Developing a CMS

Hi Gurus,

With the help of the SP forums and the valuable suggestions that I got from the experts of SP, I have successfully developed my first CMS in PHP. Thanks a lot, Gurus.
Now I want to re-code this CMS with improved code quality, so I again need your help.

Here is the database structure:

CREATE TABLE IF NOT EXISTS `city` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `city` varchar(50) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `city` (`city`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;

CREATE TABLE IF NOT EXISTS `inspections` (
  `id` int(6) unsigned zerofill NOT NULL AUTO_INCREMENT,
  `insurers` int(3) NOT NULL,
  `issuing_office` varchar(150) NOT NULL,
  `city` int(3) NOT NULL,
  `insured_name` varchar(150) NOT NULL,
  `insured_add` varchar(255) NOT NULL,
  `insured_mob` varchar(30) NOT NULL,
  `insured_cont` varchar(30) NOT NULL,
  `vehicle_type` varchar(20) NOT NULL,
  `manufactrur` int(3) NOT NULL,
  `vehicle_make` varchar(50) NOT NULL,
  `vehicle_year` varchar(4) NOT NULL,
  `vehicle_no` varchar(30) NOT NULL,
  `engine_no` int(10) NOT NULL,
  `chassis_no` int(10) NOT NULL,
  `ins_type` varchar(20) NOT NULL,
  `available_at` varchar(200) NOT NULL,
  `agent_name` varchar(50) NOT NULL,
  `agent_mob` varchar(30) NOT NULL,
  `date_time` datetime NOT NULL,
  `surveyor_name` varchar(50) NOT NULL,
  `surveyor_mob` varchar(30) NOT NULL,
  `status_ins` varchar(30) NOT NULL,
  `status_report` varchar(15) NOT NULL,
  `recommendation` varchar(20) NOT NULL,
  `remarks` text NOT NULL,
  `inspection_date` date NOT NULL,
  `inspection_time` time NOT NULL,
  `created_by` varchar(20) NOT NULL,
  `uploaded_by` varchar(20) NOT NULL,
  `url` varchar(200) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;


CREATE TABLE IF NOT EXISTS `insurers` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `insurers` varchar(150) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `insurers` (`insurers`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;


CREATE TABLE IF NOT EXISTS `issuing_office` (
  `id` int(3) NOT NULL AUTO_INCREMENT,
  `issuing_office` varchar(255) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `issuing_office` (`issuing_office`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

CREATE TABLE IF NOT EXISTS `manufactrur` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `manufactrur` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `manufactrur` (`manufactrur`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;


CREATE TABLE IF NOT EXISTS `recommendation` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `recommendation` varchar(50) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `city` (`recommendation`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;


CREATE TABLE IF NOT EXISTS `status_ins` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `status_ins` varchar(50) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `city` (`status_ins`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;


CREATE TABLE IF NOT EXISTS `users` (
  `user_id` int(3) NOT NULL AUTO_INCREMENT,
  `user_name` varchar(20) NOT NULL,
  `user_password` varchar(50) NOT NULL,
  `user_email` varchar(50) NOT NULL,
  `user_rank` varchar(30) NOT NULL,
  `regdate` datetime NOT NULL,
  `last_login` datetime NOT NULL,
  PRIMARY KEY (`user_id`),
  UNIQUE KEY `user_name` (`user_name`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;

Below is the code of loginB.php, which checks the login details submitted by the user:


<?php
// start session
session_start();
// include config file (opens the mysql connection used below)
require_once("includes/config.php");

// validate forms (escaping only; no length or format checks yet)
$user_name     = mysql_real_escape_string(trim(isset($_POST['user_name']) ? $_POST['user_name'] : ''));
$user_password = mysql_real_escape_string(trim(isset($_POST['user_password']) ? $_POST['user_password'] : ''));
$err = '';

// Query: the stored password is an unsalted SHA1 hex digest, so the comparison happens inside SQL
$query  = "SELECT * FROM users WHERE user_name = '$user_name' AND user_password = SHA1('$user_password')";
$result = mysql_query($query) or die ("Could not verify user because : " . mysql_error());

if (mysql_num_rows($result) == 1) {
    // The log-in is OK so set the user ID and user_name session vars in session
    $row = mysql_fetch_array($result);
    $_SESSION['user_id']    = $row['user_id'];
    $_SESSION['user_name']  = $row['user_name'];
    $_SESSION['user_email'] = $row['user_email'];
    $_SESSION['user_rank']  = $row['user_rank'];
    $_SESSION['regdate']    = $row['regdate'];
    $_SESSION['last_login'] = $row['last_login'];
    header('Location: index1.php');
    exit; // stop here so nothing below is sent after the redirect header
} else {
    $err = 'Incorrect Username or Password';
}
echo $err;

echo '<a href="login.php" >Click here to login </a><br />';
?>

At this point I have two queries:

  1. Is the above code secure enough against SQL injection/hackers?
  2. How can I update the last-login details each time a user logs in?

You seem not to do any filtering on username or password; can you really log in with a single letter? Surely you have a minimum length for a username?

I don’t like the or die() part. You should not give anything away about why a bad query caused a problem. Throw that into an error log instead.

On $err, relocate to a login page with a message, eg ?msg=1 which then maps to the written message.

Overall, I’d just learn to use PDO and forget all the escaping.

That’s just me though.

HTH

  • Escaping strings is a bit old. Since PHP 5.2, filter_var has been used to do something like this.

PHP: Sanitization - Manual

If you are building a new project, I recommend you use filter_var and PDO, like Cups said. It’s not very hard to learn PDO.

@Cups & @ngduc
Thanks a lot, friends, for your valuable suggestions. I will surely set a minimum length for the username and password. Now I am trying to learn PDO.

http://php.net/manual/en/book.pdo.php

But it will be easier for me to learn if you could please edit my login script and rewrite it with PDO.
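Below is an added example of loginB.php rewritten with PDO; it is not code from the thread or from the poster's CMS. It pulls together the suggestions made above (minimum lengths via filter_var, no more escaping, error logging instead of or die(), a ?msg=1 redirect) and also answers question 2 by updating last_login inside the same request. Assumptions, not things the thread states: includes/config.php defines $db_dsn, $db_user and $db_pass for PDO; the users.user_password column has been widened from varchar(50) to varchar(255) and now stores password_hash() output rather than a bare SHA1 hex digest; the form field names are unchanged; PHP 5.5 or newer is available for password_hash()/password_verify().

```php
<?php
// Added example (not from the original thread): loginB.php on top of PDO.
// Assumed: includes/config.php sets $db_dsn, $db_user, $db_pass;
// users.user_password is VARCHAR(255) and holds password_hash() output.
session_start();
require_once 'includes/config.php';

// Validate first, reject early. No escaping is needed once placeholders carry the values.
$user_name     = isset($_POST['user_name']) ? trim($_POST['user_name']) : '';
$user_password = isset($_POST['user_password']) ? $_POST['user_password'] : '';

// filter_var enforces a minimum length and character set; the 20 cap matches users.user_name varchar(20).
$name_ok = filter_var($user_name, FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[A-Za-z0-9_]{3,20}$/']]) !== false;
$pass_ok = strlen($user_password) >= 8;

if (!$name_ok || !$pass_ok) {
    header('Location: login.php?msg=1');   // login.php maps 1 => "Incorrect Username or Password"
    exit;
}

try {
    $pdo = new PDO($db_dsn, $db_user, $db_pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);

    // Look the user up by name only; the password is checked in PHP, never inside the SQL.
    $stmt = $pdo->prepare(
        'SELECT user_id, user_name, user_email, user_rank, user_password, regdate, last_login
           FROM users WHERE user_name = :name'
    );
    $stmt->execute([':name' => $user_name]);
    $row = $stmt->fetch();

    // Same message and same redirect whether the name or the password was wrong,
    // so an attacker cannot enumerate valid usernames from the response.
    if ($row === false || !password_verify($user_password, $row['user_password'])) {
        header('Location: login.php?msg=1');
        exit;
    }

    // Question 2: record this login. The previous value is still in $row for the session.
    $upd = $pdo->prepare('UPDATE users SET last_login = NOW() WHERE user_id = :id');
    $upd->execute([':id' => $row['user_id']]);

    // Fresh session ID on privilege change so a session fixed before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $row['user_id'];
    $_SESSION['user_name']  = $row['user_name'];
    $_SESSION['user_email'] = $row['user_email'];
    $_SESSION['user_rank']  = $row['user_rank'];
    $_SESSION['regdate']    = $row['regdate'];
    $_SESSION['last_login'] = $row['last_login']; // time of the previous login, as the original stored it
    header('Location: index1.php');
    exit;
} catch (PDOException $e) {
    // Log the real reason server side; the browser never sees database error text.
    error_log('loginB.php: ' . $e->getMessage());
    header('Location: login.php?msg=2');   // login.php maps 2 => "Login is temporarily unavailable"
    exit;
}
```

Two things to check before dropping this in. First, the existing rows hold SHA1 hex digests (40 characters), so password_verify() will fail for every current user until their password is re-hashed with password_hash() on a successful login or a forced reset; the schema's varchar(50) is also too narrow for bcrypt's 60-character output, hence the widening assumed above. Second, the prepared statements remove the SQL injection problem for the two queries shown, but only if every other query in the CMS is converted the same way; a single remaining string-built query elsewhere is enough.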

aman,

Not using https for login will prevent your script from being secure (in transit), too.

Additionally, I’d recommend that you “suggest” that the user’s password be strong (Strong Password Generator).

Regards,

DK

Sure, I will try to use https instead of http for secure login. Thanks, Sir.
More suggestions required.

[PHP-DEV] deprecating ext/mysql - another reason to use PDO or Mysqli