Secure Modern Guestbook: From Legacy MySQL to PDO

By: fyvo August 2, 2025 PHP

Description

This snippet implements a simple guestbook. The original version is highly vulnerable; the update uses prepared statements and parameterized queries for security.

Original Code (Outdated)

```php
<?php
$db = mysql_connect('localhost', 'user', 'password');
mysql_select_db('guestbook', $db);

if (isset($_POST['submit'])) {
  $name = $_POST['name'];
  $comment = $_POST['comment'];
  mysql_query("INSERT INTO guestbook (name, comment) VALUES ('$name', '$comment')");
}

$result = mysql_query('SELECT * FROM guestbook');
while ($row = mysql_fetch_assoc($result)) {
  echo "Name: " . $row['name'] . "<br>Comment: " . $row['comment'] . "<br><br>";
}
?>
```

Updated Code (Modern)

```php
<?php

// Database credentials (should be in a config file or environment variables)
define('DB_HOST', 'localhost');
define('DB_USER', 'user');
define('DB_PASS', 'password');
define('DB_NAME', 'guestbook');

try {
    $pdo = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME, DB_USER, DB_PASS);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    die("Database connection failed: " . $e->getMessage());
}

if (isset($_POST['submit'])) {
    $name = htmlspecialchars($_POST['name'], ENT_QUOTES);
    $comment = htmlspecialchars($_POST['comment'], ENT_QUOTES);

    $stmt = $pdo->prepare("INSERT INTO guestbook (name, comment) VALUES (:name, :comment)");
    $stmt->execute([':name' => $name, ':comment' => $comment]);
}

$stmt = $pdo->query("SELECT name, comment FROM guestbook");
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo "Name: " . $row['name'] . "<br>Comment: " . $row['comment'] . "<br><br>";
}

?>
```

Discussion (0)