Implementing a Message Board in PHP
Database design
Create a table named messages with the following fields:
- id: auto-increment primary key
- name: the commenter's name (VARCHAR)
- email: the commenter's e-mail address (VARCHAR)
- content: the message body (TEXT)
- created_at: time the message was posted (TIMESTAMP)
Example CREATE statement:
CREATE TABLE messages (
    id INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(100) NOT NULL,
    email VARCHAR(100) NOT NULL,
    content TEXT NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
Connecting to the database
Create a config.php file to hold the database connection settings:
<?php
$host = 'localhost';
$dbname = 'message_board';
$username = 'root';
$password = '';
try {
    // charset=utf8mb4 makes the connection encoding match the UTF-8 escaping used on output
    $pdo = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8mb4", $username, $password);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use server-side prepared statements instead of client-side emulation
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
} catch (PDOException $e) {
    // In production, log the exception rather than printing driver details to the visitor
    die("Connection failed: " . $e->getMessage());
}
?>
Submitting a message
Create submit.php to handle the form submission:
<?php
require 'config.php';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate here; HTML escaping happens once, at output time in index.php.
    // Escaping on input as well would double-encode characters such as "&" when displayed.
    $name = trim($_POST['name'] ?? '');
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $content = trim($_POST['content'] ?? '');
    if ($name === '' || $content === '' || mb_strlen($name) > 100) {
        die('Name and message are required (name at most 100 characters)');
    }
    if ($email === false) {
        die('Invalid email format');
    }
    // Prepared statement with bound values: user input never becomes part of the SQL text
    $stmt = $pdo->prepare("INSERT INTO messages (name, email, content) VALUES (?, ?, ?)");
    $stmt->execute([$name, $email, $content]);
    header('Location: index.php');
    exit;
}
?>
Displaying messages
Create index.php to display all messages:
<?php
require 'config.php';
$stmt = $pdo->query("SELECT * FROM messages ORDER BY created_at DESC");
$messages = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
<!DOCTYPE html>
<html>
<head>
    <title>留言板</title>
    <style>
        .message { border: 1px solid #ddd; padding: 10px; margin-bottom: 10px; }
    </style>
</head>
<body>
    <h1>留言板</h1>
    <form method="post" action="submit.php">
        姓名: <input type="text" name="name" required><br>
        邮箱: <input type="email" name="email" required><br>
        留言: <textarea name="content" required></textarea><br>
        <button type="submit">提交</button>
    </form>
    <hr>
    <?php foreach ($messages as $message): ?>
    <div class="message">
        <h3><?= htmlspecialchars($message['name'], ENT_QUOTES, 'UTF-8') ?></h3>
        <!-- every stored value is escaped on output, the e-mail address included -->
        <small><?= htmlspecialchars($message['email'], ENT_QUOTES, 'UTF-8') ?> - <?= htmlspecialchars($message['created_at'], ENT_QUOTES, 'UTF-8') ?></small>
        <p><?= nl2br(htmlspecialchars($message['content'], ENT_QUOTES, 'UTF-8')) ?></p>
    </div>
    <?php endforeach; ?>
</body>
</html>
Security hardening
Implementing CSRF protection:
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = $_POST['csrf_token'] ?? null;
    // hash_equals compares in constant time; the is_string check keeps an array value from raising a TypeError
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $submitted)) {
        die('Invalid CSRF token');
    }
    // continue processing the form
}
// Create the token once per session when rendering the form, so that a second open tab
// does not invalidate the first; embed it in the form as a hidden field:
// <input type="hidden" name="csrf_token" value="...the token, HTML-escaped...">
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
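The snippet above leaves out the part that most often goes wrong in practice: rendering the hidden field and rejecting malformed tokens. The helper below is an added example, not code from the original tutorial; the function names csrf_token(), csrf_field() and csrf_verify() are my own, and it assumes session_start() has already run on every page that includes it. A small CLI self-check at the bottom exercises the accept and reject paths with constructed inputs.

```php
<?php
// csrf.php - added example helper (not part of the original tutorial).
// Assumes session_start() has been called before any output on each page that uses it.

/** Return the session's CSRF token, creating it on first use so open tabs share one token. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** The hidden input that carries the token back with the form; escaped like any other output. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify the token on a POST request. True only when a string token was submitted,
 * a session token exists, and the two match under a constant-time comparison.
 */
function csrf_verify(array $post): bool
{
    $submitted = $post['csrf_token'] ?? null;
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;   // missing token, array value, or no session token yet
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Usage in index.php, inside the <form>:      echo csrf_field();
// Usage in submit.php, before touching the database:
//   if (!csrf_verify($_POST)) { http_response_code(403); exit('Invalid CSRF token'); }

// CLI self-check with constructed inputs (a plain array stands in for the session here)
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $cases = [
        'matching token'   => ['csrf_token' => csrf_token()],
        'wrong token'      => ['csrf_token' => 'deadbeef'],
        'array value'      => ['csrf_token' => ['x']],
        'missing field'    => [],
    ];
    foreach ($cases as $label => $post) {
        printf("%-16s %s\n", $label, csrf_verify($post) ? 'accepted' : 'rejected');
    }
}
```

Only the first case is accepted. The array case matters because PHP builds nested arrays from field names such as csrf_token[]; passing that straight to hash_equals would throw rather than reject.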
Adding XSS protection:
// Escape every value at the point of output, not on input
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
// Validate URL parameters with filter_var; false means the value was not an integer
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
Pagination
Modify the message query to paginate the results:
$page = isset($_GET['page']) ? (int)$_GET['page'] : 1;
$page = max(1, $page);   // a page of 0 or below would give a negative offset
$perPage = 5;
$offset = ($page - 1) * $perPage;
$stmt = $pdo->prepare("SELECT * FROM messages ORDER BY created_at DESC LIMIT :offset, :perPage");
// LIMIT arguments must be bound as integers; bound as strings they would be sent quoted, which MySQL rejects in a LIMIT clause
$stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
$stmt->bindValue(':perPage', $perPage, PDO::PARAM_INT);
$stmt->execute();
$messages = $stmt->fetchAll(PDO::FETCH_ASSOC);
Add the pagination navigation:
$total = (int)$pdo->query("SELECT COUNT(*) FROM messages")->fetchColumn();
$pages = (int)ceil($total / $perPage);
for ($i = 1; $i <= $pages; $i++) {
    echo "<a href='?page=$i'>$i</a> ";
}
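The two fragments above do not handle a page number beyond the last page, a non-numeric value, or an empty table. The helper below is an added example rather than the tutorial's own code: paginate_messages() and pagination_links() are my names, and it assumes the $pdo connection from config.php and the messages table defined earlier. It clamps the requested page into range, binds the LIMIT values as integers, and adds a secondary sort on id so that rows with the same timestamp never straddle two pages.

```php
<?php
// Added example (not from the original tutorial): range-safe pagination for the messages table.
// Assumes $pdo from config.php and the messages table created above.

/**
 * Fetch one page of messages.
 * $requested is whatever arrived in the query string; it is validated and clamped here.
 * Returns ['rows' => array, 'page' => int, 'pages' => int, 'total' => int].
 */
function paginate_messages(PDO $pdo, $requested, int $perPage = 5): array
{
    $total = (int)$pdo->query("SELECT COUNT(*) FROM messages")->fetchColumn();
    $pages = max(1, (int)ceil($total / $perPage));   // an empty table still has one (empty) page

    // FILTER_VALIDATE_INT rejects values such as "1abc", "1e3" and arrays; fall back to page 1
    $page = filter_var($requested, FILTER_VALIDATE_INT);
    if ($page === false) {
        $page = 1;
    }
    $page = min(max(1, $page), $pages);               // clamp into [1, pages]
    $offset = ($page - 1) * $perPage;

    $stmt = $pdo->prepare(
        "SELECT id, name, email, content, created_at FROM messages
         ORDER BY created_at DESC, id DESC LIMIT :offset, :perPage"
    );
    // Bound as integers so they are not sent as quoted strings
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':perPage', $perPage, PDO::PARAM_INT);
    $stmt->execute();

    return [
        'rows'  => $stmt->fetchAll(PDO::FETCH_ASSOC),
        'page'  => $page,
        'pages' => $pages,
        'total' => $total,
    ];
}

/** Build the navigation links; the current page is rendered as text, not a link. */
function pagination_links(int $page, int $pages): string
{
    $html = '';
    if ($page > 1) {
        $html .= '<a href="?page=' . ($page - 1) . '">&laquo; prev</a> ';
    }
    for ($i = 1; $i <= $pages; $i++) {
        $html .= ($i === $page)
            ? "<strong>$i</strong> "
            : "<a href=\"?page=$i\">$i</a> ";
    }
    if ($page < $pages) {
        $html .= '<a href="?page=' . ($page + 1) . '">next &raquo;</a>';
    }
    return $html;
}

// Usage in index.php:
//   require 'config.php';
//   $result = paginate_messages($pdo, $_GET['page'] ?? 1);
//   foreach ($result['rows'] as $message) { /* render as in the template above */ }
//   echo pagination_links($result['page'], $result['pages']);
```

Because $page is an integer by the time it reaches pagination_links(), the link markup needs no escaping; everything the visitor controlled was reduced to a validated integer inside paginate_messages().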