        $result = mysql_query($sql, $db) or die(mysql_error($db));
        if (mysql_num_rows($result) > 0) {
            $row = mysql_fetch_array($result);
            session_start();
            $_SESSION['user_id'] = $row['user_id'];
            $_SESSION['access_level'] = $row['access_level'];
            $_SESSION['name'] = $row['name'];
        }
        redirect('cms_index.php');
        break;
    case 'Logout':
        session_start();
        session_unset();
        session_destroy();
        redirect('cms_index.php');
        break;
    case 'Create Account':
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password_1 = (isset($_POST['password_1'])) ? $_POST['password_1'] : '';
        $password_2 = (isset($_POST['password_2'])) ? $_POST['password_2'] : '';
        $password = ($password_1 == $password_2) ? $password_1 : '';
        if (!empty($name) && !empty($email) && !empty($password)) {
            $sql = 'INSERT INTO cms_users (email, password, name) VALUES
                ("' . mysql_real_escape_string($email, $db) . '",
                PASSWORD("' . mysql_real_escape_string($password, $db) . '"),
                "' . mysql_real_escape_string($name, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));
            session_start();
            $_SESSION['user_id'] = mysql_insert_id($db);
            $_SESSION['access_level'] = 1;
            $_SESSION['name'] = $name;
        }
        redirect('cms_index.php');
        break;
    default:
        redirect('cms_index.php');
    }
} else {
    redirect('cms_index.php');
}
You use a switch statement because of the flexibility it gives you. If you expand the functionality of your CMS, you can end up having to add many more actions to cms_transact_user.php. With switch, it is a simple matter of adding a new case condition. You could certainly use a long chain of if/else statements instead of switch, but they can be cumbersome to work with and difficult to maintain over time.
switch ($_REQUEST['action']) {
    default:
        redirect('cms_index.php');
}
The Login case handles user logins. Your e-mail address and password are what you use to log in to the CMS. If both are not passed, the user will not be logged in. The address and password are escaped with mysql_real_escape_string(), and then the database is searched for a matching record in the cms_users table. If a match is found, then a session is started, and $_SESSION['user_id'], $_SESSION['name'], and $_SESSION['access_level'] are stored to log the user in.
    case 'Login':
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password = (isset($_POST['password'])) ? $_POST['password'] : '';
        $sql = 'SELECT user_id, access_level, name FROM cms_users
            WHERE email = "' . mysql_real_escape_string($email, $db) . '"
            AND password = PASSWORD("' . mysql_real_escape_string($password, $db) . '")';
        $result = mysql_query($sql, $db) or die(mysql_error($db));
        if (mysql_num_rows($result) > 0) {
            $row = mysql_fetch_array($result);
            session_start();
            $_SESSION['user_id'] = $row['user_id'];
            $_SESSION['access_level'] = $row['access_level'];
            $_SESSION['name'] = $row['name'];
        }
        redirect('cms_index.php');
        break;
Logging someone out is quite simple, really. If no session variables exist with the user ID, access level, and username, then the application knows the user is not logged in. All you need to do is purge the session variables. First you use session_start() to tell PHP you are accessing session variables. Then, you unset the session with session_unset(), which clears all the session variables, and finally you destroy the session with session_destroy(), which destroys all of the data registered to a session. All login data should be removed after calling both the session_unset() and
To create an account, all of the required fields must be filled in, and the two password fields must match (users are often required to enter their password twice when registering an account, to help prevent typing errors, and you will be implementing this in your CMS). After the incoming values are filtered, if everything is good, then you create the record in the cms_users table, automatically log the user in by setting $_SESSION['user_id'], $_SESSION['name'], and $_SESSION['access_level'], and redirect the user to cms_index.php.
    case 'Create Account':
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $password_1 = (isset($_POST['password_1'])) ? $_POST['password_1'] : '';
        $password_2 = (isset($_POST['password_2'])) ? $_POST['password_2'] : '';
        $password = ($password_1 == $password_2) ? $password_1 : '';
        if (!empty($name) && !empty($email) && !empty($password)) {
            $sql = 'INSERT INTO cms_users (email, password, name) VALUES
                ("' . mysql_real_escape_string($email, $db) . '",
                PASSWORD("' . mysql_real_escape_string($password, $db) . '"),
                "' . mysql_real_escape_string($name, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));
            session_start();
            $_SESSION['user_id'] = mysql_insert_id($db);
            $_SESSION['access_level'] = 1;
            $_SESSION['name'] = $name;
        }
        redirect('cms_index.php');
        break;
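Two things about the Login, Logout and Create Account cases deserve a closer look. The password is stored with MySQL's PASSWORD() function, an unsalted, fast hash meant for MySQL's own account table, and the session ID is never regenerated when a visitor goes from anonymous to logged in, so a session ID planted in the browser beforehand stays valid afterwards. The following is an added example, not code from the book: the same three cases rewritten with PDO prepared statements, password_hash()/password_verify() and session_regenerate_id(). It assumes a PDO connection in $db, a cms_users.password column widened to VARCHAR(255) so that a password_hash() string fits (PASSWORD() values are 41 characters), and PHP 7 or later, where the mysql_* functions no longer exist.

```php
<?php
// Added example, not the book's code: Login, Logout and Create Account with
// prepared statements and password_hash(). Assumes $db is a PDO connection
// (assumption) and cms_users.password is VARCHAR(255) so a password_hash()
// string fits (the book's PASSWORD() values are 41 characters).

function create_account(PDO $db, string $name, string $email, string $password): int
{
    // Every form value is bound; nothing from $_POST is concatenated into SQL.
    $stmt = $db->prepare(
        'INSERT INTO cms_users (email, password, name) VALUES (:email, :password, :name)'
    );
    $stmt->execute([
        ':email'    => $email,
        // Salted, deliberately slow hash instead of MySQL's unsalted PASSWORD().
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':name'     => $name,
    ]);
    return (int) $db->lastInsertId();
}

function start_user_session(int $user_id, int $access_level, string $name): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // A fresh ID on privilege change defeats session fixation, where the victim
    // was handed a session ID the attacker already knows before logging in.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user_id;
    $_SESSION['access_level'] = $access_level;
    $_SESSION['name']         = $name;
}

function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT user_id, access_level, name, password FROM cms_users WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the address is unknown, so a failed
    // login takes the same time whether or not the e-mail address is registered.
    $hash = $row ? $row['password'] : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash transparently if the default algorithm or cost changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE cms_users SET password = :hash WHERE user_id = :id');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $row['user_id'],
        ]);
    }
    start_user_session((int) $row['user_id'], (int) $row['access_level'], $row['name']);
    return true;
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];   // same effect as session_unset()
    // session_destroy() drops the server-side data but leaves the cookie in the
    // browser; expire the cookie too so the old ID is not presented again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The Create Account case would call create_account() only after confirming that password_1 equals password_2, exactly as the book does, and then start_user_session() with access level 1; the Login case calls login() and redirects to cms_index.php whether it returned true or false, so the response itself gives nothing away.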
When another user's account is modified by an administrator, all of the fields must have data. As long as they do, then the account is updated in the database, and the administrator is redirected to the cms_admin.php page:
    case 'Modify Account':
        $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        $access_level = (isset($_POST['access_level'])) ? $_POST['access_level'] : '';
        if (!empty($user_id) && !empty($name) && !empty($email) && !empty($access_level)) {
            $sql = 'UPDATE cms_users SET
                email = "' . mysql_real_escape_string($email, $db) . '",
                name = "' . mysql_real_escape_string($name, $db) . '",
                access_level = "' . mysql_real_escape_string($access_level, $db) . '"
                WHERE user_id = ' . $user_id;
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_admin.php');
        break;
If the user forgets his or her password, the user can have a new one generated and sent to the e-mail account registered in the system. Here, we suggest sending a simple plaintext e-mail, but there is no reason you can't take your wealth of knowledge from Chapter 11 and send HTML or multipart e-mail messages to your users.
You filter the incoming e-mail address and search for it in the database. If it can be found, then you know it is a registered address. Then you create a new random password, enter a subject and body for your e-mail message (including the new password), and send the message on its merry way. You assume, of course, that the user will immediately open his or her e-mail to read the password, so you conveniently redirect the user to the login page.
    case 'Send my reminder!':
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        if (!empty($email)) {
            $sql = 'SELECT email FROM cms_users
                WHERE email = "' . mysql_real_escape_string($email, $db) . '"';
            $result = mysql_query($sql, $db) or die(mysql_error($db));
            if (mysql_num_rows($result) > 0) {
                $password = strtoupper(substr(sha1(time()), rand(0, 32), 8));
                $subject = 'Comic site password reset';
                $body = 'Looks like you forgot your password, eh? No worries. ' .
                    'We\'ve reset it for you!' . "\n\n";
                $body .= 'Your new password is: ' . $password;
                mail($email, $subject, $body);
            }
            mysql_free_result($result);
        }
        redirect('cms_login.php');
        break;
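Two points in the reminder code matter to anyone deploying it. The new password is eight characters cut from sha1(time()) at an offset chosen by rand(); both inputs are predictable, so the space of candidate passwords is tiny. And the listing as reproduced here mails the new password without showing any UPDATE that stores it in cms_users. The following is an added example, not the book's code, that replaces the mailed password with a single-use, time-limited reset token: the token is generated from the CSPRNG, only its hash is stored, and the stored hash, not the mailed value, is what is later matched. It assumes a PDO connection in $db, an added table cms_password_resets (user_id, token_hash, expires_at), passwords stored with password_hash() in a VARCHAR(255) column, and a reset page in the CMS (not in the book) that receives the token and calls complete_password_reset(); all of these are assumptions.

```php
<?php
// Added example, not the book's code: password reset by single-use token.
// Assumptions: $db is a PDO connection; a table cms_password_resets
// (user_id INT, token_hash CHAR(64), expires_at DATETIME) has been added;
// passwords are stored with password_hash() in a VARCHAR(255) column; and
// $reset_url is a page of the CMS (not in the book) that asks for the new
// password and calls complete_password_reset().

const RESET_TTL_SECONDS = 3600;

function request_password_reset(PDO $db, string $email, string $reset_url): void
{
    $stmt = $db->prepare('SELECT user_id FROM cms_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user_id = $stmt->fetchColumn();

    // 256 bits from the CSPRNG, not a slice of sha1(time()) chosen with rand().
    $token = bin2hex(random_bytes(32));

    if ($user_id !== false) {
        $ins = $db->prepare(
            'INSERT INTO cms_password_resets (user_id, token_hash, expires_at)
             VALUES (:uid, :hash, :exp)'
        );
        $ins->execute([
            ':uid'  => $user_id,
            ':hash' => hash('sha256', $token),   // store a hash: a DB read must not yield live tokens
            ':exp'  => date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS),
        ]);
        $body = "Looks like you forgot your password, eh? No worries.\n\n"
              . "Use this link within an hour to choose a new one:\n"
              . $reset_url . '?token=' . $token;
        mail($email, 'Comic site password reset', $body);
    }
    // The caller redirects to cms_login.php in both branches, as the book does,
    // so the response does not reveal which addresses are registered.
}

function complete_password_reset(PDO $db, string $token, string $new_password): bool
{
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return false;                      // not something we ever issued
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM cms_password_resets
         WHERE token_hash = :hash AND expires_at > NOW()'
    );
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $user_id = $stmt->fetchColumn();
    if ($user_id === false) {
        return false;                      // unknown, already used, or expired
    }

    $db->beginTransaction();
    $db->prepare('UPDATE cms_users SET password = :hash WHERE user_id = :uid')
       ->execute([':hash' => password_hash($new_password, PASSWORD_DEFAULT), ':uid' => $user_id]);
    // Every outstanding token for this user dies with the reset, not only the one used.
    $db->prepare('DELETE FROM cms_password_resets WHERE user_id = :uid')
       ->execute([':uid' => $user_id]);
    $db->commit();
    return true;
}
```

The 'Send my reminder!' case would call request_password_reset() and then redirect to cms_login.php exactly as the book's version does; because the redirect is the same whether or not the address was found, the form cannot be used to enumerate registered e-mail addresses.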
The following code may look very familiar. It is virtually identical to the previous Modify Account case, except that this time, the user is changing his or her own data. Because of this, the access level does not get updated.
    case 'Change my info':
        session_start();
        $email = (isset($_POST['email'])) ? $_POST['email'] : '';
        $name = (isset($_POST['name'])) ? $_POST['name'] : '';
        if (!empty($name) && !empty($email) && !empty($_SESSION['user_id']))
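The Modify Account case as listed performs no session check at all before it writes, and it concatenates the POSTed user_id straight into the WHERE clause without passing it through mysql_real_escape_string(); the Change my info case is keyed on $_SESSION['user_id'] instead, which is the right idea. The following added example, not the book's code, serves both cases with one routine: the target row comes from the form only when the caller is an administrator, access_level is writable only by an administrator and only to a known value, and every value is bound. It assumes a PDO connection in $db and that access level 2 marks an administrator; the book sets 1 for new accounts but never states the administrator's value, so 2 is an assumption.

```php
<?php
// Added example, not the book's code: one routine for the Modify Account case
// (administrator editing any account) and the Change my info case (a user
// editing only their own record). Assumes $db is a PDO connection and that
// access level 2 marks an administrator; the book sets 1 for new accounts
// but never states the administrator's value, so 2 is an assumption.

const ACCESS_USER  = 1;
const ACCESS_ADMIN = 2;   // assumed value

// $session is $_SESSION and $post is $_POST; passed in so the function can be tested.
function update_account(PDO $db, array $session, array $post): bool
{
    if (empty($session['user_id'])) {
        return false;                            // not logged in
    }
    $is_admin = (int) ($session['access_level'] ?? 0) >= ACCESS_ADMIN;

    // The target account is taken from the form only for an administrator;
    // everyone else can only ever update the record their session names.
    $target_id = ($is_admin && isset($post['user_id']))
        ? (int) $post['user_id']
        : (int) $session['user_id'];

    $email = trim((string) ($post['email'] ?? ''));
    $name  = trim((string) ($post['name'] ?? ''));
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                            // same "all fields required" rule as the book
    }

    $sql    = 'UPDATE cms_users SET email = :email, name = :name';
    $params = [':email' => $email, ':name' => $name, ':id' => $target_id];

    // access_level is written only by an administrator and only to a known value.
    if ($is_admin && isset($post['access_level'])) {
        $level = (int) $post['access_level'];
        if (!in_array($level, [ACCESS_USER, ACCESS_ADMIN], true)) {
            return false;
        }
        $sql .= ', access_level = :level';
        $params[':level'] = $level;
    }
    $sql .= ' WHERE user_id = :id';

    $db->prepare($sql)->execute($params);
    return true;
}
```

Both cases then reduce to update_account($db, $_SESSION, $_POST) followed by the redirect the book already uses; a non-administrator who edits the hidden user_id field in the form simply updates his or her own record, because the posted value is never consulted for that caller.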
Try It Out Article Transactions
The previous transaction script wasn't so bad, was it? While it might seem like a lot of code, much of it is fairly simple and straightforward. You check some variables, execute some SQL queries, and then redirect the user. That's pretty much how most transactions work. Now, let's move on to the transaction file for working with articles and comments.
$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or
    die('Unable to connect. Check your connection parameters.');

    case 'Submit New Article':
        $title = (isset($_POST['title'])) ? $_POST['title'] : '';
        $article_text = (isset($_POST['article_text'])) ? $_POST['article_text'] : '';
        if (isset($_SESSION['user_id']) && !empty($title) && !empty($article_text)) {
            $sql = 'INSERT INTO cms_articles (user_id, submit_date, title, article_text)
                VALUES (' . $_SESSION['user_id'] . ', "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($title, $db) . '",
                "' . mysql_real_escape_string($article_text, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_index.php');
        break;
    case 'Edit':
        redirect('cms_compose.php?action=edit&article_id=' . $_POST['article_id']);
        break;
    case 'Save Changes':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
        $title = (isset($_POST['title'])) ? $_POST['title'] : '';
        $article_text = (isset($_POST['article_text'])) ? $_POST['article_text'] : '';
        if (!empty($article_id) && !empty($title) && !empty($article_text)) {
            $sql = 'UPDATE cms_articles SET
                title = "' . mysql_real_escape_string($title, $db) . '",
                article_text = "' . mysql_real_escape_string($article_text, $db) . '",
                submit_date = "' . date('Y-m-d H:i:s') . '"
                WHERE article_id = ' . $article_id;
            if (!empty($user_id)) {
                $sql .= ' AND user_id = ' . $user_id;
            }
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        if (empty($user_id)) {
            redirect('cms_pending.php');
        } else {
            redirect('cms_cpanel.php');
        }
        break;
    case 'Publish':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        if (!empty($article_id)) {
            $sql = 'UPDATE cms_articles SET is_published = TRUE,
                publish_date = "' . date('Y-m-d H:i:s') . '"
                WHERE article_id = ' . $article_id;
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_pending.php');
        break;
    case 'Submit Comment':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        $comment_text = (isset($_POST['comment_text'])) ? $_POST['comment_text'] : '';
        if (isset($_SESSION['user_id']) && !empty($article_id) && !empty($comment_text)) {
            $sql = 'INSERT INTO cms_comments (article_id, user_id, comment_date, comment_text)
                VALUES (' . $article_id . ', ' . $_SESSION['user_id'] . ',
                "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($comment_text, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_view_article.php?article_id=' . $article_id);
        break;
    default:
        redirect('cms_index.php');
    }
} else {
    redirect('cms_index.php');
}
?>
How It Works
As with cms_transact_user.php, you check the $_REQUEST['action'] value in cms_transact_article.php to see if a button was pressed or an action was specified in the URL, and if so, then you act on it accordingly with the appropriate branch of a switch statement. The user is redirected to the main index page if no action was passed or if the action was not recognized by cms_transact_article.php.
if (isset($_REQUEST['action'])) {
    switch ($_REQUEST['action']) {
        default:
            redirect('cms_index.php');
    }
} else {
    redirect('cms_index.php');
}
Your first case handles the adding of a new article to the database. You first ensure that the title and the article's body were both passed to the script and that the user is logged in (tested by the presence of $_SESSION['user_id']). Then, you insert the article into the database, including the user's ID as the article's author and the current date as its submission date.
    case 'Submit New Article':
        $title = (isset($_POST['title'])) ? $_POST['title'] : '';
        $article_text = (isset($_POST['article_text'])) ? $_POST['article_text'] : '';
        if (isset($_SESSION['user_id']) && !empty($title) && !empty($article_text)) {
            $sql = 'INSERT INTO cms_articles (user_id, submit_date, title, article_text)
                VALUES (' . $_SESSION['user_id'] . ', "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($title, $db) . '",
                "' . mysql_real_escape_string($article_text, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_index.php');
        break;
Handling the Edit case is simple. The cms_compose.php page will be set up to retrieve an article and preload it into the title and body fields, if the appropriate data is supplied in the URL. You simply need to append action=edit and article_id=nn to the address.
    case 'Edit':
        redirect('cms_compose.php?action=edit&article_id=' . $_POST['article_id']);
        break;
To save changes to an article, you take in and filter the article's ID, the author's user ID, the article's title, and the body text (only the title and body are escaped; the two IDs go into the query as they arrived). If $user_id has a value, then you know a user is editing his or her own document, and you must add a condition to the SQL statement matching that ID. You then redirect the user either to the control panel, if the user is editing his or her own article, or to the review page, if the user is a moderator editing someone else's article.
    case 'Save Changes':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        $user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';
        $title = (isset($_POST['title'])) ? $_POST['title'] : '';
        $article_text = (isset($_POST['article_text'])) ? $_POST['article_text'] : '';
        if (!empty($article_id) && !empty($title) && !empty($article_text)) {
            $sql = 'UPDATE cms_articles SET
                title = "' . mysql_real_escape_string($title, $db) . '",
                article_text = "' . mysql_real_escape_string($article_text, $db) . '",
                submit_date = "' . date('Y-m-d H:i:s') . '"
                WHERE article_id = ' . $article_id;
            if (!empty($user_id)) {
                $sql .= ' AND user_id = ' . $user_id;
            }
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        if (empty($user_id)) {
            redirect('cms_pending.php');
        } else {
            redirect('cms_cpanel.php');
        }
        break;
In the Publish case, you accept and filter the article's ID, and then modify its record in the database to set the status and publication date.
    case 'Publish':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        if (!empty($article_id)) {
            $sql = 'UPDATE cms_articles SET is_published = TRUE,
                publish_date = "' . date('Y-m-d H:i:s') . '"
                WHERE article_id = ' . $article_id;
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_pending.php');
        break;
The Retract case is actually quite similar to the Publish case preceding it, only this time, after checking the article ID, you set is_published to false and clear out the publish_date field. Retracting an article in this case simply returns it to its prepublished state.
    case 'Retract':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        if (!empty($article_id)) {
            $sql = 'UPDATE cms_articles SET is_published = FALSE,
                publish_date = "0000-00-00 00:00:00"
                WHERE article_id = ' . $article_id;
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_pending.php');
        break;
To delete an article, you check to see that an article ID was passed and then use it to delete the appropriate record. You use a JOIN in your query so you can delete any comments that have been made on the article as well.
    case 'Delete':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        if (!empty($article_id)) {
            $sql = 'DELETE a, c FROM cms_articles a
                LEFT JOIN cms_comments c ON a.article_id = c.article_id
                WHERE a.article_id = ' . $article_id . ' AND is_published = FALSE';
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_pending.php');
        break;
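Looking across Save Changes, Publish, Retract and Delete, the ownership test in Save Changes is driven by a user_id that arrives in the form post, so whoever submits the form chooses which condition is added; Publish, Retract and Delete do no ownership or role check in the listing; and all four concatenate $article_id into the WHERE clause without escaping it, while only title and body go through mysql_real_escape_string(). The following added example, not the book's code, takes the authorization decision from the session instead of from the form and binds article_id as a validated integer. It assumes a PDO connection in $db, that a moderator is anyone whose access_level is at least MODERATOR_LEVEL (the book never states the number, so 2 is an assumption), and that publish_date is nullable. The same binding approach applies unchanged to Submit New Article and Submit Comment.

```php
<?php
// Added example, not the book's code: Save Changes, Publish, Retract and
// Delete with the authorization decision taken from the session instead of a
// POSTed user_id, and article_id bound as an integer. Assumptions: $db is a
// PDO connection; a moderator is anyone with access_level >= MODERATOR_LEVEL
// (the book never states the number); publish_date is nullable.

const MODERATOR_LEVEL = 2;   // assumed value

function is_moderator(array $session): bool
{
    return (int) ($session['access_level'] ?? 0) >= MODERATOR_LEVEL;
}

// Reject anything that is not a positive integer before any query runs.
function article_id_from_post(array $post): ?int
{
    $id = filter_var($post['article_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Moderators may act on any article; an author only on their own, and only
// while it is still unpublished (the same condition the book's Delete uses).
function may_edit_article(PDO $db, array $session, int $article_id): bool
{
    if (empty($session['user_id'])) {
        return false;
    }
    if (is_moderator($session)) {
        return true;
    }
    $stmt = $db->prepare(
        'SELECT 1 FROM cms_articles
         WHERE article_id = :id AND user_id = :uid AND is_published = FALSE'
    );
    $stmt->execute([':id' => $article_id, ':uid' => (int) $session['user_id']]);
    return $stmt->fetchColumn() !== false;
}

function save_changes(PDO $db, array $session, int $article_id, string $title, string $text): bool
{
    if ($title === '' || $text === '' || !may_edit_article($db, $session, $article_id)) {
        return false;
    }
    $db->prepare(
        'UPDATE cms_articles SET title = :title, article_text = :text, submit_date = NOW()
         WHERE article_id = :id'
    )->execute([':title' => $title, ':text' => $text, ':id' => $article_id]);
    return true;
}

// Publish (true) or retract (false); moderators only.
function set_published(PDO $db, array $session, int $article_id, bool $published): bool
{
    if (!is_moderator($session)) {
        return false;
    }
    $sql = $published
        ? 'UPDATE cms_articles SET is_published = TRUE,  publish_date = NOW() WHERE article_id = :id'
        : 'UPDATE cms_articles SET is_published = FALSE, publish_date = NULL  WHERE article_id = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => $article_id]);
    return $stmt->rowCount() > 0;
}

function delete_article(PDO $db, array $session, int $article_id): bool
{
    if (!may_edit_article($db, $session, $article_id)) {
        return false;
    }
    // Two bound statements in one transaction replace the multi-table DELETE.
    $db->beginTransaction();
    $db->prepare('DELETE FROM cms_comments WHERE article_id = :id')->execute([':id' => $article_id]);
    $stmt = $db->prepare('DELETE FROM cms_articles WHERE article_id = :id AND is_published = FALSE');
    $stmt->execute([':id' => $article_id]);
    $db->commit();
    return $stmt->rowCount() > 0;
}
```

Each case then begins with $article_id = article_id_from_post($_POST) and redirects to cms_index.php when that returns null; the redirect target after a successful call can still be chosen from is_moderator($_SESSION), which replaces the book's test of whether a user_id was posted.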
The final case handles adding new comments. In the Submit Comment case, you insert the referenced article's ID, the user ID of the individual writing the comment, the date the comment was written, and finally the comment text itself. Afterwards, you redirect the user back to the article, so he or she can see the newly saved comment.
    case 'Submit Comment':
        $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
        $comment_text = (isset($_POST['comment_text'])) ? $_POST['comment_text'] : '';
        if (isset($_SESSION['user_id']) && !empty($article_id) && !empty($comment_text)) {
            $sql = 'INSERT INTO cms_comments (article_id, user_id, comment_date, comment_text)
                VALUES (' . $article_id . ', ' . $_SESSION['user_id'] . ',
                "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($comment_text, $db) . '")';
            mysql_query($sql, $db) or die(mysql_error($db));
        }
        redirect('cms_view_article.php?article_id=' . $article_id);
        break;
Whew! We hope you aren't getting bummed out that you've done all this coding and don't have anything to show in a browser yet! You've created your reusable functions and transaction pages, but haven't yet actually seen any real on-screen functionality. Well, now's your chance. In this section, we're going to be creating the scripts that make up the various user interface screens. Dust off your browser, and let's get started!
General Functionality
The first group of files you'll be creating here is going to provide general user access to the site. Scripts similar to these are found on many sites across the Internet, so you'll probably be familiar with their functionality.
Try It Out Main Index/Login Screen
The first scripts you're going to code will deal with the actions of a user visiting the site, logging in, requesting a new password, and creating a new account.
<td><label for="email">Email Address:</label></td>
<td><input type="text" id="email" name="email" maxlength="100"/></td>
</tr>
<tr>
<td><label for="password">Password:</label></td>
<td><input type="password" id="password" name="password" maxlength="20"/></td>
<h1>Email Password Reminder</h1>
<p>Forgot your password? Just enter your email address, and we'll email you a new one!</p>
<form method="post" action="cms_transact_user.php">
<div>
<label for="email">Email Address:</label>
<input type="text" id="email" name="email" maxlength="100"/>
<input type="submit" name="action" value="Send my reminder!"/>
</div>
</form>
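Both forms post to cms_transact_user.php, and the transaction scripts dispatch on $_REQUEST['action'], which takes the action from a GET query string or a cookie just as readily as from a posted form; nothing in the forms ties a submission to the session that rendered them. The following added example, not the book's code, adds a per-session CSRF token to the forms and the check a transaction script runs before its switch. It assumes a session is started on every page (cms_header.inc.php, which the index page includes, is the natural place; this is an assumption about the CMS).

```php
<?php
// Added example, not the book's code: a per-session CSRF token for the forms
// above and the check a transaction script runs before its switch. Assumes a
// session is started on every page (cms_header.inc.php, which the index page
// includes, is the natural place; this is an assumption about the CMS).

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '"/>';
}

// Returns the action name only for a POST that carries the session's token.
// A GET such as cms_transact_user.php?action=Logout, which $_REQUEST would
// have accepted, returns null and the caller redirects as for a missing action.
function verified_post_action(): ?string
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !isset($_POST['action'])) {
        return null;
    }
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        return null;   // constant-time comparison; no hint about which byte differed
    }
    return (string) $_POST['action'];
}
```

In cms_login.php, echo csrf_field() inside each form next to the submit button. In cms_transact_user.php and cms_transact_article.php, the wrapper if (isset($_REQUEST['action'])) { switch ($_REQUEST['action']) becomes $action = verified_post_action(); followed by a redirect to cms_index.php when $action is null and switch ($action) otherwise; the individual cases are unchanged.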
include 'cms_header.inc.php';
$sql = 'SELECT article_id FROM cms_articles
    WHERE is_published = TRUE
    ORDER BY publish_date DESC';
$result = mysql_query($sql, $db);
if (mysql_num_rows($result) == 0) {
    echo '<p><strong>There are currently no articles to view.</strong></p>';
} else {
    while ($row = mysql_fetch_array($result)) {
        output_story($db, $row['article_id'], TRUE);
    }
}
5. Click the Login link on the page, and cms_login.php will open next in your browser (Figure 13-2). Enter the e-mail address and password you previously stored in the database with db_ch13.php, and click the Login button.
Figure 13-2
You should now see the cms_index.php page again, but this time you will see the new menu options that are available. This is shown in Figure 13-3.