how to create webapp in php

Upload: saba-wasim

Post on 08-Apr-2018


  • 8/7/2019 how to create Webapp in Php

    1/34

    Creating A PHP Web Application (a blog in PHP)

    Abstract

    In this introductory tutorial the process of building a complete PHP application is explored. The application is a simple blog and uses a MySQL database to store all the data. The blog application contains a user system for the administrator to post new blog entries. The final approval for each blog entry is handled by the administrator. Assumed knowledge is basic use of HTML and CSS to render the display.

    This tutorial will suit those looking to begin with PHP who have never written an entire application. No external resources will be used in building the application and all code will be written here. This tutorial does not make use of Object Oriented code, which may be more efficient.

    Each section of the tutorial introduces new concepts from the PHP language that are used frequently in many PHP applications and websites. Many functions are used and an explanation is given for each as it is introduced.

    The Database

    As mentioned above, the blog data will be stored in and retrieved from a MySQL database. PHP provides many simple to use MySQL functions for this purpose, but first, the database needs to be created. The command below shows how to create the database from the command line.

    mysqladmin create blog -u root -p

    Following this the system will prompt the user for the root password and when given the new database, named blog, will be created. From there a username and password will need to be set for the blog application, after all, using root to interface to the database would be poor form.

    mysql blog -u root -p

    Once again, a password is required, and when given, the mysql prompt is ready to take commands. Here is the command to create a user for the database named blog.

    GRANT ALL ON blog.* TO blog_master@localhost IDENTIFIED BY 'blog_password';

    With the database successfully created, and a username and password in place, exit the database and log in again using the new username and password.

    mysql blog -u blog_master -p

    When prompted, type in the password for the blog_master.

    The database tables are themselves quite basic: a table of blog categories, and a table of blog content. The blog_category table need only contain the blog category id and the blog category name.

    The blog content table has a little extra. This table will contain the blog id, the blog category id, the blog headline, the blog text, and the blog date. The blog id will be an auto incremented value to avoid duplication and provide a primary key to ensure fast indexed lookups. The blog category id will be a foreign key which references the blog category id in the blog category table. To this end, the tables must make use of the InnoDB table type.

    The tables will look like this:

    CREATE TABLE blog_users (
        blog_user_id int(11) NOT NULL auto_increment,
        blog_user_name varchar(20) NOT NULL,
        blog_user_password char(40) NOT NULL,
        blog_user_email varchar(254) NOT NULL,
        blog_user_access_level int(1) NOT NULL default 0,
        -- assumed column: not in the original listing, but adduser_submit.php stores the
        -- verification code here and verify.php later sets it to 1
        blog_user_status varchar(40) NOT NULL default '0',
        PRIMARY KEY (blog_user_id),
        UNIQUE KEY blog_username (blog_user_name)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    CREATE TABLE blog_categories (
        blog_category_id int(11) NOT NULL AUTO_INCREMENT,
        blog_category_name varchar(50) NOT NULL,
        PRIMARY KEY (blog_category_id)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    CREATE TABLE blog_content (
        blog_content_id int(11) NOT NULL AUTO_INCREMENT,
        blog_category_id int(11) NOT NULL,
        blog_user_id int(11) NOT NULL,
        blog_content_headline varchar(50) NOT NULL,
        blog_content_text text NOT NULL,
        blog_content_date timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
        blog_publish int(1) NOT NULL default 0,
        PRIMARY KEY (blog_content_id),
        FOREIGN KEY (blog_user_id) REFERENCES blog_users(blog_user_id) ON DELETE CASCADE,
        FOREIGN KEY (blog_category_id) REFERENCES blog_categories(blog_category_id) ON DELETE CASCADE
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    Note in the blog_content table that the blog_category_id and blog_user_id fields are set as foreign keys and that they are set to ON DELETE CASCADE. This means if a blog category is deleted, all blog content that is related to it will also be deleted from the blog_content table; likewise, if a blog user is deleted, all blog entries by that user will be deleted. Be careful.

    Copy and paste the database schema above into the command line to create the tables. Be careful if using a third party application such as phpMyAdmin to talk to MySQL, as many of these applications have poor support for foreign keys.

    With the database setup complete, the first steps can be made to start blogging.

    User CRUD

    Before any blog entries can be added by users, the users must first be added to the system. An admin user will also be required to oversee, or moderate, the blog entries. The method of creating, retrieving, updating and deleting database entries is commonly referred to as CRUD:

    * Create
    * Retrieve
    * Update
    * Delete

    These are the basic tasks needed to build the blog, and most PHP applications. Indeed, they are possibly the most commonly used tasks of all database driven applications and web sites, and hence get their own acronym. But before any data can go into the database, a database connection needs to be made. This will be the first file and will be included in all files where a database connection is required.


    Create a directory called includes in which to keep all the PHP scripts that are created for the blog. This will keep things tidy and easy for maintenance purposes. In the includes directory create a file called conn.php which will look like this:

    In the beginning of the above script, several variables are set which can then be used with the mysql_connect() function to connect to the database. Once the database connection is established, the database can be selected with the mysql_select_db() function. The resource returned by the mysql_select_db() function is checked later in the script to see if a valid connection has been made and that the database is available.

    If this file were to be accessed on its own, no data would be shown, not even if there was an error. The @ symbol before mysql_connect() is used to suppress errors. This is rarely required and should be used only where appropriate. It is used in this instance to suppress the error, as a check will soon be made on the validity of the $db link that follows.

    Create A User

    Now that a database connection can be made, users can be added to the system. Each user will have a user name, a password, and an access level. The access level will determine which files they have access to. Having regular users access the administration files would be disastrous, so care must be taken to ensure that users receive only the amount of access they require.

    Initially, the users will be confronted with a form which prompts for user name and password. When complete, an email will be sent to the specified email address and the user will have 24 hours in which to verify the sign up or the entry will be deleted.

    The process of verifying a user is quite simple. In the email that is sent to the user, the user id is sent in a link along with a randomly generated verification code. The user must access the link provided and enter the verification code. Upon success, the user is logged in and can submit blog entries.

    To avoid repetition of commonly used HTML components, a simple template can be made of the components and included with the PHP include language construct. As a language construct, include is not really a function, but is often thought of as a function to avoid confusion. Here, a header.php and footer.php file will be created with elements common to all HTML files in the system, such as the DOCTYPE, title, body etc.

    Create a directory called includes and in the includes directory, create a template called header.php and in it put the following HTML.

    PHPRO.ORG BLOG

    The footer file contains even less and has only the closing body and html tags. Create a file in the includes directory named footer.php and in it put the following HTML.

    With these two files in place, the form to add users can be created. As the form is part of a CRUD system, it will serve two purposes: to add users and then to edit users. This avoids duplication and saves coding time. It is a simple HTML form and will accept a user name and password.

    The form itself is included in the adduser.php file which will be created next. The form introduces the PHP isset() function and the PHP ternary operator. The isset() function, as the name suggests, is used to check if a variable is set. The ternary operator is like a PHP if/else. So the following two snippets are the same.


    Confirm Password

    Email Address


    ?>

    When accessed with the browser the form is displayed with the relevant variable values filled in, such as the form action, the submit button value, and the form token. The form will post to a PHP script named adduser_submit.php. This script will check the values posted from the form, and if they are valid, put them into a database and then email the user with a verification code which will be used later to activate the account. Sounds easy right?

    The adduser_submit.php script will look like this.


    {
        $errors[] = 'Email Invalid';
    }else{
        /*** include the db connection first: mysql_real_escape_string() needs an open link ***/
        include 'includes/conn.php';

        /*** escape all vars for database use ***/
        $blog_user_name = mysql_real_escape_string($_POST['blog_user_name']);

        /*** encrypt the password ***/
        $blog_user_password = sha1($_POST['blog_user_password']);
        $blog_user_password = mysql_real_escape_string($blog_user_password);

        /*** strip injection chars (raw and URL-encoded line breaks) from email ***/
        $blog_user_email = preg_replace('((?:\n|\r|\t|%0A|%0D|%08|%09)+)i', '', $_POST['blog_user_email']);
        $blog_user_email = mysql_real_escape_string($blog_user_email);

        /*** test for db connection ***/
        if($db){
            /*** check for existing username and email ***/
            $sql = "SELECT
                    blog_user_name,
                    blog_user_email
                    FROM
                    blog_users
                    WHERE
                    blog_user_name = '{$blog_user_name}'
                    OR
                    blog_user_email = '{$blog_user_email}'";
            $result = mysql_query($sql);
            $row = mysql_fetch_row($result);

            if($row[0] == $blog_user_name){
                $errors[] = 'User name is already in use';
            }elseif($row[1] == $blog_user_email){
                $errors[] = 'Email address already subscribed';
            }else{
                /*** create a verification code ***/
                $verification_code = uniqid();

                /*** the sql query ***/
                $sql = "INSERT INTO blog_users (
                        blog_user_name,
                        blog_user_password,
                        blog_user_email,
                        blog_user_access_level,
                        blog_user_status
                        ) VALUES (
                        '{$blog_user_name}',
                        '{$blog_user_password}',
                        '{$blog_user_email}',
                        1,
                        '{$verification_code}')";

                /*** run the query ***/
                if(mysql_query($sql)){
                    /*** unset the session token ***/
                    unset($_SESSION['form_token']);

                    /*** email subject ***/
                    $subject = 'Verification code';

                    /*** email from ***/
                    $from = '[email protected]';

                    /*** the message ***/
                    $path = dirname($_SERVER['REQUEST_URI']);
                    $message = "Click the link below to verify your subscription\n\n";
                    $message .= 'http://'.$_SERVER['HTTP_HOST'].$path.'/verify.php?vc='.$verification_code;

                    /*** set some headers ***/
                    $headers = 'From: [email protected]' . "\r\n" .
                               'Reply-To: [email protected]' . "\r\n" .
                               'X-Mailer: PHPRO MAIL';

                    /*** send the email ***/
                    if(!mail($blog_user_email, $subject, $message, $headers)){
                        /*** append to the errors array (not overwrite it) ***/
                        $errors[] = 'Unable to send verification';
                    }

                    /*** unset the form token ***/
                    unset($_SESSION['form_token']);
                }else{
                    $errors[] = 'User Not Added';
                }
            }
        }else{
            $errors[] = 'Unable to process form';
        }
    }

    /*** check if there are any errors in the errors array ***/
    if(sizeof($errors) > 0){
        foreach($errors as $err){
            /*** line-break tag assumed; the tag was lost in extraction ***/
            echo $err, '<br />';
        }
    }else{
        echo 'Sign up complete<br />';
        echo 'A verification email has been sent to '.$blog_user_email;
    }

    /*** include the footer file ***/
    include 'includes/footer.php';
    ?>

    The structure of the above script takes the form of an if/elseif/else ladder. This allows the code execution to step through a variety of checks before the operational part of the script is executed. The checks are many and provide the minimum security checking needed to secure a PHP application.

    Stepping down the ladder, the first check uses isset() to check that the form token has been sent; this ensures the form that POSTed the data is not a copy hosted on a third party machine. The second check also uses the isset() function, but this time checks four variables in one swoop. This feature of the isset() function makes the if/elseif/else ladder much shorter and saves time on coding multiple isset()'s for each POST variable.

    A check is then performed on the form token to be sure that the token POSTed matches the token stored in the SESSION. If the tokens do not match an error is generated. From there variables are checked for length. This is important as a malicious user may try to inject variables with lengths shorter or longer than the length expected, or the length permitted by the database. This would cause an error that may give away internal information about your system.

    A check is made on the validity of the email as well as on the length. There is no regular expression known to man that will successfully match all valid emails per the RFC. This one will catch all sane email addresses.
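    As an added example (not the tutorial's own code), here is the same registration ladder written with PDO prepared statements, password_hash() and a random_bytes() verification code in place of mysql_real_escape_string(), sha1() and uniqid(); register_user(), the in-memory SQLite table and the sample submissions are constructed for this demonstration.

```php
<?php
// Added example, not the tutorial's own code: the adduser_submit.php checks
// with PDO prepared statements, password_hash() and a CSPRNG-generated code.
// Runs stand-alone on an in-memory SQLite table; in the blog, $db would be
// the MySQL PDO connection and $post/$session would be $_POST/$_SESSION.
declare(strict_types=1);

function register_user(PDO $db, array $post, array &$session): array
{
    $errors = [];

    // 1. form token must be present AND equal; hash_equals() compares in constant time
    if (!isset($session['form_token'], $post['form_token'])
        || !hash_equals((string)$session['form_token'], (string)$post['form_token'])) {
        return ['Unable to process form'];
    }
    // 2. all fields present, checked with one isset() as the tutorial does
    if (!isset($post['blog_user_name'], $post['blog_user_password'],
               $post['blog_user_password2'], $post['blog_user_email'])) {
        return ['All fields are required'];
    }
    $name  = trim((string)$post['blog_user_name']);
    $pass  = (string)$post['blog_user_password'];
    $email = (string)$post['blog_user_email'];

    // 3. lengths bounded by the schema (varchar(20), varchar(254)); bcrypt reads 72 bytes
    if (strlen($name) < 2 || strlen($name) > 20 || preg_match('/^[a-z][a-z\d_]+$/iD', $name) !== 1) {
        $errors[] = 'User name must be 2-20 letters, digits or underscores';
    }
    if (strlen($pass) < 8 || strlen($pass) > 72) {
        $errors[] = 'Password must be 8-72 characters';
    }
    if ($pass !== (string)$post['blog_user_password2']) {
        $errors[] = 'Passwords do not match';
    }
    // 4. email: reject line breaks (raw or URL-encoded) outright instead of stripping
    //    them, so a header-injection attempt fails visibly; filter_var() does the syntax check
    if (strlen($email) > 254 || preg_match('/\r|\n|%0[aAdD]/', $email) === 1
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email Invalid';
    }
    if ($errors !== []) {
        return $errors;
    }

    // 5. uniqueness check with bound parameters: no escaping, no SQL string building
    $stmt = $db->prepare('SELECT blog_user_name, blog_user_email FROM blog_users
                          WHERE blog_user_name = :n OR blog_user_email = :e');
    $stmt->execute([':n' => $name, ':e' => $email]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    if ($row !== false) {
        return [$row[0] === $name ? 'User name is already in use'
                                  : 'Email address already subscribed'];
    }

    // 6. verification code from random_bytes(); uniqid() is clock-based and guessable
    $code = bin2hex(random_bytes(16));
    $ins = $db->prepare('INSERT INTO blog_users
        (blog_user_name, blog_user_password, blog_user_email, blog_user_access_level, blog_user_status)
        VALUES (:n, :p, :e, 1, :s)');
    $ins->execute([
        ':n' => $name,
        ':p' => password_hash($pass, PASSWORD_DEFAULT),   // salted bcrypt, not bare sha1()
        ':e' => $email,
        ':s' => $code,
    ]);
    unset($session['form_token']);      // one token, one submission
    $session['pending_code'] = $code;   // the value the mail() call would put in the link
    return [];
}

// ---- stand-alone demo on constructed data ----
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE blog_users (
    blog_user_id INTEGER PRIMARY KEY AUTOINCREMENT,
    blog_user_name TEXT NOT NULL UNIQUE,
    blog_user_password TEXT NOT NULL,
    blog_user_email TEXT NOT NULL,
    blog_user_access_level INTEGER NOT NULL DEFAULT 0,
    blog_user_status TEXT NOT NULL)');

$session = ['form_token' => bin2hex(random_bytes(16))];
$post = ['form_token' => $session['form_token'], 'blog_user_name' => 'alice',
         'blog_user_password' => 'correct horse', 'blog_user_password2' => 'correct horse',
         'blog_user_email' => 'alice@example.com'];
print_r(register_user($db, $post, $session));   // first submission: no errors, row inserted

print_r(register_user($db, $post, $session));   // same token again: rejected, the token was consumed

$session['form_token'] = 'tok2';
$post['form_token'] = 'tok2';
$post['blog_user_name'] = 'bob';
$post['blog_user_email'] = "bob@example.com\r\nBcc: someone@example.net";
print_r(register_user($db, $post, $session));   // CR/LF in the address: rejected before any query runs
```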

    If all checks succeed, the script then prepares for use with the database. It is imperative that any variables that are to be used in an SQL statement are properly escaped to prevent SQL injection. At this time the user's email address is sanitized also, not only for SQL injection, but for email header injection as well. All variables that are to be used in emails should be properly sanitized to prevent header injection, which is a leading cause of SPAM. A further check is made to ensure the username or the email address is not already in use. If it is already in use, an error is generated. If all is well, the new user data is added to the database and an email is sent to the user with a verification code.

    Verify User

    When a new user is created as above, an email is sent to the user's email address with a verification code. The URL in the link contains a section like this:

    verify.php?vc=48ba88c9efeef

    This means the file verify.php will have access to the verification code via the PHP super global $_GET['vc'].


    {
        /*** include the database connection first: escaping needs an open link ***/
        include 'includes/conn.php';

        /*** check for a valid connection ***/
        if($db){
            /*** escape the code ***/
            $blog_verification_code = mysql_real_escape_string($_GET['vc']);

            /*** the update SQL ***/
            $sql = "UPDATE
                    blog_users
                    SET
                    blog_user_status=1
                    WHERE
                    blog_user_status='{$blog_verification_code}'";

            /*** run the query ***/
            $result = mysql_query($sql);

            /*** check for affected rows ($db is the link opened in conn.php) ***/
            if(mysql_affected_rows($db) != 1){
                $message = 'Unable to verify';
            }else{
                $message = 'Verification Complete, please log in to submit blog';
            }
        }
    }
    ?>

    Verification

    The verify.php file itself is quite simple in comparison to the previous file. Once again the isset() function is used, this time to check that the verification code is present in $_GET['vc']. Then the length of the string is checked and, if all is well, the verification code is prepared for use in the database using mysql_real_escape_string().

    The SQL query is run and updates the user status of the user with the matching verification code. By using the mysql_affected_rows() function it is possible to check if the SQL query was successful.

    Login

    Now that a user can be created and registered with the system, it is possible for the user to log into the system. But first, a method of navigation is required. The navigation menu will be common to all pages, so it can be part of the header. This means only a single copy is ever needed and saves code duplication.

    The new includes/header.php file will look like this.


        $log_link = 'logout.php';
        $log_link_name = 'Log Out';
    }else{
        $log_link = 'login.php';
        $log_link_name = 'Log In';
    }
    ?>
    PHPRO.ORG BLOG

    .menu ul{
        color: green;
        list-style: none;
    }

    .menu ul li{
        display: inline;
        float: left;
        padding: 2px 8px;
    }

    hr{
        clear: both;
    }

    Home

    ?>

    Blog Login

    Please supply your username and password.

    No surprises in the login form. It contains the obligatory session_start() function that must be used any time an interaction with session variables is required. The form token is set and the header file is included. The form is simple and contains the form token and inputs for username and password, followed by the inclusion of the footer.php file.

    When the form is submitted, something different happens. The form token is checked, the username and password are validated and sanitized, but instead of displaying a message, the script will redirect the user to the index.php page, which will be created now.

    The index.php file will look like this.

    PHPRO.ORG Blog

    Welcome to the PHPRO.ORG Blog...

    The index file will grow quite substantially further on as blog entries need to be retrieved, but for now, this is all that is required.

    The login_submit.php file will look like this.


    /*** check all fields have been posted ***/
    elseif(!isset($_POST['form_token'], $_POST['blog_user_name'], $_POST['blog_user_password'])){
        $location = 'login.php';
    }
    /*** check the form token is valid ***/
    elseif($_SESSION['form_token'] != $_POST['form_token']){
        $location = 'login.php';
    }
    /*** check the length of the user name ***/
    elseif(strlen($_POST['blog_user_name']) < 2 || strlen($_POST['blog_user_name']) > 25){
        $location = 'login.php';
    }
    /*** check the length of the password ***/
    elseif(strlen($_POST['blog_user_password']) < 8 || strlen($_POST['blog_user_password']) > 25){
        $location = 'login.php';
    }else{
        /*** include the db connection first: mysql_real_escape_string() needs an open link ***/
        include 'includes/conn.php';

        /*** escape all vars for database use ***/
        $blog_user_name = mysql_real_escape_string($_POST['blog_user_name']);

        /*** encrypt the password ***/
        $blog_user_password = sha1($_POST['blog_user_password']);
        $blog_user_password = mysql_real_escape_string($blog_user_password);

        /*** test for db connection ***/
        if($db){
            /*** check for existing username and password ***/
            $sql = "SELECT
                    blog_user_name,
                    blog_user_password,
                    blog_user_access_level
                    FROM
                    blog_users
                    WHERE
                    blog_user_name = '{$blog_user_name}'
                    AND
                    blog_user_password = '{$blog_user_password}'
                    AND
                    blog_user_status=1";
            $result = mysql_query($sql);
            if(mysql_num_rows($result) != 1){
                $location = 'login.php';
            }else{
                /*** fetch result row ***/
                $row = mysql_fetch_row($result);

                /*** set the access level ***/
                $_SESSION['access_level'] = $row[2];

                /*** unset the form token ***/
                unset($_SESSION['form_token']);

                /*** send user to index page ***/
                $location = 'index.php';
            }
        }
    }

    /*** redirect ***/
    header("Location: $location");

    /*** flush the buffer ***/
    ob_end_flush();
    ?>

    This time, when the form is submitted, the user is redirected to the index.php page if the login is successful. If the login fails, the user is redirected back to the login page to try again. The first line of code begins the output buffering, which stops PHP sending headers to the browser prematurely; without it an error would occur, as headers are sent when using session_start() and again when using the header() function.

    The structure maintains the if/elseif/else ladder and traverses through some of the checks used earlier to validate and sanitize the user inputs. At the end of the script, the header() function redirects and finally, the ob_end_flush() function sends the whole thing to the browser.
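    As an added example (not the tutorial's own code), the decision logic of login_submit.php as a stand-alone function that fails closed, verifies against a password_hash() value instead of sha1(), and replaces the session id before storing the access level; login_user() and $find_user are names assumed here, and the array of users stands in for the blog_users table.

```php
<?php
// Added example, not the tutorial's own code: the login decision of
// login_submit.php as a pure function so it can be run stand-alone.
// $find_user stands in for the SELECT against blog_users and returns the
// row for a user name or null; here it is backed by a constructed array.
declare(strict_types=1);

function login_user(callable $find_user, array $post, array &$session): string
{
    // fail closed: every path that is not an explicit success goes back to login.php
    $location = 'login.php';

    if (!isset($session['form_token'], $post['form_token'], $post['blog_user_name'], $post['blog_user_password'])
        || !hash_equals((string)$session['form_token'], (string)$post['form_token'])) {
        return $location;
    }
    $name = (string)$post['blog_user_name'];
    $pass = (string)$post['blog_user_password'];
    if (strlen($name) < 2 || strlen($name) > 25 || strlen($pass) < 8 || strlen($pass) > 72) {
        return $location;
    }

    $row = $find_user($name);
    // verify against a stored password_hash() value; when the user does not exist,
    // still run password_verify() against a dummy hash so the response time does
    // not reveal which user names are valid
    $hash = $row['blog_user_password'] ?? password_hash('dummy-does-not-matter', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || $row === null) {
        return $location;
    }
    // compare the status as a string: MySQL's "blog_user_status=1" on a varchar
    // column also matches an unverified code that happens to begin with "1"
    if ((string)$row['blog_user_status'] !== '1') {
        return $location;
    }

    // success: drop the token, replace the session id before storing privileges
    // (session_regenerate_id() only applies when a real session is active), and
    // record the access level that the admin-only pages check
    unset($session['form_token']);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['access_level'] = (int)$row['blog_user_access_level'];
    $session['blog_user_id'] = (int)$row['blog_user_id'];
    return 'index.php';
}

// ---- constructed stand-in for the blog_users table ----
$users = [
    'alice' => ['blog_user_id' => 1, 'blog_user_password' => password_hash('correct horse', PASSWORD_DEFAULT),
                'blog_user_access_level' => 5, 'blog_user_status' => '1'],
    'carol' => ['blog_user_id' => 2, 'blog_user_password' => password_hash('battery staple', PASSWORD_DEFAULT),
                'blog_user_access_level' => 1, 'blog_user_status' => '1b3f9a0c'],   // not yet verified
];
$find_user = static fn(string $n): ?array => $users[$n] ?? null;

// case 1: verified administrator with the right password and a matching token
$session = ['form_token' => 'tok123'];
$post = ['form_token' => 'tok123', 'blog_user_name' => 'alice', 'blog_user_password' => 'correct horse'];
echo login_user($find_user, $post, $session), ' access_level=', $session['access_level'] ?? 'none', "\n";

// case 2: right password, but the account is still waiting for verification
$session = ['form_token' => 'tok456'];
$post = ['form_token' => 'tok456', 'blog_user_name' => 'carol', 'blog_user_password' => 'battery staple'];
echo login_user($find_user, $post, $session), "\n";

// case 3: wrong password for an existing user
$session = ['form_token' => 'tok789'];
$post = ['form_token' => 'tok789', 'blog_user_name' => 'alice', 'blog_user_password' => 'wrong password'];
echo login_user($find_user, $post, $session), "\n";
```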

    Note that the Login link in the menu changes to Log Out when a user logs in.

    Log Out

    Now that a user can log in to the system, a method is required to log out. As the link for the log out is already in the menu, it is simply a matter of creating the logout.php file. This file only needs to check that the access_level SESSION variable is set, and if it is, unset() it, and then redirect the user back to the index.php page.

    The logout.php file will look like this.


    /*** flush the buffer ***/
    ob_end_flush();

    ?>

    Blog CRUD

    The blog CRUD, as the name suggests, comprises four components.

    * Create
    * Retrieve
    * Update
    * Delete

    To Create or add a blog entry, there must first be some categories to add them to.

    Create A Category

    Before data can be retrieved from the database, it must first be put in. The most common way of getting user input into a database with PHP is with an HTML form. Because a form is a client side interface, the door is left open to abuse, as the content the end user puts into the form may not be the type of content expected or, if a malicious user wants to get nasty, may try to compromise the system. It is the job of the PHP developer to close these security doors and the basic lesson is this:

    NEVER TRUST USER INPUT
    NEVER TRUST USER INPUT
    NEVER TRUST USER INPUT

    As this blog is a multi-user system, precautions must be taken to avoid mistakes and misuse. The form itself is quite simple and is simply HTML.

    Creating categories is a function of the administrator, and so the script to add a category must only be available to the admin user. The user access level for the administrator is 5. This can be checked as the access level is stored in a session, so when the admin lands on the add_category.php page, access can be checked, and if the access level is not correct, the user will be redirected to the index.php page.

    Create a file named add_category.php in the main directory, as we are going to add a category to the blog. The add_category.php file will look like this:


    {
        /*** set a token ***/
        $form_token = uniqid();
        $_SESSION['form_token'] = $form_token;
    }
    ?>

    Add Category

    Category names must contain only alpha numeric characters and underscore, spaceor comma.

    This file makes use of output buffering to manage the headers. Headers are sent from the included header.php file with session_start() and this would produce a warning. The script checks that the user who is accessing the page is an administrator by checking first that the access_level variable is set and then that its value is 5. If this is not true, the user is forwarded off to the index page gracefully. If the access is from the administrator, then the form is shown in the page.

    The file is a simple HTML form that contains the required input text field to add a category. Note that the name of the input matches the name in the database.

    This is not strictly required but gives clarity when dealing with variables.

    The form action is the add_category_submit.php file. This is the file that will process the form data, and if all is well, will add the category to the database. To achieve this several things need to happen.

    * The form field must contain a valid name
    * The connection must be made to the database
    * The category must be added
    * A response is required

    As the category name must be a string containing less than 50 characters, because the database field is defined as VARCHAR(50), it is simple to validate that this is what has been supplied by the form. The database connection is made by simply including the conn.php file. When a file is included with PHP, it is the same as if the code were written where the include occurs. Following this, the category is added to the database and a thank you message created. The add_category_submit.php file will look like this.


    /*** check access level ***/
    if(!isset($_SESSION['access_level']) || $_SESSION['access_level'] != 5){
        header("Location: index.php");
        exit;
    }else{
        /*** check the form has been posted, the session token is set and the two tokens match ***/
        /*** (the match is what makes the token useful; checking isset() alone proves nothing) ***/
        if(isset($_SESSION['form_token'], $_POST['form_token'], $_POST['blog_category_name'])
            && $_SESSION['form_token'] === $_POST['form_token']
            /*** preg_match() returns 1, 0 or false on error, so test for exactly 1 ***/
            && preg_match('/^[a-z][a-z\d_ ,]{2,49}$/i', $_POST['blog_category_name']) === 1)
        {
            /*** if we are here, include the db connection ***/
            include 'includes/conn.php';

            /*** test for db connection ***/
            if($db){
                /*** escape the string ***/
                $blog_category_name = mysql_real_escape_string($_POST['blog_category_name']);

                /*** the sql query ***/
                $sql = "INSERT INTO blog_categories (blog_category_name) VALUES ('{$blog_category_name}')";

                /*** run the query ***/
                if(mysql_query($sql)){
                    /*** unset the session token ***/
                    unset($_SESSION['form_token']);
                    echo 'Category Added';
                }else{
                    echo 'Category Not Added';
                }
            }else{
                echo 'Unable to process form';
            }
        }else{
            echo 'Invalid Submission';
        }
    }

    /*** flush the buffer ***/
    ob_end_flush();
    ?>

    It is quite clear from the above code that ninety percent of the code is dedicated to error checking. This is perhaps the most important part of dealing with input from users. Note that once again, the blog_category_name variable matches the name in the database, and that the naming convention is maintained throughout the script.


    The use of the preg_match() function contains several validation tasks rolled into a single function. Regular expressions are an excellent tool for validating user input to ensure what is posted from a form is what is expected when processing the data. This regular expression allows the use of alphanumeric characters and underscore, space and comma. This permits a good variety of characters to use for any sane category name.
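    As an added example (not the tutorial's own code), the acceptance check of add_category_submit.php as a function, category_submission_ok() (a name assumed here), with the token comparison, the preg_match() result test and the regex end anchor tightened, run over constructed submissions.

```php
<?php
// Added example, not the tutorial's own code: the add_category_submit.php
// input check as a function, with three corrections a reviewer would ask for.
declare(strict_types=1);

function category_submission_ok(array $session, array $post): bool
{
    // (1) the tutorial's condition only tests that both tokens are *set*;
    //     the two values must also be equal, or the token protects nothing
    if (!isset($session['form_token'], $post['form_token'], $post['blog_category_name'])
        || !hash_equals((string)$session['form_token'], (string)$post['form_token'])) {
        return false;
    }
    // (2) preg_match() returns 1, 0 or false (on error); "!== 0" lets false
    //     through, "=== 1" does not
    // (3) without the D modifier, "$" also matches before a trailing newline,
    //     so "Cars\n" would be accepted; D (dollar end only) closes that gap
    return preg_match('/^[a-z][a-z\d_ ,]{2,49}$/iD', (string)$post['blog_category_name']) === 1;
}

// constructed submissions: the session token is 'tok1' in every case
$session = ['form_token' => 'tok1'];
$cases = [
    'valid name'          => ['form_token' => 'tok1', 'blog_category_name' => 'Cars, Trucks_2'],
    'token mismatch'      => ['form_token' => 'tok2', 'blog_category_name' => 'Cars'],
    'trailing newline'    => ['form_token' => 'tok1', 'blog_category_name' => "Cars\n"],
    'too long (51 chars)' => ['form_token' => 'tok1', 'blog_category_name' => str_repeat('a', 51)],
    'starts with a digit' => ['form_token' => 'tok1', 'blog_category_name' => '3D Printing'],
];
foreach ($cases as $label => $post) {
    printf("%-22s %s\n", $label, category_submission_ok($session, $post) ? 'accepted' : 'rejected');
}
```

    Only the first case is accepted; the trailing-newline case is the one the tutorial's regex, without the D modifier, would have let into the database.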

    The form and form submit now work as expected and categories can be added easily. A form token has been used to ensure the validity of the form and to prevent page refresh. The form token is stored in a session with the add_category.php form, and then checked in the add_category_submit.php script, and if the POST is successful, the token is deleted, thus preventing further POSTings of the form.

    Delete A Category

    The process of deleting a category is very similar to that of adding a category; with a few small changes the code is mostly the same. The form maintains the session token and the only difference is that the category names and ids are extracted from the database to be used in the form with a drop-down select.

    The process of gathering the information for the form is kept at the top of the script. This means all the application logic is separated from the display logic. This will be important as scripts, and indeed applications, become larger. The form script itself looks like this.


            $result = mysql_query($sql);
            if(!is_resource($result)){
                echo 'Unable to get category listing';
            }else{
                /*** create an empty array ***/
                $categories = array();

                /*** loop over the results and add them to the array ***/
                while($row = mysql_fetch_array($result)){
                    $categories[$row['blog_category_id']] = $row['blog_category_name'];
                }
            }
        }else{
            echo 'Database connection failed';
        }
    }
    ?>

    Delete Category

    Note the delete button has a small JavaScript onclick added which pops up a confirm window asking the user to confirm the delete when the button is pressed.

    Moving to the includes/del_category_submit.php file, once again there are many similarities with the add_category_submit.php file. The same process is involved, with small changes to the error checking to validate that the blog_category_id is indeed a number. The inclusion of the database connection and connection resource is the same and only the SQL query changes. A small addition when the deletion is completed is the mysql_affected_rows() line, which returns the number of affected rows from the previous MySQL operation. This can be used to display the number of rows deleted, which should be one.

    The del_category_submit.php file looks like this.


            {
                echo 'Unable to process form';
            }
        }else{
            echo 'Invalid Submission';
        }
    }
    ?>

    Once again the code shows mostly error checking; this is the life of the PHP programmer. The task is not one of how to make things right, but of how to stop things going wrong. There are many aspects of simple scripts which need to be dealt with that are often overlooked. By attending to the smaller details, PHP scripts and applications are robust and easy to maintain.

    Add several categories such as Computers, Programming and Cars. These will be the categories used as the tutorial progresses.

    Create A Blog Entry

    With the categories now available, the real work of CRUD can begin. Of course, the beginning is the creation of a blog entry. Once again a form will be used to enter the data, but this form will not be as simple as the previous one. A little forward thinking is needed as a blog entry may need to be edited to correct some aspect of the entry. The form fields will be identical, and it would be poor practice to duplicate the form and use separate forms for adding and editing a blog entry.

    Like any other piece of reusable code, the form can be included in a PHP script. The main difference with a reusable piece of HTML code is that any PHP variables within the code must be available to it. Also, the form action will be directed to two different scripts, so this too must be a variable set in the parent script, that is, the script that includes the form.

    The includes/blog_form.php file, which contains the form, will look like this.


    Blog


        include 'includes/conn.php';

        /*** check for database connection ***/
        if($db){
            $sql = "SELECT
                    blog_category_id,
                    blog_category_name
                    FROM
                    blog_categories";
            $result = mysql_query($sql);
            if(!is_resource($result)){
                echo 'Unable to find any categories';
            }else{
                /*** check for a result ***/
                if(mysql_num_rows($result) != 0){
                    /*** put the categories in an array ***/
                    $categories = array();
                    while($row = mysql_fetch_array($result)){
                        $categories[$row['blog_category_id']] = $row['blog_category_name'];
                    }

                    /*** set the form values ***/
                    $blog_form_action = 'add_blog_submit.php';
                    $blog_heading = "Add A Blog Entry";
                    $blog_content_headline = '';
                    $blog_content_text = '';
                    $blog_form_submit_value = 'Add Blog';

                    /*** include the blog form ***/
                    include 'includes/blog_form.php';
                }else{
                    echo 'No categories found';
                }
            }
        }else{
            /*** if we are here the database connection has failed ***/
            echo 'Unable to complete request';
        }

        /*** include the footer ***/
        include 'includes/footer.php';
    }
    ?>

    The final part of adding a blog entry is to create the add_blog_submit.php file. Like the add_category_submit.php file, the task of INSERTing the data into the database is quite simple. The same process is repeated with a new SQL query for the blog table. The session token is destroyed in the same way to prevent multiple posting by hitting the refresh button.

  • 8/7/2019 how to create Webapp in Php

    24/34

    The add_blog_submit.php file will look like this.

  • 8/7/2019 how to create Webapp in Php

    25/34

    blog_content(blog_user_id,blog_category_id,blog_content_headline,blog_content_text)VALUES ('{$blog_user_id}',

    '{$blog_category_id}','{$blog_content_headline}','{$blog_content_text}')";

    /*** run the query ***/if(mysql_query($sql)){

    /*** unset the session token ***/unset($_SESSION['form_token']);

    echo 'Blog Entry Added';}

    else{echo 'Blog Entry Not Added' .mysql_error();

    }}else{

    echo 'Unable to process form';}

    }}else{

    echo 'Invalid Submission';}

    }?>Retrieve Blog Entries

    Now that blog entries can be created, they need to be retrieved in order to be displayed. This is achieved with a single SELECT statement. The page to view the last 5 blog entries will be the main index.php page.

    This file is far less complex than the previous examples, as it requires only a single query to extract the data and then display it. The conn.php file is included and a check is made for a valid database connection. Further checks are then made to ensure a valid database resource is available and, if all is well, the blog data is SELECTed from the database. Note that index.php is a public page, so the die(mysql_error()) used below is for development only; on a live site it would hand the schema to anonymous visitors and a generic message should replace it.

    The data is put into an array of blog data for use further down the script in the display, where a simple foreach loop echoes each record in a little box that can later be styled with CSS. The headline and text were typed by a user, so they are passed through htmlspecialchars() before being echoed; echoed raw, a blog entry containing a script tag would run in every reader's browser. The index.php file will look like this.

    <?php
    /*** index.php ***/
    include 'includes/conn.php';

    /*** create the blog array (outside the connection check so the display code below can always test it) ***/
    $blog_array = array();

    /*** check for valid database connection ***/
    if($db)
    {
        /*** the SQL query to select last 5 blogs ***/
        $sql = "SELECT
                    blog_content_headline,
                    blog_content_text,
                    DATE_FORMAT(blog_content_date, '%b %d %Y') AS blog_content_date,
                    blog_category_name,
                    blog_user_name
                FROM
                    blog_content
                JOIN
                    blog_users USING(blog_user_id)
                JOIN
                    blog_categories USING(blog_category_id)
                ORDER BY blog_content_id DESC
                LIMIT 5";

        /*** run the query (development only: see the note above about mysql_error()) ***/
        $result = mysql_query($sql) or die(mysql_error());

        /*** check for a valid resource ***/
        if(is_resource($result))
        {
            /*** check there are results ***/
            if(mysql_num_rows($result) != 0)
            {
                /*** stuff the blog entries into the blog array ***/
                while($row = mysql_fetch_array($result, MYSQL_ASSOC))
                {
                    $blog_array[] = $row;
                }
            }
        }
        else
        {
            echo 'Blog Unavailable';
        }
    }
    else
    {
        echo 'No Blog Entries Available';
    }
    ?>
    <!-- page markup: the tags did not survive extraction and are reconstructed here -->
    <html>
    <head>
    <title>PHPRO.ORG Blog</title>
    </head>
    <body>
    <h1>Welcome to the PHPRO.ORG Blog...</h1>
    <?php
    if(sizeof($blog_array) > 0)
    {
        /*** loop over the blog array and display blogs, escaping user-supplied content ***/
        foreach($blog_array as $blog)
        {
            echo '<div class="blog_entry">';
            echo '<p class="blog_meta">' . htmlspecialchars($blog['blog_category_name']) . ': Added by '
               . htmlspecialchars($blog['blog_user_name']) . ' on ' . htmlspecialchars($blog['blog_content_date']) . '</p>';
            echo '<h3>' . htmlspecialchars($blog['blog_content_headline']) . '</h3>';
            echo '<p class="blog_text">' . htmlspecialchars($blog['blog_content_text']) . '</p>';
            echo '</div>';
        }
    }
    else
    {
        echo 'No Blogs Here';
    }

    /*** include the footer file ***/
    include 'includes/footer.php';
    ?>

    Update A Blog Entry

    Once a blog entry has been added, it will become the first item displayed on the index page. It is about this time that a spelling error is noticed, so a method to update or edit the entry is required. The form to do this has already been created, and is the same form that was used to add a blog entry, that is, the blog_form.php file in the includes directory.

    Like the add_blog.php file, the edit_blog.php file will set a number of variables for the blog form, and pre-populate the input fields with the data from the database. This will allow the content to be edited directly. Before this can happen, a method of choosing the blog entry to edit or update is required.

    By creating a page with a table to select and list all the blog entries, a simple hypertext link can be used to forward to the edit blog page. The ID of the blog entry is sent along with the URL and is retrieved using GET.

    Each blog entry should only be editable by the user who posted it, or by the admin user, so it is important to check both the user id of the user and the access level. Remember, an access level of 5 is the administrator.

    By now, the format of these files should be quite apparent, and list_blogs.php follows it. The header file is included along with the database connection file, conn.php. A simple SQL SELECT pulls the blog id and headline from the blog_content table, and an array is created which is used to build an HTML table displaying each headline. The hypertext link contains the blog_content_id, which will be used by the edit_blog.php file to SELECT the data for that ID.

    Note that if the user access level is equal to 1, a WHERE clause is added to the SQL query to ensure only that user's own entries are listed.

    Like all data supplied from userland, the blog id, called "bid" for short, must be checked before it is used. The abbreviated name is chosen because the value travels in the URL, and URLs should be kept as short as possible. In the scripts below it is checked with is_numeric() and escaped with mysql_real_escape_string(). Because bid is placed unquoted in the WHERE clause, the escaping on its own would not stop an injection such as 1 OR 1=1, since it only escapes quotes, backslashes and a few control characters; it is the is_numeric() check that keeps the value a number. Casting the value with (int) before it goes anywhere near the query is the simplest way to guarantee that.

    The edit_blog.php file will look like this.

    <?php
    /*** edit_blog.php ***/

    /*** check the blog id is set and is a number ***/
    if(isset($_GET['bid']) && is_numeric($_GET['bid']))
    {
        include 'includes/conn.php';

        /*** check for database connection ***/
        if($db)
        {
            /*** get the categories for the dropdown menu ***/
            $categories = array();
            $sql = "SELECT blog_category_id, blog_category_name FROM blog_categories";
            $result = mysql_query($sql);
            while($row = mysql_fetch_array($result))
            {
                $categories[$row['blog_category_id']] = $row['blog_category_name'];
            }

            /*** escape the blog id and assign to a variable ***/
            $blog_content_id = mysql_real_escape_string($_GET['bid']);
            $sql = "SELECT
                        blog_content_id,
                        blog_content_headline,
                        blog_content_text,
                        blog_category_id,
                        blog_category_name
                    FROM
                        blog_content
                    JOIN
                        blog_categories USING(blog_category_id)
                    WHERE
                        blog_content_id = $blog_content_id";

            /*** a regular user (access level 1) may only edit their own entries; the admin (level 5) may edit any ***/
            if($_SESSION['access_level'] == 1)
            {
                $blog_user_id = mysql_real_escape_string($_SESSION['blog_user_id']);
                $sql .= " AND blog_user_id = $blog_user_id";
            }

            /*** run the query ***/
            $result = mysql_query($sql) or die(mysql_error());

            /*** check for a valid resource ***/
            if(!is_resource($result))
            {
                echo 'Unable to fetch blog record';
            }
            else
            {
                /*** check there is a blog entry ***/
                if(mysql_num_rows($result) != 0)
                {
                    while($row = mysql_fetch_array($result))
                    {
                        $blog_heading = 'Edit Blog';
                        $blog_form_action = 'edit_blog_submit.php';
                        $selected = $row['blog_category_id'];
                        $blog_content_id = $row['blog_content_id'];
                        $blog_content_headline = $row['blog_content_headline'];
                        $blog_content_text = $row['blog_content_text'];
                        $blog_form_submit_value = 'Edit Blog';
                    }
                    /*** include the blog form ***/
                    include 'includes/blog_form.php';
                }
                else
                {
                    echo 'No blog found';
                }
            }
        }
        else
        {
            /*** if we are here the database connection has failed ***/
            echo 'Unable to complete request';
        }

        /*** include the footer ***/
        include 'includes/footer.php';
    }
    ?>

    With the edit_blog.php file in place, and all the variables set, it is now simply a matter of creating the file to submit to, which will perform the updates made in the form. Note that the correct category for the blog entry is pre-selected in the drop down menu and can be changed.

    Create a file called edit_blog_submit.php, which is where the form action set in edit_blog.php points. This file will, as with previous scripts, collect all the information coming in, validate it to be sure it is what is expected, escape it to prevent SQL injection, and finally UPDATE the database record, saving the changes. The UPDATE needs the same ownership restriction that edit_blog.php applied to its SELECT: the blog_content_id arrives in a hidden form field that the user controls, so without the extra AND blog_user_id clause a regular user could change that field and overwrite another user's entry. If the process of continually checking and re-checking data seems laborious, think of the task of having the site and/or database compromised and having to rebuild it.
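    The validate, escape, UPDATE sequence just described, rebuilt as an added example on PDO prepared statements instead of the tutorial's mysql_real_escape_string() and string interpolation. This is not the tutorial's listing, which follows next. The table and column names, the $_SESSION keys and the POST field names are the tutorial's, as are the blog database and blog_master credentials from its setup; the form_token POST field, the PDO connection options and the ADMIN_ACCESS_LEVEL constant (the tutorial states that level 5 is the administrator) are assumptions. It also folds in the two points raised for list_blogs.php and edit_blog.php above: ids are validated as positive integers with filter_var() rather than is_numeric(), and the ownership clause is applied to every access level other than the administrator's rather than only to level 1, so an unexpected level is denied rather than allowed. Requires PHP 7.1 or later with the pdo_mysql extension.

```php
<?php
/*** Added example, not the tutorial's code: edit_blog_submit.php on PDO prepared statements.
     Tutorial's: table/column names, $_SESSION keys, POST field names, database "blog", user blog_master.
     Assumed: the form_token POST field, the PDO options, the ADMIN_ACCESS_LEVEL constant name. ***/
declare(strict_types=1);

const ADMIN_ACCESS_LEVEL = 5;   /* the tutorial: access level 5 is the administrator */

/*** a positive integer id, or null: is_numeric() would also accept '1e3' or ' 7' ***/
function positive_int($value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

/*** the token is single use: compare in constant time, then discard it whatever the outcome ***/
function consume_form_token(array &$session, ?string $submitted): bool
{
    if (!isset($session['form_token']) || $submitted === null) {
        return false;
    }
    $ok = hash_equals($session['form_token'], $submitted);
    unset($session['form_token']);
    return $ok;
}

/*** returns the number of rows matched: 1 on success, 0 when the id does not exist or belongs
     to another user; throws InvalidArgumentException on malformed input ***/
function update_blog_entry(PDO $db, array $session, array $post): int
{
    $content_id  = positive_int($post['blog_content_id'] ?? null);
    $category_id = positive_int($post['blog_category_id'] ?? null);
    $headline    = (string)($post['blog_content_headline'] ?? '');
    $text        = (string)($post['blog_content_text'] ?? '');

    if ($content_id === null || $category_id === null) {
        throw new InvalidArgumentException('Invalid ID');
    }
    if ($headline === '' || strlen($headline) > 50) {
        throw new InvalidArgumentException('Blog Headline is invalid');
    }
    if ($text === '' || strlen($text) > 4096) {
        throw new InvalidArgumentException('Blog Text is Invalid');
    }

    /*** placeholders instead of interpolation: the values never become part of the SQL text ***/
    $sql = 'UPDATE blog_content
               SET blog_category_id = :category_id,
                   blog_content_headline = :headline,
                   blog_content_text = :text
             WHERE blog_content_id = :content_id';
    $params = array(
        ':category_id' => $category_id,
        ':headline'    => $headline,
        ':text'        => $text,
        ':content_id'  => $content_id,
    );

    /*** ownership: the hidden blog_content_id is attacker controlled, so anyone who is not the
         administrator is pinned to their own rows. Deny by default (!== 5) rather than the
         tutorial's == 1, so an unexpected level is treated as a regular user. ***/
    if ((int)$session['access_level'] !== ADMIN_ACCESS_LEVEL) {
        $sql .= ' AND blog_user_id = :user_id';
        $params[':user_id'] = (int)$session['blog_user_id'];
    }

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

/*** constructed session and POST data standing in for a real request ***/
$session = array('blog_user_id' => 2, 'access_level' => 1, 'form_token' => bin2hex(random_bytes(16)));
$post = array(
    'form_token'            => $session['form_token'],
    'blog_content_id'       => '7',
    'blog_category_id'      => '1',
    'blog_content_headline' => "Fixed the typo' OR 1=1 -- ",   /* stored literally, never executed */
    'blog_content_text'     => 'Corrected body text.',
);

if (!consume_form_token($session, $post['form_token'] ?? null)) {
    exit('Invalid Submission');
}

/*** MYSQL_ATTR_FOUND_ROWS makes rowCount() report matched rows, so re-saving an unchanged entry
     still counts as success instead of looking like "no blog found" ***/
$db = new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'blog_master', 'blog_password', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::MYSQL_ATTR_FOUND_ROWS => true,
));

try {
    echo update_blog_entry($db, $session, $post) === 1 ? 'Blog Updated Successfully' : 'No blog found';
} catch (InvalidArgumentException $e) {
    echo $e->getMessage();
}
```

    consume_form_token() discards the token even when the comparison fails, so a second submission of the same form, a refresh for instance, is rejected either way; that is the double-posting protection the tutorial gets by unsetting the token after the query, with the comparison step added. A result of 0 from update_blog_entry() is the normal outcome when a regular user submits somebody else's blog_content_id, and is worth logging with the session's user id.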

    The edit_blog_submit.php file will look like this.

    <?php
    /*** edit_blog_submit.php ***/

    /*** assumed login check (the statement opening this block is not on the page) ***/
    if(isset($_SESSION['blog_user_id']))
    {
        /*** check the form has been posted and the session token is set ***/
        if(isset($_SESSION['form_token'], $_POST['blog_category_id'], $_POST['blog_content_id'], $_POST['blog_content_headline'], $_POST['blog_content_text']))
        {
            /*** first check all POST variables for type and length; one chain, so a failed check stops processing ***/
            if(!is_numeric($_POST['blog_category_id']) || $_POST['blog_category_id'] == 0)
            {
                echo 'Blog Category Name is Invalid';
            }
            elseif(!is_numeric($_POST['blog_content_id']) || $_POST['blog_content_id'] == 0)
            {
                echo 'Invalid ID';
            }
            elseif(!is_string($_POST['blog_content_headline']) || strlen($_POST['blog_content_headline']) > 50)
            {
                echo 'Blog Headline is invalid';
            }
            elseif(!is_string($_POST['blog_content_text']) || strlen($_POST['blog_content_text']) > 4096)
            {
                echo 'Blog Text is Invalid';
            }
            else
            {
                /*** if we are here, include the db connection ***/
                include 'includes/conn.php';

                /*** test for db connection ***/
                if($db)
                {
                    /*** escape the strings ***/
                    $blog_content_id = mysql_real_escape_string($_POST['blog_content_id']);
                    $blog_category_id = mysql_real_escape_string($_POST['blog_category_id']);
                    $blog_content_headline = mysql_real_escape_string($_POST['blog_content_headline']);
                    $blog_content_text = mysql_real_escape_string($_POST['blog_content_text']);

                    /*** the sql query ***/
                    $sql = "UPDATE
                                blog_content
                            SET
                                blog_category_id = {$blog_category_id},
                                blog_content_headline = '{$blog_content_headline}',
                                blog_content_text = '{$blog_content_text}'
                            WHERE
                                blog_content_id = $blog_content_id";

                    /*** a regular user (access level 1) may only update their own entries; the admin (level 5) may update any ***/
                    if($_SESSION['access_level'] == 1)
                    {
                        $blog_user_id = mysql_real_escape_string($_SESSION['blog_user_id']);
                        $sql .= " AND blog_user_id = $blog_user_id";
                    }

                    /*** run the query ***/
                    if(mysql_query($sql))
                    {
                        /*** unset the session token ***/
                        unset($_SESSION['form_token']);
                        echo 'Blog Updated Successfully';
                    }
                    else
                    {
                        echo 'Unable To Update Blog';
                    }
                }
                else
                {
                    echo 'Unable to process form';
                }
            }
        }
        else
        {
            echo 'Invalid Submission';
        }
    }
    ?>

    Delete A Blog Entry

    The final part of the CRUD is the Delete. This process is much the same as seen previously in this tutorial when deleting a category. Like the edit blog process, a method is needed to list all the blog entries so a selection can be made. Creating a new list identical to the one just created would be further, unnecessary duplication. With a small change to the list_blogs.php file, a delete option can be provided next to the edit option. The delete link in the list_blogs.php file is already in place, saving the extra time of creating a second list.

    Note also that the delete link carries a small javascript onclick confirm, so when it is clicked the user is prompted with a confirmation box. If javascript is disabled, the script simply deletes the relevant blog entry without warning. The confirm is a convenience for the user, not a security control: the deletion is triggered by a plain GET request, so anything that fetches that URL with the user's session cookie, a link prefetcher or an image or link planted on another site for instance, deletes the entry with no prompt at all. A state-changing action like this belongs in a POST form carrying the session token, as the add and edit submissions do.

    The del_blog_submit.php file is very much like the delete category page and performs the same function: it checks that a valid number has been submitted to the page and, if all is well, the entry is deleted and the browser is redirected back to list_blogs.php.

    The del_blog_submit.php file will look like this.

    <?php
    /*** del_blog_submit.php ***/

    /*** assumed login check (the statement opening this block is not on the page) ***/
    if(isset($_SESSION['blog_user_id']))
    {
        /*** check the blog id is set and is a number, as in edit_blog.php ***/
        if(isset($_GET['bid']) && is_numeric($_GET['bid']))
        {
            /*** if we are here, include the db connection ***/
            include 'includes/conn.php';

            /*** test for db connection ***/
            if($db)
            {
                /*** escape the string ***/
                $blog_content_id = mysql_real_escape_string($_GET['bid']);

                /*** the sql query ***/
                $sql = "DELETE
                        FROM
                            blog_content
                        WHERE
                            blog_content_id = $blog_content_id";

                /*** check access level: a regular user (level 1) may only delete their own entries ***/
                if($_SESSION['access_level'] == 1)
                {
                    $blog_user_id = mysql_real_escape_string($_SESSION['blog_user_id']);
                    $sql .= " AND blog_user_id = $blog_user_id";
                }

                /*** run the query ***/
                if(mysql_query($sql))
                {
                    /*** affected rows: 0 means no entry matched the id, or it belongs to another user ***/
                    $affected = mysql_affected_rows($db);

                    header("Location: list_blogs.php");
                    exit;
                }
                else
                {
                    echo 'Blog Entry Not Deleted';
                }
            }
            else
            {
                echo 'Unable to process form';
            }
        }
        else
        {
            echo 'Invalid Submission';
        }
    }
    ?>

    With this file in place, the blog is complete and ready for action.