It makes sense to start writing code for the project with the file responsible for creating forums. It's important that the script be shown only to users who are logged in and have permission to create new forums. Ensuring the script is available only to users who have logged in is done by including the 401.php file from Chapter 1. You can then decide whether to offer, show, or process the form by checking whether the appropriate permission bit is set in $user->permission. If it isn't, the script terminates with a suitable error message.
include '401.php';

$user = User::getById($_SESSION['userId']);
if (~$user->permission & User::CREATE_FORUM) {
    die('<p>Sorry, you do not have sufficient privileges to create new ' .
        'forums.</p>');
}
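The permission test above relies on bit arithmetic, which is easy to get backwards. The following added example (not the book's code) shows why `~$user->permission & User::CREATE_FORUM` is non-zero exactly when the bit is missing, using a stand-in class whose constant values are assumptions; the book's User class may assign different bits.

```php
<?php
// Added example, not the book's code. DemoUser stands in for the book's
// User class; the bit values below are assumed, not taken from the book.
class DemoUser
{
    // Each permission occupies one bit so several fit in one integer column.
    const CREATE_FORUM = 1;   // 0b0001
    const POST_MESSAGE = 2;   // 0b0010
    const DELETE_POST  = 4;   // 0b0100
    const BAN_USER     = 8;   // 0b1000

    public $permission;

    public function __construct($permission)
    {
        $this->permission = (int) $permission;
    }

    // Grant a permission: set the bit with OR.
    public function grant($bit)
    {
        $this->permission |= $bit;
    }

    // Revoke a permission: clear the bit with AND NOT.
    public function revoke($bit)
    {
        $this->permission &= ~$bit;
    }

    // Positive check: the bit is present when AND leaves it set.
    public function can($bit)
    {
        return ($this->permission & $bit) === $bit;
    }
}

// The book's condition. ~ inverts every bit of the stored permission, so
// ANDing with CREATE_FORUM is non-zero precisely when CREATE_FORUM was NOT
// set. It is equivalent to ($permission & $bit) == 0, which reads more
// directly and is harder to misread.
function lacksPermission($permission, $bit)
{
    return (~$permission & $bit) != 0;
}

// A moderator who may post and delete, but not create forums.
$moderator = new DemoUser(DemoUser::POST_MESSAGE | DemoUser::DELETE_POST);
if (lacksPermission($moderator->permission, DemoUser::CREATE_FORUM)) {
    echo "denied: CREATE_FORUM bit is not set\n";
}

// Grant the bit and the same test now passes.
$moderator->grant(DemoUser::CREATE_FORUM);
if (!lacksPermission($moderator->permission, DemoUser::CREATE_FORUM)) {
    echo "allowed: CREATE_FORUM bit is set\n";
}

// Revoking clears only that bit; the other permissions are untouched.
$moderator->revoke(DemoUser::CREATE_FORUM);
if (!$moderator->can(DemoUser::CREATE_FORUM) && $moderator->can(DemoUser::DELETE_POST)) {
    echo "revoked: CREATE_FORUM cleared, DELETE_POST kept\n";
}
```

One thing to keep in mind when the permission value comes from a database row: cast it to an integer before the bit test, as the example's constructor does. A string such as "0" or a NULL from a missing join behaves differently under `~` than the integer the check expects.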
The script then goes on to collect the name and brief description from the user through a form and creates the forum record in the database.
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
 <div>
  <label for="forum_name">Forum Name:</label>
  <input type="text" id="forum_name" name="forum_name"/><br/>
  <label for="forum_desc">Description:</label>
  <input type="text" id="forum_desc" name="forum_desc"/><br/>
  <input type="hidden" name="submitted" value="true"/>
  <input type="submit" value="Create"/>
 </div>
</form>
When the form is submitted, the information is validated and, if valid, added to the database. If it isn't valid, a message can be displayed back to the user stating that the values should be corrected and resubmitted. The form can be modified to repopulate the fields in this case, even when the data is invalid, so the user doesn't have to type it all again, making it easier to correct the entries.
Here is the complete code for public_files/add_forum.php:
<?php
// include shared code
include '../lib/common.php';
include '../lib/db.php';
include '../lib/functions.php';
include '../lib/User.php';

// 401 file included because user should be logged in to access this page
include '401.php';

// user must have appropriate permissions to use this page
$user = User::getById($_SESSION['userId']);
if (~$user->permission & User::CREATE_FORUM) {
    die('<p>Sorry, you do not have sufficient privileges to create new ' .
        'forums.</p>');
}

// validate incoming values
$forum_name = (isset($_POST['forum_name'])) ? trim($_POST['forum_name']) : '';
$forum_desc = (isset($_POST['forum_desc'])) ? trim($_POST['forum_desc']) : '';

// add entry to the database if the form was submitted and the necessary
// values were supplied in the form
if (isset($_POST['submitted']) && $forum_name && $forum_desc) {
    $query = sprintf('INSERT INTO %sFORUM (FORUM_NAME, DESCRIPTION) ' .
        'VALUES ("%s", "%s")',
        DB_TBL_PREFIX,
        mysql_real_escape_string($forum_name, $GLOBALS['DB']),
        mysql_real_escape_string($forum_desc, $GLOBALS['DB']));
    mysql_query($query, $GLOBALS['DB']);

    // redirect user to list of forums after new record has been stored
    // (exit so the rest of the page is not generated after the redirect)
    header('Location: view.php');
    exit;
}
// form was submitted but not all the information was correctly filled in
else if (isset($_POST['submitted'])) {
    $message = '<p>Not all information was provided. Please correct ' .
        'and resubmit.</p>';
}

// generate the form
ob_start();
if (isset($message)) {
    echo $message;
}
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
 <div>
  <label for="forum_name">Forum Name:</label>
  <input type="text" id="forum_name" name="forum_name"
   value="<?php echo htmlspecialchars($forum_name); ?>"/><br/>
  <label for="forum_desc">Description:</label>
  <input type="text" id="forum_desc" name="forum_desc"
   value="<?php echo htmlspecialchars($forum_desc); ?>"/><br/>
  <input type="hidden" name="submitted" value="true"/>
  <input type="submit" value="Create"/>
 </div>
</form>
<?php
$GLOBALS['TEMPLATE']['content'] = ob_get_clean();

// display the page
include '../templates/template-page.php';
?>
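The listing builds its INSERT with sprintf() and mysql_real_escape_string(). The added example below (not the book's code) shows the same validate-then-insert step written with a PDO prepared statement, so the submitted values are bound as parameters and never become part of the SQL text. It uses an in-memory SQLite database so it runs stand-alone; the table layout mirrors the FORUM table from the listing, but the column types, the prefix value and the sample form submission are constructed for this example.

```php
<?php
// Added example, not the book's code. The table columns match the listing's
// INSERT; the types, the 'FORUM_' prefix and the sample POST are assumptions.

// Create the table the listing inserts into (SQLite syntax for this demo).
function createForumTable(PDO $db, $prefix)
{
    $db->exec("CREATE TABLE {$prefix}FORUM (
        FORUM_ID    INTEGER PRIMARY KEY AUTOINCREMENT,
        FORUM_NAME  VARCHAR(80)  NOT NULL,
        DESCRIPTION VARCHAR(255) NOT NULL
    )");
}

// Same validation as the listing (trim, require both fields), plus a length
// cap so oversized input is rejected before it reaches the database.
// Returns the cleaned values, or null when the submission is incomplete.
function validateForumInput(array $post)
{
    $name = isset($post['forum_name']) ? trim($post['forum_name']) : '';
    $desc = isset($post['forum_desc']) ? trim($post['forum_desc']) : '';
    if ($name === '' || $desc === '' || strlen($name) > 80 || strlen($desc) > 255) {
        return null;
    }
    return array('forum_name' => $name, 'forum_desc' => $desc);
}

// Insert with bound parameters. The prefix comes from application config
// (DB_TBL_PREFIX in the book), not from the user, so interpolating it is fine;
// the two user-supplied strings are bound, never concatenated.
function createForum(PDO $db, $prefix, array $values)
{
    $stmt = $db->prepare(
        "INSERT INTO {$prefix}FORUM (FORUM_NAME, DESCRIPTION) VALUES (:name, :desc)"
    );
    $stmt->bindValue(':name', $values['forum_name'], PDO::PARAM_STR);
    $stmt->bindValue(':desc', $values['forum_desc'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Read a row back, again through a bound parameter.
function fetchForum(PDO $db, $prefix, $id)
{
    $stmt = $db->prepare("SELECT FORUM_NAME, DESCRIPTION FROM {$prefix}FORUM WHERE FORUM_ID = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$prefix = 'FORUM_';            // constructed stand-in for DB_TBL_PREFIX
createForumTable($db, $prefix);

// Constructed form submission in place of $_POST. The quotes in the name are
// stored literally because the value travels as a bound parameter.
$fakePost = array(
    'submitted'  => 'true',
    'forum_name' => 'O\'Brien\'s "Corner"',
    'forum_desc' => 'General discussion',
);

$values = validateForumInput($fakePost);
if ($values === null) {
    // In the web script this is where $message is set and the form is shown
    // again with the submitted values echoed through htmlspecialchars().
    echo "Not all information was provided. Please correct and resubmit.\n";
} else {
    $id  = createForum($db, $prefix, $values);
    $row = fetchForum($db, $prefix, $id);
    echo "Stored forum #{$id}: {$row['FORUM_NAME']} - {$row['DESCRIPTION']}\n";
    // In the web script this branch ends with: header('Location: view.php'); exit;
}
```

The structure is deliberately the same as the listing: validate, insert, redirect or redisplay. What changes is that the escaping step disappears, because a bound parameter is sent to the server separately from the statement and cannot alter its structure, regardless of what characters the user typed.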
Figure 2-1 shows the adding of a new forum through the form.