");
            $ip   = $_SERVER['REMOTE_ADDR'];

            $checkIP = mysql_query("SELECT ip FROM guestbook WHERE ip = '$ip'");

            // check if we get anything back from the query
            if (mysql_num_rows($checkIP) > 0) {
                echo "<p style='color:red;'>You already signed.</p>";
            } else {
                mysql_query("INSERT INTO guestbook VALUES ('', '$name', '$email', '$message', '$time', '$date', '$ip')");
                // refresh page
                header('Location: http://www.example.com/guestbook');
            }
        }
    }

I did this out of my head, so don't shoot me down on it. I tried to point out where your flaws were. For example, you had a flaw in the checking of your variables, and you had a flaw in your security check (you actually would give an error message when you typed in the right security answer).

So to explain it all: in if statements, you need to go deep into the rabbit hole, as they say it nicely. Sometimes you need the else statement to continue and go deeper in. This way you can catch your errors better. For example, your code would insert into the database anyway, because even if you had an error it would just get to the point of entering it into the database. (Your answers would be ignored, because variables set inside an if/else statement can't be used outside of that loop. See it as a localized variable.)

But if you keep digging deeper in if/else statements, you can take them with you.

edit

Also, I indented the code for you, so you see how deep we go and how many if/else statements there actually are. If you have any questions, please don't hesitate ;)

edit2

I actually moved the response and answer check one if/else statement down and made it an else if to keep all errors near each other. You could also do this with the variable that checks num_rows, but I haven't done it. You could also toss that in an else if statement after the security check. This should also work, but to make it prettier, you can go the way I described.

In theory, this should work fine.
2014-10-15T07:34:14
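The answer fixes the control flow, but both versions above still build SQL by interpolating `$name`, `$email` and `$message` straight into the query string, and they treat `strip_tags` on input as the only defence against HTML in the output. The following is an added example, not code from the question or the answer: the same handler with the answer's "fail early, else go deeper" structure, but using PDO prepared statements so user input never becomes SQL text, a constant-time comparison for the security answer, and escaping at the point of output. It assumes PHP 7.0 or later, an existing PDO connection in `$pdo`, and a table `guestbook(id, name, email, message, time, date, ip)`; apart from `ip`, those column names are an assumption, since the original `INSERT` used positional values.

```php
<?php
// Added example (not the question's or the answer's code). Assumes PHP >= 7.0,
// a PDO connection in $pdo, and a guestbook table with the columns below; the
// column names other than ip are an assumption.
declare(strict_types=1);

const SECURITY_ANSWER = 'abcdefg';

/**
 * Read and validate the POSTed fields.
 * Returns ['error' => string] on failure or ['fields' => [...]] on success.
 */
function readEntry(array $post): array
{
    $name     = trim((string) ($post['name'] ?? ''));
    $email    = trim((string) ($post['email'] ?? ''));
    $message  = trim((string) ($post['message'] ?? ''));
    $response = strtolower(trim((string) ($post['answer'] ?? '')));

    // Explicit empty-string checks: empty("0") would be true and reject a valid message
    if ($name === '' || $email === '' || $message === '' || $response === '') {
        return ['error' => "You didn't fill out all of the fields."];
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['error' => 'That is not a valid email address.'];
    }
    // hash_equals compares in constant time and never type-juggles like == does
    if (!hash_equals(SECURITY_ANSWER, $response)) {
        return ['error' => 'Security answer was incorrect.'];
    }
    return ['fields' => ['name' => $name, 'email' => $email, 'message' => $message]];
}

/** True if this IP already has an entry. The IP is bound, not interpolated. */
function alreadySigned(PDO $pdo, string $ip): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM guestbook WHERE ip = :ip LIMIT 1');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

/** Insert one entry. Every value is a bound parameter, so quotes in $message are just data. */
function addEntry(PDO $pdo, array $fields, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO guestbook (name, email, message, time, date, ip)
         VALUES (:name, :email, :message, :time, :date, :ip)'
    );
    $stmt->execute([
        ':name'    => $fields['name'],
        ':email'   => $fields['email'],
        ':message' => $fields['message'],
        ':time'    => date('h:i A'),
        ':date'    => date('m/d/Y'),
        ':ip'      => $_SERVER['REMOTE_ADDR'],
    ]);
}

/** Escape at output time; this, not strip_tags on input, is what prevents injected HTML. */
function showError(string $text): void
{
    echo "<p style='color:red;'>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</p>";
}

if (isset($_POST['postbtn'])) {
    $ip     = $_SERVER['REMOTE_ADDR'];
    $result = readEntry($_POST);

    if (isset($result['error'])) {
        showError($result['error']);
    } elseif (alreadySigned($pdo, $ip)) {
        showError('You already signed.');
    } else {
        addEntry($pdo, $result['fields'], $ip);
        // 303 after a successful POST; exit because header() does not stop the script
        header('Location: http://www.example.com/guestbook', true, 303);
        exit;
    }
}
```

Two practical caveats. The stored `name`, `email` and `message` must also go through `htmlspecialchars` wherever the guestbook page prints them, since the prepared statement only protects the database, not the browser. And `$_SERVER['REMOTE_ADDR']` is the address of the TCP peer: behind a reverse proxy or load balancer it is the proxy's address, so the "one entry per IP" check would block everyone after the first visitor, while on the open internet it still lets one NAT'd office sign once and a single user with several addresses sign repeatedly. It is a nuisance filter, not an identity check.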