Chapter 13: Building a Content Management System 421 $result = mysql_query($sql, $db) or die(mysql_error($db)); if (mysql_num_rows($result) > 0) { $row = mysql_fetch_array($result); extract($row); session_start(); $_SESSION[‘user_id’] = $user_id; $_SESSION[‘access_level’] = $access_level; $_SESSION[‘name’] = $name; } mysql_free_result($result); redirect(‘cms_index.php’); break; case ‘Logout’: session_start(); session_unset(); session_destroy(); redirect(‘cms_index.php’); break; case ‘Create Account’: $name = (isset($_POST[‘name’])) ? $_POST[‘name’] : ‘’; $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $password_1 = (isset($_POST[‘password_1’])) ? $_POST[‘password_1’] : ‘’; $password_2 = (isset($_POST[‘password_2’])) ? $_POST[‘password_2’] : ‘’; $password = ($password_1 == $password_2) ? $password_1 : ‘’; if (!empty($name) & & !empty($email) & & !empty($password)) { $sql = ‘INSERT INTO cms_users (email, password, name) VALUES (“’ . mysql_real_escape_string($email, $db) . ‘”, PASSWORD(“’ . mysql_real_escape_string($password, $db) . ‘”), “’ . mysql_real_escape_string($name, $db) . ‘”)’; mysql_query($sql, $db) or die(mysql_error($db)); session_start(); $_SESSION[‘user_id’] = mysql_insert_id($db); $_SESSION[‘access_level’] = 1; $_SESSION[‘name’] = $name; } redirect(‘cms_index.php’); break; case ‘Modify Account’: $user_id = (isset($_POST[‘user_id’])) ? $_POST[‘user_id’] : ‘’; $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $name = (isset($_POST[‘name’])) ? $_POST[‘name’] : ‘’; $access_level = (isset($_POST[‘access_level’])) ? $_POST[‘access_level’] : ‘’; if (!empty($user_id) & & !empty($name) & & !empty($email) & & !empty($access_level) & & !empty($user_id)) { c13.indd 421c13.indd 421 12/10/08 6:04:31 PM12/10/08 6:04:31 PM 422 Part II: Comic Book Fan Site $sql = ‘UPDATE cms_users SET email = “’ . mysql_real_escape_string($email, $db) . ‘”, name = “’ . mysql_real_escape_string($name, $db) . ‘”, access_level = “’ . mysql_real_escape_string ($access_level, $db) . ‘”, WHERE user_id = ‘ . $user_id; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_admin.php’); break; case ‘Send my reminder!’: $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; if (!empty($email)) { $sql = ‘SELECT email FROM cms_users WHERE email=”’ . mysql_real_escape_string($email, $db) . ‘”’; $result = mysql_query($sql, $db) or die(mysql_error($db)); if (mysql_num_rows($result) > 0) { $password = strtoupper(substr(sha1(time()), rand(0, 32), 8)); $subject = ‘Comic site password reset’; $body = ‘Looks like you forgot your password, eh? No worries. ‘ . ‘We\’ve reset it for you!’ . “\n\n”; $body .= ‘Your new password is: ‘ . $password; mail($email, $subject, $body); } mysql_free_result($result); } redirect(‘cms_login.php’); break; case ‘Change my info’: session_start(); $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $name = (isset($_POST[‘name’])) ? $_POST[‘name’] : ‘’; if (!empty($name) & & !empty($email) & & !empty($_SESSION[‘user_id’])) { $sql = ‘UPDATE cms_users SET email = “’ . mysql_real_escape_string($email, $db) . ‘”, name = “’ . mysql_real_escape_string($name, $db) . ‘”, WHERE user_id = ‘ . $_SESSION[‘user_id’]; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_cpanel.php’); break; default: redirect(‘cms_index.php’); } } else { redirect(‘cms_index.php’); } ? > c13.indd 422c13.indd 422 12/10/08 6:04:31 PM12/10/08 6:04:31 PM Chapter 13: Building a Content Management System 423 How It Works The application needs to access the database and to redirect users to various pages after completing transactions. You take care of the former by including db.inc.php , and the latter by including cms_ http_functions.inc.php . Because transaction pages don ’ t display anything on the screen, you don ’ t need to include the cms_header.inc.php , cms_footer.inc.php , or cms_output_ functions.inc.php files. require_once ‘db.inc.php’; require_once ‘cms_http_functions.inc.php’; The $_REQUEST[‘action’] variable contains either the value of the button you clicked on the previous page, or a GET request in the URL (such as ?action=delete ). If $_REQUEST[‘action’] is empty, then you don ’ t do any transactions and simply