This is a multipart assignment in which you will develop a secure login mechanism for your web site.
css for the stylesheet(s) for the project, and create an index page that will contain the login form for the project.
You will need to decide whether the PHP code for processing the form data will be in a separate file or embedded in the index page. Either approach is all right, and you do not have to make that decision just yet.
display_form_data.php in the project directory. Use the POST method. Include a text input element for the user’s name and a password input element for the user’s password. Include a fieldset with legend, labels for the two inputs, and a submit button that says “Login.” Use the tabindex attribute on the input and button elements so that the tab key takes users first to the password, then to the username, and then to the submit button.
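As an added example (not one of the assignment's own files), an index.php that carries the form described above; the stylesheet name css/style.css is assumed:

```php
<?php
// Added example (not the course's own index page): the login form described
// above. The action is display_form_data.php; the tabindex values make the
// tab key visit the password box first, then the user name, then the button.
// The stylesheet path css/style.css is an assumption.
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Login</title>
  <link rel="stylesheet" href="css/style.css">
</head>
<body>
<form action="display_form_data.php" method="post">
  <fieldset>
    <legend>Login</legend>
    <p>
      <label for="username">User name</label>
      <!-- tabindex 2: reached second, after the password box -->
      <input type="text" id="username" name="username" tabindex="2" required>
    </p>
    <p>
      <label for="password">Password</label>
      <!-- tabindex 1: the tab key lands here first -->
      <input type="password" id="password" name="password" tabindex="1" required>
    </p>
    <!-- tabindex 3: the submit button comes last -->
    <button type="submit" tabindex="3">Login</button>
  </fieldset>
</form>
</body>
</html>
```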
This is an academic exercise: the tab sequence is strange, and there are questions about using legends and fieldsets, which can be mimicked using CSS. The idea is to give you some experience with these features so you can decide what role they will (or will not) play in your later career.
display_form_data.php page. If the $_POST array is not available, display a page title saying there is no form data instead.
For example, the first statement below replaces all double quote characters that are at the beginning of a string (^) or preceded by whitespace (\s) with left curly quotes. The parentheses around ^|\s capture that part of the matched string so that it can be re-inserted before the “ by using $1 in the replacement string. The second statement simply replaces any remaining double quotes with right curly quotes. Just change the double quotes to single quotes for this part of the assignment.
$returnVal = preg_replace('/(^|\s)"/', '$1“', $returnVal);
$returnVal = str_replace('"', '”', $returnVal);
To paraphrase an old joke:
Prevent cross-site scripting attacks by converting all ampersand (&), less-than (<), and greater-than (>) characters to XML character entities (&amp;, &lt;, and &gt;, respectively).
While you’re at it, convert straight double quotes (") to curly quotes as well (“ or ”).
Use your sanitize() function to convert all form data into “safe” strings which, except for the conversion to curly quotes and substitution of em dashes for double dashes, look just like what the user typed into the form.
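An added sanitize() function, not the course's own code, that puts the steps above together: entity-escape &, < and >, curl the double and single quotes with the two-statement approach shown earlier, and replace double dashes with an em dash. It assumes the input is UTF-8 text taken from $_POST:

```php
<?php
// Added example (not the assignment's own code): sanitize() as described in
// the text. Order matters: the entity escaping runs first so that the
// curly-quote steps never see a quote that htmlspecialchars() has touched.
function sanitize(string $value): string
{
    // 1. Escape the three characters that matter for XSS: & < >.
    //    ENT_NOQUOTES leaves " and ' alone for the curly-quote steps below.
    $returnVal = htmlspecialchars($value, ENT_NOQUOTES, 'UTF-8');

    // 2. A double quote at the start of the string (^) or after whitespace
    //    (\s) opens a quotation: make it a left curly quote. $1 re-inserts
    //    the captured anchor (empty string or the whitespace character).
    $returnVal = preg_replace('/(^|\s)"/', '$1“', $returnVal);

    // 3. Any double quote still left closes a quotation.
    $returnVal = str_replace('"', '”', $returnVal);

    // 4. The same two statements with single quotes; an apostrophe inside a
    //    word (don't) falls through to the closing-quote case, which is what
    //    a typesetter would use there anyway.
    $returnVal = preg_replace('/(^|\s)\'/', '$1‘', $returnVal);
    $returnVal = str_replace("'", '’', $returnVal);

    // 5. Double dash becomes an em dash.
    return str_replace('--', '—', $returnVal);
}

// Usage in display_form_data.php: sanitize every string field that was posted,
// so the table shows what the user typed, minus anything the browser would
// interpret as markup.
$clean = array_map('sanitize', array_filter($_POST, 'is_string'));
```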
display_form_data.php page.
You can’t completely test this code for correctness until you set up a database to save user names and passwords.
I have written a mini-tutorial on using SQLite3 with PHP to help you get started.
I have set up an empty SQLite3 database that your code can read and write in your home directory: it’s called cs903.db. Since your project directory is two levels below your home directory, use ../../cs903.db to open it.
display_form_data.php
If the user is already in the database, check that the password the user supplied is correct. If it is, display a message greeting the user by name before displaying the table with the form data. If not, display a statement saying that the login failed before displaying the form data.
This is a somewhat open-ended part of the assignment, with a required portion plus some ideas for extra features you may add to your project for extra credit—if you have time.
If you have not done so already, this step will require you to put the code for checking the form data at the top of the display form data page, before the HTTP headers get sent, because the header() function cannot be called once any part of the response message has been output. [Actually, PHP provides a mechanism called “output buffering” that could be used, but it’s not worth the trouble in this case.]
Code to save an error message in a session variable and redirect the user to the index page:
$_SESSION['error_msg'] = "This is a meaningful error message";
header('Location: index.php');
exit;
As discussed in class, you will have to call the session_start() function at the start of both the index page and the display form data page in order to establish communication between them.
And you will need to modify the index page to display the error message if there is one. Once an error message has been displayed, it should be deleted: unset($_SESSION['error_msg']), for example.
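An added example, not the course's own code, of the top of display_form_data.php that performs the database check described earlier and the session-based redirect described just above, all before any HTML is sent. The users table schema and the use of password_hash()/password_verify() for stored passwords are assumptions; the assignment fixes neither.

```php
<?php
// Added example (not the course's own code) for the top of
// display_form_data.php: open ../../cs903.db, register a new user or check
// an existing user's password, and on failure leave a message in the
// session and redirect back to index.php before any output is sent.
// Assumptions: the users table created below, and passwords stored as
// password_hash() digests rather than plaintext.
session_start();

function login_or_register(SQLite3 $db, string $user, string $pass): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS users
               (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

    // Prepared statement: the user name is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $user, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);

    if ($row === false) {
        // New user: store only a salted hash of the password.
        $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
        $ins->bindValue(':u', $user, SQLITE3_TEXT);
        $ins->bindValue(':h', password_hash($pass, PASSWORD_DEFAULT), SQLITE3_TEXT);
        $ins->execute();
        return 'registered';
    }
    // Existing user: constant-time comparison against the stored hash.
    return password_verify($pass, $row['password_hash']) ? 'welcome' : 'failed';
}

function fail_and_redirect(string $msg): void
{
    $_SESSION['error_msg'] = $msg;
    header('Location: index.php');   // must run before any HTML is output
    exit;
}

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if ($user === '' || $pass === '') {
    fail_and_redirect('Please enter both a user name and a password.');
}

$db = new SQLite3('../../cs903.db');
$status = login_or_register($db, $user, $pass);
if ($status === 'failed') {
    fail_and_redirect('Login failed.');
}
// From here on it is safe to send HTML: $status is 'welcome' or 'registered',
// so the greeting and the table of sanitized form data can be displayed.
```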
Instead of just one password field, provide three: one for the current password (to be used by current users), and two for a new password and a repeated new password. New users have to enter the same password in both the new and repeat-new boxes in order to register successfully. Existing users have to enter their current password correctly in order to log in successfully.
UPDATE SQL statement with a WHERE clause to limit the update to just the one user.
Provide a form on the display form data page that users can use to manage their profile information.
Provide administrators with a table showing all the users and the information about them. Allow administrators to delete users and/or to edit any user’s profile.
To receive credit for any optional parts of the assignment that you complete, you must include a message in your email telling me what to look for.
Note: May 21 is the absolute cutoff date for all assignments in this course. Absolutely no credit will be given for work submitted after that date.