<hr> <form action = “editTable.php” method = “post”> <table border = 1> <tr> <td colspan = 2><center> <h2>Edit / Delete table data</h2> </center></td> </tr> <tr> <td>Password:</td> <td> <input type = “password” name = “pwd” value = “absolute”><br> </td> </tr> <tr> <td colspan = 2><center> <select name = “tableName” size = 5> <option value = “agent”>agents</option> <option value = “specialty”>specialties</option> <option value = “operation”>operations</option> <option value = “agent_specialty”>agent_specialty</option> <option value = “storedQuery”>storedQuery</option> </select> </center></td> </tr> <tr> <td colspan = 2><center> <input type = “submit” value = “edit table”> </center></td> </tr> </table> 398 P H P 5 /M y S Q L P r o g r a m m i n g f o r t h e A b s o l u t e B e g i n n e r </form> </body> </html> To make debugging easier, I preloaded the password field with the appropriate password. In a production environment, you should, of course, leave the password field blank so the user cannot get into the system without the password. Building the viewQuery.php Program When the user chooses a query, program control is sent to the viewQuery.php program. This program does surprisingly little on its own: <html> <head> <title>View Query</title> </head> <body> <center> <h2>Query Results</h2> </center> <? include “spyLib.php”; $dbConn = connectToSpy(); //take out escape characters $theQuery = str_replace(“\’”, “‘“, $theQuery); print qToTable($theQuery); print mainButton(); ?> </body> </html> TRICK 399 C h a p t e r 1 2B u i l d i n g a T h r e e -T i e r e d D a t a A p p l i c a t i o n Once viewQuery.php connects to the library, it uses functions in the library to con- nect to the database and print desired results. The qToTable() function does most of the actual work, taking whatever query is passed to it and generating a table with add, delete, and edit buttons. The str_replace() function is necessary because SQL queries contain single quo- tation mark ( ‘) characters. When I store a query as a VARCHAR entity, the single quo- tation marks embedded in the query cause problems. The normal solution to this problem is to use a backslash, which indicates that the mark should not be imme- diately interpreted, but should be considered a part of the data. The problem with this is the backslash is still in the string when I try to execute the query. The str_replace() function replaces all instances of \’ with a simple single quote (‘). Note that the qToTable() function doesn’t actually print anything to the screen. All it does is build a complex string of HTML code. The viewQuery.php program prints the code to the screen. If you are using a library, it’s best if the library code does not print anything directly to the screen. Instead, it should return a value to whatever program called it. This allows multiple uses for the data. For example, if the qToTable() function printed directly to the screen, you could not use it to generate a file. Since the library code returns a value but doesn’t actually do anything with that value, the code that calls the function has the freedom to use the results in multiple ways. TRICK 400 P H P 5 /M y S Q L P r o g r a m m i n g f o r t h e A b s o l u t e B e g i n n e r WHY STORE QUERIES IN THE DATABASE? You might wonder why I chose to store queries in the database. After all, I could have let the user type in a query directly or provided some form that allows the user to search for certain values. Either of these approaches has advantages, but they also pose some risks. It’s very dangerous to allow direct access to your data from a Web form. Malicious users can introduce Trojan horse commands that snoop on your data, change data, or even delete information from the database. I sometimes build a form that has enough information to create an SQL query and then build that query in a client-side form. (Sounds like a good end-of-chapter exercise, right?) In this case, I stored queries in another table. People with administrative access can add new queries to the database, but ordinary users do not. I preloaded the storedQuery database with a number of useful queries, then added the capacity to add new queries whenever the situation demands it. Drawbacks remain (primarily that ordinary users cannot build custom queries), but it is far more secure than a system that builds a query based on user input. The mainButton() function produces a simple HTML form that directs the user back to the spyMaster.php page. Even though the code for this is relatively simple, it is repeated so often that it makes sense to store it in a function rather than copying and pasting it in every page of the system. Viewing the editTable.php Program The editTable.php follows a familiar pattern. It has a small amount of PHP code, but most of the real work is sent off to a library function. This module’s main job is to check for an administrative password. If the user does not have the appro- priate password, further access to the system is blocked. If the user does have the correct password, the very powerful tToEdit() function provides access to the add, edit, and delete functions. <html> <head> <title>Edit table</title> </head> <body> <h2>Edit Table</h2> <? include “spyLib.php”; //check password if ($pwd == $adminPassword){ $dbConn = connectToSpy(); print tToEdit(“$tableName”); } else { print “<h3>You must have administrative access to proceed</h3>\n”; } // end if print mainButton(); ?> </body> </html> The $pwd value comes from a field in the spyMaster.php page. The $adminPassword value is stored in spyLibrary.php. (The default admin password is absolute, but you can change it to whatever you want by editing spyLib.php.) 401 C h a p t e r 1 2B u i l d i n g a T h r e e -T i e r e d D a t a A p p l i c a t i o n Viewing the editRecord.php Program The editRecord.php program is called from a form generated by editTable.php. (Actually, the tToEdit() function generates the form, but tToEdit() is called from editTable.php.) This program expects variables called $tableName, $keyName, and $keyVal. These variables, automatically provided by tToEdit(), help editRecord build a query that returns whatever record the user selects. (You can read ahead to the description of tToEdit() for details on how this works.) <html> <head> <title>Edit Record</title> </head> <body> <h1>Edit Record</h1> <? // expects $tableName, $keyName, $keyVal include “spyLib.php”; $dbConn = connectToSpy(); $query = “SELECT * FROM $tableName WHERE $keyName = $keyVal”; print smartRToEdit($query); print mainButton(); ?> </body> </html> The editRecord.php program prints the results of the smartRToEdit() library func- tion. This function takes the single-record query and prints HTML code that lets the user appropriately update the record. Viewing the updateRecord.php Program The smartRToEdit() function calls another PHP program called updateRecord.php. This program calls a library function that actually commits the user’s changes to the database. 402 P H P 5 /M y S Q L P r o g r a m m i n g f o r t h e A b s o l u t e B e g i n n e r . editRecord .php Program The editRecord .php program is called from a form generated by editTable .php. (Actually, the tToEdit() function generates the form, but tToEdit() is called from editTable .php. ). the spyMaster .php page. The $adminPassword value is stored in spyLibrary .php. (The default admin password is absolute, but you can change it to whatever you want by editing spyLib .php. ) 401 C h a p t e r. it in every page of the system. Viewing the editTable .php Program The editTable .php follows a familiar pattern. It has a small amount of PHP code, but most of the real work is sent off to a library