diff options
Diffstat (limited to 'submitguest.php')
-rw-r--r-- | submitguest.php | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/submitguest.php b/submitguest.php new file mode 100644 index 0000000..96c27a9 --- /dev/null +++ b/submitguest.php @@ -0,0 +1,61 @@ + +<?php + +// Change this to your connection info. +$DATABASE_HOST = 'YourHost'; +$DATABASE_USER = 'YourDatabaseUser'; +$DATABASE_PASS = 'YourDatabasePassword'; +$DATABASE_NAME = 'YourDatabaseName'; + + +// Try and connect using the info above. +$conn = new mysqli($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME); +// Check connection +if ($conn->connect_error) { + die("Connection failed: " . $conn->connect_error); +} + + +//echo ' submitting...'; + +$name = $_POST['g_name']; +$message = $_POST['g_message']; + +//this is commented out but might be useful for debugging. NOTE: there are no special chars so javascript can be executed here +//but it would only hurt the attacker +/* +echo $name; +echo $message; +*/ + +//SQL query +$stmt = $conn->prepare("INSERT INTO `guestbook` (g_name, g_message) VALUES (?, ?)"); + +//echo 'statement prepared!'; + +if ($stmt){ +//Prepared statement to secure from SQL injection +$stmt->bind_param("ss", $name, $message); + +$stmt->execute(); + +//echo' and done!'; + + + +//to redirect after the query to your site, enter the url you want to go to +header("Location: http://www.yourwebsite.com/"); + + + + +} +else{ + echo 'something went wrong!'; +} + +?> + + + + |