The current project is structured as follows.
I kept the folder structure as consistent as possible with the previous blog posts but also sufficiently organised as otherwise it would have been a nightmare to maintain. The root directory only contains pages which will be requested by the user directly or scripts which will directly process user input, everything else goes into nested directories in the includes folder. Users can then be prevented from accessing the /includes directory by simply configuring an .htaccess file in that same directory.
The first page the user will load is the index.php page which gets served by default by apache when a file name is not specified. This page will check if a user is logged in by checking the $_SESSION variable for content and if found redirects the user directly to the members.php page, otherwise the user is presented with 2 forms, a registration form and a login form.
All output* functions are loaded from the includes/output/* directory and simply echo out various sections of html, 1 output function per file will be used, mainly to keep the the project as atomic as possible with less impact should any changes be required at a later stage.
The outputNotLoggedInPage(); which should return the main body whenever a use is not logged in calls various other output functions e.g. outputRegisterForm() which renders the registration form and outputLoginForm() which renders the login form. In this manner the final page presented to the user will be made up of multiple sections defined as by the respective output functions.
The following page is displayed whenever a visitor (not logged in) requests the page, the individual sections that make up the entire layout are marked in color.
Please not that, none of the layouts presented in this blog post have been styled as this will be done at a later stage when all functionality is implemented and tested.
Both the registration and the login form use the post method form submission and are processed by processLogin.php and register.php respectively which will post back to the index.php page with any outcome in either the $_SESSION['error'] and $_SESSION['message'] variables depending if successful or not.
The index.php script will check if any of the above variables are set and if so will echo the results back to the user and then unset the variables to prevent the messages from being shown multiple times. Both message types could have been easily stored in a single session variable such as just $_SESSION['message'], I chose to keep them separate because I might need to differentiate between successful and error messages when styling the pages.
User Registration
The user registration feature will allow any visitor to create an account on the system, all user details will be stored on a MySQL database in a user table which is currently structured as follows.
The password field is a 32 character long field as passwords will not be stored in plain text, but as an md5 hash of the seeded password.
On submitting the registration form the control is passed to register.php script which will process the registration by first validating that both fields were populated correctly and then verifies that the inputted user is not already used, if all validation checks are passed all user inputs are escaped through the mysq_real_escape_string() function to protect against SQL injection attacks. The password input is concatenated to the SEED constant and then hashed using the standard md5() function, in this manner we are not storing passwords as plain text on the database, a seed is used to make it harder for successful dictionary attacks on the md5() hashed passwords should this data ever be compromised. A new record is created in the user table, and the apropriate messages are displayed to the user using the $_SESSION['error'] and $_SESSION['message'] as explained earlier. The registration process will be slightly enhanced later to create the ~home directory for each user which will contain all user uploaded files.
 |
| account registration - form filled in |
 |
| account registration successful |
On submitting the login form the control is passed to the processLogin.php script which will call the login(); function to authenticate the user, again all user input is escaped through the mysql_real_escape_string() function. The inputed password is then re-seeded (password concatenated with the same SEED used during the registration process) and hashed to be compared to what is on the database. On a successful login the user is redirected to the members.php page. Once authenticated the user will be automatically redirected to this page even when requesting the index.php page.
 |
| login form - filled in |
 |
| successful login - user redirected to the members area |
Logout Feature
The session needs to be destroyed whenever the user requests to be logged out, a generic action.php file will be used to handle such requests, the logout link displayed in the members area is a hyper link to action.php?a=logout which will simply destroy the session and redirect the user back to the index.php page.
Conclusion
in the next post I will do some modifications to the register feature to create a ~home directory for each user as well as integrate the file upload functionality developed in the first post of the series.
0 comments:
Post a Comment