Lecture Notes - Week 11
- 23 - Adding User Logins
Screencasts - Week 11
- Part 1: Creating user table, parameterized queries, page titles
- Part 2: Signup, login, logout
- Part 3: Access restriction, demo, lab
Outline of Topics
- Creating database table for user information
- Create a
- Using page titles to identify our scripts
- Creating new scripts for users:
- Restrict access to adding, editing, and removing students
Since we now have the skills for better securing our web application, let's continue modifying our Student Listing application to add individual logins with the ability to sign up new users. We also want to limit the ability to add, edit, or remove students to administrators, and only let users edit their own information.
Creating database table for user information
To add user logins, we need to create another table in the Student database to hold user information. Let's create a user table that holds the following fields:
It will have two types of access privileges: user and admin. When we sign up a new user, we want to set the default access privileges to user. Any user account you want to have admin privileges must be altered manually in the database table. We also want a default value of CURRENT_TIMESTAMP set for the date_created field, which also gets set when we sign up a new user. Finally, we want a field called studentListing_id for mapping to a new entry in the studentListing table when signing a new user up.
studentListing_id could be set as a foreign_key, but for this example I didn't want to mess with access restrictions, etc.
Since we want to sanitize all our inputs, let's create a script called queryutils.php with a function for creating parameterized queries.
Using page titles to identify our scripts
Going forward, we want to be able to identify our scripts for programmatic decisions we might need to make in the future. For example, we want to restrict the ability to add and remove students to administrators only. However, we do want to allow users to edit their own student details. This is best achieved by creating a script called pagetitles.php to hold constants identifying our scripts and modifying our scripts to use these constants. This will make more sense when we add a navigation menu next week.
Creating new scripts for users
Now we need to create some scripts for signing up new users, allowing them to log in, and log out.
NOTE: We will not be adding any links on our index.php script for users to sign up and log in in this demonstration because next week we will add a navigation menu which will have these links and others. In fact, when we add the navigation menu, we'll remove links back to the main page and the link on the main page for adding a student. For now, that makes our application hard to use; however, we'll fix it next week.
In order to create new users we need to create a signup.php script to get their credentials into the database. Our signup form will look like this:
Logging these users in allows us to create Session variables so we can keep track of our user as long as they're logged in. In order to log these new users in we need to create a login.php script to verify their credentials. Our login form will look like this:
When the user's session is over, we'll want to log them out and clear out their session variables. Let's create a logout.php script to do this.
Restrict access to adding, editing, and removing students
We want to restrict the access to adding, editing, and removing students to administrators. However, we do want to allow the user that is logged in to edit their own student details.
Let's modify our authorizeaccess.php script, so that instead of using HTTP authentication, we'll take a look at the access privileges of the user to determine their access to scripts protected by the authorizeaccess.php script. We'll also allow access to editing the student details if this user's studentListing_id Session variable matches the ID they want to edit.
Finally, let's create an unauthorizedaccess.php script that the user gets redirected to if they try to access a page they don't have privileges to access.
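The access rule described above, written as a standalone function. This is an added example, not the course's authorizeaccess.php: the session key access_privileges, the page-title constants, and the function name are assumptions, while studentListing_id is the session variable named in these notes.

```php
<?php
// Added example. The 'access_privileges' session key, the constants below
// (stand-ins for whatever pagetitles.php defines) and the function name are
// assumptions made for illustration.
const ADD_PAGE    = 'Add Student';
const EDIT_PAGE   = 'Edit Student';
const REMOVE_PAGE = 'Remove Student';

// Decide whether the logged-in user may open a protected script.
// $session is the $_SESSION array, passed in so the rule can be exercised offline.
function isAccessAllowed(array $session, string $pageTitle, ?string $requestedId): bool
{
    // Not logged in: the login script never set the session variables.
    if (!isset($session['access_privileges'])) {
        return false;
    }
    // Administrators may add, edit, and remove any student.
    if ($session['access_privileges'] === 'admin') {
        return true;
    }
    // Ordinary users may only reach the edit script, never add or remove.
    if ($pageTitle !== EDIT_PAGE || !isset($session['studentListing_id'])) {
        return false;
    }
    // Accept digits only, then compare as integers, so a value such as
    // "7abc" is rejected instead of being loosely matched against 7.
    if ($requestedId === null || !ctype_digit($requestedId)) {
        return false;
    }
    return (int) $requestedId === (int) $session['studentListing_id'];
}

// Constructed sample sessions.
$admin = ['access_privileges' => 'admin', 'studentListing_id' => 1];
$user  = ['access_privileges' => 'user',  'studentListing_id' => 7];

var_dump(isAccessAllowed($admin, REMOVE_PAGE, '3'));  // admin removing any student
var_dump(isAccessAllowed($user, EDIT_PAGE, '7'));     // user editing their own record
var_dump(isAccessAllowed($user, EDIT_PAGE, '8'));     // user editing someone else's record
var_dump(isAccessAllowed($user, ADD_PAGE, null));     // user trying to add a student
var_dump(isAccessAllowed([], EDIT_PAGE, '7'));        // visitor who is not logged in
```

In a protected script, a false result would be followed by a redirect to unauthorizedaccess.php and an immediate exit so that none of the protected page runs.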