
Lesson 5: Wisher Logon

This document applies to NetBeans 6.1 only.

Contributed by Barbara Mityashina
June 27, 2008

Application Source Code from the Previous Lesson

Click here to download the source code that reflects the project state after the previous lesson is completed.

Lesson Scope

In this lesson you will implement the logon functionality for a wisher. This will affect the following files:

  • index.php
  • createNewWisher.php
  • editWishlist.php
  • db.php
Implementing the Logon functionality consists of the following steps:

Saving the Wisher's ID in the Session Upon Creation

A Session is a persistent storage for transferring information from one page to another without using an HTML input form. This functionality is supported through a predefined PHP array $_SESSION.

For the sake of security, after a new wisher is created he should be logged on automatically without filling in any form. Therefore you need to modify the createNewWisher.php file to implement the following functionality:

  • Adding a new wisher to the database
  • Opening a session
  • Storing the wisher's name in the session.
  • Transferring the wisher's name in the session when the wisher is redirected to the editWishList.php page.
In the createNewWisher.php file, locate the line:
CreateWisher($_POST["user"], $_POST["password"]);
and enter the following code block right below:
session_start();
$_SESSION["user"] = $_POST["user"];
The code block starts a session, which means opening the $_SESSION array for entering or retrieving data, and adds an element to the $_SESSION array. The added element contains a value and an identifier (key). The value is the name of the newly created wisher and the identifier is "user". Then the program redirects the wisher to the editWishList.php page.

Validating User Logon

When a user reaches the editWishList.php page, the application should confirm that the page is accessed by the same person who was just registered on the createNewWisher.php page.

Implementing this functionality consists of two steps:

Retrieving the wisher's name from the Session

Enter the following code into the editWishList.php file:
session_start();
if (array_key_exists("user", $_SESSION)) {
    // escape the stored name before writing it into the page
    echo "Hello " . htmlspecialchars($_SESSION["user"]);
}

The code block opens the $_SESSION array for retrieving data and verifies that the $_SESSION array contains an element with the identifier "user". If the check is successful, it prints a welcome message.

To check that the session is implemented correctly:
  1. Run the createNewWisher.php file and create a new wisher, for example Jack.
    The editWishList.php opens with Hello Jack.
  2. Run the editWishList.php file from NetBeans.
    The editWishList.php opens with Hello because no user has been transferred through a session. This is not correct because it enables someone who is not logged in and not registered to create or edit a wish list. In order to avoid this, the user needs to be redirected to the index.php page.

Redirecting a User Who Is Not Logged In

Add the following code block to the editWishList.php file:
else {
    header('Location: index.php');
    exit;
}

The code redirects the user to the index.php page and cancels PHP code execution.

To check that the functionality is implemented correctly, run the editWishList.php file. The expected result is that the index.php page opens.

Logging In from the index.php Page

The logon from the index.php page consists of two steps:

HTML Form for Logon on index.php

In the index.php file, enter the following code:
        <form name="logon" action="index.php" method="POST" >
            Username: <input type="text" name="user"/>
            Password  <input type="password" name="userpassword"/>
            <input type="submit" value="Edit My Wish List"/>
        </form>
The code presents an HTML form that enables entering the name and password of the user in the text fields. When the user clicks Edit My Wish List, the data is transferred to the same page, index.php.

Logon Validation

Logon validation involves:

Source of Redirection

A user may access the index.php page on application start, from the editWishList.php page, or when redirected from the index.php page after entering name and password.

Because the HTML request method POST is used only in the last case, you can always learn where the user was located when they accessed index.php by checking the request method.

In the index.php file, enter the following code inside the <?php ?> block:
require_once("Includes/db.php");
$db = new WishDB;
$logonSuccess = true;
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // verify user's credentials
}
The code block enables using the db.php file, creates a $db object of the WishDB class, and initializes the $logonSuccess variable, which will be used later to display error messages. If the request method is POST, which means that the user was redirected from the index.php page after submitting the logon form, then verifying the user's credentials starts.

Verifying the User's Credentials

Replace the comment // verify user's credentials with the following code block:
if ($db->verify_wisher_credentials($_POST["user"], $_POST["userpassword"]) == 1) {
    session_start();
    $_SESSION["user"] = $_POST["user"];
    header('Location: editWishList.php');
    // stop executing index.php once the redirect is sent
    exit;
} else {
    $logonSuccess = false;
}

The code block calls the verify_wisher_credentials function with the name and password entered during the logon as the input parameters.

If the verify_wisher_credentials function returns 1, which means that a wisher with the specified combination of name and password is registered in the database, the $_SESSION array is opened for entering data. Then a new element is added to the $_SESSION array. The element contains a value and an identifier (key). The value is the wisher's name and the identifier is "user". Then the user is redirected to the editWishList.php page for editing the wish list, and exit cancels further PHP code execution. Else the value of the $logonSuccess variable is changed to false. The value of the variable will be used in displaying an error message.

Function verify_wisher_credentials

In order to implement verification of the wisher's credentials, you need to add a new function to the db.php file. The function requires a name and a password as the input parameters and returns 0 or 1.

Enter the following code block:
function verify_wisher_credentials ($name, $password){
    // escape the input so that quotes in it cannot alter the query
    $name = mysql_real_escape_string($name);
    $password = mysql_real_escape_string($password);
    return mysql_num_rows(mysql_query("SELECT * FROM wishers WHERE name = '" . $name . "' AND password = '" . $password . "'"));
}
The code block escapes the name and password with mysql_real_escape_string, executes the query "SELECT * FROM wishers WHERE name = '" . $name . "' AND password = '" . $password . "'", and returns the number of records that meet the specified query. 1 is returned if such a record is found and 0 is returned if there is no such record in the database.
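
The same credential check written with a bound parameter and a hashed password, as an added example that is not part of the tutorial's db.php. It assumes PHP 7.1 or later with PDO and the pdo_sqlite driver (an in-memory database stands in for the MySQL wishers table); the password_hash column, the create_wisher helper, and the sample rows are hypothetical.

```php
<?php
// Added example, not the tutorial's code. Assumptions: PDO + pdo_sqlite,
// an in-memory table standing in for "wishers", and a hypothetical
// password_hash column replacing the plaintext password column.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wishers (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password_hash TEXT)');

// Store only a salted hash of the password, never the password itself.
function create_wisher(PDO $pdo, string $name, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO wishers (name, password_hash) VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Same contract as the lesson's function: 1 on a match, 0 otherwise.
function verify_wisher_credentials(PDO $pdo, string $name, string $password): int {
    // The placeholder keeps $name out of the SQL text, so quotes in it are data.
    $stmt = $pdo->prepare('SELECT password_hash FROM wishers WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return 0; // no wisher with this name
    }
    // password_verify re-hashes the input with the stored salt and compares.
    return password_verify($password, $hash) ? 1 : 0;
}

// Constructed sample accounts; Tom/tomcat is the pair used in the lesson's test.
create_wisher($pdo, 'Tom', 'tomcat');
create_wisher($pdo, "O'Neil", 'shamrock'); // a name containing a quote character

$attempts = [
    ['Tom', 'tomcat'],        // correct password
    ['Tom', 'Tim'],           // wrong password
    ["O'Neil", 'shamrock'],   // quote in the name, correct password
    ['Jack', 'anything'],     // unknown wisher
];
foreach ($attempts as [$name, $password]) {
    printf("%-8s %-10s => %d\n", $name, $password,
        verify_wisher_credentials($pdo, $name, $password));
}
```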

Displaying Error Messages

In order to enable the application to display error messages, enter the following <?php ?> code block into the input form, below the input fields but above the button:
<?php
if (!$logonSuccess) {
    echo "Invalid name and/or password";
}
?>
The code block checks the value of the $logonSuccess variable and if it is false, displays an error message.

Testing the Logon from the index.php Page

To check that the logon functionality works correctly on the front index.php page:
  1. Run the application.
  2. On the index.php page, enter Tom in the Username edit box and Tim in the Password edit box.
  3. Press Edit My Wish List. An error message is displayed:
    The index.php page displays an error message: Incorrect Name and/or Password
  4. Enter Tom in the Username edit box and tomcat in the Password edit box.
  5. Press Edit My Wish List. The editWishList.php page is displayed:
    index.php: Successful Logon

Application Source Code after the Current Lesson Is Completed

Click here to download the source code that reflects the project state after the lesson is completed