
Updating a restricted page

Hello all,

I have a site which allows members to enter their profile. The profile contents go into a MySQL database and are displayed as php pages in the site.

I want to allow my users to be able to update their profile - but want to allow them only to be able to access their particular page/profile on the database and not have access to the other profiles within the database.

Instead of a password and username, I want the person just to enter their email address and then be taken to the profile featuring that particular email address in the database (their profile).

The email address would be the unique identifier in this case.

I have created a simple update record form but I don't know how I would create a page that asks for an email address and then (if a valid email address is supplied) takes the member to the database page with the matching email address.

Any thoughts or ideas on this one would be greatly appreciated.

Thanks

Adam
Asked by: ayounis
 
alexhogan Commented:
Adam,

This is actually pretty easy..,

Create a page with a form that allows the user to enter their email address.
Have the form point to a processing page.  
(Some would say that you could go straight to the edit page here but I would disagree.  What if you needed to expand the functionality?)
The processing page will use the $POST in the WHERE clause.

example:

"SELECT *
 FROM myTable
 WHERE emailaddress = ".$POST['emailaddress'];

Now you have a recordset that contains all the user's information.  You will need to pass that to the page that will be displaying that information, so let's loop through the fields in the recordset.

while($row = mysql_fetch_assoc($stmt)){
    $fieldone   = $row['fieldone'];
    $fieldtwo   = $row['fieldtwo'];
    $fieldthree = $row['fieldthree'];
    ....
}

Now you have the contents of the fields in the recordset in variables.

But you need to pass them to another page, so you might consider this;

while($row = mysql_fetch_assoc($stmt)){
    $_SESSION['fieldone']   = $row['fieldone'];
    $_SESSION['fieldtwo']   = $row['fieldtwo'];
    $_SESSION['fieldthree'] = $row['fieldthree'];
    ....
}

Now you have the values in session objects that you can access from any page.

From here create an edit page that has all the fields that the user can modify and place the values of the corresponding session objects in those page objects.  You will probably want to do some validation prior to getting this far but I'm just showing you the basics.

Now when your user makes a change to any of the fields on the edit form you will pass that to a processing page, preferably the same one you're already using, to do the updating to the database.

I know what you're about to say.., "How can I use the same page?  Won't it just do the same thing it did when I first accessed it?"

What we're going to do is have that processing page present different functionality based on what is passed to it.

So, we'll start by writing a switch statement and the first case will be our default.  That default case will fire whenever none of the other case requirements are met.  What are the case requirements?  It's going to be a URL parameter.  When you come in from the first page you're not going to pass a parameter in the action method of the form tag.  When, however, you come in from the edit page let's pass a parameter of 1.  So the action method of the form tag would look something like this, action="myProcessingPage.php?param=1".

In the processing page we have the following;

if(!empty($_GET['param'])){
    $param = $_GET['param'];
}

Now remember empty() will register a 0 as a value, so param=0 will return as not empty.

Our switch statement would look like this;

switch($param){
    default:
        // This will process the initial values of the users email address
        break;
   
    case 1:
        // Here you will place the code to process the updates from the user
        break;
}

And that about wraps it up...

As you can see you can now use the same processing page to process a number of requests to the database from any number of your forms.  This will allow you greater flexibility when modifying the code and expanding functionality.  Plus now you only have to look in one place to see your code for database transactions.
 
ayounis (Author) Commented:
Thanks alexhogan for the quality and detailed explanation. I am afraid to say, however, I only understood part of the detailed response, as I have a very limited understanding of programming in general. I have no doubt it is a fully workable and correct solution, only I am not skilled enough to implement it.

As I am in no way confident of my programming abilities here, I thought I could (as you mentioned some would suggest) go straight into the edit page using the code you provided and set up the following basic page trying to do just that (for my immediate needs this will suffice - walk before you can run and all that):

<?php require_once('Connections/connectiona.php'); ?>
<?php
mysql_select_db($database_connectiona, $connectiona);
$query_rsupdate = "SELECT * FROM TestTable WHERE TestTable.contactmail = $POST['email'];"
$rsupdate = mysql_query($query_rsupdate, $connectiona) or die(mysql_error());
$row_rsupdate = mysql_fetch_assoc($rsupdate);
$totalRows_rsupdate = mysql_num_rows($rsupdate);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>
<form name="form1" method="post" action="updatetest.php">
  <p>
    <input name="email" type="text" id="email">
  </p>
  <p>&nbsp;</p>
  <p>
    <input type="submit" name="Submit" value="Submit">
  </p>
  <p>&nbsp;</p>
</form>
</body>
</html>
<?php
mysql_free_result($rsupdate);
?>

On this example I had hoped to be directed to the updatetest.php page.

contactmail is the database row and email is form textfield name.

This however, returned the error;

Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/cjpqapym/public_html/test.php on line 4

The only actual coding I attempted (via the Dreamweaver recordset) was, as you instructed; $query_rsupdate = "SELECT * FROM TestTable WHERE TestTable.contactmail = $POST['email'];"

but I'm still failing to get that to work. I'm stopping for lunch now, and hope to come back fed and inspired.

Thanks again.
 
alexhogan Commented:
Try this;

<?php require_once('Connections/connectiona.php'); ?>
<?php
mysql_select_db($database_connectiona, $connectiona);
$query_rsupdate = "SELECT * FROM TestTable WHERE TestTable.contactmail =". $POST['email'];
$rsupdate = mysql_query($query_rsupdate, $connectiona) or die(mysql_error());
$row_rsupdate = mysql_fetch_assoc($rsupdate);
$totalRows_rsupdate = mysql_num_rows($rsupdate);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>
<form name="form1" method="post" action="updatetest.php">
  <p>
    <input name="email" type="text" id="email">
  </p>
  <p>&nbsp;</p>
  <p>
    <input type="submit" name="Submit" value="Submit">
  </p>
  <p>&nbsp;</p>
</form>
</body>
</html>
<?php
mysql_free_result($rsupdate);
?>
 
ayounis (Author) Commented:
Just ran it. Got:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

I'm looking into it now.....

Thanks again
 
ayounis (Author) Commented:

Mmm, I seem to be going round and round with this. I've tried using the Dreamweaver Log on Functionality and am able to log on using the email addresses, and arrive at the update screen - which updates. However, I can only arrive at the update screen for the record in the database which is at the top of the database. So basically, no matter who logs in, they get the update record for whoever is top of the database.

I've tried passing it as a URL and a number of different things but as of yet, no joy.

Thanks again for your help though. Calling it a day for today.
 
Havin_it Commented:
Hi Adam,

I think the problem in the query command is with quoting in the email address argument. alexhogan had it nearly right, but try this:

$query_rsupdate = "SELECT * FROM TestTable WHERE contactmail = '". $POST['email']."'";

(It's a bit hard to see, but this is concatenating three segments: the main part of the query ending in an opening single-quote; the email variable; then another string containing the closing single-quote.  Double-quotes enclose the two strings that make up the query, and the dots concatenate the three segments together as one string.)

Also declaring the table name after WHERE is redundant in this case, so I took that out.

Lastly, if you don't want to worry too much about how your following script will handle a not-found address, add this line below the mysql statements:

if($totalRows_rsupdate<1)
   header("Location: http://www.example.com/rejected.php");

That will bounce anyone who gives an invalid address to an error page of your choice.  Note that you can only use this command in the top section of the code, before ANY echo statements or any non-PHP content in the document.  I can't recall if line-breaks are included in this, but if they are, you'll need to join the top two PHP sections together by changing

<?php require_once('Connections/connectiona.php'); ?>
<?php
mysql_select_db($database_connectiona, $connectiona);

to

<?php require_once('Connections/connectiona.php');
mysql_select_db($database_connectiona, $connectiona);

Lastly REALLY lastly, do consider adding a second ID field (a password) to this setup. Email addresses are not secret things, and while you may not see any reason for someone to wish to tamper with another's profile, that doesn't mean they will not do so.  I think your users would appreciate the precaution.
 
alexhogan Commented:
Havin_it,

I had it correct...

$query_rsupdate = "SELECT * FROM TestTable WHERE contactmail = ". $POST['email'];

The period (.) at the beginning of the $POST is a concatenation.  In PHP it is not necessary to encapsulate the query expression with quotes like it is in VB.  The single quote encapsulated with double quotes does absolutely nothing.

As a follow up the expression;

if($totalRows_rsupdate<1)
   header("Location: http://www.example.com/rejected.php");

Yes it needs to be sent before any echo statement but also before any header information is sent.  To ensure that you don't get a "header information already sent" error you will need to use output buffering.  This will allow you to trap any errors on the page and send the user to exactly where you want them.

Arbitrarily putting open ended branching statements with redirection is a bad idea.   A better suggestion would've been to put these statements in a config file that controlled all of the redirection based on certain conditions.  This will give the developer much more control and maintainability.
 
Havin_it Commented:
Alex, It's not so much a question of PHP syntax as of MySQL syntax.  In your example, the query string being sent to MySQL is

SELECT * FROM TestTable WHERE contactmail = adam@example.com

whereas mine makes it

SELECT * FROM TestTable WHERE contactmail = 'adam@example.com'

This is just how I've learned it by example in the past, but taking a glance through the MySQL manual section on SELECT queries, the string being searched for (here, the email address) always has single-quotes, which seems quite appropriate when dealing with strings.

You got me bang to rights on the other point, though; I admit it's a quick'n'dirty solution and could do with some form of exception-handling, though within the context of this skeleton script it seemed adequate.
 
ayounis (Author) Commented:
Thanks both of you for the detailed feedback

Just to update you - I changed the line of code, as suggested and when  I entered a valid email address, I was taken to my update page (The Error message did not appear).

Success....I thought.

However, it seems I was directed not to the profile with the corresponding email but still the first profile in the list.

I simply used the action text box in the form properties inspector to link to my update page. I assume this is correct?

I have also checked and re-checked that my textfield names and columns are correct - they seem to be.

I will now try to find a similar tutorial to see if I can understand what's the problem.

Thanks again, for the ongoing help.

Regards

Adam
 
alexhogan Commented:
Adam,

Are you sending a URL parameter?  If you're not then you will always get the first record.  You will need to use that URL parameter as your locator to the record you wish to retrieve.
 
ayounis (Author) Commented:
Thanks Alexhogan

Okay, this I guess, is the problem. Not been doing anything like that...will look at how to do that now....

Thanks for the guidance...
 
alexhogan Commented:
My post above will guide you through the process.
 
ayounis (Author) Commented:
thanks again alexhogan....

However, unfortunately I can't program and really only do things through the Dreamweaver interface so am struggling with your above post.

I've since set up a password function and now use it and the email address to try to log into the specific account (cheers for the advice Havin_it). I have also (I have been failing this all day) set up a simple log-on screen using the Dreamweaver login Server Behaviour. I am happy with this and don't really want anything more advanced, but still can't set up the url parameter correctly. Still I'm going to the first profile in the database.

I was trying

Update.php?recordID=<?php echo $row_rs1['autonumber']; ?>

With rs1 my record set and autonumber the identifier.

On Update.php I created a filtered recordset selecting the URL as recordID.

Anyway, this also didn't work - no dynamic data appears on the recordset. I've got the feeling that it's only one line of code (the URL Parameter) put in the right place, but I've had that feeling for a few days now (and it's not much of a help).

Anyway, thanks for the continued help, and apologies for not being able to follow your posting.

Regards

Adam
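
Added example, not part of any post in this thread: the email lookup done with a bound parameter instead of a concatenated query string, and the update keyed to a record id held in the session rather than a recordID URL parameter. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL database; the pwhash and profile columns, the function names and the sample rows are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs offline.
// TestTable, contactmail and autonumber follow the thread; everything else is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE TestTable (autonumber INTEGER PRIMARY KEY,
           contactmail TEXT UNIQUE, pwhash TEXT, profile TEXT)');
$add = $db->prepare('INSERT INTO TestTable (contactmail, pwhash, profile) VALUES (?, ?, ?)');
// Constructed sample rows.
$add->execute(['first@example.com', password_hash('pw-first', PASSWORD_DEFAULT), 'First profile']);
$add->execute(['adam@example.com',  password_hash('pw-adam',  PASSWORD_DEFAULT), 'Adam profile']);

// Login step: the email is bound as a parameter, so no quotes are hand-built
// and the submitted value cannot change the shape of the query.
function login(PDO $db, array $post, array &$session): bool {
    $q = $db->prepare('SELECT autonumber, pwhash FROM TestTable WHERE contactmail = ?');
    $q->execute([(string)($post['email'] ?? '')]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify((string)($post['password'] ?? ''), $row['pwhash'])) {
        return false;                               // unknown address or wrong password
    }
    $session['recordID'] = (int)$row['autonumber']; // kept server-side, not in the URL
    return true;
}

// Update step: the row to change comes from the session only. A recordID sent
// with the request is ignored, so a member can only edit their own profile.
function updateProfile(PDO $db, array $post, array $session): int {
    if (!isset($session['recordID'])) {
        return 0;                                   // not logged in
    }
    $q = $db->prepare('UPDATE TestTable SET profile = ? WHERE autonumber = ?');
    $q->execute([(string)($post['profile'] ?? ''), $session['recordID']]);
    return $q->rowCount();
}

$session = [];   // stands in for $_SESSION after session_start()
// An address containing an apostrophe is handled without a SQL syntax error.
var_dump(login($db, ['email' => "o'brien@example.com", 'password' => 'x'], $session));
var_dump(login($db, ['email' => 'adam@example.com', 'password' => 'pw-adam'], $session));
// The client-supplied recordID below does not decide which row is written.
updateProfile($db, ['profile' => 'Edited by Adam', 'recordID' => 1], $session);
foreach ($db->query('SELECT contactmail, profile FROM TestTable ORDER BY autonumber') as $r) {
    echo $r['contactmail'], ' => ', $r['profile'], "\n";
}
```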