LISTING 28.2 Continued $buttons[0] = ‘change-password’; $buttons[1] = ‘account-settings’; $buttons[2] = ‘show-my-lists’; $buttons[3] = ‘show-other-lists’; $buttons[4] = ‘log-out’; } else if(check_admin_user()) { // if an administrator $buttons[0] = ‘change-password’; $buttons[1] = ‘create-list’; $buttons[2] = ‘create-mail’; $buttons[3] = ‘view-mail’; $buttons[4] = ‘log-out’; $buttons[5] = ‘show-all-lists’; $buttons[6] = ‘show-my-lists’; $buttons[7] = ‘show-other-lists’; } else { // if not logged in at all $buttons[0] = ‘new-account’; $buttons[1] = ‘show-all-lists’; $buttons[4] = ‘log-in’; } if($action) { // display header with application name and description of page or action do_html_header(“Pyramid-MLM - “. format_action($action)); } else { // display header with just application name do_html_header(“Pyramid-MLM”); } display_toolbar($buttons); //display any text generated by functions called before header echo $status; /********************************************************************** * Section 3: perform action *********************************************************************/ Building a Mailing List Manager C HAPTER 28 28 BUILDING A MAILING LIST MANAGER 665 34 7842 CH28 3/6/01 3:46 PM Page 665 LISTING 28.2 Continued // only these actions can be done if not logged in switch ( $action ) { case ‘new-account’ : { unset($normal_user); unset($admin_user); display_account_form($normal_user, $admin_user); break; } case ‘store-account’ : { if (store_account($normal_user, $admin_user, $HTTP_POST_VARS)) $action = ‘’; if(!check_logged_in()) display_login_form($action); break; } case ‘log-in’ : case ‘’: { if(!check_logged_in()) display_login_form($action); break; } case ‘show-all-lists’ : { display_items(“All Lists”, get_all_lists(), ‘information’, ‘show-archive’,’’); break; } case ‘show-archive’ : { display_items(“Archive For “.get_list_name($id), get_archive($id), ‘view-html’, ‘view-text’, ‘’); break; } case ‘information’ : { display_information($id); break; } Building Practical PHP and MySQL Projects P ART V 666 34 7842 CH28 3/6/01 3:46 PM Page 666 LISTING 28.2 Continued } //all other actions require user to be logged in if(check_logged_in()) { switch ( $action ) { case ‘account-settings’ : { display_account_form($normal_user, $admin_user, get_email(), get_real_name(get_email()), get_mimetype(get_email())); break; } case ‘show-other-lists’ : { display_items(“Unsubscribed Lists”, get_unsubscribed_lists(get_email()), ‘information’, ‘show-archive’, ‘subscribe’); break; } case ‘subscribe’ : { subscribe(get_email(), $id); display_items(“Subscribed Lists”, get_subscribed_lists(get_email()), ‘information’, ‘show-archive’, ‘unsubscribe’); break; } case ‘unsubscribe’ : { unsubscribe(get_email(), $id); display_items(“Subscribed Lists”, get_subscribed_lists(get_email()), ‘information’, ‘show-archive’, ‘unsubscribe’); break; } case ‘’: case ‘show-my-lists’ : { display_items(“Subscribed Lists”, get_subscribed_lists(get_email()), ‘information’, ‘show-archive’, ‘unsubscribe’); break; } case ‘change-password’ : { display_password_form(); break; } Building a Mailing List Manager C HAPTER 28 28 BUILDING A MAILING LIST MANAGER 667 34 7842 CH28 3/6/01 3:46 PM Page 667 LISTING 28.2 Continued case ‘store-change-password’ : { if(change_password(get_email(), $old_passwd, $new_passwd, $new_passwd2)) { echo “<p>OK: Password changed.<br><br><br><br><br><br>”; } else { echo “<p>Sorry, your password could not be changed.”; display_password_form(); } break; } } } // The following actions may only be performed by an admin user if(check_admin_user()) { switch ( $action ) { case ‘create-mail’ : { display_mail_form(get_email()); break; } case ‘create-list’ : { display_list_form(get_email()); break; } case ‘store-list’ : { if(store_list($admin_user, $HTTP_POST_VARS)) { echo “<p>New list added<br>”; display_items(“All Lists”, get_all_lists(), ‘information’, ‘show-archive’,’’); } else echo “<p>List could not be stored, please try “ .”again.<br><br><br><br><br>”; break; } Building Practical PHP and MySQL Projects P ART V 668 34 7842 CH28 3/6/01 3:46 PM Page 668 LISTING 28.2 Continued case ‘send’ : { send($id, $admin_user); break; } case ‘view-mail’ : { display_items(“Unsent Mail”, get_unsent_mail(get_email()), ‘preview-html’, ‘preview-text’, ‘send’); break; } } } /********************************************************************** * Section 4: display footer *********************************************************************/ do_html_footer(); ?> You can see the four segments of the code clearly marked in this listing. In the preprocessing stage, we set up the session and process any actions that need to be done before headers can be sent. In this case, this includes logging in and out. In the header stage, we set up the menu buttons that the user will see, and display the appropri- ate headers using the do_html_header() function from output_fns.php. This function just dis- plays the header bar and menus, so we won’t go into it here. In the main section of the script, we respond to the action the user has chosen. These actions are divided into three subsets: actions that can be taken if not logged in, actions that can be taken by normal users, and actions that can be taken by administrative users. We check to see whether access to the latter two sets of actions is allowed using the check_logged_in() and check_admin_user() functions. These functions are located in the user_auth_fns.php function library. The code for the functions, and for the check_normal_user() function are shown in Listing 28.3. LISTING 28.3 Functions from user_auth_fns.php—These Functions Check Whether or Not a User Is Logged In, and at What Level function check_normal_user() // see if somebody is logged in and notify them if not { global $normal_user; Building a Mailing List Manager C HAPTER 28 28 BUILDING A MAILING LIST MANAGER 669 34 7842 CH28 3/6/01 3:46 PM Page 669 LISTING 28.3 Continued if (session_is_registered(“normal_user”)) return true; else return false; } function check_admin_user() // see if somebody is logged in and notify them if not { global $admin_user; if (session_is_registered(“admin_user”)) return true; else return false; } function check_logged_in() { return ( check_normal_user() || check_admin_user() ); } As