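<?php
// First we execute our common code to connect to the database and start the session.
// common.php is expected to provide $db (the PDO connection used below) and the session.
require("common.php");

// At the top of the page we check to see whether the user is logged in or not.
if (empty($_SESSION['user'])) {
    // If they are not, we redirect them to the login page.
    header("Location: login.php");
    // Remember that this die statement is absolutely critical. Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}

// Everything below this point in the file is secured by the login system.

// The only message types the form below offers. The <select> element limits what a
// browser will send, but any client can POST an arbitrary value, so the server has
// to check the value itself before it is stored.
$allowed_message_types = array('info', 'success', 'warning', 'error');

if (!empty($_POST)) {
    // Read each field with a default so a request that omits a field does not
    // trigger an "undefined index" notice. Values are trimmed so whitespace-only
    // input is rejected, and compared with '' rather than tested with empty(),
    // because empty() would also reject the legitimate message text "0".
    $title = isset($_POST['title']) ? trim((string) $_POST['title']) : '';
    $message = isset($_POST['message']) ? trim((string) $_POST['message']) : '';
    $message_type = isset($_POST['messageType']) ? (string) $_POST['messageType'] : '';

    // Ensure that the user has entered a non-empty message title.
    if ($title === '') {
        // Note that die() is generally a terrible way of handling user errors
        // like this. It is much better to display the error with the form
        // and allow the user to correct their mistake. However, that is an
        // exercise for you to implement yourself.
        die("Please enter a title.");
    }

    // Ensure that the user has entered a non-empty message.
    if ($message === '') {
        die("Please enter a message.");
    }

    // Reject any message type the form does not offer. The third argument makes
    // the comparison strict, so values such as 0 or true cannot match 'info'.
    // NOTE(review): the form's maxlength attributes (50 for the title, 255 for the
    // message) are only enforced by the browser; whether the database columns
    // truncate or reject longer values is not visible here — confirm and add a
    // server-side length check if needed.
    if (!in_array($message_type, $allowed_message_types, true)) {
        die("Please choose a valid message type.");
    }

    // An INSERT query is used to add new rows to a database table.
    // Again, we are using special tokens (technically called parameters) to
    // protect against SQL injection attacks.
    $query = "
INSERT INTO messages (
title,
message,
userId,
messageType
) VALUES (
:title,
:message,
:userId,
:messageType
)
";

    // Bind the values to the named parameters. The userId is taken from the
    // session rather than from the request, so a user cannot post a message
    // under someone else's account.
    $query_params = array(
        ':title' => $title,
        ':message' => $message,
        ':userId' => $_SESSION['user']['userId'],
        ':messageType' => $message_type,
    );

    try {
        // Execute the query to create the message.
        $stmt = $db->prepare($query);
        $stmt->execute($query_params);
    } catch (PDOException $ex) {
        // The exception text can reveal table names or the query structure, so it
        // is written to the server log instead of being sent to the browser.
        error_log("create_message.php: failed to run query: " . $ex->getMessage());
        die("Failed to run query.");
    }

    // This redirects the user back to the messages page after they create a new message.
    header("Location: private.php");
    // Calling die or exit after performing a redirect using the header function
    // is critical. The rest of your PHP script will continue to execute and
    // will be sent to the user if you do not die or exit.
    die("Redirecting to private.php");
}
?>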
<!-- The form that posts to the PHP code above looks like this -->
<form action="create_message.php" method="post">
<div class="row">
<div class="six columns">
<label for="title">Message title</label>
<input class="u-full-width" maxlength="50" type="text" id="title" name="title" placeholder="Message title" required>
</div>
<div class="three columns">
<label for="messageType">Message type</label>
<select class="u-full-width" name="messageType" id="messageType">
<option selected="true" value="info">Information</option>
<option value="success">Success</option>
<option value="warning">Warning</option>
<option value="error">Error</option>
</select>
</div>
</div>
<label for="message">Message</label>
<textarea class="u-full-width" maxlength="255" placeholder="Message text..." id="message" name="message" required></textarea>
<input class="button-primary" type="submit" value="Add message">
</form>