
}

?>

■ Caution You may want to include a time limit for tokens to increase security further. Making sure a token is no older than 20 minutes, for instance, helps prevent a user from leaving a computer unattended and having a mischievous user start poking around later. For more information on tokens and preventing CSRF, visit Chris Shiflett's blog and read his article on the topic at http://shiflett.org/csrf.

Creating a File to Display the Form

Now that the method exists to display the form, you need to create a file that will call that method. This file will be called admin.php, and it will reside in the root level of the public folder (/public/admin.php). Similar to view.php, this file accomplishes the following:

• Loads the initialization file
• Sets up a page title and CSS file array
• Includes the header
• Creates a new instance of the Calendar class
• Calls the displayForm() method
• Includes the footer

Next, add the following inside the new admin.php file:

<?php

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * Output the header
 */
$page_title = "Add/Edit Event";
$css_files = array("style.css");
include_once 'assets/common/header.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);

?>

<div id="content">
    <?php echo $cal->displayForm(); ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>

After saving this code, navigate to http://localhost/admin.php to see the resulting form (see Figure 5-1).

Figure 5-1. The form before adding any CSS styles

Adding a New Stylesheet for Administrative Features

Obviously, the preceding form needs some visual enhancement to make it more usable. However, this form will ultimately be accessible only to administrators (because you don't want just anyone making changes to your calendar), so the CSS rules will be separated out into their own stylesheet called admin.css. You can find this file in the css folder (/public/assets/css/).

Again, since this book is not about CSS, the rules won't be explained. Essentially, the following CSS makes the form elements look more like what your user expects a form to look like; it also adds a couple of rules for elements that will be created shortly.

Now add the following code into admin.css:

fieldset {
    border: 0;
}

legend {
    font-size: 24px;
    font-weight: bold;
}

input[type=text],input[type=password],label {
    display: block;
    width: 70%;
    font-weight: bold;
}

textarea {
    width: 99%;
    height: 200px;
}

input[type=text],input[type=password],textarea {
    border: 1px solid #123;
    -moz-border-radius: 6px;
    -webkit-border-radius: 6px;
    border-radius: 6px;
    -moz-box-shadow: inset 1px 2px 4px #789;
    -webkit-box-shadow: inset 1px 2px 4px #789;
    box-shadow: inset 1px 2px 4px #789;
    padding: 4px;
    margin: 0 0 4px;
    font-size: 16px;
    font-family: georgia, serif;
}

input[type=submit] {
    margin: 4px 0;
    padding: 4px;
    border: 1px solid #123;
    -moz-border-radius: 6px;
    -webkit-border-radius: 6px;
    border-radius: 6px;
    -moz-box-shadow: inset -2px -1px 3px #345,
        inset 1px 1px 3px #BCF,
        1px 2px 6px #789;
    -webkit-box-shadow: inset -2px -1px 3px #345,
        inset 1px 1px 3px #BCF,
        1px 2px 6px #789;
    box-shadow: inset -2px -1px 3px #345,
        inset 1px 1px 3px #BCF,
        1px 2px 6px #789;
    background-color: #789;
    font-family: georgia, serif;
    text-transform: uppercase;
    font-weight: bold;
    font-size: 14px;
    text-shadow: 0px 0px 1px #fff;
}

.admin-options {
    text-align: center;
}

.admin-options form,.admin-options p {
    display: inline;
}

a.admin {
    display: inline-block;
    margin: 4px 0;
    padding: 4px;
    border: 1px solid #123;
    -moz-border-radius: 6px;
    -webkit-border-radius: 6px;
    border-radius: 6px;
    -moz-box-shadow: inset -2px -1px 3px #345, inset 1px 1px 3px #BCF,
        1px 2px 6px #789;
    -webkit-box-shadow: inset -2px -1px 3px #345, inset 1px 1px 3px #BCF,
        1px 2px 6px #789;
    box-shadow: inset -2px -1px 3px #345,
        inset 1px 1px 3px #BCF,
        1px 2px 6px #789;
    background-color: #789;
    color: black;
    text-decoration: none;
    font-family: georgia, serif;
    text-transform: uppercase;
    font-weight: bold;
    font-size: 14px;
    text-shadow: 0px 0px 1px #fff;
}


Save this file, then add admin.css to the $css_files array in admin.php; the only change from the earlier listing is the $css_files line:

<?php

/*
 * Include necessary files
 */
include_once '../sys/core/init.inc.php';

/*
 * Output the header
 */
$page_title = "Add/Edit Event";
$css_files = array("style.css", "admin.css");
include_once 'assets/common/header.inc.php';

/*
 * Load the calendar
 */
$cal = new Calendar($dbo);

?>

<div id="content">
    <?php echo $cal->displayForm(); ?>
</div><!-- end #content -->

<?php

/*
 * Output the footer
 */
include_once 'assets/common/footer.inc.php';

?>

After saving the preceding code, reload http://localhost/admin.php to see the styled form (see Figure 5-2).


Figure 5-2. The form to add or edit events after applying CSS styles

Saving New Events in the Database

To save events entered in the form, you create a new method in the Calendar class called processForm() that accomplishes the following:

• Sanitizes the data passed from the form via POST
• Determines whether an event is being edited or created
• Generates an INSERT statement if no event is being edited, or an UPDATE statement if an event ID was posted
• Creates a prepared statement and binds the parameters
• Executes the query and returns TRUE, or the error message on failure

The following code creates the processForm() method in the Calendar class:

<?php

class Calendar extends DB_Connect
{

    private $_useDate;
    private $_m;
    private $_y;
    private $_daysInMonth;
    private $_startDay;

    public function __construct($dbo=NULL, $useDate=NULL) { }

    public function buildCalendar() { }

    public function displayEvent($id) { }

    public function displayForm() { }

    /**
     * Validates the form and saves/edits the event
     *
     * @return mixed TRUE on success, an error message on failure
     */
    public function processForm()
    {
        /*
         * Exit if the action isn't set properly
         */
        if ( $_POST['action']!='event_edit' )
        {
            return "The method processForm was accessed incorrectly";
        }

        /*
         * Escape data from the form
         */
        $title = htmlentities($_POST['event_title'], ENT_QUOTES);
        $desc = htmlentities($_POST['event_description'], ENT_QUOTES);
        $start = htmlentities($_POST['event_start'], ENT_QUOTES);
        $end = htmlentities($_POST['event_end'], ENT_QUOTES);

        /*
         * If no event ID passed, create a new event
         */
        if ( empty($_POST['event_id']) )
        {
            $sql = "INSERT INTO `events`
                        (`event_title`, `event_desc`, `event_start`,
                            `event_end`)
                    VALUES
                        (:title, :description, :start, :end)";
        }

        /*
         * Update the event if it's being edited
         */
        else
        {
            /*
             * Cast the event ID as an integer for security
             */
            $id = (int) $_POST['event_id'];
            $sql = "UPDATE `events`
                    SET
                        `event_title`=:title,
                        `event_desc`=:description,
                        `event_start`=:start,
                        `event_end`=:end
                    WHERE `event_id`=$id";
        }

        /*
         * Execute the create or edit query after binding the data
         */
        try
        {
            $stmt = $this->db->prepare($sql);
            $stmt->bindParam(":title", $title, PDO::PARAM_STR);
            $stmt->bindParam(":description", $desc, PDO::PARAM_STR);
            $stmt->bindParam(":start", $start, PDO::PARAM_STR);
            $stmt->bindParam(":end", $end, PDO::PARAM_STR);
            $stmt->execute();
            $stmt->closeCursor();
            return TRUE;
        }
        catch ( Exception $e )
        {
            return $e->getMessage();
        }
    }

    private function _loadEventData($id=NULL) { }

    private function _createEventObj() { }

    private function _loadEventById($id) { }

}

?>
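As an added example that is not the book's code, the following variant of the save step validates the posted dates before they reach the database and binds the event ID as a parameter instead of interpolating the cast value into the UPDATE. It assumes the book's `events` table, the form's POST field names, a PDO handle `$db`, and that the form posts dates as YYYY-MM-DD HH:MM:SS; unlike processForm() it stores the text as typed and leaves HTML escaping to the display code.

```php
<?php
// Added example (not the book's code): validate the posted event fields, then
// save them with every value, including the event ID, bound as a parameter.
// Assumes the book's `events` table and the POST field names of the form.
// Returns the DateTime for an exact 'YYYY-MM-DD HH:MM:SS' string, else null. The
// round-trip check rejects '2010-02-30 10:00:00', which createFromFormat() would
// otherwise roll over into March without complaint.
function parseEventDate(string $s): ?DateTime
{
    $fmt = 'Y-m-d H:i:s';
    $dt = DateTime::createFromFormat($fmt, $s);
    return ($dt && $dt->format($fmt) === $s) ? $dt : null;
}
// Same contract as the book's processForm(): TRUE, or a user-safe message
function saveEvent(PDO $db, array $post)
{
    $title = trim($post['event_title'] ?? '');
    $desc  = trim($post['event_description'] ?? '');
    $start = parseEventDate($post['event_start'] ?? '');
    $end   = parseEventDate($post['event_end'] ?? '');
    if ($title === '') {
        return 'A title is required';
    }
    if ($start === null || $end === null || $end < $start) {
        return 'Dates must be YYYY-MM-DD HH:MM:SS, and the end must not precede the start';
    }
    $id = (int) ($post['event_id'] ?? 0);
    // The UPDATE binds :id rather than interpolating the cast value
    $sql = $id === 0
        ? "INSERT INTO `events` (`event_title`, `event_desc`, `event_start`, `event_end`)
           VALUES (:title, :description, :start, :end)"
        : "UPDATE `events` SET `event_title`=:title, `event_desc`=:description,
           `event_start`=:start, `event_end`=:end WHERE `event_id`=:id";
    try {
        $stmt = $db->prepare($sql);
        // Store the text as typed; escape it with htmlentities() when displayed
        $stmt->bindValue(':title', $title, PDO::PARAM_STR);
        $stmt->bindValue(':description', $desc, PDO::PARAM_STR);
        $stmt->bindValue(':start', $start->format('Y-m-d H:i:s'), PDO::PARAM_STR);
        $stmt->bindValue(':end', $end->format('Y-m-d H:i:s'), PDO::PARAM_STR);
        if ($id !== 0) {
            $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        }
        $stmt->execute();
        return TRUE;
    } catch (PDOException $e) {
        error_log($e->getMessage());   // keep driver details out of the browser
        return 'The event could not be saved';
    }
}
```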


Adding a Processing File to Call the Processing Method

The form to add and edit events is submitted to a file called process.inc.php, which is located in the inc folder (/public/assets/inc/process.inc.php). This file checks the submitted form data and saves or updates entries by performing the following steps:

1. Enables the session
2. Includes the database credentials and the Calendar class
3. Defines constants (as occurs in the initialization file)
4. Creates an array that stores information about each action
5. Verifies that the token was submitted and is correct, and that the submitted action exists in the lookup array. If so, go to Step 6. If not, go to Step 7.
6. Creates a new instance of the Calendar class, calls the processForm() method, and sends the user back to the main view (or outputs an error on failure)
7. Sends the user back out to the main view with no action if the token doesn't match

The array created in Step 4 allows you to avoid a long, repetitive string of if-elseif blocks to test for each individual action. Using the action as the array key and storing the object, method name, and page to which the user should be redirected as array values means that you can write a single block of logic using the variables from the array.

Insert the following code into process.inc.php to complete the steps just described:

<?php

/*
 * Enable sessions
 */
session_start();

/*
 * Include necessary files
 */
include_once '../../../sys/config/db-cred.inc.php';

/*
 * Define constants for config info
 */
foreach ( $C as $name => $val )
{
    define($name, $val);
}

/*
 * Create a lookup array for form actions
 */
$actions = array(
        'event_edit' => array(
                'object' => 'Calendar',
                'method' => 'processForm',
                'header' => 'Location: ../../'
            )
    );

/*
 * Make sure the anti-CSRF token was passed and that the
 * requested action exists in the lookup array
 */
if ( $_POST['token']==$_SESSION['token']
        && isset($actions[$_POST['action']]) )
{
    $use_array = $actions[$_POST['action']];
    $obj = new $use_array['object']($dbo);
    // The braces around the method name keep this call working on PHP 7+,
    // where $obj->$use_array['method']() is parsed differently than on PHP 5
    if ( TRUE === ($msg = $obj->{$use_array['method']}()) )
    {
        header($use_array['header']);
        exit;
    }
    else
    {
        // If an error occurred, output it and end execution
        die ( $msg );
    }
}
else
{
    // Redirect to the main index if the token/action is invalid
    header("Location: ../../");
    exit;
}

// __autoload() was removed in PHP 8; on current PHP, register this same
// function with spl_autoload_register() before the dispatch code above
function __autoload($class_name)
{
    $filename = '../../../sys/class/class.'
            . strtolower($class_name) . '.inc.php';
    if ( file_exists($filename) )
    {
        include_once $filename;
    }
}

?>
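The token check above compares $_POST['token'] to the session copy with == and never expires it, which is exactly what the earlier Caution about a time limit addresses. As an added example (not the book's code), the helpers below issue a token that records when it was created and verify it with a constant-time comparison plus the 20-minute age limit the Caution suggests; they assume the form still posts the token as $_POST['token'], that $actions is the lookup array from process.inc.php, and that init.inc.php regenerates a token when the session has none.

```php
<?php
// Added example, not the book's code: a session token that records when it was
// issued, verified with a constant-time comparison and the 20-minute age limit
// the caution above suggests. Assumes the form posts it as $_POST['token'] and
// that init.inc.php regenerates a token when none is in the session.

const TOKEN_MAX_AGE = 20 * 60;   // seconds

// Issue a fresh token; call after session_start(), before rendering the form
function issueToken(array &$session, int $now): string
{
    $session['token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $session['token_time'] = $now;
    return $session['token'];
}

// True only if a token was posted, it matches the session copy and it is no
// older than TOKEN_MAX_AGE. $session and $now are parameters so the check can
// be exercised without a live session.
function tokenIsValid(array $post, array $session, int $now): bool
{
    $posted = $post['token'] ?? null;
    $stored = $session['token'] ?? null;
    $issued = $session['token_time'] ?? null;
    if (!is_string($posted) || !is_string($stored) || !is_int($issued)) {
        return false;
    }
    // hash_equals() compares strictly (no "0e123" == "0" surprises from ==)
    // and does not leak how many leading bytes matched through timing
    if (!hash_equals($stored, $posted)) {
        return false;
    }
    return ($now - $issued) <= TOKEN_MAX_AGE;
}

// How the check at the top of process.inc.php reads with the helper in place;
// $actions is the lookup array defined in that file
session_start();
if (tokenIsValid($_POST, $_SESSION, time())
        && isset($actions[$_POST['action'] ?? ''])) {
    // Discard the token once it has been used, so a replayed POST is rejected
    unset($_SESSION['token'], $_SESSION['token_time']);
    // ... instantiate the object and call the method as the book does ...
} else {
    header('Location: ../../');
    exit;
}
```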
