Shoutbox system

Posted on


I wrote a little Shoutbox System which is working fine, but I want to know if there is something I can improve about this code.

Here is my Shoutbox Overlay:

<div class="article_body" id="article_body" name="article_body">

    $query = "SELECT * FROM `shoutbox` ORDER BY entryid DESC LIMIT 5";
    $stmt = $db->prepare($query);
    $result = $stmt->get_result();
    while($obj = $result->fetch_object()) {
        if ($obj != null || !empty($obj)) {

            <p style='font-size: 14px;'>
            <table style='width: 100%; font-size: 11px;'>
                    <td style='text-align: start;'>
                        Von: <a style='font-size: 11px'; href='?".$obj->user."'>".$obj->user."
                    <td style='text-align: end;'>
                        Am: ".$obj->date_time."
        else {
            echo("<center>Shout-Box is empty</center>");
    if ($_SESSION['besucht'] == 1 && $_SESSION['user-ban-status'] - 1 == 0) {
        echo("<form action='./tools/php/shoutbox/shoutbox.php' method='POST'>
            <input type='text' name='shout' maxlength='500' style='width: 186px;'><button>Senden</button>
    if ($_SESSION['besucht'] == 1 && $_SESSION['user-ban-status'] - 1 == 1) {
        echo("<h5 style='color: red;'>You Are Banned. This Function Isn't Allowed For Banned Members.</h5>");

The $_SESSION[‘besucht’] is for the Visited and logged in check.
The $_SESSION[‘user-ban-status’] is to check if the user is banned and if that is true the post function is disabled.
I limited the View per to the latest 5 entrys in my database so only the newest thing would be shown.

Here is my Backend Script for the input of the Shoutbox:

    if (!empty($_POST['shout']) || $_POST['shout'] != null) {


        if (!empty($_SESSION['user-username']) || $_SESSION['user-username'] != null) {

            $text = $_POST['shout'];

            $user = $_SESSION['user-username'];

            $timestamp = time();
            $datum = date("Y-m-d H:i:s",$timestamp);

            $stmt = $db->prepare("INSERT INTO `shoutbox`(`text`, `user`, `date_time`) VALUES (?,?,?)");
            $stmt->bind_param('sss', $text, $user, $datum);

            header("Location: ../");
        else {
            header("Location: ../");
    else {
        header("Location: ../");


  • I recommend writing session_start(); first and unconditionally.

  • !empty() performs two checks: if the variable isset() AND contains a non-falsey value. This means $obj != null is not necessary. That said, your while() loop will halt if $obj is falsey.

  • There’s nothing wrong with using prepared statements, but for the record your first query will be just as stable/secure without it.

  • I noticed mysqli_close($db);. You should keep all of your query syntax object-oriented.

  • Rather than declaring new variables to feed to $stmt->bind_param() (single-use variables), just write the original variables as parameters. There isn’t much benefit in adding more variables to global scope.

  • It looks like all roads lead to:

    header("Location: ../");

    If this is true for you actual project script, write a single if block, then whether its contents are executed or not, after the condition block execute your redirect.

  • Don’t mix database logic and display logic (HTML). Prepare the data first and then display it in HTML when you have everything ready.
  • Try to avoid mysqli in new projects. Use PDO whenever possible. If you must use mysqli then stick to the object-oriented style.
  • Don’t close connection object or the statement. PHP will do that for you and you avoid mistakes by not doing it manually.
  • Don’t use date() and time() functions. Use DateTime class.
  • Don’t put parentheses after echo. It’s not a function and these parentheses are extremely confusing. Same applies to require
  • Reduce cyclomatic complexity by performing inverse checks. exit will kill the script so you can use that to finish early without wrapping whole code blocks in braces.
  • Use strict comparison (===).
  • Use htmlspecialchars() to avoid XSS.

Leave a Reply

Your email address will not be published. Required fields are marked *