\n"); } else { header("Content-type: text/html; charset=utf-8"); } ?> CS-090.3 Assignment 5

Introduction

This is an open-ended assignment in which you are to extend the login project to add as many “interesting” features as you have the time and/or the inclination for. Four ideas are presented below: only the first one is required.

Description

  1. Allow existing users to change their password.

    Once a user is logged in, display a “new password” field; when it is filled in, send an object to the server with the user’s old password, new password, and user ID. The PHP code verifies that the old password matches the existing password for that user, and then updates that user’s password with the new one. The query strings would look like this:

    SELECT password from users WHERE id = '123'
    [ verify that the passwords match, then ]
    UPDATE users SET password = 'secret' WHERE id = '123'
    You must prevent SQL injection attacks!

    If get_magic_quotes_gpc() returns true, strip all slashes from the characters typed by the user. Then, whether magic quotes was set or not, use htmlentities() to substitute HTML character entities wherever possible into the user’s input. Be sure the second parameter is ENT_QUOTES and the third parameter is "UTF-8".

    Note that you need the user’s id to send from the client to your PHP code: when the user logged in, the PHP code has to have sent this datum along with the user’s name during the login exchange, and the JavaScript code has to have saved it for use in this exchange.

    Although the exchange is to be done using AJAX, it is all right to add a button to the form for the user to click on when s/he wants to change his/her password instead of triggering the update just because the user changed the contents of the new password field. But the button is not required if you decide you don’t want to add it.

    Test your code carefully: I have to be able to test it! Be sure to let me have a list of valid user names and passwords for your database when you submit the assignment.
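The server side of the change-password exchange, as an added example that is not part of the assignment's own code. It assumes the client sends a JSON object with `id`, `old_password` and `new_password`, and that `$dbconn` is a connection opened elsewhere with pg_connect(); binding the values with pg_query_params() is an added defence on top of the sanitizing recipe above.

```php
<?php
// Added example (not the course's own code): the server side of the
// change-password exchange. Assumes the client POSTs a JSON object
// {"id": 123, "old_password": "...", "new_password": "..."} and that
// $dbconn is a pg_connect() resource opened elsewhere.

// The assignment's sanitizing recipe: undo magic quotes (on old PHP
// versions), then encode HTML entities with ENT_QUOTES and UTF-8.
function clean_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Returns true if the password was changed, false otherwise.  Stored
// passwords are assumed to have gone through clean_input() when inserted.
function change_password($dbconn, array $req): bool {
    if (!isset($req['id'], $req['old_password'], $req['new_password'])) {
        return false;
    }
    $id  = (int) $req['id'];                  // the id must be an integer
    $old = clean_input($req['old_password']);
    $new = clean_input($req['new_password']);
    if ($new === '') {
        return false;
    }
    // Added defence beyond the assignment text: pg_query_params() sends the
    // values separately from the SQL text, so quotes typed by the user can
    // never change the query.  The statements match the assignment's queries.
    $res = pg_query_params($dbconn,
        'SELECT password FROM users WHERE id = $1', [$id]);
    $row = $res ? pg_fetch_assoc($res) : false;
    if ($row === false || $row['password'] !== $old) {
        return false;                          // unknown user or wrong old password
    }
    $res = pg_query_params($dbconn,
        'UPDATE users SET password = $1 WHERE id = $2', [$new, $id]);
    return $res !== false && pg_affected_rows($res) === 1;
}

$request = json_decode(file_get_contents('php://input'), true);
$ok = is_array($request) && change_password($dbconn, $request);
header('Content-type: application/json; charset=utf-8');
echo json_encode(['changed' => $ok]);
```

The assignment compares the password as stored; outside the classroom the column would hold a hash and the check would use password_hash()/password_verify() instead of a string comparison.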

  2. Provide a mechanism for adding new users to the database.

    Add a "Register Me" button and a place for the user to enter his/her name to the form. If the button is clicked and the name, email, and password fields are all non-blank, create an object containing all three values, and send it as a JSON-encoded string to the server to add the user to the database. The PHP code checks that the email address is valid and does not already exist in the database, and adds the user if it is unique. Be sure to sanitize all user input to prevent SQL injection attacks as described above.

    INSERT INTO users (name, email, password) VALUES ('Mr. Scott', 'scotty@beammeup.com', 'prosper')

    As mentioned in class, you can have the database provide the uniqueness test by adding a “unique” constraint to the email column of the users table. A call to pg_affected_rows() will then tell you whether the INSERT query was successful or not.

    You should validate the email address on the JavaScript side. It is critical that you validate it on the PHP side to prevent illegal email addresses from getting into the database.
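The registration handler, as an added example that is not part of the assignment's own code. It assumes the client sends a JSON object with `name`, `email` and `password`, that `$dbconn` is an open pg_connect() resource, and that the users table carries the “unique” constraint on email mentioned above; the ON CONFLICT clause (PostgreSQL 9.5 or later) is what makes pg_affected_rows() report a duplicate as zero rows.

```php
<?php
// Added example (not the course's own code): the registration handler.
// Assumes the client POSTs {"name": "...", "email": "...", "password": "..."},
// that $dbconn is an open pg_connect() resource, and that users.email has
// a UNIQUE constraint as suggested in the text.

// Server-side email check.  The JavaScript check can be bypassed, so this
// is the one that actually keeps bad addresses out of the database.
function valid_email(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns 'added', 'duplicate' or 'invalid'.
function register_user($dbconn, array $req): string {
    foreach (['name', 'email', 'password'] as $field) {
        if (!isset($req[$field]) || trim($req[$field]) === '') {
            return 'invalid';                  // all three fields must be non-blank
        }
    }
    $email = trim($req['email']);
    if (!valid_email($email)) {
        return 'invalid';
    }
    // The assignment's sanitizing step (on PHP < 5.4 first undo magic quotes
    // with stripslashes(), as in the change-password recipe).
    $name = htmlentities($req['name'], ENT_QUOTES, 'UTF-8');
    $pass = htmlentities($req['password'], ENT_QUOTES, 'UTF-8');
    // ON CONFLICT DO NOTHING (PostgreSQL 9.5+) turns a duplicate email into a
    // successful query that affects zero rows, so pg_affected_rows() can tell
    // "added" from "already registered".  The values are bound with
    // pg_query_params() rather than spliced into the SQL string.
    $res = pg_query_params($dbconn,
        'INSERT INTO users (name, email, password) VALUES ($1, $2, $3)
         ON CONFLICT (email) DO NOTHING', [$name, $email, $pass]);
    if ($res === false) {
        return 'invalid';                      // the query failed for another reason
    }
    return pg_affected_rows($res) === 1 ? 'added' : 'duplicate';
}

$request = json_decode(file_get_contents('php://input'), true);
header('Content-type: application/json; charset=utf-8');
echo json_encode(['status' => is_array($request)
    ? register_user($dbconn, $request) : 'invalid']);
```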

  3. Create a table containing a list of comments; let users add comments.

    Use pgAdmin3 to add a table named “comments” to your database with the following columns: id (type serial, not null, no default value); user_id (type integer, not null, no default value); comment_date (type date, not null, default value of now() ); and comment_text (type text, not null, no default value).

    Add the following constraints to the table: make id the primary key, and add a foreign key constraint so that user_id references the id column of the “users” table.

    Add a textarea element to the form once the user has logged in. Create an object with the user’s id and the value of the textarea and send it to your PHP server, which sanitizes the text of the comment_text and inserts it into the database using a query like:

    INSERT INTO comments VALUES ( DEFAULT, 8, DEFAULT, 'This is my very first comment!' )

    In this example, I omitted the column names and used the special value DEFAULT for the id (which is generated automatically by the serial data type) and for comment_date (which is generated automatically by the now() specification for the default value).

    Your PHP code should impose a reasonable limit on how long a comment can be.

    Verify that the program works by browsing your tables using pgAdmin3.

  4. Add the ability to browse existing comments.

    When the user selects this option from your newly expanded user interface, your PHP server returns an array of objects, each of which contains the name of the person who made the comment, the date, and the comment itself. The JavaScript code generates a table with one row for each element of the array. Use CSS to format the table nicely.
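The PHP side of items 3 and 4 together, as an added example that is not part of the assignment's own code. It assumes `$dbconn` is an open pg_connect() resource, the “comments” table described in item 3, and a JSON request carrying either `action: "add"` with `user_id` and `comment_text`, or `action: "list"`; the limit of 1000 characters is an assumed value.

```php
<?php
// Added example (not the course's own code): adding and listing comments.
// Assumes $dbconn is an open pg_connect() resource, the "comments" table
// from item 3, and a JSON request such as
// {"action": "add", "user_id": 8, "comment_text": "..."} or {"action": "list"}.

const MAX_COMMENT_LENGTH = 1000;   // the "reasonable limit"; an assumed value

// Returns true if the comment was stored.  id and comment_date are left to
// their column defaults, exactly like DEFAULT in the assignment's query.
function add_comment($dbconn, int $user_id, string $text): bool {
    $text = trim($text);
    // Enforce the limit on what the user typed, before entity encoding
    // lengthens the string.
    if ($text === '' || mb_strlen($text, 'UTF-8') > MAX_COMMENT_LENGTH) {
        return false;
    }
    $text = htmlentities($text, ENT_QUOTES, 'UTF-8');   // assignment's recipe
    $res = pg_query_params($dbconn,
        'INSERT INTO comments (user_id, comment_text) VALUES ($1, $2)',
        [$user_id, $text]);
    return $res !== false && pg_affected_rows($res) === 1;
}

// Returns the array of {name, date, comment} objects for item 4.  The join
// turns user_id back into the commenter's name; the foreign key guarantees
// that every comment has a matching user row.
function list_comments($dbconn): array {
    $res = pg_query($dbconn,
        'SELECT u.name, c.comment_date, c.comment_text
           FROM comments c JOIN users u ON u.id = c.user_id
          ORDER BY c.comment_date DESC, c.id DESC');
    $out = [];
    while ($res && ($row = pg_fetch_assoc($res))) {
        $out[] = ['name'    => $row['name'],
                  'date'    => $row['comment_date'],
                  'comment' => $row['comment_text']];
    }
    return $out;
}

$req = json_decode(file_get_contents('php://input'), true) ?: [];
header('Content-type: application/json; charset=utf-8');
if (($req['action'] ?? '') === 'add') {
    $ok = isset($req['user_id'], $req['comment_text'])
        && add_comment($dbconn, (int) $req['user_id'], (string) $req['comment_text']);
    echo json_encode(['added' => $ok]);
} else {
    echo json_encode(list_comments($dbconn));
}
```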

Submit the Assignment

When you have built and tested your web page, send me an email message saying your assignment is ready; I will get a copy from your account on the server and check it out. Send your email to:

Christopher.VickeryATqc.cuny.edu

Be sure the Subject Line of your email says CS-90.3 Assignment 4, just like that, to be sure your message does not get trapped by my spam filters.

Be sure to sign your email so I can tell who sent it!