Pseudo-code for A2 - Session-based version of Assignment
See A2-diagram.pptx for a click-animated diagram showing the relation between the different scripts below. Under 302-videos refer to video P05C for a discussion of session-variables-protected-access-redirects-02. The P02.4H video discusses the HTTP headers exchanged.
During initial development: use simple stubs for scripts, especially to verify the redirect behaviors work as intended.
Section I - Login Gatekeeper - session-based
Login.html - Form with fields for name and password and radio button choice as "admin" or "user"
Login.php
0. Run the session_start command. (This could be done later but it is simpler to do it here due to certain subtleties related to sending output to the browser.)
1. Get form data and use get_type (modified) to sanitize it.
The get_type function in Login.php for the Login.html form data is simpler than the similar function for the A1 form in Assignment01 because there are fewer elements to check. (Eventually I will explain that the new get_case should use mysql_real_escape_string to make the input safe, which means applying that function to every form input.)
If it's the admin choice, call the new version of the admin function (which redirects to Login.html if bad.)
If it's a customer choice, call the new version of the user function (which redirects to Login.html if bad.)
Thus if a credentials test fails, redirect to Login.html using the PHP header function with a brief delay (at most 2 seconds!) for visual/pedagogical effect, print an explanatory comment (which will appear briefly because of the delay in the redirect) and exit the script.
2. You only get this far if the request was valid.
3. Define the session variables to protect access to the restricted scripts.
Set $_SESSION ["logged_in"] to true if the credentials were valid, in both cases.
Set $_SESSION["state"] to "admin" or "user" depending on the radio choice in Login.html
4. Redirect to either admin.php or user.php (these are not the admin & user functions; they are separate scripts) but include a delay and a printed explanation:
If the form choice was admin then the redirect header is to admin.php; exit the current Login.php script.
If the form choice was user then redirect to the user.php script with a brief delay/printed explanation and exit this script.
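The Login.php gatekeeper steps 0-4 above, as one added example (not the assignment's own code). It assumes that table A is the Accounts table with columns name, pw_hash (stored with password_hash()), role ('admin' or 'user') and current_balance, that the radio button is posted as "choice", and that the DB credentials are placeholders. Bound parameters (mysqli prepared statements) stand in for the mysql_real_escape_string the assignment names, since the mysql_* extension was removed in PHP 7; session_regenerate_id() after a successful login is an added hardening step against session fixation.

```php
<?php
// Added example of Login.php (not the assignment's own code).
// Assumptions: table A (the Accounts table) has columns name, pw_hash (stored with
// password_hash()), role ('admin' or 'user') and current_balance; the DB credentials
// are placeholders; the radio button is posted as 'choice'. Bound parameters
// (mysqli prepared statements) stand in for mysql_real_escape_string, since the
// mysql_* extension no longer exists in PHP 7 and later.
session_start();                                   // step 0: before any output is sent
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The delayed redirect the assignment describes: send the message, show it for 2 s, then leave.
function redirect_with_message(string $url, string $msg): void
{
    header("Refresh: 2; url=$url");
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

// Minimal get_type: read one POST field, trim it and cap its length.
function get_type(string $key, int $max = 64): string
{
    return mb_substr(trim((string)($_POST[$key] ?? '')), 0, $max);
}

$name   = get_type('name');
$pw     = get_type('password', 256);
$choice = get_type('choice');

if ($name === '' || $pw === '' || !in_array($choice, ['admin', 'user'], true)) {
    redirect_with_message('Login.html', 'Missing or malformed login fields; returning to login.');
}

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

// Look up the account by name only; the password is checked in PHP, never inside the SQL.
$stmt = $db->prepare('SELECT pw_hash, role, current_balance FROM A WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// One message for unknown name, wrong password and wrong role, so the response does not
// reveal which of them failed.
if ($row === null || !password_verify($pw, $row['pw_hash']) || $row['role'] !== $choice) {
    redirect_with_message('Login.html', 'Invalid credentials; returning to login.');
}

// Valid: drop the pre-login session id (session fixation defence), then mark the session.
session_regenerate_id(true);
$_SESSION['logged_in']       = true;
$_SESSION['state']           = $choice;
$_SESSION['name']            = $name;
$_SESSION['current_balance'] = (float)$row['current_balance'];

redirect_with_message($choice === 'admin' ? 'admin.php' : 'user.php', "Welcome, $name. Redirecting...");
```

The "subtlety" mentioned at step 0 is that both session_start() and header() have to run before the script emits any output, which is why the message in redirect_with_message is printed only after the Refresh header has been set.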
Section II - Admin Handler Script
admin.php
1. The admin.php script checks $_SESSION ["logged_in"] and $_SESSION["state"] for "admin" to see if the request to run the script is authorized.
2. If the request is not authorized, then redirect to Login.html with a message and delay, and exit.
3. If request is authorized, then continue script and use get_A and get_T for admin to display DB tables.
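The authorization guard of steps 1-3 as an added example (not the assignment's own code); the identical check with "user" in place of "admin" protects user.php and transact.php. It assumes Login.php set $_SESSION["logged_in"] and $_SESSION["state"] as in Section I, that table A has columns name, role and current_balance, and that the DB credentials are placeholders; get_A here is a minimal stand-in for the assignment's own function, whose signature the page does not give.

```php
<?php
// Added example of admin.php (not the assignment's own code).
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Refuse the request unless Login.php marked this session with the required role.
function require_role(string $role): void
{
    $ok = ($_SESSION['logged_in'] ?? false) === true && ($_SESSION['state'] ?? '') === $role;
    if (!$ok) {
        header('Refresh: 2; url=Login.html');
        echo 'You are not authorized to view this page; returning to login.';
        exit;   // nothing after this point, including any HTML, reaches the browser
    }
}
require_role('admin');

// Stand-in for the assignment's get_A: fetch every row of table A and return it as
// escaped HTML. Table and column names are assumptions.
function get_A(mysqli $db): string
{
    $html = "<table>\n";
    $res  = $db->query('SELECT name, role, current_balance FROM A ORDER BY name');
    while ($row = $res->fetch_assoc()) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            // Output encoding: stored values are untrusted once rendered into HTML.
            $html .= '<td>' . htmlspecialchars((string)$cell, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
echo get_A($db);
```

Both session values are compared strictly (=== true, === 'admin'), so a session that merely has a non-empty "state" or a truthy "logged_in" left over from a stub does not pass the gate.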
Section III A - The Script that presents the Customer deposit/withdraw Form
user.php
1. The user.php script checks $_SESSION ["logged_in"] and $_SESSION["state"] for "user" to see if the request to run the script is authorized.
2. If the page request is not authorized, then redirect to Login.html with a message and delay, and exit.
3. Note that the Form in this page (after some initial PHP code) is not even reached or displayed in the browser if the exit at (2) above occurs.
If the page request is authorized, then:
1. Greet the user by name.
2. Display the user's current_balance from $_SESSION["current_balance"].
3. After/outside the PHP section of the page define a form with:
a. Input field for amount of transaction
b. radio buttons with 'D' or 'W' choice for transaction
c. action = "transact.php" for the session script that handles the transaction
d. checkbox to receive a mail copy of the results
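Section III A as an added example of user.php (not the assignment's own code). It assumes Login.php stored the user's name in $_SESSION["name"] and the balance in $_SESSION["current_balance"], and that transact.php reads the fields "amount", "choice" and "mailcopy". The guard is the same check as in admin.php with the role "user", placed before any HTML so that an unauthorized request never receives the form.

```php
<?php
// Added example of user.php (not the assignment's own code).
session_start();

// Authorization guard: runs before the first byte of HTML, so an unauthorized request
// gets only the redirect message and never sees the form below.
$ok = ($_SESSION['logged_in'] ?? false) === true && ($_SESSION['state'] ?? '') === 'user';
if (!$ok) {
    header('Refresh: 2; url=Login.html');
    echo 'You are not authorized to view this page; returning to login.';
    exit;
}

// Values written into HTML are encoded; the name came from a form originally.
$name    = htmlspecialchars((string)$_SESSION['name'], ENT_QUOTES, 'UTF-8');
$balance = number_format((float)$_SESSION['current_balance'], 2);
?>
<!DOCTYPE html>
<html>
<body>
<p>Hello, <?= $name ?>. Your current balance is <?= $balance ?>.</p>
<form method="post" action="transact.php">
  <label>Amount: <input type="text" name="amount" inputmode="decimal" required></label><br>
  <label><input type="radio" name="choice" value="D" checked> Deposit</label>
  <label><input type="radio" name="choice" value="W"> Withdraw</label><br>
  <label><input type="checkbox" name="mailcopy" value="1"> Email me a copy of the result</label><br>
  <button type="submit">Submit</button>
</form>
</body>
</html>
```

The form uses method="post" so that the amount and choice travel in the request body rather than in a URL that ends up in browser history and server logs.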
Section III B - The Script that handles the customer deposit/withdraw form - transact.php
As usual the transact.php script checks $_SESSION ["logged_in"] and $_SESSION["state"] to prevent unauthorized access to the script (this also excludes the administrator). If authorization fails, proceed as for the admin script and redirect. If authorization succeeds the script continues with an IF-ELSE processing section, which is followed by a few HTML hyperlinks (this is after the initial "" section). Get the choice and amount data from the form and use mysql_real_escape_string for SQL injection protection.
If choice is 'W' and amount > current_balance then print warning message
Else do the following (1-3):
1. If choice is 'D' then
a. Define/execute SQLs to log the transaction to T and update A table's current_balance.
b. Increment $_SESSION["current_balance"] by amount.
c. Display/print in the browser the unique updated A row and the new T row using get_A and get_T.
2. If choice is 'W' then
a. Define/execute SQLs to log transaction to T table and update A table's current_balance
b. Decrement $_SESSION["current_balance"] by amount.
c. Print the unique updated A row and the new T row to the browser, etc., as in (1) above.
3. As usual use get_A and get_T to capture the results for a possible mail message, based on the form's checkbox. Send mail if the box is checked.
AFTER the transact.php page's section above:
1. Define a hyperlink in the HTML section of the page which the user can click to go back to the user.php script. The session will still continue and user.php will present a new form.
2. Optionally, for the bonus question below, you can define another hyperlink to an additional session script that completely logs out the session. You have to research for yourself how the logout script works.
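Section III B end to end as an added example of transact.php (not the assignment's own code). It assumes Login.php stored name and current_balance in the session, that table A has columns name, email and current_balance, that table T has columns name, type, amount and ts, and that the DB credentials are placeholders; get_A/get_T are replaced by a direct re-read of the updated row. Bound parameters replace mysql_real_escape_string. Beyond the steps above it also re-checks the balance inside the withdrawal UPDATE, because the session copy of the balance can be stale, and wraps the T insert and A update in one DB transaction so the two tables cannot disagree.

```php
<?php
// Added example of transact.php (not the assignment's own code).
// Assumptions: Login.php stored name and current_balance in the session; table A has
// columns name, email, current_balance; table T has columns name, type, amount, ts;
// DB credentials are placeholders. Bound parameters replace mysql_real_escape_string.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Authorization guard: only a logged-in 'user' session may run this script (admins excluded).
if (($_SESSION['logged_in'] ?? false) !== true || ($_SESSION['state'] ?? '') !== 'user') {
    header('Refresh: 2; url=Login.html');
    echo 'You are not authorized to run this script; returning to login.';
    exit;
}

// Accept only a positive decimal with at most two places; anything else is rejected outright.
function parse_amount(string $raw): ?float
{
    $raw = trim($raw);
    return (preg_match('/^\d{1,9}(\.\d{1,2})?$/', $raw) && (float)$raw > 0) ? (float)$raw : null;
}

$name   = (string)$_SESSION['name'];
$choice = $_POST['choice'] ?? '';
$amount = parse_amount((string)($_POST['amount'] ?? ''));

if (!in_array($choice, ['D', 'W'], true) || $amount === null) {
    echo '<p>Invalid transaction request.</p>';
} elseif ($choice === 'W' && $amount > (float)$_SESSION['current_balance']) {
    echo '<p>Warning: withdrawal exceeds your current balance; nothing was changed.</p>';
} else {
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $db->begin_transaction();
    try {
        // Log the transaction to T.
        $ins = $db->prepare('INSERT INTO T (name, type, amount, ts) VALUES (?, ?, ?, NOW())');
        $ins->bind_param('ssd', $name, $choice, $amount);
        $ins->execute();

        // Update A. The withdrawal re-checks the balance inside the UPDATE because the
        // session copy can be stale (two browser tabs, or a balance changed elsewhere).
        if ($choice === 'W') {
            $upd = $db->prepare('UPDATE A SET current_balance = current_balance - ? '
                              . 'WHERE name = ? AND current_balance >= ?');
            $upd->bind_param('dsd', $amount, $name, $amount);
        } else {
            $upd = $db->prepare('UPDATE A SET current_balance = current_balance + ? WHERE name = ?');
            $upd->bind_param('ds', $amount, $name);
        }
        $upd->execute();
        if ($upd->affected_rows !== 1) {
            throw new RuntimeException('balance check failed or account row missing');
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollback();   // T and A stay consistent: either both changed or neither did
        echo '<p>Transaction failed; your balance is unchanged.</p>';
        exit;
    }

    // Keep the session copy of the balance in step with the DB.
    $_SESSION['current_balance'] = (float)$_SESSION['current_balance'] + ($choice === 'D' ? $amount : -$amount);

    // Stand-in for get_A/get_T: re-read the updated row and build an escaped report.
    $sel = $db->prepare('SELECT name, email, current_balance FROM A WHERE name = ?');
    $sel->bind_param('s', $name);
    $sel->execute();
    $acct   = $sel->get_result()->fetch_assoc();
    $report = sprintf('%s: %s of %.2f, new balance %.2f', $acct['name'],
                      $choice === 'D' ? 'deposit' : 'withdrawal', $amount, $acct['current_balance']);
    echo '<p>' . htmlspecialchars($report, ENT_QUOTES, 'UTF-8') . '</p>';

    // Mail copy only if the box was checked, and only to the address on file, never to an
    // address supplied by the form.
    if (($_POST['mailcopy'] ?? '') === '1' && filter_var($acct['email'], FILTER_VALIDATE_EMAIL)) {
        mail($acct['email'], 'Transaction receipt', $report);
    }
}
?>
<p><a href="user.php">Back to the transaction form</a> | <a href="logout.php">Log out</a></p>
```

The overdraft test on the session value gives the user the friendly warning the assignment asks for; the AND current_balance >= ? in the UPDATE is what actually enforces the limit, since it runs against the DB row under the transaction rather than against a copy taken at login time.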
Other Required Features - use hashed customer passwords in Accounts and the mysql_real_escape_string function to protect against SQL injection.
CHALLENGES and Supplemental problems -
Use external JS library including the