Document: PHP and script.aculo.us Web 2.0 Application Interfaces - P3 - Pdf 92

Chapter 3 [49]
Secure.php
The main purpose of this file is to clean up the data, to prevent SQL injection, to validate data, and so on.
It is important to clean the data before inserting it into, or manipulating it on, the server.
<?php
/*
Class: Secure.php
*/
class Secure {
    // Returns $value ready to be placed in an SQL statement: numbers are passed
    // through unchanged, everything else is escaped against the open connection
    // $handle and wrapped in single quotes.
    function clean_data($value, $handle) {
        // Undo the automatic backslashes added when magic_quotes_gpc is on
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value, $handle) . "'";
        }
        return $value;
    }
} // class ends here
?>
Hands-on examples: Common scripts
In the following examples, we will see how to script some modules that are
commonly used while creating web applications. We will also be making use
of these modules in our examples throughout the book.
User login management system
Now that we are ready with our powerful open-source artillery, let's get to the
serious business of having fun with raw code.

userID as an auto_increment along with Username and Password. In this, userID acts as the PRIMARY KEY for the table. Username would be varchar. Password would also be varchar, and in order to protect our passwords we would also apply a Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) hash to them. In our application, we are using MD5.
Let's move on to the Signup page details.
Signup.php

<td><INPUT TYPE = 'TEXT' Name ='password' value="<?PHP print
$pword;?>" maxlength="16">
</td>
</tr>
</table>
<P>
<INPUT TYPE = "Submit" Name = "Submit1" VALUE = "Register">
</FORM>
<P>
<?PHP print $errorMessage;?>
</body>
</html>
Now let's add the PHP power to our signup.php script with the following code:
<?PHP
$uname = "";
$pword = "";
$errorMessage = "";
$num_rows = 0;
require_once 'DBConfig.php';
require_once 'Secure.php';
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname = $_POST['username'];
    $pword = $_POST['password'];
    $uname = htmlspecialchars($uname);
    $pword = htmlspecialchars($pword);
    if ($errorMessage == "") {
        $settings = DBConfig::getSettings();
        // Get the main settings from the array we just loaded
        // (the connection is made the same way as in login.php)
        $server = $settings['dbhost'];
        $database = $settings['dbname'];
        $user_name = $settings['dbusername'];
        $pass_word = $settings['dbpassword'];
        $db_handle = mysql_connect($server, $user_name, $pass_word);
        $db_found = mysql_select_db($database, $db_handle);
        if ($db_found) {
            // ... the duplicate-username check and the INSERT into the
            // user table are not included in this extract
        }
        else {
            $errorMessage = "Database Not Found";
        }
    }
}
?>
Let's break down the code into functionality, as this helps us to understand it better.
Include the common scripts such as DBConfig.php and Secure.php.
require_once 'DBConfig.php';
require_once 'Secure.php';
Check if the data has been posted.
if ($_SERVER['REQUEST_METHOD'] == 'POST')
Read the DB settings to get dbhost, dbname, dbuser, and dbpassword.
$settings = DBConfig::getSettings();

login.php page details. We have added the user successfully to our user's table. It's probably a good idea to cross-check. Fire up the web browser, open phpMyAdmin, and navigate to the user table under the books database.
Alternatively, we can also check through the login.php page.
Login.php
Again, we are creating a simple user interface using HTML to show the user a simple
form where he or she will be required to enter a username and password.
<html>
<head>
<title>Login Here!!!</title>
<link rel="stylesheet" href="style.css" >
Server-side Techniques with PHP and MySQL [54]
</head>
<body>
<h4>Already Registered? Sign-in!!!</h4>

<?PHP
$uname = "";
$pword = "";
$errorMessage = "";
require_once 'DBConfig.php';
require_once 'Secure.php';
// Check if the user has submitted the form with POST
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $uname = $_POST['username'];
    $pword = $_POST['password'];
    $uname = htmlspecialchars($uname);
    $pword = htmlspecialchars($pword);
    // Can also use a DBclass instead of the code below.
    $settings = DBConfig::getSettings();
    // Get the main settings from the array we just loaded
    $server = $settings['dbhost'];
    $database = $settings['dbname'];
    $user_name = $settings['dbusername'];
    $pass_word = $settings['dbpassword'];
    $db_handle = mysql_connect($server, $user_name, $pass_word);
    $db_found = mysql_select_db($database, $db_handle);
    if ($db_found) {
        $secure = new Secure();
        $uname = $secure->clean_data($uname, $db_handle);
        $pword = $secure->clean_data($pword, $db_handle);
        // ... the SELECT query and the session handling that follow are
        // not included in this extract
    }
}
?>
Let's break down the code into functionality once again:
Include the common scripts such as DBConfig.php and Secure.php.
require_once 'DBConfig.php';
require_once 'Secure.php';
Check if the data has been posted.
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
Read the database settings to get dbhost, dbname, dbusername, and dbpassword.
$settings = DBConfig::getSettings();
Clean the user input.
$uname = $secure->clean_data($uname, $db_handle);
$pword = $secure->clean_data($pword, $db_handle);
Run the SELECT query to check whether the username and password entered by the user match the ones present in the database table, and get the results.
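The signup and login flow described above, written as an added example rather than the book's own code: it replaces Secure::clean_data() escaping with PDO prepared statements (so quotes in the input stay data) and replaces md5() with password_hash()/password_verify(). The function names open_db, register_user and authenticate, the validation rules, and the in-memory SQLite database standing in for MySQL are all assumptions made here; the table columns follow the book's user table.

```php
<?php
// Added example, not from the book. Same userID/Username/Password layout as the
// book's user table, but stored in an in-memory SQLite database so it runs
// offline; swap the DSN for a MySQL one and the functions work unchanged.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        userID   INTEGER PRIMARY KEY AUTOINCREMENT,
        Username VARCHAR(20)  NOT NULL UNIQUE,
        Password VARCHAR(255) NOT NULL
    )');
    return $db;
}

// signup.php logic: returns an error message, or "" on success.
function register_user(PDO $db, string $uname, string $pword): string {
    // Validate the raw input instead of escaping it; the form allows 20 chars.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $uname)) {
        return 'Username must be 3-20 letters, digits or underscores';
    }
    if (strlen($pword) < 8) {
        return 'Password must be at least 8 characters';
    }
    // Placeholders are bound by the driver, never concatenated into the SQL
    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE Username = :u');
    $stmt->execute([':u' => $uname]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'Username already taken';
    }
    // password_hash() salts and stretches; the stored value is not the
    // password itself and, unlike an unsalted md5(), cannot be looked up.
    $stmt = $db->prepare('INSERT INTO user (Username, Password) VALUES (:u, :p)');
    $stmt->execute([':u' => $uname, ':p' => password_hash($pword, PASSWORD_DEFAULT)]);
    return '';
}

// login.php logic: true only if the username exists and the password verifies.
function authenticate(PDO $db, string $uname, string $pword): bool {
    $stmt = $db->prepare('SELECT Password FROM user WHERE Username = :u');
    $stmt->execute([':u' => $uname]);
    $hash = $stmt->fetchColumn();           // false when no row matched
    // A quote in $uname is just part of the compared value, so a username
    // such as "' OR '1'='1" matches no row instead of altering the query.
    return $hash !== false && password_verify($pword, $hash);
}

$db = open_db();
var_dump(register_user($db, 'alice', 'correct horse battery'));
var_dump(register_user($db, 'alice', 'another password'));
var_dump(authenticate($db, 'alice', 'correct horse battery'));
var_dump(authenticate($db, 'alice', 'wrong password'));
var_dump(authenticate($db, "' OR '1'='1", 'wrong password'));
```

The first registration returns an empty string, the second reports the name as taken, and only the login with the correct password returns true. The two things a practitioner should take from it are that the escaping-and-quoting done by clean_data() becomes unnecessary once the driver binds the values, and that password verification compares against a salted hash rather than recomputing md5($pword) and matching it in the WHERE clause.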

file. This is pretty much a straightforward approach.
Only users who are logged in will be able to see this data. Using SESSION, we check whether the user is logged in or not.
<?PHP
session_start();
// Send anyone without a login session back to login.php
if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
    header ("Location: login.php");
    exit; // stop here, otherwise the protected page below is still sent
}
?>
<html>
<head>
<title>Home Page</title>
</head>
<body>
<p>
Thank God.You logged In, system admin was rude...with me!!!!
<p>
This is where all the protected contents come into picture
<p>
<A HREF = logout.php>Log out</A>
</body>
</html>
Breaking this code down as per functionality, we do the following:
Check if the SESSION variable login is set.
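The session check above and the logout that follows, as an added example that is not the book's code: a require_login() guard that any protected page can include, plus the two counterparts a login and a logout page need. The file name auth.php, the function names, and the assumption that login.php stores the username in $_SESSION['login'] are choices made here, not taken from the book.

```php
<?php
// auth.php (added example, not from the book). Assumes login.php calls
// login_user() after the password has been verified.

function require_login(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie not readable by page scripts and not sent cross-site;
        // add 'secure' => true once the site is served over HTTPS.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
    if (empty($_SESSION['login'])) {
        header('Location: login.php');
        exit;   // without exit the protected HTML after the guard is still sent
    }
    return $_SESSION['login'];
}

function login_user(string $username): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session id on login, so an id the browser held before
    // authenticating (possibly supplied by someone else) never becomes a
    // logged-in session.
    session_regenerate_id(true);
    $_SESSION['login'] = $username;
}

function logout_user(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    // Expire the cookie too; session_destroy() alone leaves the old id in
    // the browser, which is what the book's "try hitting the back button"
    // check is probing.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in the pages of the book (assumed file names):
//   home.php:    require_once 'auth.php'; $who = require_login();
//   login.php:   after authenticate() succeeds, login_user($uname);
//   logout.php:  require_once 'auth.php'; logout_user();
```

The guard returns the logged-in username so the protected page can use it; calling exit after the redirect header is what actually prevents the protected content from reaching a client that ignores the Location header.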

<head>
<title>Logout</title>
</head>
<body>
Okay, destroyed the sessions of the user. Now try hitting the
back button. You should be able to see the login page :)
<p>
User Logged Out
<p>
Want to Login again? <a href="login.php">Login Here</a>
</body>
</html>
The logout interface is shown in the following screenshot:
Adding a username availability script to the login management system
In the previous chapter, we saw how to add a username availability script using
AJAX. But in those scripts we were using an array to supply our data, not the real
database values. So, let's combine the scripts and make something more powerful,
beautiful, and agile.
We need to add the CheckUsername.php script to our login management system in the signup.php
Just add the following code to the above form inside the table in signup.php. This will make it more interactive.
<tr>
<td></td>
<td>
<a href="JavaScript:CheckUsername();">Check Availability
</a>
<div class="result" name="result" id="result"></div>
</td>
</tr>
The resulting code is shown here:
<FORM NAME ="form1" METHOD ="POST" ACTION ="signup.php"
class="signup-form">
<table class="signup-table">
<tr>
<td>Username: </td>
<td><INPUT TYPE = 'TEXT' Name ='username' id="username"
value="<?PHP print $uname;?>" maxlength="20">
</td>
</tr>
<tr>
<td></td>
<td>
<a href="JavaScript:CheckUsername();">Check Availability
</a>
<div class="result" name="result" id="result"></div>
</td>
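A server-side availability check that answers the "Check Availability" link from the real user table rather than from an array, as an added example that is not the book's CheckUsername.php. The function name check_username, the username pattern, and the in-memory SQLite table with a constructed row for alice are assumptions made here; on the book's setup the same prepared statement would run against the MySQL user table.

```php
<?php
// CheckUsername.php (added example, not the book's script). The AJAX call
// passes the typed name as the "username" GET parameter; the plain-text
// reply is dropped into the <div id="result"> by the page's JavaScript.

function check_username(PDO $db, string $uname): string {
    // Reject anything outside the allowed form before touching the database
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $uname)) {
        return 'Invalid username (3-20 letters, digits or underscores)';
    }
    // Bound parameter: the typed value is compared, never interpreted as SQL
    $stmt = $db->prepare('SELECT 1 FROM user WHERE Username = :u LIMIT 1');
    $stmt->execute([':u' => $uname]);
    return $stmt->fetchColumn() === false
        ? 'Username is available'
        : 'Username is already taken';
}

// Constructed sample table so the script runs offline (assumption: the real
// page would reuse the DBConfig.php connection instead)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    userID   INTEGER PRIMARY KEY AUTOINCREMENT,
    Username VARCHAR(20) UNIQUE,
    Password VARCHAR(255)
)');
$db->exec("INSERT INTO user (Username, Password) VALUES ('alice', 'placeholder-hash')");

$uname = $_GET['username'] ?? 'alice';
header('Content-Type: text/plain; charset=utf-8');
// The reply is written into the page, so encode it even though every branch
// above returns a fixed string today.
echo htmlspecialchars(check_username($db, $uname), ENT_QUOTES, 'UTF-8');
```

Run from the command line it reports alice as taken; called as CheckUsername.php?username=bob it reports the name as available. The format check before the query keeps the endpoint from becoming a free-form lookup, and encoding the reply matters because the JavaScript on the signup page writes it straight into the result div.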