you can see, these functions use the session variables $normal_user and $admin_user to check whether a user has logged in. We’ll talk about setting these session variables up in a minute. In the final section of the script, we send an HTML footer using the do_html_footer() function from output_fns.php. Let’s look briefly at an overview of the possible actions in the system. These actions are shown in Table 28.2 TABLE 28.2 Possible Actions in the Mailing List Manager Application Action Usable By Description log-in Anyone Gives a user a login form log-out Anyone Ends a session new-account Anyone Creates a new account for a user store-account Anyone Stores account details Building Practical PHP and MySQL Projects P ART V 670 34 7842 CH28 3/6/01 3:46 PM Page 670 Action Usable By Description show-all-lists Anyone Shows a list of available mailing lists show-archive Anyone Displays archived news- letters for a particular list information Anyone Shows basic information about a particular list account-settings Logged-in users Displays user account settings show-other-lists Logged-in users Displays mailing lists to which the user is not subscribed show-my-lists Logged-in users Displays mailing lists to which the user is sub- scribed subscribe Logged-in users Subscribes a user to a particular list unsubscribe Logged-in users Unsubscribes a user from a particular list change-password Logged-in users Displays the change of password form store-change- Logged-in users Updates user’s password password in password the database create-mail Administrators Displays form to allow upload of newsletters create-list Administrators Displays form to allow new mailing lists to be created store-list Administrators Stores mailing list details in the database view-mail Administrators Display newsletters that have been uploaded but not yet sent send Administrators Sends newsletters to subscribers Building a Mailing List Manager C HAPTER 28 28 BUILDING A MAILING LIST MANAGER 671 34 7842 CH28 3/6/01 3:46 PM Page 671 One noticeable omission from this table is an option along the lines of store-mail, that is, an action that actually uploads the newsletters entered via create-mail by administrators. This sin- gle piece of functionality is actually in a different file, upload.php. We put this in a separate file because it makes it a little easier on us, the programmers, to keep track of security issues. We will discuss the implementation of these actions in the three groups listed in the Table 28.2, that is, actions for people who are not logged in; actions for logged-in users; and actions for administrators. Implementing Login When a brand new user comes to our site, there are three things we would like them to do. First, look at what we have to offer; second, sign up with us; and third, log in. We will look at each of these in turn. In Figure 28.4, you can see the screen we present to users when they first come to our site. Building Practical PHP and MySQL Projects P ART V 672 F IGURE 28.4 On arrival, users can create a new account, view available lists, or just log in. We’ll look at creating a new account and logging in now, and return to viewing list details in the “Implementing User Functions” and “Implementing Administrative Functions” sections later on. 34 7842 CH28 3/6/01 3:46 PM Page 672 Creating a New Account If a user selects the New Account menu option, this activates the new-account action. This activates the following code in index.php: case ‘new-account’ : { unset($normal_user); unset($admin_user); display_account_form($normal_user, $admin_user); break; } This code effectively logs out a user if they are currently logged in, and displays the account details form as shown in Figure 28.5. Building a Mailing List Manager C HAPTER 28 28 BUILDING A MAILING LIST MANAGER 673 FIGURE 28.5 The new account creation form enables users to enter their details. This form is generated by the display_account_form() function from the output_fns.php library. This function is used both here and in the account-settings action to display a form to enable the user to set up an account. If the function is invoked from the account-settings action, the form will be filled with the user’s existing account data. Here the form is blank, ready for new account details. Because this function only outputs HTML, we will not go through it here. 34 7842 CH28 3/6/01 3:46 PM Page 673 The submit button on this form invokes the store-account action. The code for this action is as follows: case ‘store-account’ : { if (store_account($normal_user, $admin_user, $HTTP_POST_VARS)) $action = ‘’; if(!check_logged_in()) display_login_form($action); break; } The store_account() function writes the account details to the database. The code for this function is shown in Listing 28.4. LISTING 28.3 store_account() Function from mlm_fns.php—These Functions Check Whether or Not a User Is Logged In, and at What Level // add a new subscriber to the database, or let a user modify their data function store_account($normal_user, $admin_user, $details) { if(!filled_out($details)) { echo “All fields must be filled in. Try again.<br><br>”; return false; } else { if(subscriber_exists($details[‘email’])) { //check logged in as the user they are trying to change if(get_email()==$details[‘email’]) { $query = “update subscribers set realname = ‘$details[realname]’, mimetype = ‘$details[mimetype]’ where email = ‘“ . $details[email] . “‘“; if(db_connect() && mysql_query($query)) { return true; } else { echo “could not store changes.<br><br><br><br><br><br>”; return false; } } Building Practical PHP and MySQL Projects P ART V 674 34 7842 CH28 3/6/01 3:46 PM Page 674 . a user store-account Anyone Stores account details Building Practical PHP and MySQL Projects P ART V 670 34 7842 CH28 3/6/01 3:46 PM Page 670 Action Usable By Description show-all-lists Anyone. stage, we set up the menu buttons that the user will see, and display the appropri- ate headers using the do_html_header() function from output_fns .php. This function just dis- plays the header. form store-change- Logged-in users Updates user’s password password in password the database create-mail Administrators Displays form to allow upload of newsletters create-list Administrators Displays