Beginning PHP6, Apache, MySQL Web Development - P22


Part II: Comic Book Fan Site
Chapter 16: Creating a Bulletin Board System

frm_useraccount.php (continued):

```php
        value="<?php echo htmlspecialchars($useremail); ?>"/>
  </p>
<?php
// Only an administrator editing someone else's account ("Modify" mode) sees the
// Access Level radio buttons.
if ($mode == 'Modify') {
    echo '<div><fieldset>';
    echo '<legend>Access Level</legend>';
    $sql = 'SELECT access_lvl, access_name FROM frm_access_levels ORDER BY access_lvl DESC';
    $result = mysql_query($sql, $db) or die(mysql_error($db));
    while ($row = mysql_fetch_array($result)) {
        echo '<input type="radio" id="acl_' . $row['access_lvl'] . '" name="accesslvl" value="' . $row['access_lvl'] . '" ';
        if ($row['access_lvl'] == $accesslvl) {
            echo 'checked="checked"';
        }
        echo '/>' . $row['access_name'] . '<br/>';
    }
    echo '</fieldset></div>';
}
if ($mode != 'Modify') {
    echo '<div id="passwords">';
}
if ($mode == 'Edit') {
    if (isset($_GET['error']) && $_GET['error'] == 'nopassedit') {
        echo '<strong>Could not modify passwords. Please try again.</strong><br/>';
    }
?>
  <p>Old Password:<br/>
    <input type="password" id="oldpasswd" name="oldpasswd" maxlength="50" />
  </p>
<?php
}
if ($mode != 'Modify') {
?>
  <p>New Password:<br/>
    <input type="password" id="passwd" name="passwd" maxlength="50" />
  </p>
  <p>Password Verification:<br/>
    <input type="password" id="passwd2" name="passwd2" maxlength="50"/>
  </p>
<?php
}
if ($mode != 'Modify') {
    echo '</div>';
}
if ($mode != 'Create') {
?>
  <p>Signature:<br/>
    <textarea name="signature" id="signature" cols="60" rows="5"><?php echo $signature; ?></textarea>
  </p>
<?php
}
?>
  <p>
    <input type="submit" name="action" value="<?php echo $mode; ?> Account">
  </p>
<?php
if ($mode == 'Edit') {
?>
  <input type="hidden" name="accesslvl" value="<?php echo $accesslvl; ?>" />
<?php
}
?>
  <input type="hidden" name="userid" value="<?php echo $userid; ?>"/>
</form>
<?php
require_once 'frm_footer.inc.php';
?>
```

3. You are going to create a couple of new user identities to demonstrate the difference between the various roles. Log out, and click Register. You should see a screen similar to the one shown in Figure 16-3.

Figure 16-3

4. Enter a name. This name will be used for display purposes.

5. Enter your e-mail address.

6. Enter your password twice for verification.

7. Click the Create Account button. Your account will be created, and you will be automatically logged in with your new account.

8. Repeat steps 3 through 7 to create one more account.

9. Log out, and then log back in with your original admin account.

10. Now that you are logged in as the site administrator, you should see a menu item called Admin. Click it.

11. Click Users in the Administration menu. This displays the User Administration screen; from here, you can select a user from the drop-down menu and edit user details.

12. Choose one of the user profiles you created in step 7, and click Modify User. You should see a page similar to Figure 16-4. From this page, you can modify a user's name, access level, and signature.

Figure 16-4

13. Change the user's access level to Moderator, and click Modify Account.

How It Works

Let's begin by looking at frm_useraccount.php. At the beginning of the file, you check the user's credentials stored in your session variables. If the user is an admin, then the form is set up to allow the admin to change his or her access level.
```php
$mode = 'Create';
if (isset($_SESSION['user_id'])) {
    // A logged-in user edits his or her own account by default.
    $userid = $_SESSION['user_id'];
    $mode = 'Edit';
    if (isset($_GET['user'])) {
        // Another user's account may be modified only by that user or by an
        // administrator (access level above 2).
        if ($_SESSION['user_id'] == $_GET['user'] || $_SESSION['access_lvl'] > 2) {
            $userid = $_GET['user'];
            $mode = 'Modify';
        }
    }
    // Note that $userid comes straight from the query string when modifying;
    // the access check above is the only thing guarding this query.
    $sql = 'SELECT name, email, access_lvl, signature FROM frm_users WHERE id = ' . $userid;
    $result = mysql_query($sql, $db) or die(mysql_error($db));
    $row = mysql_fetch_array($result);
    $username = $row['name'];
    $useremail = $row['email'];
    $accesslvl = $row['access_lvl'];
    $signature = $row['signature'];
}
```

Later down in the page, the determined mode toggles whether or not the Access Level controls will be displayed.

```php
if ($mode == 'Modify') {
    echo '<div><fieldset>';
    echo '<legend>Access Level</legend>';
    $sql = 'SELECT access_lvl, access_name FROM frm_access_levels ORDER BY access_lvl DESC';
    $result = mysql_query($sql, $db) or die(mysql_error($db));
    while ($row = mysql_fetch_array($result)) {
        echo '<input type="radio" id="acl_' . $row['access_lvl'] . '" name="accesslvl" value="' . $row['access_lvl'] . '" ';
        // Pre-select the level the user currently holds.
        if ($row['access_lvl'] == $accesslvl) {
            echo 'checked="checked"';
        }
        echo '/>' . $row['access_name'] . '<br/>';
    }
    echo '</fieldset></div>';
}
```

The rest of the page simply finishes out the form.

Let's move on to frm_admin.php. You may have noticed sections of code in frm_admin.php that involve forum settings, BBcode settings, and more. We're going to ignore those for now to talk about the User Administration portion of the admin area, instead. We promise that we'll touch back on those other functions later in this chapter.

User Administration

On the User Administration page, the first thing you need to do is gather up all of the access levels, along with their names.
That is done with the following code in frm_admin.php, which results in a numerical array of access levels:

```php
$sql = 'SELECT access_lvl, access_name FROM frm_access_levels ORDER BY access_lvl DESC';
$result = mysql_query($sql, $db) or die(mysql_error($db));
while ($row = mysql_fetch_array($result)) {
    // Keyed by the numeric level, e.g. $a_users[3] = 'Administrator'.
    $a_users[$row['access_lvl']] = $row['access_name'];
}
```

Next, under the edituser case of your switch(), you create an HTML select field, dynamically building up the options. By looping through the access level array you just created, you can also use the optgroup tag to categorize the select list by access level.

```php
<select id="userlist" name="userlist[]">
<?php
foreach ($a_users as $key => $value) {
    echo '<optgroup label="' . $value . '">' . user_option_list($db, $key) . '</optgroup>';
}
?>
</select>
```

Note that you create the list of users by calling the user_option_list() function. This function resides in frm_output_functions.inc.php and is called once for each access level. A list of option tags is output, each containing the appropriate user information.

```php
function user_option_list($db, $level)
{
    $sql = 'SELECT id, name, access_lvl FROM frm_users WHERE access_lvl = ' . $level . ' ORDER BY name';
    $result = mysql_query($sql, $db) or die(mysql_error($db));
    // Build the option tags as a string and return it, so that the caller's
    // concatenation places them inside the <optgroup> rather than before it.
    $options = '';
    while ($row = mysql_fetch_array($result)) {
        $options .= '<option value="' . $row['id'] . '">' . htmlspecialchars($row['name']) . '</option>';
    }
    mysql_free_result($result);
    return $options;
}
```

That's really all there is to it. When the appropriate user is chosen, his or her ID is passed on to the frm_transact_admin.php transaction page, where the admin user is redirected to the frm_useraccount.php page for that user.

Forum Functionality

The last section of this application covers the actual forum-specific functionality.
Up until now, everything (with the exception of some functions and transaction pages) has been pretty generic, and could really be used for almost any type of member-driven Web site. Now, we're getting to the fun stuff, the reason for this chapter.

Try It Out: Editing Board Settings

The first thing you need to do is customize your bulletin board to your liking.

1. Enter frm_edit_forum.php, which is used to edit forum details:

```php
<?php
// With a forum id in the query string the page edits that forum; otherwise it adds one.
if (isset($_GET['forum'])) {
    $action = 'Edit';
} else {
    $action = 'Add';
}
$pageTitle = $action . ' Forum';
require_once 'frm_header.inc.php';

$forum = 0;
$fname = '';
$fdesc = '';
$fmod = '';
$userid = 0;

if (isset($_GET['forum'])) {
    // The forum id is taken from the query string and placed directly in the query.
    $forum = $_GET['forum'];
    $sql = 'SELECT forum_name, forum_desc, u.name, u.id FROM frm_forum f LEFT JOIN frm_users u ON f.forum_moderator = u.id WHERE f.id = ' . $forum;
    $result = mysql_query($sql, $db) or die(mysql_error($db));
    if ($row = mysql_fetch_array($result)) {
        $fname = $row['forum_name'];
        $fdesc = $row['forum_desc'];
        $fmod = $row['name'];
        $userid = $row['id'];
    }
}
echo '<h2>' . $action . ' Forum</h2>';
?>
<form action="frm_transact_admin.php" method="post">
  <table>
    <tr>
      <th colspan="2">General Forum Settings</th>
    </tr>
    <tr>
      <td>Forum Name</td>
      <td><input type="text" name="forumname" value="<?php echo $fname; ?>"/></td>
    </tr>
    <tr>
      <td>Forum Description</td>
      <td><input type="text" name="forumdesc" size="75" value="<?php echo $fdesc; ?>"/></td>
    </tr>
    <tr>
      <td>Forum Moderator</td>
      <td>
        <select id="moderator" name="forummod[]">
          <option value="0">unmoderated</option>
<?php
// Every user above the plain "user" level is offered as a possible moderator.
$sql = 'SELECT id, name FROM frm_users WHERE access_lvl > 1';
$result = mysql_query($sql, $db) or die(mysql_error($db));
while ($row = mysql_fetch_array($result)) {
    echo '<option value="' . $row['id'] . '"';
    if ($userid == $row['id']) {
        echo ' selected="selected"';
    }
    echo '>' . $row['name'] . '</option>';
}
?>
        </select>
      </td>
    </tr>
    <tr>
      <td colspan="2">
        <input type="hidden" name="forum_id" value="<?php echo $forum; ?>" />
        <input type="submit" name="action" value="<?php echo $action; ?> Forum" />
      </td>
    </tr>
  </table>
</form>
<?php
require_once 'frm_footer.inc.php';
?>
```

2. Click the Admin link from the navigation menu. This brings you to the administration page, as shown in Figure 16-5. The values in the fields you now see are used in the application. For instance, the first field, Board Title, is "Comic Book Appreciation Forums."

Figure 16-5

3. Edit the Board Title field to read "Comic Book Appreciation Bulletin Board," and click Update. The title at the top of the page should change accordingly.

4. Complete the other fields in the administration page:

❑ Board Description
❑ Admin Email
❑ Copyright
❑ Board Titlebar

Most of those should be fairly self-explanatory. The last two fields control how many posts you see on one page and how many pages you have access to at one time.

5. Change Pagination Limit to 3, and click the Update button.

6. Now, click Forums in the Administration menu. You should see a list of the forums available for your board. If this is your initial installation, you will have only one forum, called New Forum. You can edit this forum, delete it, or create a new forum. Feel free to create as many forums as you want. Note that when creating or editing a forum, you can choose a moderator. The user's account you edited earlier is now available as a choice in the Moderator field.

7. Click BBcodes in the Administration menu. You will see a form where you can enter a "template" and "replacement." This allows you to designate words or phrases that will be replaced by different words or phrases. For instance, you can enter the phrase "very hard" in the template field, and "cats and dogs" in the replacement field. Once you click the Add New button, these will be added to the database. Note that the real power of this page is in the use of regular expressions. If you are not familiar with regular expressions, we explain how they work in the "How It Works" section.

8. Enter the following template and replacement values exactly as they are shown. Remember to click Add New after entering each one:

| Template | Replacement |
|---|---|
| `\[url\]([^[]+?)\[\/url\]` | `<a href="$1" target="_blank">$1</a>` |
| `\[img\]([^[]+?)\[\/img\]` | `<img src="$1">` |
| `\[i\]([^[]+?)\[\/i\]` | `<i>$1</i>` |
| `\[b\]([^[]+?)\[\/b\]` | `<b>$1</b>` |
| `\[u\]([^[]+?)\[\/u\]` | `<u>$1</u>` |
| `\[url=([^]]+?)\]` | `<a href="$1" target="_blank">` |
| `\[\/url\]` | `</a>` |
| `very hard` | `cats and dogs` |

That's it for the administration functions. There are not too many, but we are sure you will think of many things to add, down the road.

How It Works

That brings you back to the frm_admin.php page. You were able to get here by clicking the Admin link, which is available only if you are logged in as the administrator. So far, so good. What if the user attempts to access the frm_admin.php page directly? Try it yourself. Load frm_index.php in your browser, and then make sure you are logged out. Once you are logged out, load frm_admin.php by typing it directly in the address bar of your browser. It should load with no problem. Now, edit one of the fields on the main admin page. Again, nothing is stopping you. Indeed, when you click the Update button, the data will be saved. But wait ... you are not logged in! How is this possible? Simple. You have not checked the user's credentials once he or she got into the page.
Just as you are responsible for checking IDs in your bar in case underage patrons slip in, you are responsible for the users' access to your entire site. If you don't want certain people to access a page, you not only have to bar access to any link loading the page, but kick them off the page if they are successful in loading it. Fortunately, this is easy to do. At the top of your page, simply check their credentials (those are up to you: do they need a certain access level? do they just need to be logged in?), and then redirect them to another page if they don't pass (shameonyou.php or simply back to frm_index.php).

You can do other things to make your site more secure. Most are way beyond the scope of this book. A look at the W3C security FAQ link we gave you earlier should help you, if you are interested in learning more about security. Just don't ever think you are "secure enough" if you haven't considered the risk of unauthorized access.

While you are still visiting frm_admin.php, let's take a closer look at it. The file frm_admin.php is set up in four different areas: Board Administration, User Administration, Forum Administration, and BBcode Administration. A lot is going on in this page. You've already seen User Administration, so we'll tackle the other three areas one at a time. First let's look at Board Administration.

Board Administration

Looking at the code, you will see that you simply build your table of fields by looping through the array called $admin that has the board configuration values.

```php
foreach ($admin as $key => $value) {
    echo '<tr>';
    echo '<td>' . $value['title'] . '</td>';
    // Each setting is named after its constant so frm_transact_admin.php can save it back.
    echo '<td><input type="text" name="' . $key . '" value="' . $value['value'] . '" size="60" /></td>';
    echo '<td>' . $key . '</td>';
    echo '</tr>';
}
```
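As an added example (not code from the book), here is a guard that performs the credential check described above, together with the frm_useraccount.php mode logic and user lookup redone with an integer id and a prepared statement. It assumes the session keys user_id and access_lvl the book uses, that administrators are the users with access_lvl above 2 (the book's own test), and a PDO connection in $db; the function names are this example's own.

```php
<?php
// Added example, not the book's code: a top-of-page access guard plus a
// parameterised version of the frm_useraccount.php lookup.
// Assumptions: $_SESSION['user_id'] and $_SESSION['access_lvl'] as in the
// book, access levels above 2 are administrators, $db is a PDO connection.

session_start();

// Access level of the current session, or 0 when nobody is logged in.
function current_access_level(array $session): int
{
    return isset($session['user_id']) ? (int) ($session['access_lvl'] ?? 0) : 0;
}

// Redirect away unless the visitor is logged in with at least $minLevel.
// The exit matters: without it PHP keeps running the rest of the page, so the
// admin form would still be rendered and its Update still saved.
function require_access(int $minLevel, string $redirectTo = 'frm_index.php'): void
{
    if (current_access_level($_SESSION) < $minLevel) {
        header('Location: ' . $redirectTo);
        exit;
    }
}

// Decide the page mode the same way the book does, but treat the requested
// user id as an integer before it gets anywhere near SQL.
function resolve_account_mode(array $session, array $get): array
{
    if (!isset($session['user_id'])) {
        return ['mode' => 'Create', 'userid' => 0];
    }
    $userid = (int) $session['user_id'];
    $mode = 'Edit';
    if (isset($get['user'])) {
        $requested = (int) $get['user'];
        if ($requested === $userid || (int) $session['access_lvl'] > 2) {
            $userid = $requested;
            $mode = 'Modify';
        }
    }
    return ['mode' => $mode, 'userid' => $userid];
}

// Fetch the account row with a bound parameter instead of string concatenation.
function load_account(PDO $db, int $userid): ?array
{
    $stmt = $db->prepare('SELECT name, email, access_lvl, signature FROM frm_users WHERE id = :id');
    $stmt->execute([':id' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: at the very top of frm_admin.php, before any output, call
//   require_access(3);
// and in frm_useraccount.php
//   $state = resolve_account_mode($_SESSION, $_GET);
//   $row = $state['userid'] ? load_account($db, $state['userid']) : null;
```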
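Going back to the BBcode table in step 8: each template is a preg_replace() pattern and each replacement its substitution, which is what the book's bbcode() function applies to every post body. The following is an added example, not the book's function: it applies a constructed copy of that table to a sample post, escaping the body first and linking only http/https targets (that allowlist is this example's addition; the templates themselves accept any text between the tags).

```php
<?php
// Added example, not the book's bbcode(): apply the step 8 template/replacement
// pairs to a post body. The book loads the pairs from frm_bbcode and runs them
// through html_entity_decode(); here they are embedded inline as a constructed
// sample so the script runs without MySQL.

// Constructed copy of the step 8 table (template => replacement).
const BBCODE_TEMPLATES = [
    '\[url\]([^[]+?)\[\/url\]' => '<a href="$1" target="_blank">$1</a>',
    '\[img\]([^[]+?)\[\/img\]' => '<img src="$1">',
    '\[i\]([^[]+?)\[\/i\]'     => '<i>$1</i>',
    '\[b\]([^[]+?)\[\/b\]'     => '<b>$1</b>',
    '\[u\]([^[]+?)\[\/u\]'     => '<u>$1</u>',
    '\[url=([^]]+?)\]'         => '<a href="$1" target="_blank">',
    '\[\/url\]'                => '</a>',
    'very hard'                => 'cats and dogs',
];

// Link targets must use one of these schemes. The allowlist is this example's
// addition; relative URLs are deliberately excluded to keep the check simple.
const ALLOWED_SCHEMES = ['http', 'https'];

function bbcode_render(string $body, array $templates = BBCODE_TEMPLATES): string
{
    // Escape first so a post cannot carry raw HTML; afterwards the only tags
    // that reach the browser are the ones the templates emit.
    $html = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');

    $patterns = [];
    $replacements = [];
    foreach ($templates as $tpl => $rep) {
        // Same wrapping as the book: '/' delimiters and the case-insensitive flag.
        $patterns[] = '/' . $tpl . '/i';
        $replacements[] = $rep;
    }
    $html = preg_replace($patterns, $replacements, $html);

    // Neutralise href/src values whose scheme is not on the allowlist. User
    // quotes were escaped above, so every "..." here belongs to a template.
    return preg_replace_callback(
        '/(href|src)="([^"]*)"/i',
        function (array $m): string {
            $scheme = strtolower((string) parse_url($m[2], PHP_URL_SCHEME));
            return in_array($scheme, ALLOWED_SCHEMES, true) ? $m[0] : $m[1] . '="#"';
        },
        $html
    );
}

// Constructed sample post exercising the templates, including a link whose
// scheme the allowlist rejects and a literal tag that must stay escaped.
$sample = 'This is [b]very hard[/b]: see [url]http://example.com/[/url] or '
        . '[url=javascript:alert(1)]click[/url] <script>x</script>';
echo bbcode_render($sample), "\n";
```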

Posted: 03/07/2014, 07:20
