User Personalization with PHP: The Admin Section / Page 2 | WebReference

User Personalization with PHP: The Admin Section / Page 2


User Personalization with PHP: The Admin Section [con't]

Deleting Bookmarks

When a user clicks on the link to delete a bookmark, the user is sent to a script called delete.php. Also included in this link is the bookmark ID called $b_id. The aim of the script is of course to remove the selected bookmark from the system. The delete script has the following code:

So, how does the code work? First, it connects to the database, and second it checks what it is actually suppose to do. The script contains enough intelligence to decide what to do based on the information that is supplied from the two feeder scripts. Two ID's are sent from the two feeder scripts, one is called b_id and the other u_id. You probably guessed by now that b_id refers to the bookmark ID and the u_id refers to the user ID. In our case, we are dealing with the bookmark ID. The script checks which of the two it is suppose to deal with, based on the kind of ID that is sent. The if condition does the job of making the decision:

..statements here.. 

Once it has determined which of the ID's it needs to work with, the script then validates the data type. This is very important since our application is vulnerable at this stage. Any attacker that wants to crash our application can simple change the ID into a letter or any other character to crash the application, so we need to take the appropriate measures to try and minimize or avoid this. Since we know that the ID of both the bookmark and user are numbers, we use the is_numeric() function to check if the ID value is actually a number or not:


Then we run a query and remove the bookmark or user from the system:

$del = "DELETE * FROM bmarks WHERE bid = '".$bid."'";

After running the query, we redirect the user back to the page that they where on before. The code also makes provision for any errors that may occur during the execution of the query:

User Management

The user management section deals with managing users of the system. Unlike the bookmarks script, this script carries out an additional function, which is to give a user admin privileges. Like the bookmarks script, the user.php script provides a list of all of the users in the system. The reason for this is that it makes it easy for the administrator to either upgrade or remove a user from the system. Below is the code that retrieves the user details from the database:

You will note that the data retrieval code for the users is exactly the same as the one used for the bookmarks, except in this case the users database table is used instead of the bookmarks one. Therefore, I will not be going through every bit of the code, but only those that I think need to be emphasized. As with the all of the scripts in this section, the script checks to see if the user has the right to be on this page. Then it runs a query to attempt to extract a list of all the users of the system. The query actually only retrieves a count of the number of users in the system.

Then the code uses a variable created in the main PHP code to extract and list the names of the users in dynamic table rows. One of the columns also lists an action called 'Make Admin' that enables an administrator to create a new administrator from the list of user names. Below is a screen shot of the user.php script followed by its code listing:

See Figure 3

The HTML code for the page:

As you can see, the HTML code for this page is almost exactly the same as that for the bookmarks page, except for the fact that it is specific to users of the system.

When the user clicks on the 'Make Admin' link, the code takes the user to a script called update.php. This script is responsible for upgrading a user to admin status. It has the following code:

The code first checks if the ID that it received has a value:


If so, then it checks to see if that value is a number:


Once it is satisfied that the value is a number, the code continues to run an update query and reset the level column of the table to 'admin':

$update = "UPDATE users SET level = 'admin' WHERE uid = '".$uid."'";

That's it for the user personalization series. Please feel free to add more functionality to suit your needs. The application is of a generic nature and is able to adapt to any changes that you may want to make. Also, feel free to email me with any questions that you may have.

Download the files for this article.

Original: June 3, 2009