
Seeding The System - PHP

Electronic documents are all well and good - but when you work on them collaboratively, they can end up being more difficult to handle than ordinary pieces of paper. Multiple versions, competing standards, access permissions and revision history tracking are just some of the issues that arise in a paperless office. This article discusses building and deploying a document management system across your network - and also teaches beginners a little bit about designing Web-based applications with PHP and mySQL in the process.

  1. Cracking The Vault (part 1)
  2. Just Another Day At The Office
  3. An Evil Plan Is Born
  4. Setting The Ground Rules
  5. Design Time
  6. Start Me Up
  7. Entry Points
  8. Seeding The System
  9. Red And Green Clouds
  10. Digging Deeper
  11. Basic Maintenance
  12. The D Word
By: Vikram Vaswani, (c) Melonfire
May 14, 2001



Since "add.php" is a form, the script is divided into two sections; the first section displays the form, while the second section processes the form data.

<?
if(!$submit) {
    // form has not been submitted yet -> display form
?>
<table border="0" cellspacing="5" cellpadding="5">
<form action="<? echo $PHP_SELF; ?>" method="POST" enctype="multipart/form-data">
<tr>
    <td><b>Location</b></td>
    <td colspan=3><input name="file" type="file"></td>
</tr>
<!-- snip! -->
<tr>
    <td valign="top"><b><i>View</i> rights</b></td>
    <td><select name="view[]" multiple>
    <?
    // query to get a list of available users
    $query = "SELECT id, username FROM user ORDER BY username";
    $result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());
    while(list($id, $username) = mysql_fetch_row($result)) {
        $str = "<option value=\"$id\"";
        // pre-select logged-in user's name
        if ($id == $SESSION_UID) {
            $str .= " selected";
        }
        $str .= ">$username</option>";
        echo $str;
    }
    ?>
    </select></td>
</tr>
<!-- snip! -->
</form>
</table>
<?
} else {
    // form processing code
}
?>

A couple of points to be noted about this form. First, since I plan to use this to upload files, I've specified the form encoding type to be "multipart/form-data" and added a form field of type "file". And a little further down, I've queried the database to generate a list of users so that rights can be assigned appropriately. Note how I'm checking each user's ID against the current $SESSION_UID in order to pre-select the current user's name.

Although I'm going to use the results of the SELECT query in two places - to generate a list for both "view" and "modify" rights - it isn't necessary to run the query twice. The mysql_data_seek() function moves the internal pointer of the current resultset back to a given row (row 0 here, the top), so the same result can be iterated again.

<!-- code for "modify" rights user list -->
<td><select name="modify[]" multiple>
<?
// rewind to the first row of the user list fetched above
mysql_data_seek($result, 0);
while(list($id, $username) = mysql_fetch_row($result)) {
    $str = "<option value=\"$id\"";
    if ($id == $SESSION_UID) {
        $str .= " selected";
    }
    $str .= ">$username</option>";
    echo $str;
}
mysql_free_result($result);
mysql_close($connection);
?>
</select></td>

Once the form is submitted, the same script is called; however, since the $submit variable will now exist, the second half of the script springs into action.

<?
if (!$submit) {
    // form
} else {
    // form has been submitted -> process data

    // checks

    // no file!
    if ($file_size <= 0) {
        header("Location: error.php?ec=11");
        exit;
    }

    // no users with view rights!
    if (sizeof($view) <= 0) {
        header("Location: error.php?ec=12");
        exit;
    }

    // no users with modify rights!
    if (sizeof($modify) <= 0) {
        header("Location: error.php?ec=12");
        exit;
    }

    // check file type against the list of allowed MIME types
    // ($this is reserved in PHP and must not be used as a loop variable)
    $allowedFile = 0;
    foreach($allowedFileTypes as $type) {
        if ($file_type == $type) {
            $allowedFile = 1;
            break;
        }
    }

    // illegal file type!
    if ($allowedFile != 1) {
        header("Location: error.php?ec=13");
        exit;
    }

    // all checks completed, proceed!

    // INSERT into db
    $query = "INSERT INTO data (category, owner, realname, created, description, comment) VALUES('$category', '$SESSION_UID', '$file_name', NOW(), '$description', '$comment')";
    $result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());

    // get id from INSERT operation
    $fileId = mysql_insert_id($connection);

    // INSERT user permissions - view
    for($x=0; $x<sizeof($view); $x++) {
        $query = "INSERT INTO perms (fid, uid, rights) VALUES('$fileId', '$view[$x]', '1')";
        $result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());
    }

    // INSERT user permissions - modify
    for($x=0; $x<sizeof($modify); $x++) {
        $query = "INSERT INTO perms (fid, uid, rights) VALUES('$fileId', '$modify[$x]', '2')";
        $result = mysql_db_query($database, $query, $connection) or die ("Error in query: $query. " . mysql_error());
    }

    // use id to generate a file name
    // save uploaded file with new name
    $newFileName = $fileId . ".dat";
    copy($file, $dataDir . $newFileName);

    // back to main page (message is URL-encoded so it survives the redirect)
    $message = "Document successfully added";
    header("Location: out.php?message=" . urlencode($message));
    mysql_close($connection);
}
?>

The first thing to be done is to verify certain file properties - for example, the file size must be greater than zero bytes, and the file must be of an allowed file type. In order to perform these checks, I'm using the four variables created by PHP whenever a file is uploaded - $file is the temporary file name assigned by PHP, $file_size is the size of the uploaded file, $file_type is the MIME type, and $file_name is the original name of the file. Two caveats: these variables only exist when register_globals is enabled (current PHP exposes the same values as $_FILES['file']['tmp_name'], ['size'], ['type'] and ['name']), and $file_type is whatever the browser reported, not something PHP determined from the file's contents, so it should not be the only type check.

Assuming everything checks out OK, I then process the descriptive data entered by the user, INSERT it into the "data" table, process the list of users with "view" and "modify" rights, INSERT this data into the "perms" table, rename the uploaded file and copy it to the storage area, and redirect the browser back to "out.php" with a status message indicating success.

There is an interesting chicken-and-egg situation here that you may be familiar with. I need to rename the newly-uploaded file to "fileID.dat"; however, I can only do this once the record has been inserted into the table and an ID generated for it. Once the ID is generated, I would normally need to query the table again to obtain the ID. However, the mysql_insert_id() function stores the ID generated by the last INSERT operation, and can conveniently be used here.
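The processing branch above relies on register_globals and string-interpolated SQL, both of which current PHP no longer supports or tolerates well. The following is an added example, not code from the original article, showing the same sequence (validate the upload, INSERT the document row, INSERT the permissions, store the file under the generated id, redirect) written for current PHP. It assumes a PDO connection with exception error mode, the article's "data" and "perms" tables and error codes 11/12/13, an upload directory $dataDir outside the web root, the logged-in user's id in $_SESSION['uid'] instead of $SESSION_UID, and a placeholder list of allowed MIME types; the DSN and credentials are placeholders.

```php
<?php
// Added example (not the original article's code): the form-processing branch
// of add.php for current PHP. Connection details below are placeholders.
declare(strict_types=1);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASSWORD',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dataDir = '/var/lib/vault/data';                                     // assumed, outside the web root
$allowedMimeTypes = ['application/pdf', 'text/plain', 'image/png'];   // assumed policy

// Returns the article's error code (11 = no file, 13 = bad type) or null if the upload is acceptable.
function validateUpload(array $upload, array $allowedMimeTypes): ?int
{
    if ($upload['error'] !== UPLOAD_ERR_OK || $upload['size'] <= 0) {
        return 11;
    }
    // Sniff the bytes actually written to disk; $_FILES[...]['type'] is the
    // browser's claim, so it cannot be the only check.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if ($detected === false || !in_array($detected, $allowedMimeTypes, true)) {
        return 13;
    }
    return null;
}

// Inserts the document row and its permissions, then stores the file under the
// new id. One transaction, so a failed move leaves no orphan rows behind.
// Returns the generated document id (the role mysql_insert_id() played above).
function storeDocument(PDO $pdo, array $fields, array $view, array $modify,
                       string $tmpName, string $dataDir): int
{
    $pdo->beginTransaction();
    try {
        $doc = $pdo->prepare(
            'INSERT INTO data (category, owner, realname, created, description, comment)
             VALUES (:category, :owner, :realname, NOW(), :description, :comment)'
        );
        $doc->execute($fields);                 // bound parameters, never interpolated
        $fileId = (int) $pdo->lastInsertId();

        $perm = $pdo->prepare('INSERT INTO perms (fid, uid, rights) VALUES (?, ?, ?)');
        foreach ($view as $uid) {
            $perm->execute([$fileId, $uid, 1]); // 1 = view, as in the article
        }
        foreach ($modify as $uid) {
            $perm->execute([$fileId, $uid, 2]); // 2 = modify
        }

        // The stored name is derived from the id only, never from client input.
        $dest = rtrim($dataDir, '/') . '/' . $fileId . '.dat';
        if (!move_uploaded_file($tmpName, $dest)) {
            throw new RuntimeException('could not store uploaded file');
        }
        $pdo->commit();
        return $fileId;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['uid'])) {
        http_response_code(403);
        exit;
    }
    // User ids are cast to int; anything that is not a number becomes 0 and is never a valid uid.
    $view   = array_map('intval', (array) ($_POST['view'] ?? []));
    $modify = array_map('intval', (array) ($_POST['modify'] ?? []));
    if ($view === [] || $modify === []) {
        header('Location: error.php?ec=12');    // no users selected
        exit;
    }
    $upload = $_FILES['file'] ?? ['error' => UPLOAD_ERR_NO_FILE, 'size' => 0, 'tmp_name' => '', 'name' => ''];
    if (($ec = validateUpload($upload, $allowedMimeTypes)) !== null) {
        header('Location: error.php?ec=' . $ec);
        exit;
    }
    $fields = [
        ':category'    => (string) ($_POST['category'] ?? ''),
        ':owner'       => (int) $_SESSION['uid'],
        ':realname'    => basename($upload['name']),   // keep only the leaf name the browser sent
        ':description' => (string) ($_POST['description'] ?? ''),
        ':comment'     => (string) ($_POST['comment'] ?? ''),
    ];
    $fileId = storeDocument($pdo, $fields, $view, $modify, $upload['tmp_name'], $dataDir);
    header('Location: out.php?message=' . rawurlencode('Document successfully added'));
    exit;
}
```

The transaction is what resolves the chicken-and-egg ordering cleanly: lastInsertId() gives the id the file name needs, and if the move to $dataDir fails the rollback removes the "data" and "perms" rows that were written on the strength of that id, so the database never refers to a file that does not exist.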

This article copyright Melonfire 2001. All rights reserved.

