Chapter 24 Building User Authentication and Personalization
487 Implementing User Authentication

    // check if username is unique
    $result = mysql_query("select * from user where username='$username'");
    if (!$result)
      return 'Could not execute query';
    if (mysql_num_rows($result)>0)
      return 'That username is taken - go back and choose another one.';

    // if ok, put in db
    $result = mysql_query("insert into user values
                           ('$username', password('$password'), '$email')");
    if (!$result)
      return 'Could not register you in database - please try again later.';

    return true;
  }

There is nothing particularly new in this function—it connects to the database we set up earlier. If the username selected is taken, or the database cannot be updated, it will return false. Otherwise, it will update the database and return true.

One thing to note is that we are performing the actual database connection with a function we have written, called db_connect(). This function simply provides a single location that contains the username and password to connect to the database. That way, if we change the database password, we only need to change one file in our application. The function is shown in Listing 24.10.

Listing 24.10 db_connect() Function from db_fns.php—This Function Connects to the MySQL Database

  function db_connect()
  {
    $result = mysql_pconnect('localhost', 'bm_user', 'password');
    if (!$result)
      return false;
    if (!mysql_select_db('bookmarks'))
      return false;
    return $result;
  }

When users are registered, they can log in and out using the regular login and logout pages. We'll build these next.

Logging In

If users type their details into the form at login.php (see Figure 24.3) and submit it, they will be taken to the script called member.php. This script will log them in if they have come from this form. It will also display any relevant bookmarks to users who are logged in.
It is the center of the rest of the application. This script is shown in Listing 24.11.

Listing 24.11 member.php—This Script Is the Main Hub of the Application

  <?php
    // include function files for this application
    require_once('bookmark_fns.php');
    session_start();

    // create short variable names
    $username = $HTTP_POST_VARS['username'];
    $passwd = $HTTP_POST_VARS['passwd'];

    if ($username && $passwd)
    // they have just tried logging in
    {
      if (login($username, $passwd))
      {
        // if they are in the database register the user id
        $HTTP_SESSION_VARS['valid_user'] = $username;
      }
      else
      {
        // unsuccessful login
        do_html_header('Problem:');
        echo 'You could not be logged in.
              You must be logged in to view this page.';
        do_html_url('login.php', 'Login');
        do_html_footer();
        exit;
      }
    }

    do_html_header('Home');

    check_valid_user();

    // get the bookmarks this user has saved
    // (no semicolon after the condition, or display_user_urls() would run unconditionally)
    if ($url_array = get_user_urls($HTTP_SESSION_VARS['valid_user']))
      display_user_urls($url_array);

    // give menu of options
    display_user_menu();

    do_html_footer();
  ?>

You might recognize the logic in this script: we are re-using some of the ideas from Chapter 20. First, we check whether the user has come from the front page—that is, whether he has just filled in the login form—and try to log him in as follows:

  if ($username && $passwd)
  // they have just tried logging in
  {
    if (login($username, $passwd))
    {
      // if they are in the database register the user id
      $HTTP_SESSION_VARS['valid_user'] = $username;
    }

You can see that we are trying to log him in using a function called login(). We have defined this in the user_auth_fns.php library, and we'll look at the code for it in a minute. If he is logged in successfully, we register his session as we did before, storing the username in the session variable valid_user.
If all went well, we then show the user the members page:

  do_html_header('Home');

  check_valid_user();

  // get the bookmarks this user has saved
  if ($url_array = get_user_urls($HTTP_SESSION_VARS['valid_user']))
    display_user_urls($url_array);

  // give menu of options
  display_user_menu();

  do_html_footer();

This page is again formed using the output functions. You will notice that we are using several other new functions. These are check_valid_user(), from user_auth_fns.php; get_user_urls(), from url_fns.php; and display_user_urls(), from output_fns.php. The check_valid_user() function checks that the current user has a registered session. This is aimed at users who have not just logged in, but are mid-session. The get_user_urls() function gets a user's bookmarks from the database, and display_user_urls() outputs the bookmarks to the browser in a table. We will look at check_valid_user() in a moment and at the other two in the section on bookmark storage and retrieval.

The member.php script ends the page by displaying a menu with the display_user_menu() function. Some sample output as displayed by member.php is shown in Figure 24.6.

Figure 24.6 The member.php script checks that a user is logged in, retrieves and displays his bookmarks, and gives him a menu of options.

We will now look at the login() and check_valid_user() functions a little more closely. The login() function is shown in Listing 24.12.
Listing 24.12 The login() Function from user_auth_fns.php—This Function Checks a User's Details Against the Database

  function login($username, $password)
  // check username and password with db
  // if yes, return true
  // else return false
  {
    // connect to db
    $conn = db_connect();
    if (!$conn)
      return false;

    // check whether a row exists with this username and password
    $result = mysql_query("select * from user
                           where username='$username'
                           and passwd = password('$password')");
    if (!$result)
      return false;

    if (mysql_num_rows($result)>0)
      return true;
    else
      return false;
  }

As you can see, this function connects to the database and checks that there is a user with the username and password combination supplied. It will return true if there is, or false if there is not or if the user's credentials could not be checked.

The check_valid_user() function does not connect to the database again, but instead just checks that the user has a registered session, that is, that he has already logged in. This function is shown in Listing 24.13.

Listing 24.13 The check_valid_user() Function from user_auth_fns.php—This Function Checks That the User Has a Valid Session

  function check_valid_user()
  // see if somebody is logged in and notify them if not
  {
    global $HTTP_SESSION_VARS;
    if (isset($HTTP_SESSION_VARS['valid_user']))
    {
      echo 'Logged in as '.$HTTP_SESSION_VARS['valid_user'].'.';
      echo '<br />';
    }
    else
    {
      // they are not logged in
      do_html_heading('Problem:');
      echo 'You are not logged in.<br />';
      do_html_url('login.php', 'Login');
      do_html_footer();
      exit;
    }
  }

If the user is not logged in, the function will tell him he has to be logged in to see this page, and give him a link to the login page.

Logging Out

You might have noticed that there is a link marked "Logout" on the menu in Figure 24.6. This is a link to the logout.php script. The code for this script is shown in Listing 24.14.
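The register() fragment, login() and check_valid_user() above build their SQL by interpolating $username straight into the query string and rely on MySQL's password() function for the stored credential, so a username containing a quote character changes the meaning of the query, and the password comparison happens inside the database. The following is an added example, not the book's code, showing the same three functions written with mysqli prepared statements, PHP's password_hash()/password_verify(), and a session id regenerated at login. It assumes PHP 7.1 or later, the book's `user` table with columns username, passwd and email (passwd widened to VARCHAR(255) so a password_hash() digest fits), the book's output functions do_html_heading(), do_html_url() and do_html_footer(), and placeholder database credentials.

```php
<?php
// Added example (not the book's code). Assumptions: PHP 7.1+, table `user`
// (username, passwd VARCHAR(255), email); the connection details are placeholders.

function db_connect(): mysqli
{
  $conn = new mysqli('localhost', 'bm_user', 'PLACEHOLDER_PASSWORD', 'bookmarks');
  if ($conn->connect_error) {
    throw new RuntimeException('Could not connect to database');
  }
  return $conn;
}

// Same contract as the book's register(): true on success, otherwise an error string.
function register(string $username, string $password, string $email)
{
  $conn = db_connect();

  // The username travels as a bound parameter, never as part of the SQL text,
  // so a quote or comment marker inside it cannot alter the query.
  $stmt = $conn->prepare('SELECT 1 FROM user WHERE username = ?');
  $stmt->bind_param('s', $username);
  $stmt->execute();
  $stmt->store_result();
  $taken = $stmt->num_rows > 0;
  $stmt->close();
  if ($taken) {
    return 'That username is taken - go back and choose another one.';
  }

  // Store a salted, deliberately slow hash instead of MySQL's password() value.
  $hash = password_hash($password, PASSWORD_DEFAULT);
  $stmt = $conn->prepare('INSERT INTO user (username, passwd, email) VALUES (?, ?, ?)');
  $stmt->bind_param('sss', $username, $hash, $email);
  if (!$stmt->execute()) {
    return 'Could not register you in database - please try again later.';
  }
  return true;
}

function login(string $username, string $password): bool
{
  $conn = db_connect();

  // Fetch only the stored hash; the comparison is done in PHP, not in SQL.
  $stmt = $conn->prepare('SELECT passwd FROM user WHERE username = ?');
  $stmt->bind_param('s', $username);
  $stmt->execute();
  $stmt->bind_result($hash);
  if (!$stmt->fetch()) {
    return false; // unknown username
  }
  return password_verify($password, $hash);
}

// Replaces the direct $HTTP_SESSION_VARS['valid_user'] = $username in member.php:
// issuing a fresh session id at login means a session id that existed before
// authentication never becomes an authenticated one.
function start_user_session(string $username): void
{
  session_regenerate_id(true);
  $_SESSION['valid_user'] = $username;
}

function check_valid_user(): void
{
  if (isset($_SESSION['valid_user'])) {
    // Escape the username before echoing it into the page.
    echo 'Logged in as ' . htmlspecialchars($_SESSION['valid_user']) . '.<br />';
    return;
  }
  // they are not logged in
  do_html_heading('Problem:');
  echo 'You are not logged in.<br />';
  do_html_url('login.php', 'Login');
  do_html_footer();
  exit;
}
```

In member.php the call sequence becomes session_start(), then on a successful login() a call to start_user_session($username) in place of the direct session assignment; the rest of the script, including check_valid_user(), reads $_SESSION exactly as the book's version reads $HTTP_SESSION_VARS.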