redirect the user to the cms_index.php page: if (isset($_REQUEST[‘action’])) { } else { redirect(‘cms_index.php’); } You use a switch statement because of the flexibility it gives you. If you expand the functionality of your CMS, you can end up having to add many more actions to cms_transact_user.php . With switch , it is a simple matter of adding a new case condition. You could certainly use a long chain of if / else statements instead of switch , but they can be cumbersome to work with and difficult to maintain over time. switch ($_REQUEST[‘action’]) { default: redirect(‘cms_index.php’); } The Login case handles user logins. Your e - mail and password are what you use to log in to the CMS. If both are not passed, the user will not be logged in. The address and password are filtered, and then the database is searched for a matching record in the cms_users table. If a match is found, then a session is started, and $_SESSION[‘user_id’] , $_SESSION[‘name’] , and $_SESSION[‘access_ level’] are stored to log the user in. case ‘Login’: $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $password = (isset($_POST[‘password’])) ? $_POST[‘password’] : ‘’; $sql = ‘SELECT user_id, access_level, name FROM cms_users WHERE email = “’ . mysql_real_escape_string($email, $db) . ‘” AND password = PASSWORD(“’ . mysql_real_escape_string($password, $db) . ‘”)’; $result = mysql_query($sql, $db) or die(mysql_error($db)); if (mysql_num_rows($result) > 0) { c13.indd 423c13.indd 423 12/10/08 6:04:31 PM12/10/08 6:04:31 PM 424 Part II: Comic Book Fan Site $row = mysql_fetch_array($result); extract($row); session_start(); $_SESSION[‘user_id’] = $user_id; $_SESSION[‘access_level’] = $access_level; $_SESSION[‘name’] = $name; } mysql_free_result($result); redirect(‘cms_index.php’); break; Logging someone out is quite simple, really. If no session variables exist with the user ID, access level, and username, then the application knows the user is not logged in. All you need to do is purge the session variables. First you use session_start() to tell PHP you are accessing session variables. Then, you unset the session with session_unset() , which clears all the session variables, and finally you destroy the session with session_destroy() , which destroys all of the data registered to a session. All login data should be removed after calling both the session_unset() and session_destroy() functions. case ‘Logout’: session_start(); session_unset(); session_destroy(); redirect(‘cms_index.php’); break; To create an account, all of the required fields must be filled in, and the two password fields must match (users are often required to enter their password twice when registering an account, to help prevent errors, and you will be implementing this in your CMS). After the incoming values are filtered, if everything is good, then you create the record in the cms_users table, automatically log the user in by setting $_SESSION[‘user_id’] , $_SESSION[‘name’] , and $_SESSION[‘access_ level’] , and redirect the user to cms_index.php . case ‘Create Account’: $name = (isset($_POST[‘name’])) ? $_POST[‘name’] : ‘’; $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $password_1 = (isset($_POST[‘password_1’])) ? $_POST[‘password_1’] : ‘’; $password_2 = (isset($_POST[‘password_2’])) ? $_POST[‘password_2’] : ‘’; $password = ($password_1 == $password_2) ? $password_1 : ‘’; if (!empty($name) & & !empty($email) & & !empty($password)) { $sql = ‘INSERT INTO cms_users (email, password, name) VALUES (“’ . mysql_real_escape_string($email, $db) . ‘”, PASSWORD(“’ . mysql_real_escape_string($password, $db) . ‘”), “’ . mysql_real_escape_string($name, $db) . ‘”)’; mysql_query($sql, $db) or die(mysql_error($db)); session_start(); $_SESSION[‘user_id’] = mysql_insert_id($db); $_SESSION[‘access_level’] = 1; $_SESSION[‘name’] = $name; } redirect(‘cms_index.php’); break; c13.indd 424c13.indd 424 12/10/08 6:04:32 PM12/10/08 6:04:32 PM Chapter 13: Building a Content Management System 425 When another user ’ s account is modified by an administrator, all of the fields must have data. As long as they do, then the account is updated in the database, and the