1. I wanted to keep track of the number of posts people have made, is there a global variable I could store this information and update it every time someone submits an entry, or will I have to store it in a file?
Short answer: there is no PHP-specific mechanism to provide you with this.
Long answer: global variables have a life-span, at best, as long as the user session; at worst, they last only for each page request. To store information longer than either of these two cases, you need a permanent data store... such as a database or a file.
2. I haven't worked with cookies before, but if I sent the user a cookie, would this prevent a script from continually posting messages?
Depends on how you use them.
Think of cookies as normal user input like GET and POST... except they work both ways (i.e., where GET and POST can only be used to send data from the client->server, cookies can do that as well as send data from the server->client). This means that if you were to send users a cookie that contained the number of posts they have made (or the time of the last post they made), it'd be very easy to abuse this from the client's standpoint, i.e. changing the number of posts they have made (or changing the time of the last post they had made), thereby bypassing your anti-spam system.
In conjunction with some sort of login or tracking system, cookies could help you out... but you'd only want to use them for authentication information.
Does that make sense?
Should I have an image next to the form and ask the user to input what the text in the image is?
Image verification is pretty simple, but requires you to have an image-rendering library installed and available to PHP, such as GD. (Most commercial hosts already have it installed.) Lots of examples of how to implement this are available online.
To answer your question, though, it depends. Are you going to have some sort of registering/login system? Or is this an anyone-can-sign-the-guestbook sort of thing? If it's the latter, I'd say image verification would be ideal, though it can be annoying for users. If you're going with the former, though, I'd say image verification for posting new messages isn't required. Image verification would definitely be the easiest to implement.
Any reason in particular you want to use XML instead of MySQL for your data storage?
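The following is an added example, not part of the original post: a guestbook handler in which the cookie carries only the PHP session ID, the last-post time lives in server-side session data the client cannot edit, and the running post count is kept in a locked file. The 60-second interval, the `post_count.txt` path and the function names are assumptions made for illustration.

```php
<?php
// Added example: the client holds only an opaque session ID cookie;
// everything the anti-spam check relies on stays on the server.
const MIN_INTERVAL = 60;                          // assumed minimum seconds between posts
const COUNT_FILE   = __DIR__ . '/post_count.txt'; // assumed location of the counter file

// Decide whether a post is allowed, given the server-side record of the last one.
function may_post(?int $lastPostTime, int $now, int $minInterval = MIN_INTERVAL): bool
{
    return $lastPostTime === null || ($now - $lastPostTime) >= $minInterval;
}

// Increment the persistent post counter; the exclusive lock keeps two
// simultaneous requests from reading the same value and losing an update.
function increment_post_count(string $file): int
{
    $fh = fopen($file, 'c+');   // create if missing, never truncate on open
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException("cannot lock $file");
        }
        $count = (int) stream_get_contents($fh) + 1;
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, (string) $count);
        fflush($fh);
        flock($fh, LOCK_UN);
        return $count;
    } finally {
        fclose($fh);
    }
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();            // the only cookie involved is the session ID
    $now = time();
    if (!may_post($_SESSION['last_post'] ?? null, $now)) {
        http_response_code(429);
        exit('Please wait before posting again.');
    }
    // ... validate and store the guestbook entry here ...
    $_SESSION['last_post'] = $now;   // stored server-side, not in the cookie
    $total = increment_post_count(COUNT_FILE);
    echo "Entry saved. Total posts: $total";
}
```

A script that discards the cookie receives a fresh session on every request, so on an anyone-can-sign guestbook this check needs to be paired with image verification or keyed on something the server observes itself rather than on the session alone.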