How can this code be improved

tbobker

I have started my first real application, and it has taught me alot already, i dont know much only i know that the code i have written is definately not efficient only it does the job that i intended..well for the moment.

I have started building a cms only it is a template system whereby you register and get given a URL www.mysite.com?username=someone and can administer your own website. All the content is in the database and i have a rough skeleton of what i want to achieve.

This is a link to see the front end:
www.theglobalarts.com/index1.txt

this is a link to see the admin section (to many if statements!!!!)
www.theglobalarts.com/index.txt

Some guidence on how to improve this would be great. I really want to design classes so i can prepare it to be expanded.

p.s The code critique rules said post here if not completly finished?

p.p.s go to www.theglobalarts.com/login.php if you want to test it out?

Thanks.

thorpe

Well, just for starters. Non numerical array indexes should be surrounded by quotes, so this...

if($_GET[username] =="")

should be...

if($_GET['username'] =="")

While were there, you really should be using...

if (isset($_GET['username']))

instead. You'll also need to use it on $_GET['id'] before trying to use that in a query, could cause warnings otherwise.

Should I go on?

tbobker

yes go on all you like, keep seeing this isset seems like an important 'function'?

bradgrafelman

Well, it's important in this situation in the fact that if the variable isn't set, it won't cause errors/notices, whereas the above code tries to compare the variable (whether it's set or not) to a value.

halojoy

Besides to change all $GET[username] to $GET['username']
and all $GET[id] to $GET['id']
you can start by removing one of two sessions_start();

And add this is first line of your script
error_reporting(E_ALL); ... this is DEBUG and what we use when Coding

here is the code of index.txt

<?php

error_reporting(E_ALL); // DEBUG Mode

session_start();

if (!$_SESSION['user']) { // Corrected ['user']

//   session_start(); we remove this

$_SESSION['user'] = $_POST['username']; // Correct a few bad things!

include("dbconnect.inc.php");

if ($rec = mysql_fetch_array(mysql_query("SELECT * FROM login WHERE username='$_POST[username]' AND password = '$_POST[password]'"))) {
    if (($rec['username'] == $_SESSION[user]) && ($rec['password'] == $_POST[password])) {
        include ("index.php");
        echo "<p class=data> <center>Successfully,Logged in<br>
		   <br><a href=index.php>Click here if your browser is not redirecting automatically or you don't want to wait.</a><br></center>";
        print "<script>";
        print " self.location='index.php';";
        print "</script>";
    } 
} else {
    echo'
                <html>
	    <body>
	      <div align="center">
	        <form method="post" action="', $PHP_SELF, '">';
    echo'Username:&nbsp;<input type="text" name="username"><br>
		   Password:&nbsp;<input type="password" name="password"><br>
		   <input type="submit">
	        </form>
	      </div>
	     </body>
	     </html>';
} 
} else {
    echo'
             <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
             <html>
             <head>
             <title>Admin Section</title>
             <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
		<style rel="stylesheet" type="text/css">
		a
		{
		  font-family: arial, sans serif;
		}
		a.head
		{
		  color: #ffffff;
		  text-decoration: none;

	}
	a.head:hover
	{
	  color: red;
	}
	</style>
         </head>
         <body>
       <table width="600" border="1" bordercolor="#000000" style="border-collapse: collapse" align="center" >
        <tr>
	          <td height="82" align="center" colspan="2"><a href="logout.php">LogOut</a>&nbsp;<a href="index.php">Admin Home</a></td>
        </tr>
             <tr>
               <td  align="center" colspan="2" bgcolor="blue">
             <font color="#ffffff"><a class="head" href="index.php?action=homepage">Home Page</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a class="head" href="index.php?action=addpage">Add Pages</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a class="head" href="index.php?action=editpage">Edit Pages</a></font>
           </td>
          </tr>';

include("dbconnect.inc.php");

if ($_GET[action] == 'addpage' && $_POST['submit']) {
    session_start();

    $name = $_SESSION[user];

    include("nav.php");
    include("dbconnect.inc.php");

    $sql = "INSERT INTO pages VALUES('','$name','$_POST[title]','$_POST[text]');";
    $result = mysql_query($sql, $conn);

    echo'<tr><td align=center>You have added a page</td></tr></table></body></html>';
} elseif ($_GET[action] == 'addpage') {

    ?> <tr>
                 <td  align="center">
		<br>
		<form name="" method="post" action="index.php?action=addpage">
  			<p>
        		<input type="text" name="title"><br><br>
		<textarea name="text" cols="40" rows="10"></textarea>
		<p>
    		<input type="submit" name="submit" value="submit">
      		</p>
			</form>
	      </td>
                </tr>
              </table>
           </body>
           </html>
	<?php
} elseif ($_GET['action'] == 'editpage' && $_POST['submit']) {
    $text = $_POST['text'];
    $title = $_POST['title'];
    $title_id = $_POST['title_id'];

    $sql = "UPDATE pages SET content = '$text', title = '$title' WHERE username = '$_SESSION[user]' AND title = '$title_id';";
    mysql_query($sql, $conn);
    echo'<tr><td align=center><font color=red>successfully updated the ' . $title_id . ' page</font></td></tr></table>';
} elseif ($_GET['action'] == 'editpage') {
    include("nav.php");

