
Implementing Login

When a brand new user comes to our site, there are three things we would like them to do. First, look at what we have to offer; second, sign up with us; and third, log in. We will look at each of these in turn.

In Figure 28.4, you can see the screen we present to users when they first come to our site.

Figure 28.4. On arrival, users can create a new account, view available lists, or just log in.

We'll look at creating a new account and logging in now, and return to viewing list details in the "Implementing User Functions" and "Implementing Administrative Functions" sections later on.

Creating a New Account

If a user selects the New Account menu option, the new-account action is triggered, which runs the following code in index.php:

case 'new-account':

{
  unset($normal_user);
  unset($admin_user);
  display_account_form($normal_user, $admin_user);
  break;
}

This code effectively logs out a user if they are currently logged in, and displays the account details form as shown in Figure 28.5.

Figure 28.5. The new account creation form enables users to enter their details.

This form is generated by the display_account_form() function from the output_fns.php library. This function is used both here and in the account-settings action to display a form to enable the user to set up an account. If the function is invoked from the account-settings action, the form will be filled with the user's existing account data. Here the form is blank, ready for new account details. Because this function only outputs HTML, we will not go through it here.

The submit button on this form invokes the store-account action. The code for this action is as follows:

case 'store-account':
{
  if (store_account($normal_user, $admin_user, $HTTP_POST_VARS))
    $action = '';
  if(!check_logged_in())
    display_login_form($action);
  break;
}

The store_account() function writes the account details to the database. The code for this function is shown in Listing 28.3.

Listing 28.3 store_account() Function from mlm_fns.php—This Function Adds a New Subscriber or Lets an Existing Subscriber Modify Their Details
// add a new subscriber to the database, or let a user modify their data
function store_account($normal_user, $admin_user, $details)
{
  if(!filled_out($details))
  {
    echo "All fields must be filled in.  Try again.<br><br>";
    return false;
  }
  else
  {
    if(subscriber_exists($details['email']))
    {
      //check logged in as the user they are trying to change
      if(get_email()==$details['email'])
      {
        $query = "update subscribers set realname = '$details[realname]',
                                         mimetype = '$details[mimetype]'
                  where email = '" . $details[email] . "'";
        if(db_connect() && mysql_query($query))
        {
          return true;
        }
        else
        {
          echo "could not store changes.<br><br><br><br><br><br>";
          return false;
        }
      }
      else
      {
        echo "<p>Sorry, that email address is already registered here.";
        echo "<p>You will need to log in with that address to change "
             ." Web settings.";
        return false;
      }
    }
    else // new account
    {
      $query = "insert into subscribers
                values ('$details[email]',
                        '$details[realname]',
                        '$details[mimetype]',
                        password('$details[new_password]'),
                        0)";
      if(db_connect() && mysql_query($query))
      {
        return true;
      }
      else
      {
        echo "Could not store new account.<br><br><br><br><br><br>";
        return false;
      }
    }
  }
}

This function first checks that the user has filled in the required details.

If this is okay, the function will then either create a new user, or update the account details if the user already exists. A user can only update the details of the account she is currently logged in as.

This is checked using the get_email() function, which retrieves the email address of the user who is currently logged in. We'll return to this later, as it uses session variables that are set up when the user logs in.

Logging In

If a user fills in the login form we saw back in Figure 28.4 and clicks on the Log In button, she will enter the index.php script with the $email and $password variables set. This will activate the login code, which is in the pre-processing stage of the script, as follows:

// need to process log in or out requests before anything else
  if($email&&$password)
  {
    $login = login($email, $password);

    if($login == 'admin')
    {
      $status .= "<p><b>".get_real_name($email)."</b> logged in"
                  ." successfully as <b>Administrator</b><br><br><br><br><br>";
      $admin_user = $email;
      session_register("admin_user");
    }
    else if($login == 'normal')
    {
      $status .= "<p><b>".get_real_name($email)."</b> logged in"
                 ." successfully.<br><br>";
      $normal_user = $email;
      session_register("normal_user");
    }
    else
    {
      $status .= "<p>Sorry, we could not log you in with that
                  email address and password.<br>";
    }
  }

As you can see, we first try to log them in using the login() function from the user_auth_fns.php library. This is slightly different from the login functions we have used elsewhere, so we'll take a look at it. The code for this function is shown in Listing 28.4.

Listing 28.4 login() Function from user_auth_fns.php—This Function Checks a User's Login Details
function login($email, $password)
// check username and password with db
// if yes, return login type
// else return false
{
  // connect to db
  $conn = db_connect();
  if (!$conn)
    return 0;

  $query = "select admin from subscribers
                         where email='$email'
                         and password = password('$password')";
  //echo $query;
  $result = mysql_query($query);
  if (!$result)
    return false;

  if (mysql_num_rows($result)<1)
    return false;

  if(mysql_result($result, 0, 0) == 1)
    return 'admin';
  else
    return 'normal';
}

Previously with login functions, we have returned true if the login was successful and false if it was not. In this case, we still return false if the login failed, but if it was successful we return the user type, either 'admin' or 'normal'. We check the user type by retrieving the value stored in the admin column of the subscribers table for the given combination of email address and password. If no rows are returned, we return false. If the user is an administrator, this value will be 1 (true), and we return 'admin'. Otherwise, we return 'normal'.

Returning to the main line of execution, we register a session variable to keep track of who our user is. This will either be $admin_user if she is an administrator, or $normal_user if she is a regular user. Whichever one of these variables we set will contain the email address of the user. To simplify retrieving the email address of the logged-in user, we use the get_email() function mentioned earlier. This function is shown in Listing 28.5.

Listing 28.5 get_email() function from mlm_fns.php—Returns the Email Address of the Logged In User
function get_email()
{
  global $normal_user;
  global $admin_user;

  if (session_is_registered("normal_user"))
    return $normal_user;
  if (session_is_registered("admin_user"))
   return $admin_user;

  return false;
}

Back in our main program, we report to the user whether she was logged in or not, and at what level.
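The same login path as Listings 28.4 and 28.5 and the index.php pre-processing block, with the string-interpolated SQL, MySQL's PASSWORD() and session_register() replaced by bound parameters, password_hash()/password_verify() and $_SESSION. This is an added example, not the book's code: the in-memory SQLite subscribers table and its two rows are constructed here so the block runs stand-alone.

```php
<?php
// Added example, not the book's code. Same contracts as login()/get_email(),
// but the email is bound rather than spliced into the query, passwords are
// stored as password_hash() output, and the login is held in $_SESSION.
function db_connect(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');   // stands in for the MySQL database
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('create table subscribers (email text primary key, realname text,
                    mimetype text, password text, admin integer)');
        // constructed sample rows, same column order as the book's subscribers table
        $ins = $pdo->prepare('insert into subscribers values (?, ?, ?, ?, ?)');
        $ins->execute(['admin@example.com', 'Admin', 'H', password_hash('adminpw', PASSWORD_DEFAULT), 1]);
        $ins->execute(['user@example.com', 'User', 'T', password_hash('userpw', PASSWORD_DEFAULT), 0]);
    }
    return $pdo;
}

// Same contract as Listing 28.4: returns 'admin', 'normal', or false.
function login(string $email, string $password)
{
    $stmt = db_connect()->prepare('select password, admin from subscribers where email = ?');
    $stmt->execute([$email]);    // email is a bound parameter, never part of the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return false;            // unknown email and wrong password give the same result
    }
    return (int)$row['admin'] === 1 ? 'admin' : 'normal';
}

// Same contract as Listing 28.5: email of the logged-in user, or false.
function get_email()
{
    return $_SESSION['normal_user'] ?? $_SESSION['admin_user'] ?? false;
}

// Equivalent of the pre-processing block in index.php; returns the status text.
function process_login(string $email, string $password): string
{
    $login = login($email, $password);
    if ($login === false) {
        return 'Sorry, we could not log you in with that email address and password.';
    }
    if (session_status() === PHP_SESSION_ACTIVE) session_regenerate_id(true); // new id on login
    $_SESSION = [];              // drop any earlier login before recording this one
    $_SESSION[$login === 'admin' ? 'admin_user' : 'normal_user'] = $email;
    return "$email logged in successfully as $login";
}
```

Call session_start() before process_login() in a real request; get_email() then returns the stored address for either user level, exactly as the book's version does with its two session variables.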

The output from one login attempt is shown in Figure 28.6.

Figure 28.6. The system reports to the user that login was successful.

Now that we have logged in a user, we can proceed to the user functions.