administrator is redirected to the cms_ admin.php page: case ‘Modify Account’: $user_id = (isset($_POST[‘user_id’])) ? $_POST[‘user_id’] : ‘’; $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $name = (isset($_POST[‘name’])) ? $_POST[‘name’] : ‘’; $access_level = (isset($_POST[‘access_level’])) ? $_POST[‘access_level’] : ‘’; if (!empty($user_id) & & !empty($name) & & !empty($email) & & !empty($access_level) & & !empty($user_id)) { $sql = ‘UPDATE cms_users SET email = “’ . mysql_real_escape_string($email, $db) . ‘”, name = “’ . mysql_real_escape_string($name, $db) . ‘”, access_level = “’ . mysql_real_escape_string($access_level, $db) . ‘”, WHERE user_id = ‘ . $user_id; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_admin.php’); break; If the user forgets his or her password, the user can have a new one generated and sent to the e - mail account registered in the system. Here, we suggest sending a simple plaintext e - mail, but there is no reason you can ’ t take your wealth of knowledge from Chapter 11 and send HTML or multipart e - mail messages to your users. You filter the incoming e - mail address and search for it in the database. If it can be found, then you know it is a registered address. Then you create a new random password, enter a subject and body for your e - mail message (including new password), and send the message on its merry way. You assume, of course, that the user will immediately open his or her e - mail to read the password, so you conveniently redirect the user to the login page. case ‘Send my reminder!’: $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; if (!empty($email)) { $sql = ‘SELECT email FROM cms_users WHERE email=”’ . mysql_real_escape_string($email, $db) . ‘”’; $result = mysql_query($sql, $db) or die(mysql_error($db)); if (mysql_num_rows($result) > 0) { $password = strtoupper(substr(sha1(time()), rand(0, 32), 8)); $subject = ‘Comic site password reset’; $body = ‘Looks like you forgot your password, eh? No worries. ‘ . ‘We\’ve reset it for you!’ . “\n\n”; $body .= ‘Your new password is: ‘ . $password; mail($email, $subject, $body); } mysql_free_result($result); } redirect(‘cms_login.php’); break; c13.indd 425c13.indd 425 12/10/08 6:04:32 PM12/10/08 6:04:32 PM 426 Part II: Comic Book Fan Site The following code may look very familiar. It is virtually identical to the previous Modify Account case, except that this time, the user is changing his or her own data. Because of this, the access level does not get updated. case ‘Change my info’: session_start(); $email = (isset($_POST[‘email’])) ? $_POST[‘email’] : ‘’; $name = (isset($_POST[‘name’])) ? $_POST[‘name’] : ‘’; if (!empty($name) & & !empty($email) & & !empty($_SESSION[‘user_id’])) { $sql = ‘UPDATE cms_users SET email = “’ . mysql_real_escape_string($email, $db) . ‘”, name = “’ . mysql_real_escape_string($name, $db) . ‘”, WHERE user_id = ‘ . $_SESSION[‘user_id’]; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_cpanel.php’); break; Try It Out Article Transactions The previous transaction script wasn ’ t so bad, was it? While it might seem like a lot of code, much of it is fairly simple and straightforward. You check some variables, execute some SQL queries, and then redirect the user. That ’ s pretty much how most transactions work. Now, let ’ s move on to the transaction file for working with articles and comments. 1. Enter cms_transact_article.php : < ?php require_once ‘db.inc.php’; require_once ‘cms_http_functions.inc.php’; $db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or die (‘Unable to connect. Check your connection parameters.’); mysql_select_db(MYSQL_DB, $db) or die(mysql_error($db)); if (isset($_REQUEST[‘action’])) { switch ($_REQUEST[‘action’]) { case ‘Submit New Article’: $title = (isset($_POST[‘title’])) ? $_POST[‘title’] : ‘’; $article_text = (isset($_POST[‘article_text’])) ? $_POST[‘article _text’] : ‘’; if (isset($_SESSION[‘user_id’]) & & !empty($title) & & !empty($article_text)) { $sql = ‘INSERT INTO cms_articles (user_id, submit_date, title, article_text) c13.indd 426c13.indd 426 12/10/08 6:04:32 PM12/10/08 6:04:32 PM Chapter 13: Building a Content Management