Secure PHP Development- P40 ppt

Listing 6-1 (Continued)

            return implode(', ', $setValues);
        }

        // Update the row for the current USER_ID with the key=value pairs built
        // by makeUpdateKeyValuePairs() from the field list and the supplied data.
        function updateUser($data = null) {
            $this->setUserID();
            $fieldList = $this->user_tbl_fields;
            $keyVal = $this->makeUpdateKeyValuePairs($this->user_tbl_fields, $data);
            $stmt = "UPDATE $this->user_tbl SET $keyVal WHERE USER_ID = $this->USER_ID";
            $result = $this->dbi->query($stmt);
            return $this->getReturnValue($result);
        }

        // Insert a new row; text columns are quoted, other columns are used as given.
        function addUser($data = null) {
            $fieldList = $this->user_tbl_fields;
            $valueList = array();
            foreach ($fieldList as $k => $v) {
                if (!strcmp($v, 'text')) {
                    $valueList[] = $this->dbi->quote(addslashes($data[$k]));
                } else {
                    $valueList[] = $data[$k];
                }
            }
            $fields = implode(',', array_keys($fieldList));
            $values = implode(',', $valueList);
            $stmt = "INSERT INTO $this->user_tbl ($fields) VALUES($values)";
            //echo $stmt;
            $result = $this->dbi->query($stmt);
            return $this->getReturnValue($result);
        }

        // Delete the row for the given (or current) USER_ID.
        function deleteUser($uid = null) {
            $this->setUserID($uid);
            $stmt = "DELETE from $this->user_tbl " .
                    "WHERE USER_ID = $this->USER_ID";
            $result = $this->dbi->query($stmt);
            return $this->getReturnValue($result);
        }

        // Map the PEAR DB result code to a boolean.
        function getReturnValue($r = null) {
            return ($r == DB_OK) ? TRUE : FALSE;
        }

        // Record an action for the current user in the activity log table.
        function logActivity($action = null) {
            $now = time();
            $stmt = "INSERT INTO $this->user_activity_log SET " .
                    "USER_ID = $this->USER_ID, " .
                    "ACTION_TYPE = $action, " .
                    "ACTION_TS = $now";
            // echo "$stmt <P>";
            $result = $this->dbi->query($stmt);
            return $this->getReturnValue($result);
        }
    }
    ?>

Two details of this listing deserve attention. In addUser(), text values pass through addslashes() before $this->dbi->quote(); quote() already escapes and encloses its argument, so a value such as O'Brien reaches the database with a literal backslash in it. In updateUser(), deleteUser() and logActivity(), $this->USER_ID and $action are placed into the SQL string unquoted, so the class depends on its callers to hand it nothing but integers; if a request can supply those values directly, the string concatenation becomes SQL injection.

User Interface Templates

Throughout the user management system, many user interface templates are needed to allow users and administrators to interact with the system. These templates are simple HTML forms with embedded tags, which are dynamically replaced to create the desired look and feel of the applications.
These templates are supplied with the CD-ROM and are very simple in nature. The templates are:

◆ usermngr_menu.html - displays the user manager menu
◆ usermngr_user_form.html - the user add/modify form
◆ usermngr_status.html - shows the status of add/modify/delete operations
◆ usermngr_pwd_change.html - used for password changes
◆ usermngr_pwd_reset.html - used to reset passwords
◆ usermngr_forgotten_pwd.html - used as the forgotten password request form
◆ usermngr_forgotten_pwd_email.html - used when e-mailing a password reset request to users who have forgotten their passwords

Creating a User Administration Application

The primary application in the central user management system is the user administration application. It enables the user administrator to do the following tasks:

◆ Add new user accounts
◆ Modify user accounts
◆ Toggle user account active flags
◆ Change user passwords
◆ Upgrade or downgrade users
◆ Delete user accounts

user_mngr.php is a user manager application that implements these features. Let's look at some of its main methods:

◆ run(): This method is used to run the application. It acts as a driver and performs the following tasks:
    ■ It checks to see if the user is authorized to run the application.
    ■ If the application is called with $cmd set to add, run() calls addDriver() to handle the user add operation.
    ■ If the application is called with $cmd set to modify, run() calls modifyDriver() to handle the user modification operation.
    ■ If the application is called with $cmd set to delete, run() calls deleteUser() to handle the user delete operation.
    ■ If the $cmd variable is not set, run() calls showScreen() to show the user management menu.

◆ addUser(): This method adds a user as follows:
    1. It calls checkInput() to check the user input supplied in the add user interface.
    2. It adds the default domain to the user's e-mail address if the username entered by the user does not include a domain name. For example, if the user enters carol as the username, addUser() sets the username to carol@evoknow.com, assuming $DEFAULT_DOMAIN is set to evoknow.com.
    3. It generates a two-character random string to be used as a salt for the crypt() function that hashes the user-supplied password. A two-character salt selects the traditional DES-based crypt() scheme, which uses only the first eight characters of the password and is cheap to brute-force on current hardware; current PHP releases provide password_hash() for this purpose.
    4. It lowercases the username and creates a User object. An associative array is defined to hold the user-supplied data as key=value pairs; the keys are the database field names for the respective user data.
    5. It uses the User object, $userObj, to call addUser(), which in turn adds the user to the database.
    6. It displays a success or failure status message accordingly.

◆ modifyUser(): This method modifies a user account as follows:
    1. It uses checkInput() to check user-supplied input.
    2. If the account being modified is the root user account (identified by the $ROOT_USER variable loaded from the user_mngr.conf file), the administrator is not allowed to deactivate it, and it cannot be lowered to a standard account. When such an attempt is made, an appropriate alert message is displayed.
    3. It enters the user-supplied user type (TYPE), active flag (ACTIVE), and user ID (USER_ID) into an associative array called $hash.
    4. If the user-supplied password does not match the dummy password (identified by the $DUMMY_PASSWD variable loaded from the user_mngr.conf file), modifyUser() hashes the new password with crypt() using a random two-character salt string; otherwise no password is placed in $hash and the stored value is left unchanged.
    5. It uses $userObj to call getUserInfo() to load the current user data into the object.
    6. It stores the modified username (EMAIL) in the $hash variable.
    7. It uses the $userObj object's updateUser() method to update the user in the database.
    8. It displays a success or failure status message as appropriate.

◆ deleteUser(): This method, used to delete the chosen user, works as follows:
    1. It displays an error message if the user ID is not supplied from the user interface.
    2. It creates a User object, $userObj, and uses getUserInfo() to load the current user data.
    3. It compares the chosen user's username (EMAIL) with the name of the user specified by $ROOT_USER, to avoid deleting the root user account.
    4. It uses $userObj's deleteUser() to perform the actual delete operation, removing the user from the database.
    5. It displays a success or failure status message accordingly.

The following are the other functions/methods used in the user manager application:

modifyDriver(): This is the modify driver. It uses the form variable $step to control how the modify operation is implemented. When $step is not set, showScreen() is used to display the modify user interface. The user modify interface sets $step to 2, which is used to call modifyUser(). modifyUser() uses the User object's updateUser() method to modify the user account.

addDriver(): This is the add driver. It uses the form variable $step to control how an add operation is implemented. When $step is not set, showScreen() is used to display the add user interface. The user add interface sets $step to 2, which is used to call addUser(). addUser() uses the User object's addUser() method to add the user account.

menu(): Called by showScreen() to display the user management menu. It uses a User object called $userObj to get a list of existing users using the getUserList() function. The user list is displayed in the user interface for modification and deletion operations.
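The following is an added example, not code from the book or its CD-ROM. It walks through the addUser(), modifyUser() and deleteUser() flow of user_mngr.php described above, together with the INSERT, UPDATE and DELETE statements of Listing 6-1, with two changes a current reviewer would insist on: PDO prepared statements in place of SQL assembled from interpolated values (so neither addslashes() nor quote() is needed), and password_hash() in place of crypt() with a two-character salt. The column names USER_ID, EMAIL, PASSWORD, TYPE and ACTIVE follow the chapter; the table name users, the TYPE codes, the configuration values standing in for $DEFAULT_DOMAIN, $ROOT_USER and $DUMMY_PASSWD, and the SQLite backend are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the book's code): user_mngr.php's add/modify/delete flow
// over prepared statements and password_hash(). Requires PHP 8.0+ and pdo_sqlite.
final class UserManager
{
    // Assumed stand-ins for $DEFAULT_DOMAIN, $ROOT_USER and $DUMMY_PASSWD from user_mngr.conf.
    public const DEFAULT_DOMAIN = 'evoknow.com';
    public const ROOT_USER      = 'root@evoknow.com';
    public const DUMMY_PASSWD   = '********';
    // Assumed TYPE codes; the book only says users can be upgraded or downgraded.
    public const TYPE_STANDARD  = 1;
    public const TYPE_ADMIN     = 2;

    public function __construct(private PDO $db)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS users (
            USER_ID  INTEGER PRIMARY KEY AUTOINCREMENT,
            EMAIL    TEXT    NOT NULL UNIQUE,
            PASSWORD TEXT    NOT NULL,
            TYPE     INTEGER NOT NULL,
            ACTIVE   INTEGER NOT NULL)');
    }

    /** addUser() steps 2 and 4: append the default domain when none is given, then lowercase. */
    public static function normalizeUsername(string $username): string
    {
        $username = trim($username);
        if (!str_contains($username, '@')) {
            $username .= '@' . self::DEFAULT_DOMAIN;
        }
        return strtolower($username);
    }

    /** addUser(): returns the new USER_ID. Bound values are never parsed as SQL. */
    public function addUser(string $username, string $password, int $type, bool $active = true): int
    {
        $stmt = $this->db->prepare(
            'INSERT INTO users (EMAIL, PASSWORD, TYPE, ACTIVE) VALUES (:email, :pw, :type, :active)');
        $stmt->execute([
            ':email'  => self::normalizeUsername($username),
            ':pw'     => password_hash($password, PASSWORD_DEFAULT), // random salt, slow hash
            ':type'   => $type,
            ':active' => (int) $active,
        ]);
        return (int) $this->db->lastInsertId();
    }

    /** getUserInfo(): the stored row, or null when USER_ID does not exist. */
    public function getUserInfo(int $userId): ?array
    {
        $stmt = $this->db->prepare('SELECT * FROM users WHERE USER_ID = :id');
        $stmt->execute([':id' => $userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    /** modifyUser(): root is never deactivated or downgraded; the dummy password keeps the old hash. */
    public function modifyUser(int $userId, string $password, int $type, bool $active): bool
    {
        $current = $this->getUserInfo($userId);
        if ($current === null) {
            return false;
        }
        if ($current['EMAIL'] === self::ROOT_USER && (!$active || $type < self::TYPE_ADMIN)) {
            return false; // user_mngr.php shows an alert at this point
        }
        $hash = ['TYPE' => $type, 'ACTIVE' => (int) $active]; // the $hash of steps 3 and 4
        if ($password !== self::DUMMY_PASSWD) {
            $hash['PASSWORD'] = password_hash($password, PASSWORD_DEFAULT);
        }
        // Column names come from the fixed keys above, never from the request; values are bound.
        $set = implode(', ', array_map(fn (string $col): string => "$col = :$col", array_keys($hash)));
        $stmt = $this->db->prepare("UPDATE users SET $set WHERE USER_ID = :id");
        $params = [':id' => $userId];
        foreach ($hash as $col => $value) {
            $params[":$col"] = $value;
        }
        $stmt->execute($params);
        return $stmt->rowCount() === 1;
    }

    /** deleteUser(): the root account is never deleted. */
    public function deleteUser(int $userId): bool
    {
        $current = $this->getUserInfo($userId);
        if ($current === null || $current['EMAIL'] === self::ROOT_USER) {
            return false;
        }
        $stmt = $this->db->prepare('DELETE FROM users WHERE USER_ID = :id');
        $stmt->execute([':id' => $userId]);
        return $stmt->rowCount() === 1;
    }

    /** Login-side counterpart of the stored hash; inactive accounts never authenticate. */
    public function verifyPassword(string $username, string $password): bool
    {
        $stmt = $this->db->prepare('SELECT PASSWORD, ACTIVE FROM users WHERE EMAIL = :email');
        $stmt->execute([':email' => self::normalizeUsername($username)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row !== false && (int) $row['ACTIVE'] === 1 && password_verify($password, $row['PASSWORD']);
    }
}

// Usage with constructed data against an in-memory SQLite database.
$mgr   = new UserManager(new PDO('sqlite::memory:'));
$root  = $mgr->addUser('root', 'r00t-secret', UserManager::TYPE_ADMIN);
$carol = $mgr->addUser('Carol', 'pa$$word', UserManager::TYPE_STANDARD);
$ob    = $mgr->addUser("O'Brien", 'x', UserManager::TYPE_STANDARD);
var_dump($mgr->getUserInfo($ob)['EMAIL']);   // quote stored as typed, no doubled escaping
var_dump($mgr->modifyUser($root, UserManager::DUMMY_PASSWD, UserManager::TYPE_STANDARD, true)); // root: downgrade refused
var_dump($mgr->deleteUser($root));           // root: delete refused
var_dump($mgr->modifyUser($carol, 'new-pass', UserManager::TYPE_STANDARD, false)); // carol deactivated, new hash
var_dump($mgr->verifyPassword('carol', 'new-pass')); // inactive account, login refused
```

The book's version builds each statement as a string and relies on the caller to supply integer IDs and on addslashes()/quote() for text; here the statement text is fixed and only bound values vary, so the O'Brien case and any hostile username are stored as data. The root checks mirror steps 2 of modifyUser() and 3 of deleteUser(), comparing the stored EMAIL with the configured root name rather than trusting the request.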

Posted: 07/07/2014, 07:20

Table of Contents

    Is This Book for You?

    How This Book Is Organized

    Tell Us What You Think

    Contents at a Glance

    Chapter 1: Features of Practical PHP Applications

    Features of a Practical PHP Application

    Employing the Features in Applications

    Chapter 2: Understanding and Avoiding Security Risks

    Identifying the Sources of Risk

    Not Revealing Sensitive Information
