Recent Changes - Search:




Summary: Provide a simple guestbook.
Prerequisites: 2.??

See important security fixes below.

Note: to edit this page please use wiki as a password.


Notes and Comments

  • Download and put guestbook.php in local/cookbook/
  • Download and put guestbook-i18n-en.php or guestbook-i18n-nl.php in the cookbook folder.
  • Add include_once("$FarmD/cookbook/guestbook.php"); in your local/config.php file;
  • Make a page for the guestbook (e.g., Guestbook.HomePage) and include the directive (:$Guestbook:) someplace on the guestbook page. The directive can be placed at the top or the bottom of the page. The dialog box opens at the position of the directive. Great guest book! Thank you all for this addition. Old Al.


This was originally written by Zet ( for PmWiki v1 and kindly updated for PmWiki 2.x beta by Patrick Ogay at my request. I take zero credit for this addon and am only posting it here at Radu's request because Patrick seems to be busy.

The version posted above has been slightly modified from Patrick's version by:

  • Changing the first line to <?php if (!defined('PmWiki')) exit(); (per the recommendation in the Module Guidelines).
  • Commenting out the calls to TestLog (which caused errors).
  • Certain minor stylistic changes.

Due to destructive spam attacks, this page is now password protected.


  • The guestbook is translated in Dutch. Kenneth (02/24/2006)
  • I've been having a configuration specific problem in pmwiki-2.0.beta48: Caspian (07/29/2005)
    • I am using Guestbook, PITS, and Per Group Subdirectories. And there-in lies the problem. If I remove the Per Group Subdirectories option and make sure that Guestbook include_once('cookbook/guestbook.php'); is the first entry in the local/config.php it seems to work. However if I turn on the Per Group Subdirectories then Guestbook quits working. If I put Guestbook in after PITS include_once('cookbook/PITS.php');, PITS doesn't find its files correctly but Guestbook does work. pm did look at this a bit and said that he thought there was a problem in Guestbook and specifically with $pagename.
      <SNIP> from an email from pm
      The guestbook.php recipe takes some serious liberties with setting the value of $pagename -- in particular, it undoes any setting of $pagename that might've been done by a previous recipe or config.php setting. So, guestbook.php needs to be rewritten to not do this; in the meantime it means it must be loaded before anything else.
      Per Group Subdirectories being active is important to me and any help is appreciated.
  • It works great for me, I'm very pleased with it. Oneida (03/18/2005)
  • nice script :) but it looks like it doesn't work with Cookbook/CleanUrls. The form action wants to send the data to index.php/Forum/Guestbook -Uli
  • Hmmm, I've had no problem with it working with CleanUrls. You might try posting your configuration on the mailing list, as people there are really great at helping to troubleshoot things like that. Oneida (03/23/2005)
  • I just modified line 40 (use "?" instead "/"). Now it works. Holger (03/24/2005)
  • Oddly enough, I had to modify line 40 to use "?n=" instead of "/", using v2beta51 - David A Spitzley (7/29/05)
  • Could something like this be easily implemented now with AddDeleteLine? - Martin Fick
  • Would you advise me what to change in the script to remove boxes "name" and "homepage" and to receive as senders name the $AuthId ? Jiri
  • It is totally open for SPAM. I think there should be (at least) two additions: a Captcha as well as a possibility to not admit what Spammers like to post ... PKHG


Below is a modified code with a few important security fixes (see PKHG's comment above):

  1. It prevents attacks by HTML and wiki-markup injections in the input fields, and,
  2. It also has a simple captcha implementation.
  3. The latest version has a simple Javascript-based form validation to prevent submission of advertisement URLs.

Download the code here (just the English version): guestbook-secure-en.phpΔ

  • Installation:
    • Copy the file to cookbook folder.
    • In local/config.php add lines:
      • $GuestbookCaptcha = TRUE; (This enables the captcha feature. This must come before the include_once line.)
      • $GuestbookValidation = TRUE; (This enables the form validation feature. This must come before the include_once line.)
      • include_once("FarmD/cookbook/guestbook-secure-en.php");
  • Live demo:

To enable captcha (disabled by default):

  • Set $GuestbookCaptcha = TRUE; in config.php.
  • (Troubleshoot) If session is not enabled, you may also need to include the following lines of code in config.php (before the include_once line):

To enable Javascript-based form validation to prevent submission of URLs in the main fields (disabled by default):

  • Set $GuestbookValidation = TRUE; in config.php.

Subhrajit November 06, 2010, at 12:22 AM ; Subhrajit September 05, 2011, at 04:28 PM

Comments on the security fixes

Comment by Holger May 22, 2011, at 03:25 PM
Unfortunately the whole message is in one line, no line break visible. Any idea to realize line breaks in spite of rawdecode?

In the PHP script, where it reads Keep(rawurldecode(PSS('$1'))) (line 14), just replace it with Keep(str_replace(\"\\n\",\"<br/>\",rawurldecode(PSS('$1'))))
I will post a updated version with a few more features some time soon. Subhrajit May 30, 2011.

Comment by Holger June 02, 2011, at 05:58 AM
Thanks a lot for your feedback Subhrajit. :-) Meanwhile I have been found another solution for my website but nevertheless I am very interested in your updated version.

Comment by M. Denning June 19, 2012, at 11:23 PM
In attempting to implement your code edit upgrade from 2010 to the 2012 code, I found that the Hidden Text was not hidden and there is a tag being used that I cannot locate or identify. But in actually hiding the text, I found it very useful to replace the markup being used and use an "if" directive. The advantage of this is that the text entered is truly hidden from public view as noted and advertised on the page, made available only to those who have edit authority.
Old Code (Line 158):

                (($_POST["contact"])?"[%== %color=#666688%(:rawdecode:)"
                .rawurlencode(strip_tags(htmlspecialchars(StripCSlashes($_POST["contact"]))))."(:rawdecodeend:)%%[[<<]] ==%]":"").

New Code (Line 158):

                (($_POST["contact"])?"(:if false:) "
                .rawurlencode(strip_tags(htmlspecialchars(StripCSlashes($_POST["contact"]))))." (:ifend:)":"").

Also, I have noticed that the posting does not happen on ever page (if more than two or three page links deep) and I am not sure why. But, as the first link off of the home page it will work every time. Just something I have noticed.

hello M. Denning. Thanks for pointing this out. It's true that the markup for the hidden text was not included in the guestbook's PHP code (I had it separately in my web-site, so missed including it). But here is the code for the markup:
 // [%== ... ==%] comment visible only to editor
 Markup('blockcommentvisitor','<blockcomment','/\\[%==(.*?)==%\\]/esi',"(!RetrieveAuthPage($pagename, 'edit', false, READPAGE_CURRENT)) ? Keep('') : PSS('$1')"); 
I will include this in the next version (will be adding a few additional security features as well). Subhrajit July 05, 2012, at 04:57 PM
Edit - History - Print - Recent Changes - Search
Page last modified on November 05, 2013, at 06:21 PM