Creating the Submit Form

How to create an HTML submit form, and accept the new messages posted through it into the guestbook's MySQL database.

Edited: 2015-07-10 16:42

The time has come to create an HTML form which can be used to submit messages to the guestbook. In this tutorial I am going to use a normal submit form with its method set to POST. I won't explain the difference between GET and POST here; that is something I will do in a separate article.

If we take the script provided in the tutorial on How to Insert Rows in the MySQL Table, we can easily modify it to take its input from the form. This is where you should be careful: remember to validate the input for security reasons (more about this later).

The Script to Insert Rows:

<?php
// $Connection is the database link created in the Connecting to the Database tutorial (not shown here).
$TimeStamp = time();

mysql_query("INSERT INTO GuestBook_Posts (Text, Time) VALUES (
    'This is some Example Text',
    '$TimeStamp')", $Connection) or die(mysql_error());

?>

Including the Submit Form

This is a very simple guestbook, currently only allowing the visitor to leave a message. We will extend it later to include a name and an e-mail address.

The HTML for the submit form is shown below. For simplicity I named the form elements after the fields in the MySQL table, but you could name them whatever you like.

<form action="guestbook.php" method="post">
 <p>Message: <input type="text" name="Text"></p>
 <p><input type="submit"></p>
</form>

We are going to include the above HTML in the script which is used to output the entries from the MySQL table. For this to be valid HTML, we should of course also include the html, head, and body elements, which gives us the following code:

<!DOCTYPE html>
<html lang="en">

  <head>
    <meta charset="utf-8">
    <title>Guestbook</title>
  </head>

  <body>
    <form action="guestbook.php" method="post">
     <p>Message: <input type="text" name="Text"></p>
     <p><input type="submit"></p>
    </form>
<?php
// $Connection is the database link created in the Connecting to the Database tutorial (not shown here).
$SelectedRows = mysql_query("SELECT * FROM GuestBook_Posts ORDER BY PostID DESC", $Connection);
while ($Row = mysql_fetch_array($SelectedRows, MYSQL_ASSOC)) {
  echo "<p>" . $Row['Text'] . "</p>";
}

?>

  </body>

</html>

The above would display the messages from the guestbook just below the submit form. Now we want to make it possible to submit messages from the browser, and to do this we will have to modify the script some more.

Accepting new Messages

This guestbook is a nice single-file script which both handles submissions and displays the messages. So the first thing in the script should be a PHP if/else if statement which checks which action the user performed, and which validates the input for security reasons.

$TimeStamp = time();

The first line, seen above, records the current time; the if statement that follows checks whether a message was posted.

if (empty($_POST['Text'])) { // PHP if statement, checking if something was posted.
  $GBMsg = 'Welcome to my Guestbook';
} else if (preg_match("/^[A-Za-z0-9.\-_,;:=\"\s\(\)\/\&]{3,}$/", $_POST['Text'])) { // If something was posted, it gets validated.
  mysql_query("INSERT INTO GuestBook_Posts (Text, Time) VALUES (
    '{$_POST['Text']}',
    '$TimeStamp')", $Connection) or die(mysql_error());

  $GBMsg = 'Message Posted';
} else { // If something was posted, but it was invalid.
  $GBMsg = 'Error: Your message contained invalid characters, please try again.';
}

If a valid message was posted, then it gets inserted into the MySQL Table. Otherwise an error is shown. If no message was posted at all, we simply display a welcome message.

The Full Example

Remember to add the connection, and to enter your user name and password for the database, as demonstrated in the Connecting to the Database tutorial.

<?php
// $Connection is the database link created in the Connecting to the Database tutorial (not shown here).
$TimeStamp = time();

if (empty($_POST['Text'])) { // Nothing was posted: just show the welcome message.
  $GBMsg = 'Welcome to my Guestbook';
} else if (preg_match("/^[A-Za-z0-9.\-_,;:=\"\s\(\)\/\&]{3,}$/", $_POST['Text'])) { // Something was posted and passed validation.
  // The value is inserted as-is here; the section About the Validation adds the escaping step.
  mysql_query("INSERT INTO GuestBook_Posts (Text, Time) VALUES (
    '{$_POST['Text']}',
    '$TimeStamp')", $Connection) or die(mysql_error());

  $GBMsg = 'Message Posted';
} else { // Something was posted, but it contained characters outside the allowed set.
  $GBMsg = 'Error: Your message contained invalid characters, please try again.';
}
?>
<!DOCTYPE html>
<html lang="en">

  <head>
    <meta charset="utf-8">
    <title>Guestbook</title>
  </head>

  <body>
    <form action="guestbook.php" method="post">
     <p>Message: <input type="text" name="Text"></p>
     <p><input type="submit"></p>
    </form>
<?php

echo "<p>" . $GBMsg . "</p>";

$SelectedRows = mysql_query("SELECT * FROM GuestBook_Posts ORDER BY PostID DESC", $Connection);
while ($Row = mysql_fetch_array($SelectedRows, MYSQL_ASSOC)) {
  echo "<p>" . $Row['Text'] . "</p>";
}

?>

  </body>

</html>

About the Validation

An if statement is used with a simple regular expression to validate the input from the user. This makes sure that they can't submit HTML, JavaScript, and the like. It could also be used to block SQL special characters, but I recommend using a function like addslashes() for that, since these characters are likely to be of use to your users. Simply think about which characters are likely to be used under normal circumstances, and then disallow everything else.

I chose to allow letters and numbers, plus some punctuation: the characters in the regular expression's character class, A-Za-z0-9 . - _ , ; : = " ( ) / &, together with spaces and line breaks (\s). As seen in the code, some of these characters need to be escaped with a backslash when used in a regular expression, otherwise they may break the intended pattern.

Before you use addslashes(), you may want to check whether your PHP setup requires it. This is done using get_magic_quotes_gpc(). Some setups automatically add slashes, so it could get messy if you also added them yourself. The best option would be to simply disable magic quotes in php.ini, but this is not always possible. For scripts intended for broader distribution, I recommend you simply check whether it is on. How to do this is shown in the example below.

<?php
// $Connection is the database link created in the Connecting to the Database tutorial (not shown here).
$TimeStamp = time();

if (empty($_POST['Text'])) { // Nothing was posted: just show the welcome message.
  $GBMsg = 'Welcome to my Guestbook';
} else if (preg_match("/^[A-Za-z0-9.\-_,;:=\"\s\(\)\/\&]{3,}$/", $_POST['Text'])) { // Something was posted and passed validation.

  // Check if magic quotes is on, so the input is not escaped twice.
  // Note: magic quotes were removed in PHP 5.4, where this function always returns false,
  // and the function itself was removed in PHP 8.0.
  if (!get_magic_quotes_gpc()) {
    $Text = addslashes($_POST['Text']);
  } else {
    $Text = $_POST['Text'];
  }

  // Insert the message
  mysql_query("INSERT INTO GuestBook_Posts (Text, Time) VALUES (
    '$Text',
    '$TimeStamp')", $Connection) or die(mysql_error());

  $GBMsg = 'Message Posted';
} else { // Something was posted, but it contained characters outside the allowed set.
  $GBMsg = 'Error: Your message contained invalid characters, please try again.';
}
?>
<!DOCTYPE html>
<html lang="en">

  <head>
    <meta charset="utf-8">
    <title>Guestbook</title>
  </head>

  <body>
    <form action="guestbook.php" method="post">
     <p>Message: <input type="text" name="Text"></p>
     <p><input type="submit"></p>
    </form>
<?php

echo "<p>" . $GBMsg . "</p>";

$SelectedRows = mysql_query("SELECT * FROM GuestBook_Posts ORDER BY PostID DESC", $Connection);
while ($Row = mysql_fetch_array($SelectedRows, MYSQL_ASSOC)) {
  echo "<p>" . $Row['Text'] . "</p>";
}

?>

  </body>

</html>
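As an added example (not code from the original tutorial), here is the same accept-and-display logic written with a mysqli prepared statement and escaped output: the placeholders keep the message out of the SQL text, which makes addslashes() and the magic-quotes check unnecessary, and htmlspecialchars() encodes the & and " characters the whitelist lets through before they reach the page. The mysqli connection `$db`, the function names and the sample inputs are assumptions made for illustration; the table and column names are the tutorial's.

```php
<?php
// Added example (not the tutorial's code): the guestbook insert rewritten with a
// mysqli prepared statement and escaped output. $db is an existing mysqli connection.
// The tutorial's character whitelist, unchanged.
const GB_PATTERN = '/^[A-Za-z0-9.\-_,;:="\s()\/&]{3,}$/';

function validateMessage(string $text): bool
{
    return preg_match(GB_PATTERN, $text) === 1;
}

function insertMessage(mysqli $db, string $text, int $time): bool
{
    // Placeholders keep the values out of the SQL text: no addslashes(), no magic quotes.
    $stmt = $db->prepare('INSERT INTO GuestBook_Posts (Text, Time) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $text, $time);
    return $stmt->execute();
}

function renderMessage(string $text): string
{
    // Escape on output: the whitelist lets & and " through, and HTML needs them encoded.
    return '<p>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

function handlePost(mysqli $db, array $post): string
{
    if (empty($post['Text'])) {
        return 'Welcome to my Guestbook';
    }
    if (!validateMessage($post['Text'])) {
        return 'Error: Your message contained invalid characters, please try again.';
    }
    return insertMessage($db, $post['Text'], time()) ? 'Message Posted' : 'Error: message not saved.';
}

// Constructed sample inputs; they exercise the validation without a database.
$samples = [
    'Rock & Roll (1999)'        => true,
    '<script>alert(1)</script>' => false, // < and > are not whitelisted
    "it's me"                   => false, // the single quote is not whitelisted
    'ab'                        => false, // shorter than three characters
];
foreach ($samples as $input => $expected) {
    assert(validateMessage($input) === $expected);
}
echo renderMessage('Rock & Roll (1999)'), "\n";
```

In the page itself, `echo "<p>" . $GBMsg . "</p>";` and the display loop would call `handlePost($db, $_POST)` and `renderMessage($Row['Text'])` respectively.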