  1. #1
     SitePoint Member, joined Mar 2007, 1 post

    Please help with new features in my login php script - Suggestions Welcome

    Hello. I have made a simple PHP script but would like to add some nice features to it, such as a way of monitoring the sessions and timing out users after a specific time. Also, I would like the customer interface to be the default. Any other suggestions for improving the script are welcome. Currently, the script is not secure in terms of the admin logging in and editing stock. Of course, I would like a secure way of the admin logging in with the admin name and password. Thanks in advance.

    Code:
    <?php
    
       //Connect with current session
       session_start();
       session_register("status");
       session_register("owner_confirmed");
       session_register("totalitems");
       session_register("cart");
    
       //Default status: customer
       if (!isset($status)) $status="customer";
    
       //Extract user instructions
       extract($_POST);
    
       //Determine user status
       if (isset($changestatus))
       {
          if ($status=="owner") $status="customer";
          else $status="owner";
       }
    
       //Continue shopping after purchase
       if (isset($continue))
       {
          foreach($cart as $idx=>$num) unset($cart[$idx]);
          unset($cart);
       }
    
       //create stock table
       create_stock_table();
    
       if ($status=="owner")
       {
          if (!isset($owner_confirmed))
          {
             //Owner Functionality
             if (!isset($passwordenter))
             {
                //Check Password
                ?>
                <html>
                <head><title>Owner Verification</title></head>
                <body>
                   <form action="<?=$_SERVER["PHP_SELF"]?>" method="post">
                      <p>Enter Password:<input type="password" name="password"/>
                      <input type="submit" name="passwordenter" value="Enter"/></p>
                   </form>
                </body>
                </html>
                <?php die();
             }
             else
             {
                if ($password!="Hello")
                { ?>
                   <html>
                   <head><title>Verification Failed</title></head>
                   <body><p>Verification Failure</p></body>
                   </html>
                   <?php die();
                }
                else $owner_confirmed="true";
             }
          }
    
          //Add new item to database
          if ($newitem) new_stock_item($author,$title,$price,$number);
       }
       else
       {
          //Customer Functionality
    
          //Obtain database entry for selected item index
          $item=get_stock_item($itemindex);
    
          //Edit cart contents
          if ($additem)
          {
             //Add item to cart
             if (!isset($cart[$itemindex])) $cart[$itemindex]=1;
             else $cart[$itemindex]++;
             $totalitems++;
          }
          if ($delitem)
          {
             //Remove item from cart
             if (isset($cart[$itemindex]))
             {
                if ($cart[$itemindex]>1) $cart[$itemindex]--;
                else unset($cart[$itemindex]);
                $totalitems--;
                if ($totalitems==0) unset($cart);
             }
          }
       }
    ?>
    
    <html>
       <head><title>Bookshop</title></head>
       <body>
          <form action="<?=$_SERVER["PHP_SELF"]?>" method="post">
             <?php if ($status=="customer")
             { ?>
                <h2>Customer Interface</h2>
                <?php if ($checkout)
                { ?>
                   <h3>Checkout:</h3>
                   <?php generate_order($cart); ?>
                   <p><input type="submit" name="continue" value="Continue shopping"/></p>
                <?php }
                else
                { ?>
                   <h3>Items Currently In Stock:</h3>
                   <?php list_stock();?>
                   <p>
                      Index Number:<input type="text" name="itemindex"/>
                      <input type="submit" name="additem" value="Add"/>
                      <input type="submit" name="delitem" value="Remove"/>
                   </p>
                   <h3>Items In Shopping Cart:</h3>
                   <?php list_cart($cart); ?>
                   <p>
                      <input type="submit" name="checkout" value="Proceed to checkout"/>
                      <input type="submit" name="changestatus" value="Log in as owner"/>
                   </p>
                <?php }
             }
             else
             { ?>
                <h2>Owner Interface</h2>
                <h3>Add New Item:</h3>
                <p>
                   Author:<input type="text" name="author"/>
                   Title:<input type="text" name="title"/>
                   Price:<input type="text" name="price"/>
                   Number:<input type="text" name="number"/>
                </p>
                <p><input type="submit" name="newitem" value="Add item to database"/></p>
                <p><input type="submit" name="changestatus" value="Log in as customer"/></p>
             <?php } ?>
          </form>
       </body>
    </html>
    
    <?php
    
       function create_stock_table()
       {
          //Creates a new stock table (if one does not already exist)
          $conn=connect();
          mysql_query("CREATE TABLE Stock (indx INT(3) NOT NULL PRIMARY KEY AUTO_INCREMENT,
                                           author VARCHAR(30),
                                           title VARCHAR(30),
                                           price VARCHAR(5),
                                           number VARCHAR(5))");
          disconnect($conn);
       }
    
       function new_stock_item($author,$title,$price,$number)
       {
          //Add new item to stock table
          $conn=connect();
          mysql_query("INSERT INTO Stock (author,title,price,number)
                       VALUES ('$author','$title','$price','$number')");
          disconnect($conn);
       }
    
       function list_stock()
       {
          //Display stock table
          $conn=connect();
          $res_table=mysql_query("SELECT * FROM Stock");
          if ($res_table)
          {
             print("<table border='1'><thead><th>Index</th><th>Author</th><th>Title</th><th>Price</th><th>Number</th></thead><tbody>");
             while ($item_array=mysql_fetch_array($res_table))
             {
                extract($item_array);
                print("<tr><td>$indx</td><td>$author</td><td>$title</td><td>$price</td><td>$number</td></tr>");
             }
             print("</tbody></table>");
          }
          disconnect($conn);
       }
    
       function list_cart($cart)
       {
          if (isset($cart))
          {
             print("<table border='1'><thead><th>Index</th><th>Title</th><th>Price</th><th>Number</th></thead><tbody>");
             foreach ($cart as $idx=>$num)
             {
                $item=get_stock_item($idx);
                extract($item);
                print("<tr><td>$indx</td><td>$title</td><td>$price</td><td>$num</td></tr>");
             }
             print("</tbody></table>");
          }
          else print("<p>The cart is currently empty</p>");
       }
    
       function generate_order($cart)
       {
          if (isset($cart))
          {
             print("<table border='1'><thead><th>Index</th><th>Title</th><th>Price</th><th>Number</th></thead><tbody>");
             $total=0;
             foreach ($cart as $idx=>$num)
             {
                //Obtain details of cart item
                $item=get_stock_item($idx);
                extract($item);
    
                //Check that enough are in stock
                if ($number>=$num)
                {
                   $newnumber=$number-$num;
                   update($idx,$newnumber);
                }
                else
                {
                   $num=$number;
                   update($idx,0);
                   $notenough="true";
                }
                $total+=$num*$price;
                print("<tr><td>$indx</td><td>$title</td><td>$price</td><td>$num</td></tr>");
             }
             print("<tr><td colspan='3'>Total Price ():</td><td>$total</td></tr></tbody></table>");
             if (isset($notenough)) print("<p>We regret there is insufficient stock to cover all of your order</p>");
          }
          else print("<p>The cart is currently empty</p>");
       }
    
       function get_stock_item($index)
       {
          //Obtain the details of a specified stock item
          $conn=connect();
          $item_array=false;   //returned when the query fails or the index does not exist
          $res_table=mysql_query("SELECT * FROM Stock WHERE indx=$index");
          if ($res_table) $item_array=mysql_fetch_array($res_table);
          disconnect($conn);
          return $item_array;
       }
    
       function update($index,$number)
       {
          //Update quantity of an item in stock
          $conn=connect();
          mysql_query("UPDATE Stock SET number='$number' WHERE indx='$index'");
          disconnect($conn);
       }
    
       function connect()
       {
          //Connect to database
          $connection=mysql_connect("ftemysql","ku12881","carstairs");
          mysql_select_db("ku12881",$connection);
          return $connection;
       }
    
       function disconnect($connection)
       {
          //Disconnect from database
          mysql_close($connection);
       }
    ?>
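The two features asked for above (timing sessions out, and an owner login that is not a comparison against a literal in the source) could look like the following. This is an added example written for this thread, not the original poster's code. It assumes PHP 5.5 or later for password_hash()/password_verify(); the constants IDLE_TIMEOUT, MAX_LIFETIME and OWNER_HASH, the functions reset_session(), enforce_timeouts() and try_owner_login(), the 15-minute and 8-hour values, and the extra "logout" form field are all choices made here. State lives in $_SESSION and input is read from $_POST explicitly, so session_register() and extract() are not needed.

```php
<?php
// Added example for this thread, not the original poster's code. It replaces
// session_register()/register_globals and the literal password check with
// explicit $_SESSION / $_POST access, a hashed owner password, an idle
// timeout and an absolute session lifetime. Names and values are assumptions.

const IDLE_TIMEOUT = 15 * 60;   // assumed policy: log out after 15 idle minutes
const MAX_LIFETIME = 8 * 3600;  // assumed policy: and unconditionally after 8 hours
// Placeholder, not a real hash: generate it once with
//   php -r 'echo password_hash("your owner password", PASSWORD_DEFAULT);'
// and load it from a file outside the web root rather than keeping it in the script.
const OWNER_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

// Drop all session state (status, owner flag, cart) and retire the session id.
function reset_session()
{
    $_SESSION = array();
    session_regenerate_id(true);       // old id is deleted, not just abandoned
    $_SESSION['status'] = 'customer';  // customer interface is the default
    $_SESSION['started'] = time();
    $_SESSION['last_seen'] = time();
}

// Apply both timeouts. Returns false when the session was reset because of one
// (or because it had no timestamps yet, i.e. it is brand new).
function enforce_timeouts($now)
{
    if (!isset($_SESSION['started'], $_SESSION['last_seen'])
        || $now - $_SESSION['last_seen'] > IDLE_TIMEOUT
        || $now - $_SESSION['started'] > MAX_LIFETIME) {
        reset_session();
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Check the submitted owner password against the stored hash.
function try_owner_login($submitted)
{
    if (!is_string($submitted) || !password_verify($submitted, OWNER_HASH)) {
        return false;
    }
    session_regenerate_id(true);       // fresh id on privilege change (session fixation)
    $_SESSION['status'] = 'owner';
    $_SESSION['started'] = time();     // absolute lifetime counted from login
    return true;
}

session_start();
enforce_timeouts(time());

// Explicit reads instead of extract($_POST): the request can only influence
// the variables that are deliberately taken from it.
if (isset($_POST['passwordenter'])) {
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (!try_owner_login($password)) {
        header('HTTP/1.1 403 Forbidden');
        echo '<p>Verification Failure</p>';
        exit;
    }
} elseif (isset($_POST['logout'])) {   // "Log in as customer" becomes a real logout
    reset_session();
}

$is_owner = ($_SESSION['status'] === 'owner');
// ... the stock/cart handling from the original script continues here, reading
// $_POST['itemindex'] and friends explicitly and keeping the cart in $_SESSION['cart'].
```

With this layout the "Log in as owner" button only needs to show the password form; owner status is granted solely by try_owner_login(), and the idle timer is refreshed on every request, so an owner who walks away is returned to the customer interface after IDLE_TIMEOUT without any extra code in the page itself.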

  2. #2
     SitePoint Zealot, joined May 2006, 118 posts
    I am having trouble understanding your code; it might be easier to read if you did not use extract, because I am unsure of what each variable is supposed to be (e.g. sessions or URL variables).

    Plus I do not recommend you use extract as it makes your system VERY insecure - I can set any variables I want.

    I also recommend you don't use a function to connect, just connect at the start of your code and disconnect/free results at the end.

    Plus to make your code more readable it might be an idea to separate the code from the static HTML and move the functions into another file.
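The variable-overwrite problem the reply describes, shown on the script's own state variables. This is an added example written for this thread, not code from either post: with_extract() mirrors the original's order of operations (session state first, then extract() over the request), without_extract() is the explicit alternative, and $post and $session are constructed arrays standing in for $_POST and the session, not captured traffic.

```php
<?php
// Added example for this thread, not code from either post: what extract($_POST)
// does to the script's state variables, beside the explicit alternative.
// $post and $session are constructed stand-ins for $_POST and the session.

// Constructed request: the form's own field plus two extra keys that nothing
// in the HTML sends but that any HTTP client may include in the body.
$post = array(
    'itemindex'       => '1',
    'status'          => 'owner',   // same name as the session variable
    'owner_confirmed' => 'true',    // same name as the "password checked" flag
);

// Mirrors the original script: state from the session, then extract() over
// the request. Every request key becomes, or overwrites, a local variable.
function with_extract(array $post, array $session)
{
    $status = isset($session['status']) ? $session['status'] : 'customer';
    $owner_confirmed = isset($session['owner_confirmed']);
    extract($post);   // default EXTR_OVERWRITE: $status and $owner_confirmed are replaced
    return array('status' => $status, 'owner_confirmed' => $owner_confirmed);
}

// Explicit reads: each request field maps to one intended variable, is cast to
// the type expected, and the owner flag is never read from the request at all.
function without_extract(array $post, array $session)
{
    $status = isset($session['status']) ? $session['status'] : 'customer';
    $owner_confirmed = isset($session['owner_confirmed']);
    $itemindex = isset($post['itemindex']) ? (int) $post['itemindex'] : null;
    if (isset($post['changestatus'])) {
        $status = ($status === 'owner') ? 'customer' : 'owner';
    }
    return array('status' => $status, 'owner_confirmed' => $owner_confirmed,
                 'itemindex' => $itemindex);
}

$session = array('status' => 'customer');   // constructed: a plain customer session
$a = with_extract($post, $session);
$b = without_extract($post, $session);
printf("with extract():    status=%s owner_confirmed=%s\n",
       $a['status'], var_export($a['owner_confirmed'], true));
printf("without extract(): status=%s owner_confirmed=%s itemindex=%d\n",
       $b['status'], var_export($b['owner_confirmed'], true), $b['itemindex']);
```

Run from the command line, the first line reports the request's values for both variables and the second reports the session's, which is the whole difference: once the variables are named explicitly, the set of things a request can change is visible in the code, and a reviewer (or the person who wrote the reply above) can see at a glance which ones come from the session and which from the form.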

