"email me and ask", // YOU! "Annie"=>"secret" ); // Have we got a valid username... $gotusername=((isset($_SESSION['enteredby']))&&(array_key_exists($_SESSION['enteredby'], $allowed))); // And is the password right for that user... $gotpwd=((isset($_SESSION['pwd']))&&($gotusername)&&($_SESSION['pwd']==$allowed[$_SESSION['enteredby']])); // Write out the XML and doctype lines $doctype=''; $xml=""; echo $xml . "\n" . $doctype . "\n"; ?> Manage videogames database

Manage videogames

Logged in as ' . $_SESSION['enteredby'] . '

'; } else { if ($gotusername) { echo '

Password not recognised.

'; session_destroy(); // So that form data is removed from session } else if (isset($_SESSION['pwd'])) { echo '

User name ' . $_SESSION['enteredby'] . ' not recognised.

'; session_destroy(); } else { echo '

Not logged in; you may not enter data.

'; } } ?>
ENTER YOUR NAME:

'; echo '

ENTER PASSWORD:

'; echo '

'; } /* If user is logged in, then display the form for adding/updating/deleting entries in the database, plus logout button Delete button is on the same line as the ref no. because deleting an entry just takest that number, and ignores the rest of the fields Restrict user entry whenever possible (use Title: Platform: Publisher: Genre: PEGI rating: Description: Price:£ '; // Buttons... echo '

'; echo '

'; } echo "
"; /* Read the values from the $_POST variable passed from the form. Use pg_escape_string to sanitise and ensure no problems with characters like ; and " in variables */ $ref=$_POST['ref']; $title=pg_escape_string($_POST['title']); $platform=pg_escape_string($_POST['platform']); $publisher=pg_escape_string($_POST['publisher']); $genre=pg_escape_string($_POST['genre']); $pegi=$_POST['pegi']; $description=pg_escape_string($_POST['description']); $price=$_POST['price']; $update=$_POST['update']; $enteredby=pg_escape_string($_SESSION['enteredby']); if ($gotpwd) { /* Valid password entered into form, so open database under account ais which has write permissions on the database table */ $con=pg_connect("host=db.dcs.aber.ac.uk port=5432 dbname=teaching user=ais password=PASSWORD"); if (!con) // Failed to open database table. No point in continuing - write out error { die('Could not connect: ' . pg_error()); } /* If the reference number is set, we assume user is adding or updating an entry (even if all the rest of the fields were empty). */ if ($ref) { // Note on the next line (& subsequent), we have forced single quotes around $ref. // This did not used to be required in older versions, and looks a little odd // (see http://forums.yessoftware.com/posts.php?post_id=113033). $res=pg_query($con, "SELECT * from videogames WHERE ref='".$ref."'"); if ($a=pg_fetch_array($res)) // ie it's already in the database, so update it { if (isset($_POST['delete'])) { echo "Found $ref; deleting it."; $res=pg_query($con, "DELETE FROM videogames WHERE ref='".$ref."'"); } else { // Do the updating of the database - add (or replace) the entry // Note we're assuming that any other submit was an add/replace echo "Ref $ref already exists, updating entry."; $res=pg_query($con, "UPDATE videogames SET title='$title' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET platform='$platform' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET publisher='$publisher' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET genre='$genre' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET pegi='$pegi' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET description='$description' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET price='$price' WHERE ref='".$ref."'"); $res=pg_query($con, "UPDATE videogames SET enteredby='$enteredby' WHERE ref='".$ref."'"); } } else { // it's not in the database yet if (isset($_POST['delete'])) // User tried to delete something that wasn't there { echo "I couldn't find that item to delete!"; } else {// User is adding, so insert it // Note we are assuming that if the submit button pressed wasn't the delete button, // then it was the Add/replace button. That's OK, but if we add another submit // button in the future, it would cause an issue echo "Added new data, reference $ref"; $res=pg_query($con, "INSERT INTO videogames VALUES ($ref, '$title', '$platform', '$publisher', '$genre', $pegi, '$description', $price, '$enteredby')"); } } } else { // User entered nothing into ref field of form echo "You may update the database. Use a reference number which hasn't been used before to add, or use an existing reference number to update. To delete an entry, just enter a reference number and select Delete."; } } else // Not got (correct) password yet so connect to database with csguest account { echo "

Enter password to update the database!

"; $con=pg_connect("host=db.dcs.aber.ac.uk port=5432 dbname=teaching user=csguest password=PASSWORD"); if (!con) { die('Could not connect: ' . pg_error()); } } /* Whether or not we have a valid password, write out contents of database (if we have authenticated, this is done under user ais. If not, csguest) */ echo "
\n"; $res = pg_query ($con, "select count(ref) from videogames"); $a=pg_fetch_row($res); echo "

Total " . $a[0] . " items in database.

"; echo "\n\n\n"; echo "\n"; echo "\n\n\n"; $res=pg_query($con, "SELECT * from videogames ORDER BY ref"); while ($a = pg_fetch_array ($res)) { echo ""; for ($j = 0; $j < pg_num_fields($res); $j++) { // htmlspecialchars converts things like & to HTML entity codes echo ""; } echo "\n"; } echo "\n
Ref CodeTitlePlatformPublisherGenrePEGIDescriptionPriceEntered by
" . htmlspecialchars($a[$j], ENT_QUOTES) . "
"; ?>

Valid XHTML 1.0 Transitional