User Personalization with PHP: The Admin Section [cont'd]
Deleting Bookmarks
When a user clicks on the link to delete a bookmark, the user is sent to a script called delete.php. Also included in this link is the bookmark ID, called $b_id. The aim of the script is of course to remove the selected bookmark from the system. The delete script has the following code:
So, how does the code work? First, it connects to the database, and second it checks what it is actually supposed to do. The script contains enough intelligence to decide what to do based on the information that is supplied by the two feeder scripts. Two IDs are sent from the two feeder scripts: one is called b_id and the other u_id. You have probably guessed by now that b_id refers to the bookmark ID and u_id refers to the user ID. In our case, we are dealing with the bookmark ID. The script checks which of the two it is supposed to deal with, based on the kind of ID that is sent. The if condition does the job of making the decision:
if(isset($_GET['b_id'])){
    // ..statements for removing a bookmark here..
}elseif(isset($_GET['u_id'])){
    // ..statements for removing a user here..
}
Once it has determined which of the IDs it needs to work with, the script then validates the data type. This is very important, since our application is vulnerable at this stage. Any attacker who wants to crash our application can simply change the ID into a letter or any other character to crash the application, so we need to take the appropriate measures to try and minimize or avoid this. Since we know that the IDs of both the bookmark and the user are numbers, we use the is_numeric() function to check whether the ID value is actually a number or not:
if(is_numeric($_GET['b_id'])){
    $bid = mysql_real_escape_string($_GET['b_id']); // escape before building the SQL string
    $del = "DELETE FROM bmarks WHERE bid = '".$bid."'"; // MySQL DELETE takes no column list
}
After running the query, we redirect the user back to the page that they were on before. The code also makes provision for any errors that may occur during the execution of the query:
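The whole delete.php flow this section walks through (branch on b_id or u_id, check the ID, run the query, handle errors, redirect), written out as an added example that is not the article's own code. It assumes PHP 7.1 or later, a mysqli connection to the same database, an admin flag stored in $_SESSION['level'] at login, and a bookmark list page named bookmarks.php to return to (user.php is from the article; the session key, credentials and bookmarks.php are assumptions). It swaps the article's mysql_* functions for mysqli prepared statements so the ID is bound as an integer rather than spliced into the SQL string, and validates with FILTER_VALIDATE_INT, which is stricter than is_numeric():

```php
<?php
// Added example: a hardened version of the article's delete.php pattern.
// Assumptions (not from the article): a mysqli connection, $_SESSION['level']
// holding the logged-in user's level, and bookmarks.php as the bookmark list page.
// Tables bmarks (column bid) and users (column uid) are the ones the article uses.
declare(strict_types=1);
session_start();

// Every script in the admin section first checks that the visitor is an admin.
function requireAdmin(): void
{
    if (($_SESSION['level'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Not authorised');
    }
}

// Return the ID as an int, or null when it is not a plain positive integer.
// FILTER_VALIDATE_INT rejects "1.5", "1e3" and "7abc"; is_numeric() accepts the first two.
function readId(string $key): ?int
{
    $value = filter_input(INPUT_GET, $key, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return ($value === false || $value === null) ? null : $value;
}

// Delete one row by its integer key. Table and column come from a fixed map,
// never from the request, so the ID is the only user-controlled value and it is bound.
function deleteRow(mysqli $db, string $kind, int $id): bool
{
    $targets = [
        'b_id' => ['bmarks', 'bid'],
        'u_id' => ['users',  'uid'],
    ];
    if (!isset($targets[$kind])) {
        return false;
    }
    [$table, $column] = $targets[$kind];
    $stmt = $db->prepare("DELETE FROM {$table} WHERE {$column} = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1; // exactly one row removed
    $stmt->close();
    return $ok;
}

requireAdmin();

// Decide which feeder script sent us here, as the article's if/elseif does.
if (isset($_GET['b_id'])) {
    $kind = 'b_id';
    $back = 'bookmarks.php';   // assumed name of the bookmark list page
} elseif (isset($_GET['u_id'])) {
    $kind = 'u_id';
    $back = 'user.php';        // the user list page from the article
} else {
    exit('No ID supplied');
}

$id = readId($kind);
if ($id === null) {
    exit('Invalid ID');        // a letter or other character stops here; no query is run
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'bookmarks'); // constructed credentials
if ($db->connect_error) {
    exit('Database connection failed');
}

if (deleteRow($db, $kind, $id)) {
    header('Location: ' . $back); // send the administrator back to the list they came from
} else {
    echo 'Could not delete record: ' . htmlspecialchars($db->error);
}
$db->close();
```

Because the table and column are chosen from the fixed $targets map and the ID is bound with type 'i', the SQL text never contains request data, which is what the article's escaping step is trying to guarantee by hand.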
User Management
The user management section deals with managing users of the system. Unlike the bookmarks script, this script carries out an additional function, which is to give a user admin privileges. Like the bookmarks script, the user.php script provides a list of all of the users in the system. The reason for this is that it makes it easy for the administrator to either upgrade or remove a user from the system. Below is the code that retrieves the user details from the database:
You will note that the data retrieval code for the users is exactly the same as the one used for the bookmarks, except that in this case the users database table is used instead of the bookmarks one. Therefore, I will not be going through every bit of the code, but only those parts that I think need to be emphasized. As with all of the scripts in this section, the script checks to see if the user has the right to be on this page. Then it runs a query to attempt to extract a list of all the users of the system. The query actually only retrieves a count of the number of users in the system.
Then the code uses a variable created in the main PHP code to extract and list the names of the users in dynamic table rows. One of the columns also lists an action called 'Make Admin' that enables an administrator to create a new administrator from the list of user names. Below is a screenshot of the user.php script followed by its code listing:
The HTML code for the page:
As you can see, the HTML code for this page is almost exactly the same as that for the bookmarks page, except for the fact that it is specific to users of the system.
When the user clicks on the 'Make Admin' link, the code takes the user to a script called update.php. This script is responsible for upgrading a user to admin status. It has the following code:
The code first checks if the ID that it received has a value:
if(isset($_GET['u_id'])){
If so, then it checks to see if that value is a number:
if(is_numeric($_GET['u_id'])){
Once it is satisfied that the value is a number, the code continues to run an update query and reset the level column of the table to 'admin':
$uid = mysql_real_escape_string($_GET['u_id']);
$update = "UPDATE users SET level = 'admin' WHERE uid = '".$uid."'";
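Both delete.php and update.php rely on is_numeric() as the type check on the ID. The following added example (not the article's code) shows which query-string values is_numeric() lets through that are not valid integer IDs, and pairs the stricter check with the 'Make Admin' update as a prepared statement. It assumes PHP 7 or later, a mysqli connection and the users table (uid, level) described in the article; the makeAdmin() and classifyId() names are mine:

```php
<?php
// Added example: is_numeric() versus a strict integer check on u_id, plus the
// article's UPDATE run as a prepared statement. Assumes PHP 7+ and mysqli;
// the article's own code uses the mysql_* functions.
declare(strict_types=1);

// Classify a raw query-string value the way update.php would see it.
// Returns [result of is_numeric(), strict positive-int result or null].
function classifyId(string $raw): array
{
    $strict = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return [is_numeric($raw), $strict === false ? null : $strict];
}

// Promote one user to admin. The ID is bound as an integer, so no quoting or
// escaping of the value into the SQL string is needed.
function makeAdmin(mysqli $db, int $uid): bool
{
    $stmt = $db->prepare("UPDATE users SET level = 'admin' WHERE uid = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $uid);
    $ok   = $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $ok && $rows === 1;   // exactly one user row changed
}

// Constructed sample inputs, as they might arrive in ?u_id=...
$samples = ['7', '7.0', '1e1', '-3', '0x1f', '7abc', 'abc'];
foreach ($samples as $raw) {
    [$loose, $strict] = classifyId($raw);
    printf("%-8s is_numeric=%-5s strict_int=%s\n",
        var_export($raw, true),
        $loose ? 'true' : 'false',
        $strict === null ? 'rejected' : (string) $strict);
}

// Wiring it to a request, as update.php does after its own checks:
if (isset($_GET['u_id'])) {
    [, $uid] = classifyId((string) $_GET['u_id']);
    if ($uid === null) {
        exit('Invalid ID');
    }
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'bookmarks'); // constructed credentials
    if ($db->connect_error) {
        exit('Database connection failed');
    }
    echo makeAdmin($db, $uid) ? 'User upgraded' : 'Update failed: ' . htmlspecialchars($db->error);
    $db->close();
}
```

Of the sample values, only '7' passes both checks; '7.0', '1e1' and '-3' pass is_numeric() but fail the strict integer check, and '0x1f', '7abc' and 'abc' fail both. None of the loose values change the structure of the article's quoted query, so is_numeric() does do the job the article asks of it (a letter cannot get through); the strict check simply adds that the value is the kind of key the uid column holds, and binding with type 'i' makes that explicit to the database.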
That's it for the user personalization series. Please feel free to add more functionality to suit your needs. The application is of a generic nature and is able to adapt to any changes that you may want to make. Also, feel free to email me with any questions that you may have.
Download the files for this article.
Original: June 3, 2009