Search the Community

I have been getting some errors in my chapter 13 site and I am not sure how I can fix them. I am able to login with the login.php page. When I do I get this error. ?php // Script 13.4 - footer.html // Display general admin links... // - if the user is an administrator and it's not the logout.php page // - or if the $loggedin variable is true (i.e., the user just logged in) if ( (is_administrator() && (basename($_SERVER['PHP_SELF']) != 'logout.php')) OR (isset($loggedin) && $loggedin) ) { // Create the links: print ' When I go to the add_quotes.php page I get this error. When I try and add a quote I get this list of errors. Here is my add_quotes.php code I am getting a red underline error on the ! is administrator line I added LINE is # where each line error is for my error list above <?php // Script 13.7 - add_quote.php /* This script adds a quote. */ // Define a page title and include the header: define('TITLE', 'Add a Quote'); include('templates/header.html'); print '<h2>Add a Quotation</h2>'; // Restrict access to administrators only: if (!is_administrator()) { (THIS LINE IS GIVING ME AN ERROR) print '<h2>Access Denied!</h2><p class="error">You do not have permission to access this page.</p>'; include('templates/footer.html'); exit(); } // Check for a form submission: if ($_SERVER['REQUEST_METHOD'] == 'POST') { // Handle the form. if ( !empty($_POST['quote']) && !empty($_POST['source']) ) { // Need the database connection: LINE 23 include('C:/xampp/htdocs/PHP/Chapter13/mysqli_connect.php'); // Prepare the values for storing: LINE 26 $quote = mysqli_real_escape_string($dbc, trim(strip_tags($_POST['quote']))); LINE 27 $source = mysqli_real_escape_string($dbc, trim(strip_tags($_POST['source']))); // Create the "favorite" value: if (isset($_POST['favorite'])) { $favorite = 1; } else { $favorite = 0; } $query = "INSERT INTO quotes (quote, source, favorite) VALUES ('$quote', '$source', $favorite)"; LINE 37 mysqli_query($dbc, $query); LINE 39 if (mysqli_affected_rows($dbc) == 1){ // Print a message: print '<p>Your quotation has been stored.</p>'; } else { print '<p class="error">Could not store the quote because:<br>' . mysqli_error($dbc) . '.</p><p>The query being run was: ' . $query . '</p>'; } // Close the connection: LINE 47 mysqli_close($dbc); } else { // Failed to enter a quotation. LINE 43 print '<p class="error">Please enter a quotation and a source!</p>'; } } // End of submitted IF. // Leave PHP and display the form: ?> <form action="add_quote.php" method="post"> <p><label>Quote <textarea name="quote" rows="5" cols="30"></textarea></label></p> <p><label>Source <input type="text" name="source"></label></p> <p><label>Is this a favorite? <input type="checkbox" name="favorite" value="yes"></label></p> <p><input type="submit" name="submit" value="Add This Quote!"></p> </form> <?php include('templates/footer.html'); ?>

code: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>Add a Blog Entry</title> </head> <body> <h1>Add a Blog Entry</h1> <?php // Script 12.5 - add_entry.php /* This script adds a blog entry to the database. */ if ($_SERVER['REQUEST_METHOD'] == 'POST') { // Handle the form. // Connect and select: $dbc = mysql_connect('localhost', 'root', 'musica'); mysql_select_db('myblog', $dbc); // Validate the form data: $problem = FALSE; if (!empty($_POST['title']) && !empty($_POST['entry'])) { $title = trim(strip_tags($_POST['title'])); $entry = trim(strip_tags($_POST['entry'])); } else { print '<p style="color: red;">Please submit both a title and an entry.</p>'; $problem = TRUE; } if (!$problem) { // Define the query: $query = "INSERT INTO entries (entry_id, title, entry, date_entered) VALUES (0, '$title', '$entry', NOW())"; // Execute the query: if (@mysql_query($query, $dbc)) { print '<p>The blog entry has been added!</p>'; } else { print '<p style="color: red;">Could not add the entry because:<br />' . mysql_error($dbc) . '.</p><p>The query being run was: ' . $query . '</p>'; } } // No problem! mysql_close($dbc); // Close the connection. } // End of form submission IF. // Display the form: ?> <form action="add_entry.php" method="post"> <p>Entry Title: <input type="text" name="title" size="40" maxsize="100" /></p> <p>Entry Text: <textarea name="entry" cols="40" rows="5"></textarea></p> <input type="submit" name="submit" value="Post This Entry!" /> </form> </body> </html> iI'm getting the folowing output, what am i doing wrong? Add a Blog EntryPlease submit both a title and an entry.'; $problem = TRUE; } if (!$problem) { // Define the query: $query = "INSERT INTO entries (entry_id, title, entry, date_entered) VALUES (0, '$title', '$entry', NOW())"; // Execute the query: if (@mysql_query($query, $dbc)) { print ' The blog entry has been added! '; } else { print ' Could not add the entry because: ' . mysql_error($dbc) . '. The query being run was: ' . $query . ' '; } } // No problem! mysql_close($dbc); // Close the connection. } // End of form submission IF. // Display the form: ?> Entry Title: Entry Text:

In the Chapter 13 web app, cookies are used to verify if a person has administrator access. It seems that using a cookie is similar to a password in the way that in the book, Larry says to set a cookie with sort of a random name and value. For instance, don't set a cookie with the name of 'login' and the value of 'true' (instead a cookie named Samuel is set with a value of Clemens). But, because cookies are easily viewed once they are set, for example using firebug on firefox, it seems like this is not the best method for veirifying who has access to a site and who doesn't. For example. Lets say someone signs up for a username and password on my site, I grant that person permission to my site and set a cookie named Samuel with a value of Clemens. But lets say for some reason in the future I choose to deny that user access to my site. If while he had access to my site, he happened to check the name and value of the cookie, that person after he looses access to my site could easily create a cookie himself named Samuel with a value of Clemens. Then what? Is this the method that websites actually use to verify login credentials? (obviously I know this is a beginner book and there is probably much more to it than this, but I was wondering if this was an easy way to mimic a login example, or if some form of this method is used in professional sites.)