User Personalization with PHP: The Final Scripts / Page 2

User Personalization with PHP:
The Final Scripts[con't]

The User Profile

The profile script is responsible for allowing a user to change some of their personal settings, more specifically their:

• Email address
• Background Color
• Picture

The other information such as the password can be changed on the authentication pages. The user access level can only be changed by someone with administration privileges; this will be discussed later on in the administration article that is to follow. Below is a screenshot of the profile page:

See Figure 2

The script consists of both HTML and PHP sections, each playing their own important roles. The basic purpose of the script is to display the user's current settings and then to update the user information as is required by the user. Below is the processing code of the script:

&lt?php include "../connect.php"; //retrieve the user's info $q = "SELECT * FROM users WHERE uid = '".$_SESSION['id']."'"; $res_q = mysql_query($q); if(!$res_q){ echo mysql_error(); }else{ $row = mysql_fetch_assoc($res_q); } //check if the form has been submitted if(isset($_POST['prof'])){ $msg = ""; //Next we check if the email address has a valid format if(!checkEmail($_POST['email'])){ $msg.="Please enter a valid email address.<br/>"; } //check if the user uploaded a image if(isset($_FILES['fn'])){ $fn = $_FILES['fn']['name']; //now try to upload the filem if(!move_uploaded_file($_FILES['fn']['tmp_name'],'../images/'.$_FILES['fn']['name'].'')){ switch($_FILES['fn']['error']){ case 1: $msg .= "The file exceeds the upload max file size setting"; break; case 2: $msg .="The file exceeds the max file size setting"; break; case 3: $msg .="The file was only partially uploaded"; break; case 4: $msg .="No file was uploaded"; break; }//end switch } } if(isset($fn)){ $img= $fn; }else{ $img= "No_img"; } //set the bckgrnd color $bgc = $_POST['select']; if(empty($msg)){ //clean $email_c = mysql_real_escape_string($_POST['email']); $bgc_c = mysql_real_escape_string($bgc); //update table $update = "UPDATE users SET email = '".$email_c."',bgc ='".$bgc_c."',img='".$img."' WHERE uid = '".$_SESSION['id']."'"; if(!mysql_query($update)){ $msg .= mysql_error(); }else{ $msg .= "Record updated."; } } } ?>

Since the purpose of the script is to first, retrieve and second, to display the information of the currently logged-in user, the code starts by connecting to the database server and then running a query to retrieve all information relating to the current user:

$q = "SELECT * FROM users WHERE uid = '".$_SESSION['id']."'";

Note, that we use a session variable that contains a user ID created at the authentication stage, to make sure that we only retrieve information stored about the current user. Then we execute the query and make provision for any errors that may occur. If no errors are detected during query execution, we simply retrieve the information of the user and store it in an array called $row:

$res_q = mysql_query($q); if(!$res_q){ echo mysql_error(); }else{ $row = mysql_fetch_assoc($res_q); }

Next up we check to see if the form has been submitted. This refers to the form that displays and collects the user's information. Then we validate the form information. Now, this form has only one field, the field that takes the email address, which we have to validate. The reason why we don't validate the other fields is because they do not contain any user input but rather user choice in the sense that the application provides the choices that the user must make. There is one dropdown box where the user must make a selection from the available options rather than inserting information and then there is another text field that allows the user to select an image to upload. Both of these options are very safe since the information originates from within the application and not from outside of the application so validation of the data is not necessary. To validate the email address we use the checkemail() function:

if(!checkEmail($_POST['email'])){ $msg.="Please enter a valid email address.<br/>"; }

The checkemail() function has the following code:

function checkEmail($email){ if(eregi('^[[:alnum:]][a-z0-9_\.\-]*@[a-z0-9\.\-]+\.[a-z]{2,8}$',$email)){ return TRUE; }else{ return FALSE; } }

For a fuller explanation of the function, please see one of the earlier articles in the series. Once the email address is validated, we move on to check if the user has uploaded a new picture. To determine if the user has uploaded a picture we check if the $_FILES[''] array contains any information:

if(isset($_FILES['fn'])){

The idea here is to store a link to the image in the database rather than storing the image to the database. So we need the name of the file, which we get like this:

