Upon logging in the user is redirected to the /events/default.php page, which checks to make sure the user is logged in, and then displays the user's pre-entered events.
From this page, there are links so the user can log out, change their email address, change their password, and add a new event. Each event also contains links that allow editing/deleting of the event.
The user functions (modify email, modify password) are handled by the existing user class. Logging out is accomplished by using session_unregister() and session_destroy() to remove the session variables holding the user login information.
In order to handle events, I developed a class very similar to the user class. This class handles loading an existing event, modifying an existing event, deleting an event, and creating a new event.
One problem that I've seen before in websites is a lack of checking before making modifications to data. For example, the page that lists your reminder events contains links such as:
    <a href=/events/delete_event.php?f_reminder_id=1>Delete</a>
Clicking on this link verifies that you want to delete the event, then removes it.
A common problem is that the delete_event.php page will not check that you are the owner of the event before deleting it. If it doesn't, any user can change the f_reminder_id=1 part of the URL to go through and systematically delete every reminder event in the database.
Oops.
To prevent this requires two pieces of code. The first is a function in the event class to verify that the owner of the event is the same as a given user id:
    function verifyUser ($p_user_id = 0) {
        // owner matches, or no event is loaded (m_reminder_id == 0)
        if ( ($p_user_id == $this->m_user_id) or ($this->m_reminder_id == 0) ) {
            return TRUE;
        } else {
            return FALSE;
        }
    }
Then, we make use of this function at the top of the delete_event.php page to determine if the logged in user (identified by $SUID) is the owner of the event. If the user doesn't own the event they are trying to delete, we just send them back to their list of reminders page.
    $l_event = new remindme_event($f_reminder_id);
    // check to make sure current user owns current event
    if (! $l_event->verifyUser($SUID)) {
        // a Location header must not carry embedded newlines
        header("Location: /events/");
        exit;
    }
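The same ownership check as a self-contained script (an added example, not the article's own code) that goes one step further: the owner id is also bound into the DELETE statement itself, and an event id that does not exist is refused instead of passing the check. The table, the sample rows and the function names are assumptions, since the article's remindme_event class, schema and $SUID global are not shown.

```php
<?php
// Added example (not the article's code): ownership check for delete_event.php,
// with the owner id also bound into the DELETE. Table and data are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reminders (reminder_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT)');
// Constructed sample data: user 1 owns event 1, user 2 owns event 2.
$db->exec("INSERT INTO reminders VALUES (1, 1, 'dentist'), (2, 2, 'rent')");

// True only if the event exists and belongs to $userId (hypothetical helper,
// standing in for the article's remindme_event::verifyUser). A missing row
// is treated as "not yours" rather than passing the check.
function verifyUser(PDO $db, int $reminderId, int $userId): bool {
    $stmt = $db->prepare('SELECT user_id FROM reminders WHERE reminder_id = ?');
    $stmt->execute([$reminderId]);
    $owner = $stmt->fetchColumn();
    return $owner !== false && (int)$owner === $userId;
}

// Deletes one event on behalf of $userId (the session user, the article's $SUID).
// The owner id is part of the WHERE clause, so even if the check above were
// ever bypassed, no other user's row can match. Returns rows deleted.
function deleteEvent(PDO $db, int $reminderId, int $userId): int {
    if (!verifyUser($db, $reminderId, $userId)) {
        return 0;   // the page does header("Location: /events/") here
    }
    $stmt = $db->prepare('DELETE FROM reminders WHERE reminder_id = ? AND user_id = ?');
    $stmt->execute([$reminderId, $userId]);
    return $stmt->rowCount();
}

// User 2 tampers with the URL to f_reminder_id=1: refused, nothing deleted.
var_dump(deleteEvent($db, 1, 2) === 0);   // bool(true)
// User 1 deletes their own event: exactly one row removed.
var_dump(deleteEvent($db, 1, 1) === 1);   // bool(true)
// An id that does not exist is refused instead of being "verified".
var_dump(deleteEvent($db, 99, 1) === 0);  // bool(true)
```

Run it with the PHP CLI (php with the pdo_sqlite extension); every var_dump line should print bool(true).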
Any time you are allowing the user to modify data, make sure to check that they have the necessary rights to make those changes.