Lecture Comments (1)

0 answers

Post by dave smith on August 26, 2015

I watched both the beginner and advanced course! WhoopWhoop!!!

Web Application Development


  • Intro 0:00
  • Version 20.0 Overview 0:13
    • Version 20.0 Changes & Examples Part 1
    • Version 20.0 Changes & Examples Part 2
    • Version 20.0 Changes & Examples Part 3
  • Version 20.0 (cont.) 8:31
    • Version 20.0 Changes & Examples Part 4

Transcription: Web Application Development

Hello again, and welcome back to's Advanced PHP with MySQL course.0000

In today's lesson, we are going to be wrapping up development of our web application,0005

incorporating what we learned in our last lesson about user authentication.0009

In this new version that we have (which is going to be version 20.0), what we are doing0014

is adding an authentication system to our administrative interface that we have for our web store.0018

The interface that we have, where we can add and remove items from the store, view orders in the store...0024

we are going to restrict that, so that only authorized users can do that.0031

Now, we learned in our last lesson...part of the homework for the last lesson was creating that Users table0034

that has a username and a password, and the password that has a hash to it.0039

What we are going to do is: we are going to be adding a page to our admin application that is going to allow us to create these admin users.0043

So, we are going to be creating a function in our DatabaseAccess class called insertUser.0050

So, we are going to be able to insert users into that Users table that we learned about in the last lesson.0056

Along with that, we are going to be creating a helper method called userExists, which is just going to help to check if a user exists in the database currently.0062

And then, one of the key functions that we are going to be implementing in our DatabaseAccess class is the authenticateUser method.0070

And that is going to be our way of, when a user logs into our administrative website, being able to verify0077

whether they represent a valid username and password combination within the Users table of our database.0083

If we go and look at our documentation for this version 20.0, this is our DatabaseAccess class.0089

One thing to note is that we have created a User class, which is just like our Item class or our Department class.0099

It is just a way of managing the data related to a user.0104

In this particular case, we stored the username, the firstName, and lastName within these User objects.0108

We don't store the password, for security reasons.0113

But we are going to use this User object to implement the functionality of adding in a user to the database.0116

In our DatabaseAccess class, we have added three methods.0126

One of the methods is the insertUser method, which is going to take a User object,0135

which, as we just saw, contains a firstName, a lastName, and a username; and then a password.0142

And then, it is just going to perform an INSERT on that Users table.0148

It uses a helper method called userExists, which I had mentioned a minute ago.0151

That method simply runs a SELECT query on the database to see if the username passed in already exists.0156

And if it doesn't already exist, because it is a primary key, then it is going to allow us to continue to insert the user.0163

We are just building an INSERT query on the Users table.0170

And we are going to be using the sprintf formatted string function.0173

And we are going to be inserting as values, into our Users table, the username for the user, their first name, and their last name,0177

and then their password--but as we learned about last time, we are actually submitting the hash of their password.0186

So, it is going to be a 40-character string.0191

It is going to be the output of the sha1 hash function on the password that was passed in.0193

And then, we just test, as we normally do, to see if the user was added,0200

and then output an error and return false if there was a problem.0205

And if not, it is just going to return the User object that was successfully inserted into the database.0210

Now, probably the key method we have added to this is authenticateUser,0216

which is a method that takes a username string and a password string.0221

And what it does is: it runs a SELECT query on the Users table, and it checks to see if the combination exists0227

of the username passed in, and then the sha1 hash of the password passed to the method.0236

For example, you can see, in our sprintf function--we can see that where we are providing data for these wildcard characters,0244

in the formatting string, the first one we are providing is just the plain username.0255

And then, for the password, we are providing, again, the sha1 hash on that particular password.0260

The SELECT query is going to check the database: does a row in the Users table exist with this username given,0267

and then also whose password has a hash value that is equal to the hash value of the password passed in?0277

And if so, we run the query; if that is true, and it comes up, we are going to return a User object0284

that contains the username, first name, and last name of the valid user in the database.0290

Otherwise, it is going to return false and say, "No, this user can't be authenticated; that username and password hash pair do not exist in the table."0296

As far as the admin interface goes, we have added a new administrative page called addUser.php,0308

which is going to allow us to add new user accounts to our database.0315

And so, if we pull up the administrative site, this is what the page is going to look like.0321

Now, when you try to go to any different pages of the admin site, you are going to get a non-authorized warning.0328

And it is going to say, "Must be logged in to view this content; click here to log in."0333

And so, we are going to have our login; in this case, we are going to be using just the default admin account that we had set up before0337

to log in for the first time, which...that is part of why we created that in the last homework example.0346

So, I log in with admin and then a password that is...that is right, I had changed the password.0351

I had set up the default password on this account to be 'admin'; so, admin, admin; and then we log in.0374

And what you are going to be using in your web application is admin, and then just the blank space (or the empty string) to log in for the first time.0380

Once you are able to log in, it is going to say, "Welcome to the store."0388

It is going to forward you to admin.php, and then you are going to see a new task over here called Add Admin User,0391

in which now you can create a regular user account that has a valid password.0399

So, for example, jsmith, we can add the user; "user account was successfully created."0404

We can see, in our new admin site, that it has a welcome message after we have logged in that welcomes us by our first name.0420

We have a Logout link, so I am going to go ahead and log out.0426

And we are going to talk about that in a second.0430

And now, I am going to go ahead and log back in with this new account that I created.0432

