Building a Hacker-Era Guestbook (with 2025-Grade Security)

Posted on Sat 26 April 2025 in guides

kei-nova@project2501:~$ cat hacker-guestbook.md

💀 Rebooting the Web Nostalgia Layer

I wanted a guestbook on my site.

Not a comment section.
Not a "subscribe to my updates" widget.

A terminal-style shrine — where fellow netrunners could drop messages like they just jacked out of a system breach in '97.

But here’s the thing: most of the 90s guestbooks were held together with duct tape and SQL injection holes the size of /dev/null.

So I brought the vibe back — but hardened it with modern infosec practices.


🛠️ Stack Overview

  • Frontend: Static site generated with Pelican
  • Backend: PHP (hosted via Namecheap cPanel)
  • Database: MariaDB
  • Storage: Guest messages logged via form
  • Security: Rate-limiting, XSS mitigation, password isolation, cache protection

🧠 Backend Logic (aka The Ghost Trap)

🔐 1. Database Creds in a Secure Location

Instead of hardcoding credentials:

```php
$password = "plaintext_bad";
```

I dropped them into a secure file outside the public web root:

```php
define('DB_HOST', 'localhost');
define('DB_USER', 'guestbook_user');
define('DB_PASS', 'super_secure_password');
define('DB_NAME', 'guestbook_db');
```

Then included it via require_once.

No creds in public view. Ever.
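Here is how the include and the connection fit together, as an added example rather than the post's own code. It assumes the cPanel layout where `public_html/` sits next to a `private/` directory, so `dirname($_SERVER['DOCUMENT_ROOT'])` reaches the parent of the web root; the config path, the `db()` helper and the permission check are all my additions.

```php
<?php
// Added example (not the original post's code). Assumes the config file lives
// outside the document root at <parent of public_html>/private/guestbook_config.php.
//
// --- private/guestbook_config.php (constructed sample, placeholder password) ---
// define('DB_HOST', 'localhost');
// define('DB_USER', 'guestbook_user');
// define('DB_PASS', 'super_secure_password');
// define('DB_NAME', 'guestbook_db');

// --- public_html/db.php ---
$configPath = dirname($_SERVER['DOCUMENT_ROOT']) . '/private/guestbook_config.php';

// Refuse to start if the file is missing or readable by "other": on shared
// hosting the web server needs to read it, every other local account does not.
if (!is_readable($configPath)) {
    http_response_code(500);
    exit('configuration unavailable');
}
if (fileperms($configPath) & 0004) {
    http_response_code(500);
    exit('configuration unavailable');
}
require_once $configPath;

// One PDO handle per request, built from the constants the include defined.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
        $pdo = new PDO($dsn, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }
    return $pdo;
}
```

The error messages are deliberately generic: a 500 with the real reason would tell a visitor where the config lives. Check the file mode with `chmod 600` after uploading it, since cPanel file managers often default to 644.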


🛡️ 2. Input Sanitization & CSRF Token

Every message passes through:

  • strip_tags() to nuke HTML/JS
  • trim() to remove blank spam
  • A simple csrf_token check on submission (just enough to scare off bots)
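The submission handler below is an added example, not the post's code. It assumes a `db()` helper that returns a PDO handle (from the config include) and an `entries(name, message, created_at)` table; the field names, length caps and the token name `csrf_token` are my choices.

```php
<?php
// Added example, not the original post's code. Assumes db() returns a PDO
// handle and that an `entries(name, message, created_at)` table exists.
require_once __DIR__ . '/db.php';
session_start();

// One random token per session; the form carries it in a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// hash_equals compares in constant time, so timing reveals nothing about the token.
function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// strip_tags + trim as in the post, plus a length cap so nobody stores a novel.
function cleanField(string $value, int $max): string
{
    $value = trim(strip_tags($value));
    return mb_substr($value, 0, $max);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('bad token');
    }
    $name    = cleanField($_POST['name'] ?? '', 32);
    $message = cleanField($_POST['message'] ?? '', 500);
    if ($name === '' || $message === '') {
        http_response_code(400);
        exit('empty entry');
    }
    // Prepared statement: the values are bound, never spliced into the SQL text.
    $stmt = db()->prepare(
        'INSERT INTO entries (name, message, created_at) VALUES (?, ?, NOW())'
    );
    $stmt->execute([$name, $message]);
    http_response_code(201);
    exit('ok');
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="name" maxlength="32" placeholder="handle">
  <textarea name="message" maxlength="500"></textarea>
  <button>jack in</button>
</form>
```

One caveat worth keeping in mind: `strip_tags()` removes tags, but it is an input filter, not an output encoder. Whatever survives still has to be escaped for the context it is rendered in (HTML body, attribute, or JSON), which is why the feed endpoint should encode on the way out as well.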

📈 3. Rate-Limiting

To block script kiddies trying to spam, I added file-based IP throttling:

```php
$rate_file = '/rate-limits/'.md5($ip);
$cooldown = 10; // seconds between requests
```

Hit the endpoint too fast? ⛔ 429 Rate limit exceeded.
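A complete version of that throttle, added here as an example and not taken from the post. It assumes a writable `rate-limits/` directory next to `public_html/` (outside the web root); the function name `rateLimited` and the fail-closed behaviour when the directory cannot be created are my choices.

```php
<?php
// Added example, not the original post's code. Assumes a directory
// <parent of public_html>/rate-limits that the web server can write to.
function rateLimited(string $ip, int $cooldown = 10): bool
{
    $dir = dirname($_SERVER['DOCUMENT_ROOT']) . '/rate-limits';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        // Throttle store unusable: deny the write rather than skip the check.
        return true;
    }
    // md5 of the address gives a fixed-length, path-safe filename; the raw IP
    // string never becomes part of the path.
    $file = $dir . '/' . md5($ip);
    $now  = time();
    clearstatcache(true, $file);
    if (is_file($file) && ($now - filemtime($file)) < $cooldown) {
        return true;
    }
    // Record this request's timestamp as the file's mtime.
    touch($file, $now);
    return false;
}

// Use the address the web server itself saw. X-Forwarded-For is set by the
// client unless a proxy you control overwrites it, so it is not a rate key.
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (rateLimited($ip, 10)) {
    http_response_code(429);
    header('Retry-After: 10');
    exit('Rate limit exceeded');
}
```

Two housekeeping points: a cron job that deletes marker files older than the cooldown keeps the directory from growing forever, and the marker is only a per-address throttle, so a burst from many addresses still reaches the database. That is what the cache in the next section is for.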


💽 4. Cache Rules Everything Around Me.

Each /entries.php call checks for a 15-second cache before hitting the DB. Why? Because if this thing ever makes Hacker News and melts my hosting — I’ll be ready.
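An `entries.php` with that 15-second cache in front of the database, as an added example rather than the post's code. It assumes the same `db()` helper and `entries` table as above and a writable `cache/` directory outside the web root; the atomic write via temp file plus `rename()` and the JSON escaping flags are my additions.

```php
<?php
// Added example, not the original post's code: entries.php with a 15-second
// file cache. Assumes db() returns a PDO handle, an `entries` table exists,
// and <parent of public_html>/cache is writable by the web server.
require_once __DIR__ . '/db.php';

define('CACHE_TTL', 15);
define('CACHE_DIR', dirname($_SERVER['DOCUMENT_ROOT']) . '/cache');
define('CACHE_FILE', CACHE_DIR . '/entries.json');

function loadEntries(): string
{
    // Fresh cache? Serve it without opening a database connection at all.
    clearstatcache(true, CACHE_FILE);
    if (is_file(CACHE_FILE) && (time() - filemtime(CACHE_FILE)) < CACHE_TTL) {
        return (string) file_get_contents(CACHE_FILE);
    }

    $rows = db()
        ->query('SELECT name, message, created_at FROM entries ORDER BY id DESC LIMIT 50')
        ->fetchAll();

    // JSON_HEX_* turns < > & ' " into \uXXXX escapes, so the payload stays inert
    // even if something ever renders it as HTML. The client should still put
    // strings into the page with textContent, not innerHTML.
    $json = json_encode(
        $rows,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );

    // Write to a temp file, then rename: a reader never sees a half-written cache,
    // and two requests refreshing at once cannot interleave their output.
    if (!is_dir(CACHE_DIR)) {
        mkdir(CACHE_DIR, 0700, true);
    }
    $tmp = CACHE_FILE . '.' . getmypid();
    file_put_contents($tmp, $json, LOCK_EX);
    rename($tmp, CACHE_FILE);
    return $json;
}

header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo loadEntries();
```

With this in place a traffic spike costs at most one database query every 15 seconds; every other hit is a single file read. The `nosniff` header stops browsers from guessing a different content type for the response.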

💬 Real-Time Guest Feed (With Glitch)

Entries load via fetch() and get typed out line-by-line like a terminal log:

```javascript
typeOut(el, `@${entry.name}: ${entry.message}`);
```

The result? Visitors see each guest log appear like it was jacked in from another system.


🕸️ Why This Matters

You can build cool, nostalgic web features and still follow real security practices.

This isn’t just about the vibe — it’s about teaching new hackers how to build oldschool features the right way.


💾 Want to Build One Yourself?

Hit me up. Fork my code. Copy the CSS and glitch it out harder.

Leave a message: Guestbook Terminal ➝

Ghosted in the Shellcode. Kei Nova out.