Part six of this series looks at the last scripts that make up the main section of the application. In particular, we will look at how to add, remove and change bookmark information.
The AddBookmarks Script
The add bookmark script is responsible for enabling users to add new bookmark information to the system. Each user is only able to add new bookmarks to their own part of the system and cannot add bookmarks for other users; this is enforced by taking the user id from the session rather than from the form. The script consists of two sections: one is made up of PHP code and the other is an HTML form. Below is a screenshot of the script in action:
The PHP portion of the script deals with the information that is sent by the HTML form that we will look at shortly. It starts by including the database connection script. This script contains code that starts a new session and also some other functions that we will be using:
include "connect.php";
By including this script we make all of its contents available to the addbookmarks script. Next, we run a check to make sure that no user accidentally reaches this page unauthenticated and ends up with ugly error messages that may crash our application. We essentially check whether a session variable called uname is set. We could use any of the session variables that are created during the authentication process:
if(!isset($_SESSION['uname'])){
If the variable is not set, we simply send the user to the login page, since it indicates that the user either tried to run this script directly without going through the authentication process or is trying to break our application. Either way, we stop this illegal entry by redirecting the user. Note the exit after the header() call: header() only sets the redirect header, it does not stop the script, so without exit the rest of the page, including the database insert, would still execute for the unauthenticated request:
    //redirect to login page
    header("location:login/login.php");
    exit;
}
We continue processing the form information by testing whether the form has been submitted. The usual way is to check whether the submit button's name appears in the POST array. While this is the standard way of determining form submission, it is not always the best. A more robust way is to include a hidden form field and check whether it is present in the form array. For example, if we had included a hidden field called formcheck, we would simply do this:
if(isset($_POST['formcheck'])){
    $errmsg = "";
...instead of testing the submit post variable, as the script does here:
if(isset($_POST['submit'])){
    $errmsg = "";
The reason for this alternative is that users sometimes submit a form by pressing the return key instead of clicking the button, and some browsers (older versions of Internet Explorer in particular) then leave the submit button's name/value pair out of the request. If the script checks for the submit variable, the form is not processed because the variable is not found. A hidden formcheck field is sent either way, so the form is processed whether the user clicks the button or presses return.
After checking whether the form has been submitted, we then need to validate the data sent by the form. This is done on two levels. First, we check at the browser level, using JavaScript, that the form information has been filled in. The JavaScript code below does the job:
Basically the code has a function called checkform(), which tests the form fields we want checked to determine whether each has been filled in. For example, to check whether the URL field is empty it runs the following code:
if(pform1.url.value==""){
If the field value is left empty, an error message is shown:
alert("Please enter a URL")
...after which the focus is placed on the empty form field:
pform1.url.focus()
If a field is found to be empty, the function cancels the submission and returns the user to the form, so no information is passed on to the processing code. This is repeated for all the fields we want to check. The function is triggered when the form is submitted.
The second level of validation is done by PHP itself. The JavaScript check is a convenience for the user; it cannot guarantee that the fields arriving at the PHP code are filled in, because it is easily bypassed by anyone with even a basic knowledge of HTML and JavaScript, or by sending a POST request directly without using the browser form at all. So we repeat the checks on the server side, where they cannot be skipped. The PHP validation code is as follows:
The validation code first checks that the required form fields are filled in. If there is an error, it is put in an error message variable:
if(empty($_POST['url'])){
    $errmsg = "Please enter a url.";
}
This code is repeated for all the required fields. Then we use the checkurl() function to check the validity of the user-submitted URL:
if(!checkurl($_POST['url'])){
    $errmsg .= "Please enter a valid URL.";
}
The checkurl() function has the following code:
Please see the previous articles in the series for a full description of the function above. Once validation is complete, we add the information to the database. The first thing we do is prepare the variables that we are going to use in the insert query:
$url_c = mysql_real_escape_string($_POST['url']);
$desc_c = mysql_real_escape_string($_POST['desc']);
We do this by using the mysql_real_escape_string() function to escape the variables as shown above. Note that the function needs an open MySQL connection (which connect.php provides), and that the whole mysql_* family was deprecated in PHP 5.5 and removed in PHP 7; on current PHP the same job is done with a prepared statement in mysqli or PDO. Then we build a query to add the information to the database:
$ins ="INSERT INTO bmarks SET bid=9,uid='".$_SESSION['id']."',url='".$url_c."',descr='".$desc_c."'";
Note that uid comes from the session, not from the form, which is what stops a user from adding bookmarks under another user's account. The hard-coded bid=9 will cause a duplicate-key error on the second insert if bid is the table's primary key; if the column is auto-increment, leave it out and let the database assign the id.
We then run the query and set an error message if any errors are encountered:
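The processing half of the script, written out as an added example (it is not the article's own code) so the checks described above can be seen together. It assumes connect.php starts the session and exposes a mysqli connection as $db; the series' checkurl() is replaced with a stand-in built on filter_var(); and the INSERT is issued through a prepared statement instead of mysql_real_escape_string(), since the mysql_* functions no longer exist in PHP 7 and later. The table and column names (bmarks, uid, url, descr) and the session keys (uname, id) follow the article's query; the bid column is assumed to be AUTO_INCREMENT.

```php
<?php
// Added example of the PHP half of addbookmarks.php; not the article's own code.
// Assumption: connect.php calls session_start() and creates a mysqli object in $db.
include "connect.php";

// Stand-in for the series' checkurl(): accept only absolute http(s) URLs.
function checkurl($url)
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return $scheme === "http" || $scheme === "https";
}

// Session gate. The exit matters: header() only queues a redirect, and without it
// PHP would carry on and run the INSERT below for an unauthenticated request.
if (!isset($_SESSION['uname']) || !isset($_SESSION['id'])) {
    header("Location: login/login.php");
    exit;
}

$errmsg = "";
$saved  = false;

// Submission is detected through the hidden formcheck field, which is sent
// whether the user clicked the button or pressed return.
if (isset($_POST['formcheck'])) {
    $url  = isset($_POST['url'])  ? trim($_POST['url'])  : "";
    $desc = isset($_POST['desc']) ? trim($_POST['desc']) : "";

    // Server-side validation: the JavaScript checks are easily bypassed, so
    // these are the checks that actually protect the database.
    if ($url === "") {
        $errmsg .= "Please enter a url. ";
    } elseif (!checkurl($url)) {
        $errmsg .= "Please enter a valid URL. ";
    }
    if ($desc === "") {
        $errmsg .= "Please enter a description. ";
    }

    if ($errmsg === "") {
        // uid is taken from the session, never from the form, so a user cannot
        // file bookmarks under someone else's account. bid is left to the
        // database (assumed AUTO_INCREMENT) instead of being hard-coded.
        $uid  = (int) $_SESSION['id'];
        $stmt = $db->prepare("INSERT INTO bmarks (uid, url, descr) VALUES (?, ?, ?)");
        if ($stmt === false) {
            $errmsg = "Could not save the bookmark.";
        } else {
            $stmt->bind_param("iss", $uid, $url, $desc);
            if ($stmt->execute()) {
                $saved = true;
            } else {
                // Keep the driver error in the server log; showing it to the
                // user would leak table and column names.
                error_log("bmarks insert failed: " . $stmt->error);
                $errmsg = "Could not save the bookmark.";
            }
            $stmt->close();
        }
    }
}
?>
```

With a prepared statement the user's URL and description never become part of the SQL text, so the escaping step drops out entirely; the only value still taken from the request is the form data, and the only value the query trusts (uid) comes from the authenticated session.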
The HTML
The HTML portion of the script is fairly easy to understand. It contains only a form that hosts two form fields and the JavaScript we discussed above. Below is the code for that section of the page:
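The HTML half, as an added example rather than the article's own markup, pairing the checkform() JavaScript described earlier with the hidden formcheck field that the submission test relies on. It assumes it follows the PHP half in the same file, so $errmsg and $saved are already set, and that the script is reached at addbookmarks.php. Anything echoed back into the page, including a value the validator rejected, goes through htmlspecialchars() first so that a bad submission cannot inject markup into the form.

```php
<?php
// Added example of the HTML half of addbookmarks.php; not the article's markup.
// Assumes the PHP half above has already set $errmsg (string) and $saved (bool).
function h($s)
{
    // Output encoding for anything echoed into HTML, including rejected input.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}
$oldurl  = isset($_POST['url'])  ? $_POST['url']  : '';
$olddesc = isset($_POST['desc']) ? $_POST['desc'] : '';
?>
<html>
<head>
<title>Add a bookmark</title>
<script type="text/javascript">
// Client-side check: a convenience for the user, not a security control.
// Returning false cancels the submission; the PHP side repeats the same checks.
function checkform(pform1) {
    if (pform1.url.value == "") {
        alert("Please enter a URL");
        pform1.url.focus();
        return false;
    }
    if (pform1.desc.value == "") {
        alert("Please enter a description");
        pform1.desc.focus();
        return false;
    }
    return true;
}
</script>
</head>
<body>
<?php if ($errmsg !== "") { ?>
<p class="error"><?php echo h($errmsg); ?></p>
<?php } elseif ($saved) { ?>
<p>Bookmark added.</p>
<?php } ?>
<form name="pform1" method="post" action="addbookmarks.php" onsubmit="return checkform(this);">
<!-- Hidden field: present in $_POST whether the button is clicked or return is pressed. -->
<input type="hidden" name="formcheck" value="1">
<p>URL: <input type="text" name="url" size="60" value="<?php echo h($oldurl); ?>"></p>
<p>Description: <input type="text" name="desc" size="60" value="<?php echo h($olddesc); ?>"></p>
<p><input type="submit" name="submit" value="Add bookmark"></p>
</form>
</body>
</html>
```

The submit button keeps its name so the older isset($_POST['submit']) test would still work, but the PHP half keys off formcheck, which is what makes a return-key submission behave the same as a button click.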