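"email me and ask", // YOU!
"Annie"=>"secret" );
/* Have we got a valid username: the session's 'enteredby' must be one of the keys of
   $allowed. is_string() guards array_key_exists(), which only accepts string/int keys. */
$gotusername = isset($_SESSION['enteredby'])
    && is_string($_SESSION['enteredby'])
    && array_key_exists($_SESSION['enteredby'], $allowed);
/* And is the password right for that user. hash_equals() is a strict, constant-time string
   comparison; the loose == used before treated numeric-looking strings as equal
   ("0e1" == "0e2") and its early exit leaked timing. Both operands must be strings, so a
   non-string session value (e.g. pwd submitted as an array) is rejected instead of juggled. */
$gotpwd = $gotusername
    && isset($_SESSION['pwd'])
    && is_string($_SESSION['pwd'])
    && hash_equals((string) $allowed[$_SESSION['enteredby']], $_SESSION['pwd']);
// Write out the XML and doctype lines (their content was lost in extraction; kept empty as found)
$doctype = '';
$xml = "";
echo $xml . "\n" . $doctype . "\n";
?> Manage food database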

Manage food

Logged in as ' . $_SESSION['enteredby'] . '

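'; } else {
    /* Not authenticated: tell the user why. The markup that surrounded these messages was
       lost in extraction, so only the text is reproduced. */
    if ($gotusername) {
        echo '

Password not recognised.

';
        session_destroy(); // So that form data is removed from session
    } elseif (isset($_SESSION['pwd'])) {
        /* This name failed the $allowed lookup, so it is arbitrary user input rather than one
           of our keys: escape it before echoing it back (it was printed raw before). */
        $badName = is_string($_SESSION['enteredby'] ?? null) ? $_SESSION['enteredby'] : '';
        echo '

User name ' . htmlspecialchars($badName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ' not recognised.

';
        session_destroy();
    } else {
        echo '

Not logged in; you may not enter data.

';
    }
} ?>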
ENTER YOUR NAME:

'; echo '

ENTER PASSWORD:

'; echo '

'; } /* If user is logged in, then display the form for adding/updating/deleting entries in the database, plus logout button Delete button is on the same line as the ref no. because deleting an entry just takes that number, and ignores the rest of the fields Restrict user entry whenever possible (use Foodtype: Category: Manufacturer: Packaging: Weight: g Description: Price:£ '; // Buttons... echo '

'; echo '

'; } echo "
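";
/* Read the values from the $_POST variable passed from the form.
   Every value reaches PostgreSQL through pg_query_params() below, so nothing is escaped here:
   the driver sends the parameters separately from the SQL text, which is what stops ; " and '
   in a field from altering the statement. Previously only the text fields went through
   pg_escape_string() (called without a connection handle) while $ref, $weight and $price
   were interpolated raw into the SQL. */
$ref = $_POST['ref'] ?? '';
$foodtype = $_POST['foodtype'] ?? '';
$category = $_POST['category'] ?? '';
$manufacturer = $_POST['manufacturer'] ?? '';
$packaging = $_POST['packaging'] ?? '';
$weight = $_POST['weight'] ?? '';
$description = $_POST['description'] ?? '';
$price = $_POST['price'] ?? '';
$update = $_POST['update'] ?? null;
$enteredby = $_SESSION['enteredby'] ?? '';
// $ref is echoed back into the page below, so escape it for HTML (it came straight from the request).
$safeRef = htmlspecialchars((string) $ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
if ($gotpwd) {
    /* Valid password entered into form, so open database under account ais which has write
       permissions on the database table.
       NOTE(review): the connection string, password included, is hard-coded in the script
       (kept verbatim here); it belongs in a config file outside the web root. */
    $con = pg_connect("host=db.dcs.aber.ac.uk port=5432 dbname=teaching user=ais password=PASSWORD");
    if (!$con) { // Failed to open database table. No point in continuing - write out error
        // The old test read the bare name `con` (an undefined constant), so it never fired.
        // pg_connect() reports the failure itself as a warning; there is no handle to query.
        die('Could not connect to the database');
    }
    /* If the reference number is set, we assume user is adding or updating an entry
       (even if all the rest of the fields were empty). */
    if ($ref) {
        // $ref is bound as $1, so the manual quoting the old code needed is gone.
        $res = pg_query_params($con, 'SELECT * FROM food WHERE ref = $1', [$ref]);
        if ($res && pg_fetch_array($res)) { // ie it's already in the database, so update it
            if (isset($_POST['delete'])) {
                echo "Found $safeRef; deleting it.";
                $res = pg_query_params($con, 'DELETE FROM food WHERE ref = $1', [$ref]);
            } else {
                // Do the updating of the database - add (or replace) the entry.
                // Note we're assuming that any other submit was an add/replace.
                // One UPDATE sets every column; the old code issued eight separate UPDATEs for the same row.
                echo "Ref $safeRef already exists, updating entry.";
                $res = pg_query_params(
                    $con,
                    'UPDATE food SET foodtype = $1, category = $2, manufacturer = $3, packaging = $4, '
                    . 'weight = $5, description = $6, price = $7, enteredby = $8 WHERE ref = $9',
                    [$foodtype, $category, $manufacturer, $packaging, $weight, $description, $price, $enteredby, $ref]
                );
            }
        } else { // it's not in the database yet
            if (isset($_POST['delete'])) { // User tried to delete something that wasn't there
                echo "I couldn't find that item to delete!";
            } else { // User is adding, so insert it
                // Note we are assuming that if the submit button pressed wasn't the delete button,
                // then it was the Add/replace button. That's OK, but if we add another submit
                // button in the future, it would cause an issue.
                // An empty weight or price makes the server reject the row, as the unquoted
                // values did before; the INSERT then returns false and nothing is stored.
                echo "Added new data, reference $safeRef";
                $res = pg_query_params(
                    $con,
                    'INSERT INTO food VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)',
                    [$ref, $foodtype, $category, $manufacturer, $packaging, $weight, $description, $price, $enteredby]
                );
            }
        }
    } else { // User entered nothing into ref field of form
        echo "You may update the database. Use a reference number which hasn't been used before to add, or use an existing reference number to update. 
To delete an entry, just enter a reference number and select Delete.";
    }
} else { // Not got (correct) password yet so connect to database with csguest account
    echo "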

Enter password to update the database!

"; /* Read-only connection for the listing below (credentials hard-coded in the script, as above).
      NOTE(review): `if (!con)` tests the bare name con, not $con. An undefined constant is the
      truthy string "con" in PHP 7 (with a warning) and throws an Error in PHP 8, so the failed-
      connection branch never runs as intended; it should read `if (!$con)`. The same test is in
      the write-path branch above. */ $con=pg_connect("host=db.dcs.aber.ac.uk port=5432 dbname=teaching user=csguest password=PASSWORD"); if (!con) { die('Could not connect: ' . pg_error()); } } /* Whether or not we have a valid password, write out contents of database (if we have authenticated, this is done under user ais. If not, csguest) */ echo "
\n"; /* Row count query: takes no user input, so plain pg_query() is fine here. */ $res = pg_query ($con, "select count(ref) from food"); $a=pg_fetch_row($res); echo "

Total " . $a[0] . " items in database.

"; echo "\n\n\n"; echo "\n"; echo "\n\n\n"; /* List every row. Each cell goes through htmlspecialchars() so stored data cannot inject markup into the page. The table markup was lost in extraction (the empty echo "" strings), and the header labels and the per-cell expression on the two lines after the loop appear to have been displaced out of the loop by that extraction. */ $res=pg_query($con, "SELECT * from food ORDER BY ref"); while ($a = pg_fetch_array ($res)) { echo ""; for ($j = 0; $j < pg_num_fields($res); $j++) { // htmlspecialchars converts things like & to HTML entity codes echo ""; } echo "\n"; } echo "\n
Ref CodeFoodtypeCategoryManufacturerPackagingWeightDescriptionPriceEntered by
" . htmlspecialchars($a[$j], ENT_QUOTES) . "
"; ?>

Valid XHTML 1.0 Transitional