12/4/10 9:17 PM
Form Validation and User Authentication :: WDDBS ASL: Advanced Server-Side Languages
Page 1 of 4
http://localhost:8888/ASL/portal/daily/form-validation
Form Validation & User Authentication

Use your HTML skeleton to create a new form that can be used to authenticate (log in) a user by their email address and password:

    <form action="?" method="post">
        <h1>Log In</h1>
        <dl>
            <dt>Email:</dt>
            <dd><input type="email" name="email" /></dd>
            <dt>Password:</dt>
            <dd><input type="password" name="password" /></dd>
        </dl>
        <input type="submit" value="Continue" />
    </form>

Notice that the form's method attribute is set to POST instead of GET. This ensures that the submitted information, the email address and password, are passed in the body of the HTTP request and not in the URL—they don't show up in the browser's URL bar. A form action of ? ensures that the form submits back to itself.

If you enter information and submit the form nothing happens yet, so add some code to the top of your body that dumps out the form variables. Form variables are populated into PHP's $_POST scope and ColdFusion's Form scope.

PHP:

    <?php
    require 'dBug.php';   // dBug is a third-party variable-dumping class; dBug.php is assumed to sit beside this page
    new dBug($_POST);
    ?>

CFML:

    <cfdump var="#Form#" label="[truncated in source]" />

CFScript:

    <cfscript>
        writeDump(Form);
    </cfscript>

When you complete and submit the form, you should see the values you entered:

PHP $_POST (array):

    email       rosborne@fullsail.com
    password    mysecret

CFML & CFScript Form (struct):

    EMAIL        rosborne@fullsail.com
    FIELDNAMES   EMAIL,PASSWORD
    PASSWORD     mysecret
Before you can authenticate the user, you should ensure the email address is in a valid format and the password isn't blank. Since the form is posting back to itself, you can't assume it has been submitted—this may be the first time the page has been loaded. You should be paranoid and look to see if the form variables exist.

You shouldn't just check for one form field, for example just email and not password, as you can't assume the form submission isn't a bot or a malicious user trying to find holes in your application.

PHP:

    <?php
    if (isset($_POST['email']) && isset($_POST['password'])) {
        // more code will go here
    } // if we got email and password

CFML:

    <cfif structKeyExists(Form, "email") and structKeyExists(Form, "password")>
        <!--- more code will go here --->
    </cfif>

CFScript:

    if (structKeyExists(Form, "email") and structKeyExists(Form, "password")) {
        // more code will go here
    }

Once you are sure all of the form fields are present, you can continue on to clean up the fields and make sure they look okay:

PHP:

    <?php
    require 'EmailAddressValidator.php';   // assumed file name for the third-party EmailAddressValidator class
    $email = mb_strtolower(trim($_POST['email']));
    $password = trim($_POST['password']);
    $validator = new EmailAddressValidator;
    if (($password !== '') && $validator->check_email_address($email)) {
        // authentication code here
    }

CFML:

    <cfset email = lcase(trim(Form.email)) />
    <cfset password = trim(Form.password) />
    <cfif (password neq "") and isValid("email", email)>
        <!--- authentication code here --->
    </cfif>

CFScript:

    email = lcase(trim(Form.email));
    password = trim(Form.password);
    if ((password neq "") and isValid("email", email)) {
        // authentication code here
    }

Once you are sure that all of the form inputs look okay, you can connect to the database and query for the user:
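As an added example (not code from the handout), here are the three checks above, presence of every field, clean-up, and the "looks okay" format check, collected into one PHP function that runs offline on constructed input. It swaps the handout's EmailAddressValidator class for PHP's built-in filter_var(FILTER_VALIDATE_EMAIL) and also rejects a field that arrives as an array rather than a string (PHP accepts email[]=x from a client, and trim() on an array fails); the function name validateLoginForm and the sample submissions are assumptions.

```php
<?php
// Added example, not from the handout. Field names 'email' and 'password'
// match the login form; everything else (function name, samples) is assumed.

/**
 * Validate a login form submission.
 *
 * @param array $post  the submitted fields (normally $_POST; any array works,
 *                     so the function can be exercised without a web server)
 * @return array       ['ok' => bool, 'email' => string, 'password' => string,
 *                      'errors' => string[]]
 */
function validateLoginForm(array $post): array
{
    $errors = [];

    // Step 1: every expected field must be present and be a plain string.
    // A client can send any subset of the fields, or arrays instead of
    // strings, so check each one instead of assuming the form sent them.
    foreach (['email', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[] = "missing or malformed field: $field";
        }
    }
    if ($errors !== []) {
        return ['ok' => false, 'email' => '', 'password' => '', 'errors' => $errors];
    }

    // Step 2: clean up. E-mail addresses are matched case-insensitively, so
    // trim and lower-case them; the password is only trimmed, as on the handout.
    $email    = mb_strtolower(trim($post['email']));
    $password = trim($post['password']);

    // Step 3: "looks okay" checks that need no database.
    if ($password === '') {
        $errors[] = 'password is blank';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    return [
        'ok'       => $errors === [],
        'email'    => $email,
        'password' => $password,
        'errors'   => $errors,
    ];
}

// Constructed sample submissions (not captured requests).
$samples = [
    ['email' => '  Rosborne@FullSail.com ', 'password' => 'mysecret'],  // valid after clean-up
    ['email' => 'not-an-address',           'password' => 'mysecret'],  // bad e-mail format
    ['email' => 'a@b.example'],                                          // password never sent
    ['email' => ['x@y.example'],            'password' => 'p'],         // array instead of string
];
foreach ($samples as $submission) {
    $result = validateLoginForm($submission);
    echo ($result['ok'] ? 'OK   ' : 'FAIL ') . implode('; ', $result['errors']) . PHP_EOL;
}
```

Only the first sample passes. Returning the cleaned values alongside the verdict means the authentication step that follows works on exactly the strings that were validated, rather than reading $_POST a second time.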
PHP:

    <?php
    // the database user name and password are assumed to be defined earlier in the page
    $db = new PDO('mysql:host=127.0.0.1;port=8889;dbname=adb', $dbUsername, $dbPassword);
    $stmt = $db->prepare('
        SELECT id, name, email
        FROM Users
        WHERE (email = :email)
        AND (password = MD5(:password))
    ');
    $stmt->execute(array(
        ':email'    => $email,
        ':password' => $password
    ));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

CFML:

    <cfquery name="user">
        SELECT id, name, email
        FROM Users
        WHERE (email = <cfqueryparam value="#email#" cfsqltype="cf_sql_varchar" />)
        AND (password = MD5(<cfqueryparam value="#password#" cfsqltype="cf_sql_varchar" />))
    </cfquery>

CFScript:

    stmt = new Query(sql = "
        SELECT id, name, email
        FROM Users
        WHERE (email = :email)
        AND (password = MD5(:password))
    ");
    stmt.addParam(name = "email", value = email, cfsqltype = "cf_sql_varchar");
    stmt.addParam(name = "password", value = password, cfsqltype = "cf_sql_varchar");
    user = stmt.execute().getResult();

If the user entered a valid email address and password, and a valid record was returned from the database, you can store their information in the Session scope to be used later. Dump out the Session scope to verify the information is there.

For both languages, Session concurrency is an issue. If a user has multiple pages open at the same time and each tries to modify the Session, the user could see strange problems. For this reason, writes to the Session scope are locked to single-thread them: only one page request at a time can write to the scope.

ColdFusion and PHP use different Session-locking semantics. PHP automatically locks the Session scope when the session_start function is called at the top of the page, so the page can safely assume that it has exclusive access to the Session scope. ColdFusion puts the responsibility of locking the Session scope on the programmer, using the cflock tag or lock statement.

Given valid login credentials, you should see Session dumps:
PHP:

    <?php
    // session_start() must already have been called at the top of the page
    if ($user !== FALSE) {
        $_SESSION['user'] = $user;
        new dBug($_SESSION);
    }

CFML:

    <!--- exactly one matching record; cflock requires a timeout, 10 seconds is an assumed value --->
    <cfif user.recordCount eq 1>
        <cflock scope="Session" type="exclusive" timeout="10">
            <cfset Session.user = user />
        </cflock>
        <cfdump var="#Session#" />
    </cfif>

CFScript:

    // exactly one matching record; lock requires a timeout, 10 seconds is an assumed value
    if (user.recordCount eq 1) {
        lock scope="Session" type="exclusive" timeout="10" {
            Session.user = user;
        }
        writeDump(Session);
    }

PHP $_SESSION (array):

    user (array)
        id      1
        name    Rick O
        email   rosborne@fullsail.com

CFML & CFScript Session (struct):

    USER (query)
        row   EMAIL                   ID   NAME
        1     rosborne@fullsail.com   1    Rick O
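As an added example (not code from the handout), the lookup-and-store step above in PHP, written so it runs offline: an in-memory SQLite database via PDO stands in for the MySQL server, and the Users table with one constructed record is created in the script. Two things differ from the handout's query, and both are labelled as the editor's changes: the password is stored as a password_hash() digest and checked in PHP with password_verify() instead of comparing MD5(:password) inside the SQL (MD5 is unsalted and fast to brute-force, and password_verify compares in constant time), and the session id is regenerated when the user logs in so that an id issued before authentication is not carried over. The function names openSampleDatabase, authenticate and logIn are assumptions.

```php
<?php
// Added example, not from the handout. Table and column names follow the
// handout's query; the sample record, digest scheme and function names are
// the editor's.

function openSampleDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');   // stand-in for the handout's MySQL DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE, password TEXT)');
    $ins = $db->prepare('INSERT INTO Users (name, email, password) VALUES (:name, :email, :password)');
    // Constructed sample record; the digest is computed at run time, never stored as plain text.
    $ins->execute([
        ':name'     => 'Rick O',
        ':email'    => 'rosborne@fullsail.com',
        ':password' => password_hash('mysecret', PASSWORD_DEFAULT),
    ]);
    return $db;
}

/**
 * Look the user up by e-mail with a prepared statement (as on the handout)
 * and verify the password in PHP. Returns the row without the digest, or
 * null when the e-mail is unknown or the password does not match.
 */
function authenticate(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, name, email, password FROM Users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy digest when the e-mail is unknown, so an unknown
    // user takes about as long as a wrong password (no enumeration by timing).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $digest  = ($row !== false) ? $row['password'] : $dummy;
    $matches = password_verify($password, $digest);
    if ($row === false || !$matches) {
        return null;
    }
    unset($row['password']);   // keep the digest out of the session
    return $row;
}

/** Store the authenticated user in the session, as the handout does, under a fresh session id. */
function logIn(array $user): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // discard the id the visitor had before logging in
    }
    $_SESSION['user'] = $user;
}

session_start();   // as on the handout: before any output; PHP holds the session lock from here
$db = openSampleDatabase();
$attempts = [
    ['rosborne@fullsail.com', 'mysecret'],   // correct credentials
    ['rosborne@fullsail.com', 'wrong'],      // wrong password
    ['nobody@example.com',    'mysecret'],   // unknown e-mail
];
foreach ($attempts as [$email, $password]) {
    $user = authenticate($db, $email, $password);
    if ($user === null) {
        echo "$email: rejected" . PHP_EOL;
    } else {
        logIn($user);
        echo "$email: logged in as {$user['name']} (session user id {$_SESSION['user']['id']})" . PHP_EOL;
    }
}
session_write_close();   // release the session lock once the page is done writing to the session
```

The lock that session_start() takes is held until the request ends or session_write_close() is called, so a page that has finished with the session and then does slow work (a long query, an outbound HTTP call) blocks every other request from the same browser for that long; closing the session early is the PHP-side counterpart of keeping a ColdFusion cflock block short.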
While there are minor syntactic differences between PHP and CFML when it comes to validating form data and authenticating users, you can see that the same process is used for both:

1. Check that all form fields were submitted.
2. Clean up any fields as necessary. (Trim spaces, lowercase email addresses, etc.)
3. Validate that each field looks okay. (Email formats, non-empty required fields, number ranges, dates, etc.)
4. Validate that each field is okay, for example against a database.