Lab 11

To make progress on Project 3 and to understand...

1. PHP Sessions and their role in implementing user authentication
2. How to implement a login and logout
3. Techniques for changing menus and content depending on which user is logged in

1. Join is the insert_user.php script. Click on the link and view the source. While you can copy and paste all the HTML code for the form, please be sure that method="post" and action="insert_user.php"
   • Using the post method is important because the user is typing a password that you'll want to hide and the biography could be too long to pass via the URL.
   • The action calls insert_user.php, so the script can generate the form and also process the form.
2. You should only process the form if all the form elements are present. Since, you are using method="post", the names and values of these form elements will be stored in the $_POST variable. Since there are 11 form elements that could me mispelled (email, pwd, first, last, col, major, fyear, gyear, cred, bio, and grad), it would be good to create this string and check each value via a loop.
   • set valid to false
   • use a foreach loop to iterate over the $_POST array ($_POST as $field=>$value)
   • if $value != '' then set valid to true and concatenate $field, and '$value', to seperate strings ($fields and $values
   • if value is ever blank or null then valid is false and you can break out of the loop.
   • After the loop your can use rtrim to remove the last comma of the $fields and $values strings
   • only process the query if valid is true
3. The query is INSERT INTO $table_name ($fields) VALUES ($values) where $table_name is your user table name and $fields and $values are the string you created via your loop.
4. While it is OK to hard-code the insert user form, it would be a better idea to generate it so that previously submitted values can be saved. The input element has an optional value attribute that can be set to the previously posted value:
   <input name="email" value="'.$_POST['email'].'">

1. The logout.php script is an example of a script that does work on the server, but never produces any output.
2. The script simply calls the built-in function session_destroy(), which deletes all the session variables and sends an HTTP response to the web browser to delete the corresponding cookie.
3. Interesting, you must start a session before you can destroy it. Remember that session_start() will actually restore a previously started session, so PHP knows which session to destroy.
4. This script can then redirect user to the login page.
5. While the built-in PHP function header("Location: login.php") can be used to redirect to the login, a most common mistake is to have a typo in "Location:". The captial L and colon matter. To make each redirect less error prone, I defined a redirect function that can be used as follows: redirect("login.php")

1. Edit is very similar to the insert_user.php script, but it uses a different query:
   Example: UPDATE users SET email='new value',pwd='new value',first='new value',last='new value',col='new value',major='new value ',fyear='new value',gyear='new value',cred='new value',bio='new value',grad='new value' WHERE uid='current logged in user'
2. Remember that the uid of the current logged in user is stored in the $_SESSION['uid'] variable.
3. If you name your script update_user.php, be sure to change the action to "update_user.php"
4. Remember that insert_user inserted previously submitted values into the form elements so that you did not need to retype them.
   • Specifically, we set each value as follows: <input name="email" value="'.$_POST['email'].'">.
   • The update_user can fetch all the stored values with the following query:
     $result = run_query("SELECT * FROM $table_name WHERE uid='current logged in user'");
   • Then, you can fetch all the values as an associative array: $row = $result->fetch_assoc();
   • Finally, you can insert the previously stored values as follows: <input name="pwd" value="'.$row['pwd'].'">
5. Thus, unless you change a value, the previous values will be used as the new value to update a user.

1. This is exactly like insert user except you will use your courses table and the courses fields.
2. Also, the query must specify the user.
   Example: INSERT INTO courses (sub,num,title,descr,year,sem, uid) VALUES ('CSIS','499','Independent Study','Advanced Robotics','2018','Fall', 1)
   In the example above 1 is the uid of the current logged in user, which you can get from the session, i.e., $_SESSION['uid']
3. To test insert course, note that the updated functions_database.php has a function called show_table that you can use to show all the courses. You can creat a simple script that calls this function and passes the name of your courses table.

1. Again, note that the updated functions_database.php has a function called show_table that you can copy and modify to display courses for a specific user or for a specific year and semester.
2. Here is a function for displaying courses for a specific year and semeser:
   SELECT sub, num, descr, title FROM $table_name WHERE year='$year' AND sem='$sem' AND uid='$uid'
3. Here is a function for displaying courses for an academic year:
   $next_year = $year + 1;
SELECT sub, num, descr, title FROM $table_name WHERE (year='$year' AND sem='Fall' OR year='$next_year' AND sem='Spring') AND uid='$uid'

1. This will not produce any output unless the $uid is properly set via the session variable.
2. Notice that is simply displays all the courses for the logged in user, with two buttons next to each course.
3. These buttons then call scripts to delete or edit courses.
4. The course ID (cid) is passed via the URL to the delete and edit scripts.
5. The edit course script is almost identical to the update user script, but it uses the courses table and the cid instead of the uid
6. The delete course script will be discussed in class extensively