Reviving a Vulnerable PHP Guestbook
Description
This ancient PHP guestbook script demonstrates common vulnerabilities found in early web applications. It interpolates user input directly into a SQL query string, leaving it wide open to SQL injection attacks.
Original Code (Outdated)
<?php
// Legacy guestbook, kept here for contrast with the updated version below.
// It uses the ext/mysql API (mysql_connect, mysql_query, ...), which was
// deprecated in PHP 5.5 and removed in PHP 7.0, so it no longer runs on a
// supported PHP release.
$dbhost = 'localhost';
$dbuser = 'user';
$dbpass = 'password';
$dbname = 'guestbook';
// No error handling: a failed connection or database selection is ignored
// and every later call operates on an invalid handle.
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);
if (isset($_POST['message'])) {
// Untrusted POST data is taken as-is ...
$message = $_POST['message'];
// ... and interpolated straight into the SQL text. This is the SQL
// injection point: the message is never separated from the query syntax.
// The fix is a parameterised query, as in the updated code.
$sql = "INSERT INTO entries (message) VALUES ('$message')";
mysql_query($sql);
}
$result = mysql_query("SELECT * FROM entries");
while ($row = mysql_fetch_assoc($result)) {
// Stored messages are echoed without HTML escaping. This is a second,
// independent defect (stored XSS): output must be escaped for the HTML
// context regardless of how the value reached the database.
echo "<p>". $row['message'] . "</p>";
}
mysql_close($conn);
?>
Updated Code (Modern)
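<?php

declare(strict_types=1);

// Guestbook: stores a POSTed message, then renders every stored entry.
// Credentials are hard-coded only because the example above did so; in a
// real deployment read them from the environment or a config file that
// lives outside the web root.
$dbhost = 'localhost';
$dbuser = 'user';
$dbpass = 'password';
$dbname = 'guestbook';

try {
    // charset=utf8mb4 in the DSN keeps the connection's character set in
    // sync with the driver's escaping; ATTR_EMULATE_PREPARES=false makes the
    // server bind the parameters instead of PDO splicing them into the query
    // text client-side. Both are needed for the prepared statement below to
    // give the separation of data and SQL it is meant to give.
    $pdo = new PDO(
        "mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4",
        $dbuser,
        $dbpass,
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ],
    );
} catch (PDOException $e) {
    // The driver message can carry the host name, user name and other
    // connection details. Log it server-side and give the client a generic
    // error rather than echoing it into the page.
    error_log('Guestbook database connection failed: ' . $e->getMessage());
    http_response_code(503);
    exit('The guestbook is temporarily unavailable.');
}

// NOTE(review): the form that posts here is not shown. This handler performs
// no CSRF token check; the form should carry one and it should be verified
// here before anything is written.
if (isset($_POST['message'])) {
    $rawMessage = $_POST['message'];
    // $_POST values may be arrays (message[]=x). trim() on an array throws a
    // TypeError in PHP 8, so reject anything that is not a string first.
    if (!is_string($rawMessage)) {
        http_response_code(400);
        exit('Invalid message.');
    }
    $message = trim($rawMessage);
    if ($message === '') {
        http_response_code(400);
        exit('Message is empty!');
    }
    // Count characters, not bytes: strlen() would reject a short multibyte
    // message or mis-measure one near the limit.
    if (mb_strlen($message, 'UTF-8') > 255) {
        http_response_code(400);
        exit('Message too long!');
    }
    // Parameterised insert: the message travels as a bound value, never as
    // part of the SQL text.
    $insert = $pdo->prepare('INSERT INTO entries (message) VALUES (:message)');
    $insert->execute([':message' => $message]);
}

$entries = $pdo->query('SELECT message FROM entries');
foreach ($entries as $row) {
    // Escape on output for the HTML body context. The flags are explicit so
    // the result does not depend on the PHP version's htmlspecialchars()
    // defaults (older releases did not escape single quotes by default).
    echo '<p>' . htmlspecialchars($row['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}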