And so now, you can see: it says "Welcome, John!"0441

And so, that is how you are going to be able to add new users to your website.0442

And once you have done that, you can go ahead and get rid of that insecure administrative account.0446

Now, the way that we have implemented the authentication is: in all of the pages that we want to require a user to be logged in,0452

we have added an INCLUDE statement that includes this file here, called adminAuth.php.0459

And if we take a look at that page, what it does is creates a new SessionManager object, which starts a session and gives us access to session variables.0465

And what it does is: it performs a test to see if a user session variable exists, using the in_session method that we have used before.0475

If the user session variable does not exist, then what it is going to do is use this header function0485

that we had learned about to redirect the user to notAuthorized.php.0491

For example, if I log out here, and I try to go to updateItemDepartment, you can see that we have been forwarded to notAuthorized.php.0495

And that is because we didn't have a valid session.0503

And the valid session is created in our new page that we have, called login.php.0506

We have a login.php script and a logout.php script, which perform their respective duties.0513

One is to log in the user, and one is to log out the user.0518

You saw how the login page works; if we go and take a look at the login script,0522

we can see that what it does is starts a session, and then, if the action is login...0529

And it performs a test to see if the user is already logged in,0536

because maybe a user might accidentally go to the login page, even though they are already logged in; and so, we just want to test for that.0539

So, you can ignore this for now; that is just additional error-catching logic.0546

But the main part of the script that we are interested in is: if the user's action was login, and they weren't already logged in,0551

we are going to create a connection to the database, and then we are going to authenticate the user,0558

based on that username and password they provided on the form we just saw.0562

This authenticateUser function will return false, as we saw, if the user is not a valid user.0566

Otherwise, it will return a User object that represents that user.0571

What we are going to do is: if the user is valid, we are going to store that User object that is returned,0575

using the setVariable method of our SessionManager class.0581

We are going to add a session variable called user, and we are going to store that User object within there.0584

And so, that is why this adminAuth page will work: because what it is going to do is test to see if that user session variable exists.0592

So, if this user hasn't gone through this login page and successfully been validated, and that user session variable hasn't been created,0602

then every time they try to go to these pages, they are going to get redirected to the nonAuthorized page.0610

The other thing is that, if the user does get logged in, what it automatically does is:0616

it is going to relocate them--redirect them--to the home page of the admin site, which is admin.php.0619

If not, it is going to output an error message saying "the username and password has failed" or "you were already logged in."0627

For example, just to show you again: this is login.php; if I log in with our new user, and we click Log In,0635

we can see that we get forwarded to admin.php, which is just the welcome page for this administrator website.0646

That is how the login part of it works.0651

We have a corresponding logout script, and as we learned in our last lesson, the way to have a user log out is: an authenticated user simply ends the session.0654

And so, all we do, in this script, is continue a new session by creating our SessionManager object.0664

We, again, check to see if the user is already logged in; and that is for some error checking on this page,0675

to see if a user is trying to access this page if they have already been logged in, and they came here unintentionally.0681

And then, the key thing that we are going to do is call the destroy method, on our SessionManager class,0686

which, as we learned about when we learned about sessions, goes through the four steps that we have for properly destroying a session, one of the main ones being destroying that session cookie, and also destroying the session data.0692

And then, we use this test up here to see if the user was logged in.0706

And if the user was logged in, then we let them know, "You have been successfully logged out."0712

And the reason we go ahead and test this up here for this is not necessarily error handling;0717

but the logic of the script is whether to output an error message, or say that they were successfully logged out.0725

We call this method in_session to set our "was logged in" flag before we call destroy,0730

because as we know, in destroy, we destroy all of that session data.0736

So, if we had reversed the order of these, then we wouldn't be able to see if the user was logged in or not.0741

And so, we wouldn't be able to output a message that says "You were successfully logged out,"0745

or rather, output a message that says "You cannot log out, because you are not logged in."0749

And so, that is how our logout script works.0754

Now, one other feature that we have added is: we have updated our adminHeader page,0758

which was previously adminHeader.html, which was the header page for all of our websites that had links to all of these different tasks.0763

And we have updated this beginning section to just add, when a user logs in, a welcome message that says "Welcome," and it has the user's first name.0770

And then also, it just outputs a Log Out link, so that they can log out of the store; and it just calls that logout.php script.0777

If we look at our adminHeader.phtml, everything is pretty much the same, except that we have added,0787

in our Header table, which includes that Educator logo and the part that says "Educator Admin Site," some PHP code.0794

So, this adminHeader.html has been renamed adminHeader.phtml, because now it contains a combination of HTML and PHP code.0804

And we have added just a little bit of a conditional check here.0811

And what it does is just tests if the user is logged in or not, and it does so by checking that session variable.0815

If the user session variable exists, then what it is going to say is: it is going to welcome, and it is going to output their first name.0825

And it gets that from the user variable that has been stored in the session.0831

And as we saw when we logged in, when we authenticate our user, if the user is authentic,0836

it returns a User object that contains all of the information (firstName, lastName, and username)0844

about the User, and gets stored in the session variable user.0847

So, in our admin page, we are going to be accessing that user variable; and that is going to give us access to the first name.0851

So, that is how we go ahead and output the first name.0856

And then, here, we simply have a simple link to logout.0858

And so, that is a little dynamic content that we have added to this version 20 of the website.0862

That ends today's lesson; it has been a pleasure teaching you this course--thank you for watching