Your next steps are to modify update.inc.php to check whether the login credentials supplied via the login form are valid; if they are, you set $_SESSION['loggedin'] to 1, which causes all administrative links and actions to become available to the user.
In update.inc.php, you add an else if block that checks whether it was the POST method that submitted the login form. You do this by checking whether the value of $_POST['action'] is set to login and whether the values of the username and password fields were submitted with values.
If these criteria are met, you load the database credentials and open a connection. Next, you set up a SQL query that gets the number of matches found by comparing the submitted username and the SHA1() hash of the submitted password against the database.
NOTE
You must check the SHA1() hash of the password because that's what you saved in the database. There's no way to reverse a SHA1() hash, but the encryption algorithm always returns the same hash for a given string.
The user is authorized to view the blog if a match is returned, whereupon you can add $_SESSION['loggedin'] to the session and set its value to 1.
To accomplish this, you use session_start() at the top of update.inc.php, then add the else if block at the bottom, just above your block that checks whether you're creating a user.
Modify update.inc.php by adding the code in bold:
<?php // Start the session session_start(); // Include the functions so we can create a URL include_once 'functions.inc.php'; // Include the image handling class include_once 'images.inc.php'; if($_SERVER['REQUEST_METHOD']=='POST' && $_POST['submit']=='Save Entry' && !empty($_POST['page']) && !empty($_POST['title']) && !empty($_POST['entry'])) { // Create a URL to save in the database $url = makeUrl($_POST['title']); if(strlen($_FILES['image']['tmp_name']) > 0) { try { // Instantiate the class and set a save dir $image = new ImageHandler("/simple_blog/images/"); // Process the uploaded image and save the returned path $img_path = $image->processUploadedImage($_FILES['image']); }
catch(Exception $e) { // If an error occurred, output our custom error message die($e->getMessage()); } } else { // Avoids a notice if no image was uploaded $img_path = NULL; } // Include database credentials and connect to the database include_once 'db.inc.php'; $db = new PDO(DB_INFO, DB_USER, DB_PASS); // Edit an existing entry if(!empty($_POST['id'])) { $sql = "UPDATE entries SET title=?, image=?, entry=?, url=? WHERE id=? LIMIT 1"; $stmt = $db->prepare($sql); $stmt->execute( array( $_POST['title'], $img_path, $_POST['entry'], $url, $_POST['id'] ) ); $stmt->closeCursor(); }
// Create a new entry else { // Save the entry into the database $sql = "INSERT INTO entries (page, title, image, entry, url) VALUES (?, ?, ?, ?, ?)"; $stmt = $db->prepare($sql); $stmt->execute( array( $_POST['page'], $_POST['title'], $img_path, $_POST['entry'], $url ) ); $stmt->closeCursor(); } // Sanitize the page information for use in the success URL $page = htmlentities(strip_tags($_POST['page'])); // Send the user to the new entry header('Location: /simple_blog/'.$page.'/'.$url); exit; } // If a comment is being posted, handle it here else if($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['submit'] == 'Post Comment') { // Include and instantiate the Comments class include_once 'comments.inc.php'; $comments = new Comments(); // Save the comment if($comments->saveComment($_POST)) { // If available, store the entry the user came from if(isset($_SERVER['HTTP_REFERER'])) { $loc = $_SERVER['HTTP_REFERER']; }
else { $loc = '../'; } // Send the user back to the entry header('Location: '.$loc); exit; } // If saving fails, output an error message else { exit('Something went wrong while saving the comment.'), } } // If the delete link is clicked on a comment, confirm it here else if($_GET['action'] == 'comment_delete') { // Include and instantiate the Comments class include_once 'comments.inc.php'; $comments = new Comments(); echo $comments->confirmDelete($_GET['id']); exit; } // If the confirmDelete() form was submitted, handle it here else if($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['action'] == 'comment_delete') { // If set, store the entry from which we came $loc = isset($_POST['url']) ? $_POST['url'] : '../'; // If the user clicked "Yes", continue with deletion if($_POST['confirm'] == "Yes") { // Include and instantiate the Comments class include_once 'comments.inc.php'; $comments = new Comments();
// Delete the comment and return to the entry if($comments->deleteComment($_POST['id'])) { header('Location: '.$loc); exit; } // If deleting fails, output an error message else { exit('Could not delete the comment.'), } } // If the user didn't click "Yes", do nothing and return to the entry else { header('Location: '.$loc); exit; } } // If a user is trying to log in, check it here else if($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['action'] == 'login' && !empty($_POST['username']) && !empty($_POST['password'])) { // Include database credentials and connect to the database include_once 'db.inc.php'; $db = new PDO(DB_INFO, DB_USER, DB_PASS); $sql = "SELECT COUNT(*) AS num_users FROM admin WHERE username=? AND password=SHA1(?)"; $stmt = $db->prepare($sql); $stmt->execute(array($_POST['username'], $_POST['password'])); $response = $stmt->fetch(); if($response['num_users'] > 0) { $_SESSION['loggedin'] = 1; }
else { $_SESSION['loggedin'] = NULL; } header('Location: /simple_blog/'), exit; } // If an admin is being created, save it here else if($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['action'] == 'createuser' && !empty($_POST['username']) && !empty($_POST['password'])) { // Include database credentials and connect to the database include_once 'db.inc.php'; $db = new PDO(DB_INFO, DB_USER, DB_PASS); $sql = "INSERT INTO admin (username, password) VALUES(?, SHA1(?))"; $stmt = $db->prepare($sql); $stmt->execute(array($_POST['username'], $_POST['password'])); header('Location: /simple_blog/'), exit; } else { header('Location: ../'), exit; } ?>
You can test this code by navigating to http://localhost/simple_blog/admin and entering the username and password you inserted into the database previously (both values were set to admin). This redirects you to the main page and makes the Post a New Entry link visible again. If you open an entry, you can see that all the administrative links are visible again (see Figure 11-6).
3.148.144.228