remove the gift with the specified gift_id from the current guest's shopping list. The user is identified by the username session variable ($_SESSION['username']).

The script checks that the user is authenticated using the logincheck() function, and that the URL requested by the browser includes attributes and values in a query string. As discussed earlier, the query-string attributes can be accessed as elements of the $_GET superglobal array. Note that the count($_GET) test only establishes that the query string is non-empty; it does not guarantee that both gift_id and action are present. The action.php script first cleans the values in $_GET['gift_id'] and $_GET['action'] and assigns them to the variables $gift_id and $action:
<?php
// action.php: Add or remove a gift from the user's shopping list

// Include database parameters and related functions
require_once("db.php");

// Check if the user is logged in
// (this also starts the session)
logincheck();

// Secure the user data
if (count($_GET))
{
  // Connect to the MySQL DBMS and use the wedding database
  // - credentials are in the file db.php
  if (!($connection = @mysqli_connect(
          $DB_hostname, $DB_username, $DB_password, $DB_databasename)))
    showerror($connection);

  $gift_id = clean($_GET['gift_id'], 5);
  $action  = clean($_GET['action'], 6);

  // ...
The script then checks whether the requested action is either add or remove. If it isn't, we stop processing: this avoids corrupting the database and also blocks an attacker who is trying to manipulate the behavior of our script by editing the URL. The script proceeds beyond this point only if a valid action has been requested, so we don't need an else clause on the if statement. One caveat: die() writes $action back into the response, so unless clean() already neutralises HTML markup, the value should be encoded (for example with htmlspecialchars()) before it is echoed; otherwise a crafted link reflects attacker-controlled text into the page:
  // Is the action something we know about?
  if ($action != "add" && $action != "remove")
    // No, it's not; perhaps someone's trying to manipulate the
    // URL query string?
    die("Unknown action: " . $action);

  // The program should reach this point only if the action is add
  // or remove, since otherwise processing stops with the die()
  // instruction.

  // What did the user want us to do?
  if ($action == "add")
  {
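The following is an added example, not the book's action.php and not part of its db.php helpers. It shows the parameter checks described above in a stricter, stand-alone form: an exact allowlist for action, a positive check that gift_id is a short string of digits (the book's clean() only truncates and escapes, it does not verify that the value is a number), presence checks for both parameters (count($_GET) alone does not give you that), and an error message that HTML-encodes the offending value instead of echoing it raw. The function names validate_action_request() and safe_error_message(), the 5- and 6-character limits, and the sample URLs are assumptions made for this illustration; the limits mirror the clean() calls in the original script. The sample requests are constructed to show what $_GET holds for each URL, including the gift_id[]=1 case where PHP hands the script an array rather than a string.

```php
<?php
// Added example (not the book's action.php): a stricter version of the
// parameter checks described in the text. Assumptions: the request carries
// action=add|remove and gift_id as a string of at most 5 ASCII digits,
// matching the clean($_GET['gift_id'], 5) and clean($_GET['action'], 6)
// calls in the original script. Nothing here touches the database.

// Allowlist of actions the script knows about. Anything else is rejected
// before any database work happens.
const KNOWN_ACTIONS = array('add', 'remove');

/**
 * Validate the query-string parameters for action.php.
 *
 * Returns array('action' => string, 'gift_id' => int) when the request is
 * well formed, or a string describing why it was rejected.
 */
function validate_action_request(array $params)
{
    // count($_GET) > 0 is not enough: both parameters must actually be present.
    if (!isset($params['action'], $params['gift_id'])) {
        return 'missing action or gift_id';
    }
    $action  = $params['action'];
    $gift_id = $params['gift_id'];

    // Exact, type-strict allowlist match (no type juggling, no substrings).
    if (!is_string($action) || !in_array($action, KNOWN_ACTIONS, true)) {
        return 'unknown action';
    }

    // gift_id must be a short string of digits. A query string such as
    // gift_id[]=1 makes PHP hand us an array, so check the type first.
    if (!is_string($gift_id) || $gift_id === '' || strlen($gift_id) > 5
        || !ctype_digit($gift_id)) {
        return 'invalid gift_id';
    }

    return array('action' => $action, 'gift_id' => (int) $gift_id);
}

/**
 * Build an error message that is safe to send to the browser. The offending
 * values came from the URL, so they are HTML-encoded rather than echoed raw
 * as die("Unknown action: ".$action) would do.
 */
function safe_error_message($reason, array $params)
{
    $shown = array();
    foreach (array('action', 'gift_id') as $name) {
        if (isset($params[$name]) && is_string($params[$name])) {
            $shown[] = $name . '=' . htmlspecialchars($params[$name], ENT_QUOTES, 'UTF-8');
        }
    }
    return 'Rejected request (' . $reason . '): ' . implode(', ', $shown);
}

// Constructed sample requests: what $_GET holds for each URL.
$samples = array(
    'action.php?action=add&gift_id=42'         => array('action' => 'add',      'gift_id' => '42'),
    'action.php?action=remove&gift_id=7'       => array('action' => 'remove',   'gift_id' => '7'),
    'action.php?action=remove'                 => array('action' => 'remove'),
    'action.php?action=drop&gift_id=7'         => array('action' => 'drop',     'gift_id' => '7'),
    'action.php?action=add&gift_id=7+OR+1%3D1' => array('action' => 'add',      'gift_id' => '7 OR 1=1'),
    'action.php?action=add&gift_id[]=1'        => array('action' => 'add',      'gift_id' => array('1')),
    'action.php?action=%3Cscript%3E&gift_id=1' => array('action' => '<script>', 'gift_id' => '1'),
);

foreach ($samples as $url => $get) {
    $result = validate_action_request($get);
    if (is_array($result)) {
        printf("%-44s OK      action=%s gift_id=%d\n", $url, $result['action'], $result['gift_id']);
    } else {
        printf("%-44s REJECT  %s\n", $url, safe_error_message($result, $get));
    }
}
```

Run it from the command line with php (PHP 5.6 or later, for the array constant); the first two sample requests are accepted and the rest are rejected with an encoded explanation. Because gift_id comes back as an integer, the later INSERT or DELETE can bind it as a parameter rather than splice it into the SQL string. Two further points the chapter does not cover but a reviewer would raise: state-changing actions triggered by a plain GET link can be fired by any page the logged-in guest visits (a CSRF risk), and validating a value's format is separate from checking that the guest is allowed to act on that particular gift_id.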