Object Oriented Programming- The Banking Application - Login / Page 2

Object Oriented Programming- The Banking Application - Login [con't]

In the last section, we started to look at the code that makes up the login part of the application. In the following sections, we will continue to do so and also look at what other methods are used to authenticate a customer.

<?php session_start(); include "class.acc.php"; include "class.cust.php"; $obj=new customer; if(isset($_POST['Submit'])){ $err=false; $errmsg=""; //clean vars if(empty($_POST['name'])){ $err=true; $errmsg="Please enter a username"; } if(empty($_POST['pin'])){ $err=true; $errmsg="Please enter a pin"; } if(is_numeric($_POST['name'])){ $err=true; $errmsg="Please enter a valid username"; } if(!is_numeric($_POST['pin'])){ $err=true; $errmsg="Please enter a valid pin"; } /* if(strlen($_POST['pin'] < 4)){ $err=true; $errmsg="Please enter a valid pin"; } */ if(!$err){ //clean for database entry $cleanpin=mysql_real_escape_string($_POST['pin']); $cleanname=mysql_real_escape_string($_POST['name']); $authed = $obj->auth($cleanpin,$cleanname); if($authed){ //trsnsfer vars //grab the users details $id = $obj->getcustID(); $name = $obj->getname(); $_SESSION['custid']=$id; $_SESSION['name']=$name; header("location:home.php"); }else{ $errmsg = "Your details did not match"; } } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Untitled Document</title> <link href="Templates/bank.css" rel="stylesheet" type="text/css" /> </head> <body> <?php if(isset($errmsg)){ echo $errmsg; }else{ $obj->login(); } ?>

When we looked at the code in the previous article, we already explained some of the validation code. An extra validation method that we can use in the application is to check if the entered pin number has four digits. You can do this in one of two ways; first you simply count the number of characters and set an error message if it does not meet the requirements:

if(strlen($_POST['pin'] < 4)){ $err=true; $errmsg="Please enter a valid pin"; }

Or you can use the eregi() function to ensure that not only are the digits four but that they are numbers. All of this validation just makes it that much more difficult for your application to be broken into. Once we've done the code validation, we check to see if any errors were detected:

if(!$err){

If no errors were detected, we clean the variables that we received from the customers using the mysql_real_escape_string() function which is specially created to clean variables that are going to be used in MySQL queries:

//clean for database entry $cleanpin=mysql_real_escape_string($_POST['pin']); $cleanname=mysql_real_escape_string($_POST['name']);

Now we are ready to run the query. We use the customer class to do the job. The class contains a method called auth(). This method takes two parameters, the pin number and customer name. It does the job of running a query to check if a customer exists in the database and then returns an appropriate result. It has the following code:

function auth($pin,$name){ global $custID,$custname,$custaddress; if(isset($this->dbcon)){ $sql = "SELECT * FROM customer WHERE pin='".$pin."' AND name='".$name."'"; $res=mysql_query($sql) or die(mysql_error()); if($res){ $row = mysql_fetch_assoc($res); $this->custID=$row['cusid']; $this->custname=$row['name']; $this->custaddress=$row['address']; return true; }else{ return FALSE; } } }

The method itself is not complicated, first we declare some global variables that we will need in other parts of the class:

function auth($pin,$name){
global $custID,$custname,$custaddress;

Then it checks to see if the database connection is set:

if(isset($this->dbcon)){

Then we build the SQL statement, testing to see if the pin number and customer name that is given to us by the user exists in the database:

$sql = "SELECT * FROM customer WHERE
pin='".$pin."' AND name='".$name."'";

We then run the query, using the mysql_query() function:

$res=mysql_query($sql) or die(mysql_error());

If the name and pin match any of the pin numbers and names that are stored in the database, then the $res variable will contain that record. To see if this is the case, we simply test the $res variable as below:

if($res){

Now we store the returned results in a array called $row:

$row = mysql_fetch_assoc($res);

Finally we transfer the returned table values to the global variables that we declared at the start of the method:

$this->custID=$row['cusid']; $this->custname=$row['name']; $this->custaddress=$row['address'];

And then return TRUE:

return true;

If the customer details do not match, then we simply return the function execution as FALSE:

}else{ return FALSE; } } }

Now we return to the main script. After calling the auth() method, we store the result in the $authed variable:

$authed = $obj->auth($cleanpin,$cleanname);

Now we test the $authed variable to see if it returned true or false:

if($authed){

If it returned true, then we need to get two pieces of information, the user ID and name, both of which will be used in subsequent scripts of the application. We do this by using two methods that are declared in the customer class:

//trsnsfer vars //grab the users details $id = $obj->getcustID(); $name = $obj->getname();

The methods have the following code:

function getname(){ return $this->custname; } function getcustid(){ return $this->custID; }

Basically the methods above have self descriptive names; the first one retrieves the customers name and is called getname(). It returns the customer name, which was stored in a global variable earlier:

return $this->custname;