$fn = $_FILES['fn']['name'];

The $_FILES[''] array contains all of the information about an uploaded file, including its name, which we store in the $fn variable. With the file name now safely stored, we have to upload the file. We do this by using the move_uploaded_file() function like so:

if(!move_uploaded_file($_FILES['fn']['tmp_name'],'../images/'.$_FILES['fn']['name'].'')){

The above code line tries to move the file to the images directory folder, but also makes provision for errors that may occur such as the image directory folder not existing on the server. To see which error occurred we use a switch condition:

switch($_FILES['fn']['error']){ case 1: $msg .= "The file exceeds the upload max file size setting"; break; case 2: $msg .="The file exceeds the max file size setting"; break; case 3: $msg .="The file was only partially uploaded"; break; case 4: $msg .="No file was uploaded"; break; }//end switch

If any errors are encountered while uploading the file, it will be stored in the $msg variable and shown in the form. The next piece of code simply checks if the image file name is set and then creates a new variable that will eventually be used during the update process:

if(isset($fn)){ $img= $fn; }else{ $img= "No_img"; }

We then store the background color selection that the user selected in a variable called $bgc:

$bgc = $_POST['select'];

Now all that remains is for us to update the user information. Before updating the users' information, we clean the variables that we are going to use in the query. To do this we use the mysql_real_escape_string() function:

$email_c = mysql_real_escape_string($_POST['email']);
$bgc_c = mysql_real_escape_string($bgc); 

Finally we use a query to update the user data:

$update = "UPDATE users SET email = '".$email_c."',bgc ='".$bgc_c."',img='".$img."' 
	WHERE uid = '".$_SESSION['id']."'";

Then we make provision for any errors that may occur during the update process:

if(!mysql_query($update)){ $msg .= mysql_error(); }else{ $msg .= "Record updated."; } }

Delete Bookmarks Script

The delete bookmarks script is activated when the user clicks on the delete option in the main page. It has the following code:

&lt?php include "connect.php"; if(!isset($_SESSION['uname'])){ //redirect to login page header("location:login/login.php"); } //check if recieved ID is valid if(isset($_GET['bmID'])){ if(is_numeric($_GET['bmID'])){ //validate $id=mysql_real_escape_string($_GET['bmID']); $del = "DELETE * FROM bmarks WHERE uid = '".$id."'"; if(mysql_query($del)){ header("location:main.php"); }else{ echo mysql_error(); } } } ?>

The code starts off by connecting to the database and opening a session and then continues to check if an ID has been received and validates it:

if(isset($_GET['bmID'])){
if(is_numeric($_GET['bmID'])){

To make sure that the ID that we received is valid, we check if it is numeric. This is a relatively simple way of avoiding an attack. Any user can enter a letter in the browser, which would crash our application and provide the attacker with information about our application. We run the script only if the ID is of the right type. If the ID is valid, we clean it for use with MYSQL, using the mysql_real_escape_string() function:

$id=mysql_real_escape_string($_GET['bmID']);

Then we delete the bookmark from the database. An additional check that you can make is to run a query with the given ID and see if it exists before running the delete query:

$del = "DELETE * FROM bmarks WHERE uid = '".$id."'"; if(mysql_query($del)){ header("location:main.php"); }else{ echo mysql_error(); } }

Conclusion

While testing the application I've noticed that the database field called desc in the bookmarks table causes an error when data is inserted or updated, so I've changed the field name from desc to descr. Please do accordingly if you are going to use the database schema as per the series. This change and any others are reflected in the accompanying source code.

The final article in the series will deal with administering the application. The administration of the application can basically be described as house keeping and involves maintaining both components of the application.

Download the source code.

Original: May 09, 2009

Find a programming school near you

Zip Code:

Subject: - Select All Subjects - Computer Applications Computer Engineering Computer Science Computer Prog. - Software Dev. Computer Game Programming Web Design Web Development Internet Systems Internet Certification Database Design and Development Information Systems Management Information Technology Project Management Network Design - Development Systems Analyst

Degree: - Select All Degrees - Associate's Bachelor's Master's Doctoral Certificates Diplomas Coursework MBA

Online Campus Both