System 427 VALUES (‘ . $_SESSION[‘user_id’] . ‘, “’ . date(‘Y-m-d H:i:s’) . ‘”, “’ . mysql_real_escape_string($title, $db) . ‘”, “’ . mysql_real_escape_string($article_text, $db) . ‘”)’; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_index.php’); break; case ‘Edit’: redirect(‘cms_compose.php?action=edit & article_id=’ . $_POST[‘article_id’]); break; case ‘Save Changes’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; $user_id = (isset($_POST[‘user_id’])) ? $_POST[‘user_id’] : ‘’; $title = (isset($_POST[‘title’])) ? $_POST[‘title’] : ‘’; $article_text = (isset($_POST[‘article_text’])) ? $_POST[‘article_text’] : ‘’; if (!empty($article_id) & & !empty($title) & & !empty($article_text)) { $sql = ‘UPDATE cms_articles SET title = “’ . mysql_real_escape_string($title, $db) . ‘”, article_text = “’ . mysql_real_escape_string($article _text, $db) . ‘”, submit_date = “’ . date(‘Y-m-d H:i:s’) . ‘” WHERE article_id = ‘ . $article_id; if (!empty($user_id)) { $sql .= ‘ AND user_id = ‘ . $user_id; } mysql_query($sql, $db) or die(mysql_error($db)); } if (empty($user_id)) { redirect(‘cms_pending.php’); } else { redirect(‘cms_cpanel.php’); } break; case ‘Publish’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; if (!empty($article_id)) { $sql = ‘UPDATE cms_articles SET is_published = TRUE, publish_date = “’ . date(‘Y-m-d H:i:s’) . ‘” WHERE article_id = ‘ . $article_id; mysql_query($sql, $db) or die(mysql_error($db)); } c13.indd 427c13.indd 427 12/10/08 6:04:33 PM12/10/08 6:04:33 PM 428 Part II: Comic Book Fan Site redirect(‘cms_pending.php’); break; case ‘Retract’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; if (!empty($article_id)) { $sql = ‘UPDATE cms_articles SET is_published = FALSE, publish_date = “0000-00-00 00:00:00” WHERE article_id = ‘ . $article_id; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_pending.php’); break; case ‘Delete’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; if (!empty($article_id)) { $sql = ‘DELETE a, c FROM cms_articles a LEFT JOIN cms_comments c ON a.article_id = c.article_id WHERE a.article_id = ‘ . $article_id . ‘ AND is_published = FALSE’; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_pending.php’); break; case ‘Submit Comment’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; $comment_text = (isset($_POST[‘comment_text’])) ? $_POST[‘comment_text’] : ‘’; if (isset($_SESSION[‘user_id’]) & & !empty($article_id) & & !empty($comment_text)) { $sql = ‘INSERT INTO cms_comments (article_id, user_id, comment_date, comment_text) VALUES (‘ . $article_id . ‘, ‘ . $_SESSION[‘user_id’] . ‘, “’ . date(‘Y-m-d H:i:s’) . ‘”, “’ . mysql_real_escape_string($comment_text, $db) . ‘”)’; mysql_query($sql, $db) or die(mysql_error($db)); } c13.indd 428c13.indd 428 12/10/08 6:04:33 PM12/10/08 6:04:33 PM Chapter 13: Building a Content Management System 429 redirect(‘cms_view_article.php?article_id=’ . $article_id); break; default: redirect(‘cms_index.php’); } } else { redirect(‘cms_index.php’); } ? > How It Works As with cms_transact_user.php , you check the $_REQUEST[‘action’] value in cms_transact_ article.php to see if a button was pressed or an action was specified in the URL, and if so, then you act on it accordingly with the appropriate branch of a switch statement. The user is redirected to the main index page if no action was passed or if the action was not recognized by cms_transact_ article.php . if (isset($_REQUEST[‘action’])) { switch ($_REQUEST[‘action’]) { default: redirect(‘cms_index.php’); } } else { redirect(‘cms_index.php’); } Your first case handles the adding of a new article in the database. You first ensure that the title and article ’ s body were both passed to the script and that the user is logged in (tested by the presence of the $_SESSION[‘user_id’] ). Then, you insert the article into the database, including the user ’ s ID for the article ’ s author and the date for its submission date. case ‘Submit New Article’: $title = (isset($_POST[‘title’])) ? $_POST[‘title’] : ‘’; $article_text = (isset($_POST[‘article_text’])) ? $_POST[‘article_text’] : ‘’; if (isset($_SESSION[‘user_id’]) & & !empty($title) & & !empty($article_text)) { $sql = ‘INSERT INTO cms_articles (user_id, submit_date, title, article_text) VALUES (‘ . $_SESSION[‘user_id’] . ‘, “’ . date(‘Y-m-d H:i:s’) . ‘”, “’ . mysql_real_escape_string($title, $db) . ‘”, “’ . mysql_real_escape_string($article_text, $db) . ‘”)’; mysql_query($sql, $db) or die(mysql_error($db)); } redirect(‘cms_index.php’); break; c13.indd 429c13.indd 429 12/10/08 6:04:34 PM12/10/08 6:04:34 PM 430 Part II: Comic Book Fan Site Handling the Edit case is simple. The cms_compose.php page will be set up to retrieve an article and preload it into the title and body fields, if the appropriate data is supplied in the URL. You simply need to append action=edit and article_id=nn to the address. case ‘Edit’: redirect(‘cms_compose.php?action=edit & article_id=’ . $_POST[‘article_ id’]); break; To save changes to an article, you take in and filter the article ’ s ID, author ’ s user ID, the article ’ s title, and the body text. If the $user_id has a value, then you know a user is editing her or his own document, and you must add a condition to match the ID to the SQL statement. You then redirect the user either to the control panel, if the user is editing his or her own article, or to the review page, if the user is a moderator editing someone else ’ s article. case ‘Save Changes’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; $user_id = (isset($_POST[‘user_id’])) ? $_POST[‘user_id’] : ‘’; $title = (isset($_POST[‘title’])) ? $_POST[‘title’] : ‘’; $article_text = (isset($_POST[‘article_text’])) ? $_POST[‘article_text’] : ‘’; if (!empty($article_id) & & !empty($title) & & !empty($article_text)) { $sql = ‘UPDATE cms_articles SET title = “’ . mysql_real_escape_string($title, $db) . ‘”, article_text = “’ . mysql_real_escape_string($article_text, $db) . ‘”, submit_date = “’ . date(‘Y-m-d H:i:s’) . ‘” WHERE article_id = ‘ . $article_id; if (!empty($user_id)) { $sql .= ‘ AND user_id = ‘ . $user_id; } mysql_query($sql, $db) or die(mysql_error($db)); } if (empty($user_id)) { redirect(‘cms_pending.php’); } else { redirect(‘cms_cpanel.php’); } break; In the Publish case, you accept in and filter the article ’ s ID, and then modify its record in the database to set the status and publication date. case ‘Publish’: $article_id = (isset($_POST[‘article_id’])) ? $_POST[‘article_id’] : ‘’; if (!empty($article_id)) { $sql = ‘UPDATE cms_articles SET is_published = TRUE, publish_date = “’ . date(‘Y-m-d H:i:s’) . ‘” WHERE article_id = ‘ . $article_id; c13.indd 430c13.indd 430 12/10/08 6:04:34 PM12/10/08 6:04:34 PM [...]... ‘cms_header.inc.php’; $db = mysql_ connect (MYSQL_ HOST, MYSQL_ USER, MYSQL_ PASSWORD) or die (‘Unable to connect Check your connection parameters.’); mysql_ select_db (MYSQL_ DB, $db) or die (mysql_ error($db)); $sql = ‘SELECT access_level, access_name FROM cms_access_levels ORDER BY access_name ASC’; $result = mysql_ query($sql, $db) or die (mysql_ error($db)); $privileges = array(); while ($row = mysql_ fetch_assoc($result))... ‘cms_output_functions.inc.php’; $db = mysql_ connect (MYSQL_ HOST, MYSQL_ USER, MYSQL_ PASSWORD) or die (‘Unable to connect Check your connection parameters.’); mysql_ select_db (MYSQL_ DB, $db) or die (mysql_ error($db)); include ‘cms_header.inc.php’; $sql = ‘SELECT article_id FROM cms_articles WHERE is_published = TRUE ORDER BY publish_date DESC’; $result = mysql_ query($sql, $db); if (mysql_ num_rows($result) == 0)... providing that functionality 1 Create this new file, and save it as cms_user_account.php: . ‘cms_http_functions.inc.php’; $db = mysql_ connect (MYSQL_ HOST, MYSQL_ USER, MYSQL_ PASSWORD) or die (‘Unable to connect. Check your connection parameters.’); mysql_ select_db (MYSQL_ DB, $db) or die (mysql_ error($db)); . ‘cms_output_functions.inc.php’; $db = mysql_ connect (MYSQL_ HOST, MYSQL_ USER, MYSQL_ PASSWORD) or die (‘Unable to connect. Check your connection parameters.’); mysql_ select_db (MYSQL_ DB, $db) or die (mysql_ error($db)); . ‘db.inc.php’; $db = mysql_ connect (MYSQL_ HOST, MYSQL_ USER, MYSQL_ PASSWORD) or die (‘Unable to connect. Check your connection parameters.’); mysql_ select_db (MYSQL_ DB, $db) or die (mysql_ error($db));