
HTML, XHTML and CSS All-In-One for Dummies - Andy Harris [362]


name = "title" />

This code is a reasonably standard HTML form. Here are the highlights:

♦ Add CSS for consistency: It’s important that the user understands she is still in a part of the system, so I include the same CSS used to display the output. I also add local CSS to improve the form display.

♦ Build a form that calls buildBlock.php: The purpose of this form is to generate the information needed to build an SQL INSERT statement. The buildBlock.php program provides this vital service.

♦ Ask for a password: You don’t want just anybody modifying your forms. Include a password to make sure only those who are authorized add data.

♦ Get other data needed to build a block: Think about the INSERT query you’ll be building. You’ll need to get all the data necessary to add a new record to the cmsBlock table.

Honestly, this page is a bit sloppy. I hard-coded the block types and page IDs. In a real system, this data would be pulled from the database (ideally through AJAX). However, I decided to go with this expedient to save space.


Adding a new block

When the page owner submits the buildBlock.html form, control is passed to buildBlock.php. This program reads the data from the form, checks the password, creates an INSERT statement, and passes the query to the database.

Here’s the code and then the details:

BuildBlock.php

<?php
//retrieve data from form
$password = filter_input(INPUT_POST, "password");
$blockType = filter_input(INPUT_POST, "blockType");
$title = filter_input(INPUT_POST, "title");
$content = filter_input(INPUT_POST, "content");
$pageID = filter_input(INPUT_POST, "pageID");

//connect to db
//(mysql_real_escape_string() needs an open connection, so connect before
//cleaning the input; note the mysql_* extension was deprecated in PHP 5.5
//and removed in PHP 7.0)
$con = mysql_connect("localhost", "xfd", "xfdaio");
mysql_select_db("xfd");

//clean input for sql use
//(escaping only protects values that sit inside quotes in the query;
//$blockType and $pageID are inserted bare below, so they should also be
//checked to be integers)
$blockType = mysql_real_escape_string($blockType);
$title = mysql_real_escape_string($title);
$content = mysql_real_escape_string($content);
$pageID = mysql_real_escape_string($pageID);

//check password
if ($password == "allInOne"){
  manageResults();
} else {
  print "Unauthorized access...";
} // end if

function manageResults(){
  global $blockType, $title, $content, $pageID;

  //return output
  print <<<HERE
Page input:
blockType: $blockType
title: $title
content: $content
pageID: $pageID
HERE;

  //build and submit query
  $query = <<<HERE
INSERT INTO cmsBlock VALUES(
  null, $blockType, '$title', '$content', $pageID);
HERE;

  print "$query";

  $result = mysql_query($query);
  //mysql_query() returns FALSE (not -1) when the query fails
  if ($result === false){
    print mysql_error();
  } else {
    print "system updated";
  } // end if
} // end function
?>

return to the CMS

Here’s how you use the PHP code with the HTML form to update the database:

1. Retrieve data from the form.

Use the filter_input or $_REQUEST mechanism to extract all data from the previous form.

2. Filter all input that’s used in the query.

All form variables except the password are used in an SQL query, so pass each of them through the mysql_real_escape_string() function, as the listing does, to prevent SQL injection attacks. (See Book V, Chapter 7 for information about SQL injection attacks and how to prevent them.)

3. Check the password.

You obviously don’t want just anybody to change your system.
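The following is an added example, not the book's code: the same cmsBlock INSERT, password check and form handling rewritten with PDO prepared statements, which is what a current PHP build offers in place of the mysql_* functions. The table name, column order, host, database name and credentials come from the listing above; the CMS_ADMIN_HASH environment variable and the HTTP status codes are assumptions of this example. It also goes one step beyond the listing by validating blockType and pageID as integers, since those two values are interpolated without quotes in the original query and escaping alone does nothing for them.

```php
<?php
// Added example, not from the book: the buildBlock.php INSERT rewritten with
// PDO prepared statements. Table name, column order, host, database name and
// credentials are taken from the listing; the CMS_ADMIN_HASH environment
// variable is an assumption of this example.
declare(strict_types=1);

// 1. Retrieve data from the form. filter_input() returns null for a missing
//    field, and false when a FILTER_VALIDATE_INT check fails.
$password  = filter_input(INPUT_POST, 'password') ?? '';
$title     = filter_input(INPUT_POST, 'title') ?? '';
$content   = filter_input(INPUT_POST, 'content') ?? '';
$blockType = filter_input(INPUT_POST, 'blockType', FILTER_VALIDATE_INT);
$pageID    = filter_input(INPUT_POST, 'pageID', FILTER_VALIDATE_INT);

// 2. Validate the numeric fields. In the original INSERT, blockType and pageID
//    are interpolated without quotes, so mysql_real_escape_string() has nothing
//    to escape and cannot protect them; requiring a real integer does.
if (!is_int($blockType) || !is_int($pageID)) {
    http_response_code(400);
    exit('blockType and pageID must be integers');
}

// 3. Check the password against a stored hash rather than a literal in the
//    source. The hash is produced once with password_hash(..., PASSWORD_DEFAULT)
//    and supplied here through an environment variable (assumed name).
$storedHash = getenv('CMS_ADMIN_HASH') ?: '';
if ($storedHash === '' || !password_verify($password, $storedHash)) {
    http_response_code(403);
    exit('Unauthorized access...');
}

// 4. Connect and insert. Exceptions replace the "== -1" check, and disabling
//    emulated prepares makes the server receive statement and values separately.
try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=xfd;charset=utf8mb4',
        'xfd',
        'xfdaio',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    // Placeholders stand in for the values; quotes or semicolons inside
    // $title or $content are data to the server, never part of the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO cmsBlock VALUES (NULL, :blockType, :title, :content, :pageID)'
    );
    $stmt->bindValue(':blockType', $blockType, PDO::PARAM_INT);
    $stmt->bindValue(':title',     $title,     PDO::PARAM_STR);
    $stmt->bindValue(':content',   $content,   PDO::PARAM_STR);
    $stmt->bindValue(':pageID',    $pageID,    PDO::PARAM_INT);
    $stmt->execute();

    // Echo the stored title back HTML-escaped, so a block's text cannot run
    // as script in the administrator's browser.
    print 'system updated: ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Keep driver details in the server log; the browser gets a generic message.
    error_log($e->getMessage());
    http_response_code(500);
    print 'update failed';
}
```

Two design points worth noting against the listing: the original echoes the raw query and mysql_error() to the browser, which hands an attacker the table layout and driver messages on any failure, so this version logs them server-side instead; and the original compares the password to a constant in the source, which ends up in every copy of the file, so this version compares against a hash loaded from the environment.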

