
PHP for Absolute Beginners PART 9 ppt




DOCUMENT INFORMATION

Basic information

Title: Adding A Commenting System To Your Blog
School: WoweBook
Subject: PHP Programming
Type: article
Format:
Pages: 41
Size: 1.18 MB


Contents


{
    // If set, store the entry from which we came
    $loc = isset($_POST['url']) ? $_POST['url'] : '/';

    // If the user clicked "Yes", continue with deletion
    if($_POST['confirm'] == "Yes")
    {
        // Include and instantiate the Comments class
        include_once 'comments.inc.php';
        $comments = new Comments();

        // Delete the comment and return to the entry


At this point, you can delete comments from the database, thus removing them from your entry display. You can test this out by deleting your test comment. Navigate in a browser to the entry on which you entered the comment, then click the delete link. Next, click Yes to confirm that you want to delete the comment. This takes you back to the entry, but the comment is no longer there. Instead, you see the default message: “There are no comments for this entry” (see Figure 10-6).

Figure 10-6. After deleting your test comment, you see this default message.

Summary

In this chapter, you learned how to add an interactive element to your blog by allowing users to comment on your blog entries. In doing so, you also learned a little more about object-oriented programming.

In the next chapter, you’ll learn how to build a login system that lets you hide administrative controls from users who aren’t logged in, giving you better control over your blog.


Adding Password Protection to Administrative Links

One of the last things you need to add before you can call your blog “web-ready” is to hide the administrative links from users who aren’t authorized to view them. In this chapter, you’ll learn how to build a system that lets you create administrators and require them to log in with a password before they can create, edit, and delete entries on the blog.

Creating this system requires that you master the following tasks:

• Adding an admin table to the simple_blog database

• Building a function to place administrators in the admin table

• Using sessions to hide controls from unauthorized users

• Creating a login form that allows administrators to log in to the blog

• Writing code to check submitted form data and display its controls if valid

Adding an admin Table to the Database

Enabling administrators for your site requires that you create a table to store their information. This simple table, admin, stores the following information:

• username: The administrator’s login name

• password: The administrator’s password

Your username needs to be unique, so make it the table’s primary key. Specify both fields as VARCHAR, limit the username to 75 characters, and limit the password to 40 characters.

To create the admin table, navigate to http://localhost/phpmyadmin in a browser and open the SQL tab. Enter the following command to create your table:

CREATE TABLE simple_blog.admin
(
    username VARCHAR(75) PRIMARY KEY,
    password VARCHAR(40)
)


Adding Administrators in the Database

You have a place to store administrators; now you’re ready to start creating them. Your first step is to create an HTML form that allows you to enter a username and password. Once you accomplish this, you need to store the information in the database for later use.

Building an HTML Form

To build your HTML form, you need to write a new function, named createUserForm(). When called, this function returns a string of HTML that displays a form asking for a username and password for the new admin.

You can add the code in bold to functions.inc.php to make the createUserForm() function:

<input type="submit" name="submit" value="Create" />
<input type="submit" name="submit" value="Cancel" />
<input type="hidden" name="action" value="createuser" />

To make this URL call the createUserForm() function, you need to add an if block to admin.php that triggers when the $page variable, which you use to determine what page is being edited, is set to createuser.

Next, modify admin.php with the code in bold to incorporate the new form into your blog:

<?php
/*
 * Include the necessary files
 */
include_once 'inc/functions.inc.php';
include_once 'inc/db.inc.php';

// Open a database connection
$db = new PDO(DB_INFO, DB_USER, DB_PASS);

    // Set the legend of the form
    $legend = "Edit This Entry";
    $e = retrieveEntries($db, $page, $url);

    // Set the legend
    $legend = "New Entry Submission";

    // Set the variables to null if not editing

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<link rel="stylesheet" href="/simple_blog/css/default.css" type="text/css" />
<title> Simple Blog </title>
</head>
<body>
<h1> Simple Blog Application </h1>


Figure 11-1. The form you use to create site administrators.

Saving New Administrators in the Database

You submit your form to update.inc.php with a hidden input named action that sends the value createuser. To store administrators created through your createUserForm() HTML form, you need to modify update.inc.php to catch form information with an action of createuser.


You need to prepare an SQL statement that places the username and password into the admin table. Do this only after you ensure that the form was sent using the POST method, that the action is set to createuser, and that the username and password inputs were not submitted with empty values.

Dealing with Passwords

You need to take extra precautions now that you’re dealing with passwords. Passwords are sensitive information, and you do not want to store a password as plain text in the database. Fortunately, both PHP and MySQL provide means for encrypting strings.

For the blog, you can use SHA1(), which is a basic encryption algorithm. Calling SHA1() on a string returns a 40-character string that is difficult to decode.

Note: For more information on encrypting passwords, look up the PHP manual entries on md5() and sha1().

Saving the Admin

To save the admin information, you need to include the database credentials and open a new connection to your database.

The SQL statement you use for this is a standard insert, except that you need to use MySQL’s built-in support for creating SHA1 hashes. After you insert the new entry into the table, you send the user back to the default blog home page.

In update.inc.php, insert the following code in bold just before the last else block:

// If an admin is being created, save it here
else if($_SERVER['REQUEST_METHOD'] == 'POST'
    && $_POST['action'] == 'createuser'
    && !empty($_POST['username']) && !empty($_POST['password']))
{
    include_once 'db.inc.php';
    $db = new PDO(DB_INFO, DB_USER, DB_PASS);
    $sql = "INSERT INTO admin (username, password) VALUES(?, SHA1(?))";
    $db->prepare($sql)->execute(array($_POST['username'], $_POST['password']));
    header('Location: /simple_blog/');  // Back to the blog home page
    exit;
}


You can now save new administrators to your admin table. Navigate to http://localhost/simple_blog/admin/createuser in a browser and create a new user with the username of admin and the password of admin. Now click the Create button, navigate to http://localhost/phpmyadmin in a browser, select the simple_blog database and the admin table, then click the Browse tab. Your administrator is now saved in the table, and the password is saved as an encrypted hash (see Figure 11-2).

Figure 11-2. Your first administrator.
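Added example, not the book's code: the createuser branch described in this section written as a function, first with MySQL's SHA1() exactly as the chapter does, then with PHP's password_hash(), which is what a practitioner would use for password storage today because it salts and stretches each hash, so a plain 40-character SHA1 value cannot be matched against precomputed tables. It assumes db.inc.php defines DB_INFO, DB_USER and DB_PASS as on the page; the function names are mine.

```php
<?php
// Added example (not the book's code). Assumes db.inc.php defines
// DB_INFO, DB_USER and DB_PASS and that the admin table exists.
include_once 'db.inc.php';

// Version A: what the chapter describes. MySQL's SHA1() hashes the
// password on the server; the placeholders keep user input out of
// the SQL text, so the username is never spliced into the query.
function createAdminSha1(PDO $db, $username, $password)
{
    $sql = "INSERT INTO admin (username, password) VALUES (?, SHA1(?))";
    $stmt = $db->prepare($sql);
    return $stmt->execute(array($username, $password));
}

// Version B: the hardened form. password_hash() salts and stretches
// the hash in PHP, so two admins with the same password get different
// stored values. The admin.password column must be widened (for
// example VARCHAR(255)) to hold the longer hash.
function createAdminHashed(PDO $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $sql = "INSERT INTO admin (username, password) VALUES (?, ?)";
    $stmt = $db->prepare($sql);
    return $stmt->execute(array($username, $hash));
}

// Request handling, guarded the way update.inc.php guards it:
// POST only, action must be createuser, both fields non-empty.
if ($_SERVER['REQUEST_METHOD'] == 'POST'
    && isset($_POST['action']) && $_POST['action'] == 'createuser'
    && !empty($_POST['username']) && !empty($_POST['password'])) {
    $db = new PDO(DB_INFO, DB_USER, DB_PASS);
    // Throw on errors, e.g. a duplicate username (primary key)
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    createAdminHashed($db, $_POST['username'], $_POST['password']);
    header('Location: /simple_blog/');
    exit;
}
```

If you switch to version B, the login check must use password_verify() against the stored hash instead of comparing SHA1() values.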


Hiding Controls from Unauthorized Users

You can use sessions to keep track of which users are authorized to view administrative links on your blog. A session allows the user to log in once, then navigate anywhere on the site without losing his administrative privileges.

Note: For a refresher on how sessions work, refer to the section on sessions in Chapter 3.

Your first task is to wrap all administrative links in an if block; this ensures that a session variable is set for the current user. Call your session variable loggedin and store it in the $_SESSION['loggedin'] variable.

Modifying index.php

Your next task is to hide all the admin links in index.php from unauthorized users. You need to enable sessions, which you can accomplish in a couple of steps: call session_start(), then wrap all the admin links in your check for the $_SESSION['loggedin'] variable. Now modify index.php with the code in bold to make your changes:

// Open a database connection
$db = new PDO(DB_INFO, DB_USER, DB_PASS);

// Figure out what page is being requested (default is blog)

// Determine if an entry URL was passed
$url = (isset($_GET['url'])) ? $_GET['url'] : NULL;

// Load the entries
$e = retrieveEntries($db, $page, $url);

// Get the fulldisp flag and remove it from the array

<link rel="alternate" type="application/rss+xml"
    title="My Simple Blog - RSS 2.0"

// If the full display flag is set, show the entry
if($fulldisp==1)
{
    // Get the URL if one wasn't passed
    $url = (isset($url)) ? $url : $e['url'];

    if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == 1) {
        // Build the admin links
        $admin = adminLinks($page, $url);

    // Format the image if one exists
    $img = formatImage($e['image'], $e['title']);

<?php if($page=='blog'): ?>
    <p class="backlink">
        <a href="./">Back to Latest Entries</a>
    </p>
    <h3> Comments for This Entry </h3>
    <?php echo $comment_disp, $comment_form; endif; ?>
<?php
} // End the if statement

// If the full display flag is 0, format linked entry titles

    } // End the foreach loop
} // End the else

<a href="/simple_blog/admin/<?php echo $page ?>">
    Post a New Entry


Modifying comments.inc.php

Next, you want to hide the delete link on any posted comments from unauthorized users. You can do this by modifying the Comments class in comments.inc.php.

The only method you need to modify in the Comments class is showComments(). Add your session check by inserting the code in bold into showComments():

// Generates HTML markup for displaying comments
public function showComments($blog_id)

    // Prevent empty fields if no comments exist
    if(!empty($c['date']) && !empty($c['name']))
    {
        // Outputs similar to: July 8, 2009 at 4:39PM
        $format = "F j, Y \a\\t g:iA";

        // Convert $c['date'] to a timestamp, then format
        $date = date($format, strtotime($c['date']));

        // Generate a byline for the comment

        // Generate delete link for the comment display
        $admin = "<a href=\"/simple_blog/inc/update.inc.php"


Modifying admin.php

None of the actions performed by this page should be available to unauthorized users, so you want to require authorization before any of the functionality of admin.php can be accessed. Doing this is as simple as wrapping the entire page in a conditional statement.

Modify admin.php by adding the code in bold:

<?php
session_start();

// If the user is logged in, we can continue
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin']==1):

// Open a database connection
$db = new PDO(DB_INFO, DB_USER, DB_PASS);

    // Set the legend of the form
    $legend = "Edit This Entry";
    $e = retrieveEntries($db, $page, $url);

    // Set the legend
    $legend = "New Entry Submission";

    // Set the variables to null if not editing

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<link rel="stylesheet" href="/simple_blog/css/default.css" type="text/css" />
<title> Simple Blog </title>

<input type="text" name="title" maxlength="150"
    value="<?php echo $title ?>" />
<textarea name="entry" cols="45"
    rows="10"><?php echo $entry ?></textarea>
</label>
<input type="hidden" name="id"
    value="<?php echo $id ?>" />
<input type="hidden" name="page"
    value="<?php echo $page ?>" />
<input type="submit" name="submit" value="Save Entry" />
<input type="submit" name="submit" value="Cancel" />
<?php endif; // Ends the section available to logged in users ?>

At this point, you’ve barred anyone who isn’t logged in from seeing administrative links and performing administrative tasks such as creating, editing, and deleting entries.

Creating a Login Form

Now that you require authorization for a user to view administrative links, you need to build in the functionality that allows your administrators to log in and gain access to those links.

To do this, you first need to create a login form where a user can enter her credentials to request access to the administrative links.

A logical location to place your login form is at http://localhost/simple_blog/admin. For the moment, admin.php shows a blank page if the user hasn’t logged in, because authorization is required before the page will do anything at all. You can fix that by placing the login form at the bottom of admin.php, inside an else block. Doing so shows a login screen to anyone who isn’t logged in already.

Your login form requests a username and password and uses the POST method to send this information to update.inc.php, along with a hidden input named action that passes the value login.


At the bottom of admin.php, just after the closing </html> tag, modify the file with the code in bold:

</html>
<?php
/*
 * If we get here, the user is not logged in. Display a form
 * and ask them to log in.

<input type="hidden" name="action" value="login" />
<input type="submit" name="submit" value="Log In" />

Figure 11-5. Users who are not logged in see a login screen.

Displaying Controls to Authorized Users

Your next step is to modify update.inc.php to check whether the login credentials supplied via the login form are valid; if they are, you set $_SESSION['loggedin'] to 1, which causes all administrative links and actions to become available to the user.

In update.inc.php, you add an else if block that checks whether the login form was submitted with the POST method. You do this by checking whether the value of $_POST['action'] is set to login and whether the username and password fields were submitted with values.


If these criteria are met, you load the database credentials and open a connection. Next, you set up a SQL query that gets the number of matches found by comparing the submitted username and the SHA1() hash of the submitted password against the database.

Note: You must check the SHA1() hash of the password because that’s what you saved in the database. There’s no way to reverse a SHA1() hash, but the encryption algorithm always returns the same hash for a given string.

The user is authorized to view the blog if a match is returned, whereupon you can add $_SESSION['loggedin'] to the session and set its value to 1.

To accomplish this, you call session_start() at the top of update.inc.php, then add the else if block at the bottom, just above your block that checks whether you’re creating a user.

Modify update.inc.php by adding the code in bold:

// Instantiate the class and set a save dir
$image = new ImageHandler("/simple_blog/images/");

// Process the uploaded image and save the returned path
$img_path = $image->processUploadedImage($_FILES['image']);
}
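Added example, not the book's code: the login branch of update.inc.php that this section describes (count the admin rows matching the username and the SHA1() of the submitted password, then set $_SESSION['loggedin'] to 1), plus a logout branch the chapter does not show. It assumes db.inc.php defines DB_INFO, DB_USER and DB_PASS and that admin.password holds SHA1 hashes as created earlier in the chapter; the helper name checkLogin is mine.

```php
<?php
// Added example (not the book's code). Assumes db.inc.php defines
// DB_INFO, DB_USER and DB_PASS, and admin.password stores SHA1 hashes.
session_start();
include_once 'db.inc.php';

// Returns true when exactly one admin row matches the username and the
// SHA1 hash of the submitted password: the chapter's COUNT query, with
// placeholders so neither field is spliced into the SQL text.
function checkLogin(PDO $db, $username, $password)
{
    $sql = "SELECT COUNT(*) FROM admin
            WHERE username = ? AND password = SHA1(?)";
    $stmt = $db->prepare($sql);
    $stmt->execute(array($username, $password));
    return $stmt->fetchColumn() == 1;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['action'])) {
    if ($_POST['action'] == 'login'
        && !empty($_POST['username']) && !empty($_POST['password'])) {
        $db = new PDO(DB_INFO, DB_USER, DB_PASS);
        if (checkLogin($db, $_POST['username'], $_POST['password'])) {
            // Issue a fresh session id at the privilege change, so a
            // session id handed to the browser before login is not the
            // one that now carries admin rights; then mark it logged in
            session_regenerate_id(true);
            $_SESSION['loggedin'] = 1;
            $_SESSION['username'] = $_POST['username'];
        }
        // Either way, return to admin.php: it shows the entry form when
        // loggedin is set and the login form otherwise
        header('Location: /simple_blog/admin/');
        exit;
    }
    if ($_POST['action'] == 'logout') {
        // Drop the session so the admin links disappear again
        $_SESSION = array();
        session_destroy();
        header('Location: /simple_blog/');
        exit;
    }
}
```

A failed login deliberately reveals nothing about which of the two fields was wrong; admin.php simply shows the login form again.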

Posted: 12/08/2014, 16:20
