"email me and ask", // YOU!
"Annie"=>"secret" );
// NOTE(review): $allowed evidently maps user names to plain-text passwords kept in the page
// source itself (see the "Annie"=>"secret" entry above). Anyone who can read this file holds
// every credential; the usual remedy is to store password_hash() digests in a file outside the
// web root and check them with password_verify(). The array starts above this fragment, so its
// full contents cannot be confirmed from here.
// Have we got a valid username... (a name only counts if it is a key of $allowed)
$gotusername=((isset($_SESSION['enteredby']))&&(array_key_exists($_SESSION['enteredby'], $allowed)));
// And is the password right for that user...
// NOTE(review): this is a loose (==) comparison of two strings. PHP compares numeric-looking
// strings numerically ('1e3' == '1000'), so certain non-matching passwords would be accepted;
// hash_equals() (strict and constant-time), or password_verify() with hashed storage, is the
// safer check. Because the comparison is against the plain-text value, $_SESSION['pwd'] must
// itself hold the plain-text password for the life of the session.
$gotpwd=((isset($_SESSION['pwd']))&&($gotusername)&&($_SESSION['pwd']==$allowed[$_SESSION['enteredby']]));
// Write out the XML and doctype lines
// NOTE(review): both strings are empty in this copy; the XML declaration and DOCTYPE text
// appear to have been lost when the page was extracted — confirm against the original file.
$doctype=''; $xml=""; echo $xml . "\n" . $doctype . "\n"; ?>
Password not recognised.
'; session_destroy(); // So that form data is removed from session } else if (isset($_SESSION['pwd'])) { echo 'User name ' . $_SESSION['enteredby'] . ' not recognised.
'; session_destroy(); } else { echo 'Not logged in; you may not enter data.
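'; } } ?> ";
/* Read the values from the $_POST variable passed from the form.
   Every value below is handed to PostgreSQL as a bound parameter of pg_query_params(),
   so it is NOT escaped here: calling pg_escape_string() on a value that is then bound
   as a parameter would store the escape characters in the table. A missing field reads
   as '' so that an incomplete form does not raise "undefined index" notices. */
$ref=isset($_POST['ref']) ? $_POST['ref'] : '';
$foodtype=isset($_POST['foodtype']) ? $_POST['foodtype'] : '';
$category=isset($_POST['category']) ? $_POST['category'] : '';
$manufacturer=isset($_POST['manufacturer']) ? $_POST['manufacturer'] : '';
$packaging=isset($_POST['packaging']) ? $_POST['packaging'] : '';
$weight=isset($_POST['weight']) ? $_POST['weight'] : '';
$description=isset($_POST['description']) ? $_POST['description'] : '';
$price=isset($_POST['price']) ? $_POST['price'] : '';
$update=isset($_POST['update']) ? $_POST['update'] : null; // not used in this part of the page; kept for code further down
$enteredby=isset($_SESSION['enteredby']) ? $_SESSION['enteredby'] : '';
// The reference number is echoed back into the page below, so escape it for HTML once here
// (the old code printed the raw POST value, which lets a submitted value inject markup).
$refHtml=htmlspecialchars((string)$ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
if ($gotpwd) {
    /* Valid password entered into form, so open database under account ais which has
       write permissions on the database table. NOTE(review): the connection string, and
       therefore the account password, lives in the page source; keep the real value in a
       configuration file outside the web root. */
    $con=pg_connect("host=db.dcs.aber.ac.uk port=5432 dbname=teaching user=ais password=PASSWORD");
    if (!$con) // Failed to open the database connection. No point in continuing.
    {
        // The old code tested the bare constant `con` (no `$`), so this branch never saw the
        // connection result. The message is deliberately generic: the driver's error text can
        // reveal host and account details to the browser.
        die('Could not connect to the database.');
    }
    /* If the reference number is set, we assume user is adding or updating an entry
       (even if all the rest of the fields were empty). A strict check is used so that a
       reference of "0" still counts as set. */
    if ($ref !== '') {
        // Look the entry up with a bound parameter ($1): the driver quotes it, so the value
        // can never alter the statement. This replaces the old "'".$ref."'" concatenation.
        $res=pg_query_params($con, 'SELECT * FROM food WHERE ref = $1', [$ref]);
        if ($res === false) {
            error_log('food lookup failed: ' . pg_last_error($con));
            die('Database query failed.');
        }
        // $a is referred to further down the page, so it keeps this name.
        if ($a=pg_fetch_array($res)) // ie it's already in the database, so delete or update it
        {
            if (isset($_POST['delete'])) {
                echo "Found $refHtml; deleting it.";
                $res=pg_query_params($con, 'DELETE FROM food WHERE ref = $1', [$ref]);
            } else {
                // Do the updating of the database - replace every column of the entry in one
                // statement (the old code issued eight separate UPDATEs for the same row).
                // Note we're assuming that any other submit was an add/replace.
                echo "Ref $refHtml already exists, updating entry.";
                $res=pg_query_params($con,
                    'UPDATE food SET foodtype = $1, category = $2, manufacturer = $3, packaging = $4, '
                    . 'weight = $5, description = $6, price = $7, enteredby = $8 WHERE ref = $9',
                    [$foodtype, $category, $manufacturer, $packaging, $weight, $description, $price, $enteredby, $ref]);
            }
        } else { // it's not in the database yet
            if (isset($_POST['delete'])) // User tried to delete something that wasn't there
            {
                echo "I couldn't find that item to delete!";
            } else { // User is adding, so insert it
                // Note we are assuming that if the submit button pressed wasn't the delete button,
                // then it was the Add/replace button. That's OK, but if we add another submit
                // button in the future, it would cause an issue.
                // Column order is positional, exactly as in the original INSERT.
                echo "Added new data, reference $refHtml";
                $res=pg_query_params($con,
                    'INSERT INTO food VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)',
                    [$ref, $foodtype, $category, $manufacturer, $packaging, $weight, $description, $price, $enteredby]);
            }
        }
        // The old code never looked at the result of the write; report a failure instead of
        // silently claiming success (for example a non-numeric weight or price is rejected by
        // the server). Details go to the server log, not the browser.
        if ($res === false) {
            error_log('food write failed: ' . pg_last_error($con));
            echo " The database could not be updated.";
        }
    } else { // User entered nothing into ref field of form
        echo "You may update the database. Use a reference number which hasn't been used before to add, or use an existing reference number to update. 
To delete an entry, just enter a reference number and select Delete.";
    }
} else // Not got (correct) password yet so connect to database with csguest account
{
    echo "Enter password to update the database!
";
    $con=pg_connect("host=db.dcs.aber.ac.uk port=5432 dbname=teaching user=csguest password=PASSWORD");
    if (!$con) {
        die('Could not connect to the database.');
    }
}
/* Whether or not we have a valid password, write out contents of database (if we have
   authenticated, this is done under user ais. If not, csguest) */
// NOTE(review): nothing in this block assigns a row count to $a — it holds the last
// pg_fetch_array() result above (or is unset when no ref was submitted), so $a[0] is not the
// item total. Confirm where the count is meant to come from in the original file.
echo "Total " . $a[0] . " items in database.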
"; echo "Ref Code | Foodtype | Category | Manufacturer | Packaging | Weight | Description | Price | Entered by | \n"; echo "
---|---|---|---|---|---|---|---|---|
" . htmlspecialchars($a[$j], ENT_QUOTES) . " | "; } echo "