No problem! I did see your other post, but unfortunately, I have no experience with Tiny MCE so I didn't feel comfortable responding.
What you're looking for doesn’t sound too complex. There are two simple options that I can think of:
1. Allow users to register using their email address and a password. During the registration process, send them an email with a verification code to confirm they own the email. When they visit your site, they log in using their email and password and the system then allows them to edit the entries associated with their email address.
2. The user visits your calendar and enters their email address. The system emails them a temporary access code, and this code allows them to create/edit events with their email address.
Option one is the more powerful option - it is a full login system, and they don't have to verify their email each time they want to edit their events.
Option two is the simpler option - there is no persistent login system, but they must verify their email each time they want to access their events.
Both options require sending emails.
Is your webserver set up to send emails?
Ah thanks, that helps a lot to clarify what you’re trying to achieve. I assume the events are already set up and stored in a MySQL database?
For your scenario, I’d recommend adding a verification check on the PHP endpoint that is handling the editing of the calendar. The logic flow could be something such as:
1. User visits your site and authenticates (either with email + password or one time code [see below])
2. The server has now confirmed that the user owns the email address <x>. Store the validated email in the user’s session
3. On the post-login page, query the database to select all entries where the email is <x>. Use the email stored in the session, not any input from the user. Generate the list of links and display it to the user
4. Each calendar link points to the same PHP page with a get parameter to specify the calendar item they’re accessing. E.g.
/editCalendarEvent.php?id=<y>
(where <y> is the ID of the item).
5. The user clicks one of the links and is redirected to /editCalendarEvent.php?id=<y>
6. The script queries the database to get the details of the relevant calendar item. You check to ensure that the value of the email in the user’s session matches the email stored against calendar item <y> in the database. You will need to sanitise all input that the user can impact (to prevent injection attacks). This means sanitising both the id value <y>, and the user’s email address <x>. You’d check that they have access when they first navigate to the edit page (to ensure they’re viewing the editing page for their event), and again when they submit the edit (to ensure they’re submitting an edit on a calendar item they own).
A sample query for loading a calendar event only for the user who owns it is included below. Just note I haven’t tested it so there may be errors, and it also needs more stuff added to it such as validation / error handling. You’d implement a similar process for updating the value of an existing item in the database.
I would highly recommend using prepared PDO statements, instead of MySQLi, as it has strong benefits including ease-of-use, security, and speed.
PHP Code:
<?php
/*
Please note that this example doesn't really account for error handling
Some of the code, such as the PDO connection may throw an error such as PDOException
There's a lot of disagreement about how to handle errors in PHP
It doesn't really matter if you want to put it in a try/catch statement, or if you want to configure PHP to
handle the error gracefully, or if you want to bind an error handler.
All you need to make sure is that you don't display error messages + debugging info to the user.
Log the error / debugging info and give the user a generic error instead.
Interesting post here - https://phpdelusions.net/articles/error_reporting and some more opinions here - https://stackoverflow.com/a/6455041
*/
session_start();
//The ownership check depends on a validated email being in the session, so refuse requests without one.
if (empty($_SESSION['email'])) {
    die("Please log in first.");
}
//Validate the calendar ID from the URL before it reaches the query: it must be a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    die("Invalid calendar event ID.");
}
//Update this to your connection parameters. If you're security conscious, you should move these values out of source code and into a configuration file. See https://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php
$dbHost = "localhost";
$dbName = "db";
$dbUser = "username";
$dbPass = "password";
try {
    $pdo = new \PDO("mysql:host={$dbHost};dbname={$dbName};charset=utf8", $dbUser, $dbPass);
    $pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
}
catch(\PDOException $e) {
    //Don't print exception messages ($e) to users. See my comment at the top of the code for more info.
    die("Connection error");
}
//Customise your SQL query as required
$stmt = $pdo->prepare("SELECT * FROM calendarEvents WHERE id=:id AND email=:email");
//Even though using prepared statements protects from SQL Injection, you still need to validate both the ID and email! Don't use without validation!
$stmt->bindValue(':id', $id, \PDO::PARAM_INT); //The validated calendar ID parameter from the URL
$stmt->bindValue(':email', $_SESSION['email'], \PDO::PARAM_STR); //The user's email (from session, never from user input)
//Execute the SQL query, then read the single matching row
$stmt->execute();
$calendarItem = $stmt->fetch(\PDO::FETCH_ASSOC);
//That combination of event ID and user email doesn't exist in the database.
//Could be a user trying to access someone else's event, or an event that doesn't exist, etc.
if(!$calendarItem) {
    //Ideally you would gracefully handle this issue instead of using die
    die("That calendar event couldn't be found.");
}
//$calendarItem now contains the item you want to display.
?>
Please feel free to ask more questions, or for help with specific code.
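As an added example (not the poster's own code), here is the matching submit-side handler that step 6 says you need: it re-checks ownership when the edit is saved by putting the session email into the WHERE clause of the UPDATE itself. The table and column names (calendarEvents, id, email, title) and the connection values are assumed placeholders.

```php
<?php
// Added example: update handler that enforces ownership on submit (names assumed).
session_start();

// A submitted edit is only accepted from a logged-in user via POST.
if (empty($_SESSION['email'])) {
    http_response_code(403);
    exit('Please log in first.');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed.');
}

// Validate the inputs before they reach the query: id must be a positive integer,
// title must be non-empty and of a sane length (limits are assumed values).
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$title = trim((string)($_POST['title'] ?? ''));
if ($id === false || $id === null || $title === '' || mb_strlen($title) > 200) {
    http_response_code(400);
    exit('Invalid input.');
}

// Placeholder connection values; move them into configuration in real code.
try {
    $pdo = new \PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'username', 'password', [
        \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
        \PDO::ATTR_EMULATE_PREPARES => false,
        // Make rowCount() report matched rows, so an unchanged title isn't mistaken for "not found".
        \PDO::MYSQL_ATTR_FOUND_ROWS => true,
    ]);
} catch (\PDOException $e) {
    error_log($e->getMessage()); // details go to the log, never to the user
    http_response_code(500);
    exit('Connection error.');
}

// Ownership is enforced by the query: the row only changes when this id belongs to the
// email held in the session. The client never supplies the email.
$stmt = $pdo->prepare('UPDATE calendarEvents SET title = :title WHERE id = :id AND email = :email');
$stmt->bindValue(':title', $title, \PDO::PARAM_STR);
$stmt->bindValue(':id', $id, \PDO::PARAM_INT);
$stmt->bindValue(':email', $_SESSION['email'], \PDO::PARAM_STR);
$stmt->execute();

// Zero matched rows means either someone else's event or a non-existent id;
// answer both the same way so the response doesn't reveal which ids exist.
if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit("That calendar event couldn't be found.");
}
echo 'Event updated.';
```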