The second method returns the customer ID. Again it uses the information that was stored in a global variable earlier:

return $this->custID;

Back to the main script. Once we've set the customer ID and name, we transfer them to the session variables as shown below. This is because we want to keep state on all the scripts in the application and we will also need this information to run queries in some of the scripts. We could of course use the class methods to keep track but sessions are just so much easier to handle:

$_SESSION['custid']=$id; 
$_SESSION['name']=$name; 

Once the two variables have been transferred, we redirect the customer to the home page of the web site:

header("location:home.php");

If the auth() method did not return true, then it means that the pin and name of the customer was not found in the database, in which case we set an error message to state that:

}else{ $errmsg = "Your details did not match"; } } } ?>

The final part of the login script that we are going to look at is the HTML portion of the page. We have already seen what the page looks like; now let's take a look at the code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Untitled Document</title> <link href="Templates/bank.css" rel="stylesheet" type="text/css" /> </head> <body> <?php if(isset($errmsg)){ echo $errmsg; }else{ $obj->login(); } ?> </body> </html>

There really is not much to this part of the page. It starts by building the HTML headers:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Untitled Document</title> <link href="Templates/bank.css" rel="stylesheet" type="text/css" /> </head>

Then in the body section of the page, we set up the PHP code section. The first line of which checks to see if any errors have been detected in the validation process, if so, the errors are shown:

<body> <?php if(isset($errmsg)){ echo $errmsg;

Otherwise, the login form is shown. Obviously, the error message won't be set when the user first loads the page. The customer will immediately see the login form:

}else{
$obj->login();
}

Logout Script

This script is responsible for logging a user out of the application. In programming terms, the script ends a user session, which is started when the session_start() function is used. In our case, the session of a customer is started in the login page. Once a user is successfully logged in, his or her session is started. Below is the code that makes up the script:

<?php session_start(); if(isset($_SESSION['name'])) { session_unset(); session_destroy(); header("location:login.php" ); exit(); } else{ if(!isset($_SESSION['name'])) { //the session variable isn't registered, the user shouldn't even be on this page header("location:login.php" ); exit(); } } ?>

First a session is started by the calling of the session_start() function:

<?php
session_start();

Then we test to see if the customer name is set. Remember that we stored this information during customer login. If the user is authenticated, then the user will of course have this value set. In addition, at this point it would be a good idea to have some code on each script of the application to stop unauthorized access:

if(isset($_SESSION['name'])) {

We then destroy the session and then delete it from the server, using the session_destroy and session_unset() functions:

session_unset();
session_destroy();

Then we direct the customer to the login page:

header("location:login.php" );
exit();
} 

If the customer name is not set, then it means that the person was not logged in, in the first place, this customer is then directed to the login page as well:

else{ if(!isset($_SESSION['name'])) { //the session variable isn't registered, the user shouldn't even be on this page header("location:login.php" ); exit(); } }

The Home page(Code listing)

Though we will not focus on the code for the home page as yet, below is a listing of the code that makes up the home page:

<?php session_start(); include "class.acc.php"; include "class.cust.php"; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/bnk.dwt.php" codeOutsideHTMLIsLocked="false" --> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <!-- InstanceBeginEditable name="doctitle" --> <title>Untitled Document</title> <!-- InstanceEndEditable --> <!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable --> <link href="Templates/bank.css" rel="stylesheet" type="text/css" /> </head> <body> <table width="100%" border="0" class="brdr"> <tr class="bord"> <td colspan="2" class="bord"><p class="hdr">MAMAS //UIS BANK INC</p> </td> </tr> <tr> <td width="23%" valign="top"><!-- InstanceBeginEditable name="EditRegion4" --> <table width="100%" border="1"> <tr> <td><a href="logout.php">Logout-><?php echo strtoupper($_SESSION['name']);?></a></td> </tr> <tr> <td>View Accounts </td> </tr> <tr> <td><a href="newacc.php">Create Account </a></td> </tr> </table> <!-- InstanceEndEditable --></td> <td width="77%" valign="top"><!-- InstanceBeginEditable name="EditRegion3" --> <?php $cust = new customer; $cust->getaccounts($_SESSION['custid']); ?> <!-- InstanceEndEditable --></td> </tr> <tr> <td colspan="2"> </td> </tr> </table> </body> <!-- InstanceEnd --></html>

Below is the page that the code produces:

Figure 2

In the next article we will look at the code that makes up the home page in detail.

Original: October 26, 2009

Find a programming school near you

Zip Code:

Subject: - Select All Subjects - Computer Applications Computer Engineering Computer Science Computer Prog. - Software Dev. Computer Game Programming Web Design Web Development Internet Systems Internet Certification Database Design and Development Information Systems Management Information Technology Project Management Network Design - Development Systems Analyst

Degree: - Select All Degrees - Associate's Bachelor's Master's Doctoral Certificates Diplomas Coursework MBA

Online Campus Both