PHP and MySQL Web Development - P134 ppsx


Here the form is blank, ready for new account details. Because this function only outputs HTML, we will not go through it here.

Figure 28.5 The new account creation form enables users to enter their details.

The submit button on this form invokes the store-account action. The code for this action is as follows:

    case 'store-account' :
    {
      if (store_account($HTTP_SESSION_VARS['normal_user'],
                        $HTTP_SESSION_VARS['admin_user'], $HTTP_POST_VARS))
        $action = '';
      if(!check_logged_in())
        display_login_form($action);
      break;
    }

The store_account() function writes the account details to the database. The code for this function is shown in Listing 28.4.

Listing 28.4 store_account() Function from mlm_fns.php—These Functions Add a New User or Modify an Existing User in the Database.

    // add a new subscriber to the database, or let a user modify their data
    function store_account($normal_user, $admin_user, $details)
    {
      if(!filled_out($details))
      {
        echo 'All fields must be filled in. Try again.<br /><br />';
        return false;
      }
      else
      {
        if(subscriber_exists($details['email']))
        {
          //check logged in as the user they are trying to change
          if(get_email()==$details['email'])
          {
            $query = "update subscribers set realname = '$details[realname]',
                                             mimetype = '$details[mimetype]'
                      where email = '" . $details['email'] . "'";
            if(db_connect() && mysql_query($query))
            {
              return true;
            }
            else
            {
              echo 'could not store changes.<br /><br /><br /><br /><br /><br />';
              return false;
            }
          }
          else
          {
            echo '<p>Sorry, that email address is already registered here.</p>';
            echo '<p>You will need to log in with that address to change '
                 .'its settings.</p>';
            return false;
          }
        }
        else // new account
        {
          $query = "insert into subscribers
                    values ('$details[email]',
                            '$details[realname]',
                            '$details[mimetype]',
                            password('$details[new_password]'),
                            0)";
          if(db_connect() && mysql_query($query))
          {
            return true;
          }
          else
          {
            echo 'Could not store new account.<br /><br /><br /><br /><br /><br />';
            return false;
          }
        }
      }
    }

This function first checks that the user has filled in the required details. If this is okay, the function will then either create a new user, or update the account details if the user already exists. A user can only update the account details of the user he is logged in as. This is checked using the get_email() function, which retrieves the email address of the user who is currently logged in. We’ll return to this later, as it uses session variables that are set up when the user logs in.

Logging In

If a user fills in the login form we saw back in Figure 28.4 and clicks on the Log In button, she will enter the index.php script with the email and password variables set. This will activate the login code, which is in the pre-processing stage of the script, as follows:

    // need to process log in or out requests before anything else
    if($HTTP_POST_VARS['email']&&$HTTP_POST_VARS['password'])
    {
      $login = login($HTTP_POST_VARS['email'], $HTTP_POST_VARS['password']);
      if($login == 'admin')
      {
        $status .= '<p><b>'.get_real_name($HTTP_POST_VARS['email']).'</b> logged in'
                   .' successfully as <b>Administrator</b></p>'
                   .'<br /><br /><br /><br /><br />';
        $HTTP_SESSION_VARS['admin_user'] = $HTTP_POST_VARS['email'];
      }
      else if($login == 'normal')
      {
        $status .= "<p><b>".get_real_name($HTTP_POST_VARS['email'])."</b> logged in"
                   ." successfully.</p><br /><br />";
        $HTTP_SESSION_VARS['normal_user'] = $HTTP_POST_VARS['email'];
      }
      else
      {
        $status .= "<p>Sorry, we could not log you in with that
                    email address and password.</p><br />";
      }
    }

As you can see, we first try to log them in using the login() function from the user_auth_fns.php library. This is slightly different from the login functions we have used elsewhere, so we’ll take a look at it. The code for this function is shown in Listing 28.5.

Listing 28.5 login() Function from user_auth_fns.php—Checking a User’s Login Details

    function login($email, $password)
    // check username and password with db
    // if yes, return login type
    // else return false
    {
      // connect to db
      $conn = db_connect();
      if (!$conn)
        return 0;

      $query = "select admin from subscribers
                where email='$email'
                and password = password('$password')";
      //echo $query;
      $result = mysql_query($query);
      if (!$result)
        return false;

      if (mysql_num_rows($result)<1)
        return false;

      if(mysql_result($result, 0, 0) == 1)
        return 'admin';
      else
        return 'normal';
    }

Previously with login functions, we have returned true if the login was successful and false if it was not. In this case, we still return false if the login failed, but if it was successful we return the user type, either 'admin' or 'normal'. We check the user type by retrieving the value stored in the admin column in the subscribers table, for a particular combination of email address and password. If no results are returned, we return false. If a user is an administrator, this value will be 1 (true), and we return 'admin'. Otherwise, we return 'normal'.

Returning to the main line of execution, we register a session variable to keep track of who our user is. This will either be admin_user if she is an administrator, or normal_user if she is a regular user. Whichever one of these variables we set will contain the email address of the user. To simplify checking for the email address of a user, we use the get_email() function mentioned earlier. This function is shown in Listing 28.6.

Listing 28.6 get_email() function from user_auth_fns.php—Returns the Email Address of the Logged In User

    function get_email()
    {
      global $HTTP_SESSION_VARS;
      if (isset($HTTP_SESSION_VARS['normal_user']))
        return $HTTP_SESSION_VARS['normal_user'];
      if (isset($HTTP_SESSION_VARS['admin_user']))
        return $HTTP_SESSION_VARS['admin_user'];

      return false;
    }

Back in our main program, we report to the user whether she was logged in or not, and at what level. The output from one login attempt is shown in Figure 28.6.

Figure 28.6 The system reports to the user that login was successful.
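An added example, not part of the book's listings: Listings 28.4 and 28.5 build their SQL by interpolating form values into the query string and store passwords with MySQL's password() function, so the code below redoes the new-account insert and login() with bound parameters and password_hash()/password_verify(). The PDO handle, the in-memory SQLite table, the function names make_demo_db() and store_new_account(), and the sample accounts are constructed for the demonstration; the column layout is assumed from the insert statement in Listing 28.4.

```php
<?php
// Added example (not the book's code). The PDO handle, the in-memory SQLite
// table and the sample accounts are constructed; columns follow Listing 28.4.
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE subscribers (email TEXT PRIMARY KEY, realname TEXT,
               mimetype TEXT, password TEXT, admin INTEGER)');
    return $db;
}

// New-account branch of store_account(): values are bound, never interpolated,
// and the password is stored as a salted password_hash() digest.
function store_new_account(PDO $db, array $details, int $admin = 0): bool
{
    $stmt = $db->prepare('INSERT INTO subscribers VALUES (?, ?, ?, ?, ?)');
    return $stmt->execute([
        $details['email'], $details['realname'], $details['mimetype'],
        password_hash($details['new_password'], PASSWORD_DEFAULT), $admin,
    ]);
}

// Same contract as Listing 28.5: 'admin', 'normal', or false on failure.
function login(PDO $db, string $email, string $password)
{
    $stmt = $db->prepare('SELECT password, admin FROM subscribers WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    return ((int) $row['admin'] === 1) ? 'admin' : 'normal';
}

$db = make_demo_db();
store_new_account($db, ['email' => 'admin@example.com', 'realname' => 'Ann Admin',
    'mimetype' => 'H', 'new_password' => 'constructed-pass-1'], 1);
// An address containing a quote would break the interpolated query; bound, it is data.
store_new_account($db, ['email' => "o'brien@example.com", 'realname' => "Pat O'Brien",
    'mimetype' => 'T', 'new_password' => 'constructed-pass-2']);

var_dump(login($db, 'admin@example.com', 'constructed-pass-1'));
var_dump(login($db, "o'brien@example.com", 'constructed-pass-2'));
var_dump(login($db, "o'brien@example.com", 'wrong-password'));
```

In the calling script, session_regenerate_id(true) after a successful login() keeps a pre-login session ID from carrying over into the authenticated session.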

Date posted: 07/07/2014, 03:20