    ?>
		<?php nav();
    ?>

		<tr><td  align="center" colspan="2">
		<br>
		<form name="" method="post" action="index.php?action=editpage">
  			  <p>

	<?php
    $sql = "SELECT * from pages where username = '$_SESSION[user]' AND title='$_GET[id]'";
    $result = mysql_query($sql, $conn);
    $row = mysql_fetch_assoc($result);

    ?>
		     <input type="text" name="title" value="<?php echo $_GET[id];
    ?>"><br><br>

		     <!-- hidden field so that i can determin which title to update -->
		     <input type="hidden" name="title_id" value="<?php echo $_GET[id];
    ?>">
		     <textarea name="text" cols="40" rows="10"><?php echo $row[content];
    ?></textarea>
		     <br>
		     <p>
    		     <input type="submit" name="submit" value="submit">
		</form>
	      </td>
	     </tr>
           </table>
             </body>
             </html>
            <?php
} elseif ($_GET['action'] == 'homepage' && $_POST['submit']) {
    $text = $_POST['text'];
    $sql = "UPDATE home set content='$text' where username='$_SESSION[user]'";
    $result = mysql_query($sql, $conn);

    echo'<tr><td align=center><font color=red>You have succefully updated the Homepage</font></td></tr></table>';
} elseif ($_GET['action'] == 'homepage') {
    ?>
	      <tr><td  align="center" colspan="2">
		<br>
		<form name="" method="post" action="index.php?action=homepage">
  			  <p>

	<?php
    $sql = "SELECT * from home where username = '$_SESSION[user]'";
    $result = mysql_query($sql, $conn);
    $row = mysql_fetch_assoc($result);

    ?>
		     <textarea name="text" cols="40" rows="10"><?php echo $row[content];
    ?></textarea>
		     <br>
		     <p>
    		     <input type="submit" name="submit" value="submit">
		</form>
	      </td>
	     </tr>
           </table>
             </body>
             </html>
<?php } else {
    echo'<tr><td align=center>this is the admin homepage!</td></tr></table>';
} 
} 

?>

tbobker

Oh bloody hell i think that error_reporting(E_ALL); is showing up a few errors in my code.

There is only 4

Notice: Undefined index: user in /home/global/public_html/admin/index.php on line 7

Notice: Undefined index: username in /home/global/public_html/admin/index.php on line 11

Notice: Undefined index: username in /home/global/public_html/admin/index.php on line 15

Notice: Undefined index: password in /home/global/public_html/admin/index.php on line 15

are they talking about the indexes in $SESSION and $POST? the [this]

im not happy with this line;

if ($rec = mysql_fetch_array(mysql_query("SELECT * FROM login WHERE username='$_POST['username']' AND password = '$_POST['password']'"))) {

Does it seem ok to you?

bradgrafelman

Uh... few things.

Array indeces in your case should be strings. $row[name] does not have a string as an index, but a constant. PHP will detect this (assuming there actually isn't a constant named 'last') and throw an E_WARNING and then assume it is a string. So, use quotes: $row['name'].
Arrays, more specifically items in arrays referenced by indeces, should not simply appear inside a double-quoted string. If they do, they should be wrapped in braces ( {} ). Instead, I usually escape out of the string and concatenate the array in the middle, like so:
```
echo 'Your name is: ' . $row['name'] . '! Hello there.';
```
Instead of saying things like if (!$SESSION['user']) {, you should be using thorpe's approach of if (!isset($SESSION['user'])) {
As a general rule, you should try to separate HTML from PHP. Use separate includes or template files to put the HTML in, otherwise the code gets way to messy as yours has become.

I only corrected a small bit of the beginning of the code... glancing at the rest of the somewhat messy code, I think I'll let you give it a shot on your own.

<?php 

error_reporting(E_ALL); // DEBUG Mode 

session_start(); 

if (!$_SESSION['user']) { // BEGIN CORRECTIONS BY: bradgrafelman

require_once("dbconnect.inc.php"); 

if (isset($_POST['username']) && isset($_POST['password')) {
	$query = 'SELECT * FROM `login` WHERE `username`=\'' . $_POST['username'] . '\' AND `password` = \'' . $_POST[password] . '\' LIMIT 1';
	$exec = mysql_query($query) or die('MySQL error: ' . mysql_error());
	$rec = mysql_fetch_assoc($exec); 
        if (($rec['username'] == $_POST['username']) && ($rec['password'] == $_POST['password'])) { 
            $_SESSION['username'] = $_POST['username'];
            // include ("index.php"); <-- why are you including this?
            echo '<p class="data"> <center>Successfully Logged in<br> 
               <br><a href="index.php">Click here if your browser is not redirecting automatically or you don\'t want to wait.</a><br></center>'; 
			session_write_close(); // make sure session data is saved
			header('Location: index.php'); // This is more reliable than using a JS redirect
        } 
    } else { 
        echo ' 
                    <html> 
            <body> 
              <div align="center"> 
                <form method="post" action="' . $_SERVER['PHP_SELF'] . '">' . 
        'Username:&nbsp;<input type="text" name="username"><br> 
               Password:&nbsp;<input type="password" name="password"><br> 
               <input type="submit"> 
                </form> 
              </div> 
             </body> 
             </html>'; 
    } 
 // END CORRECTIONS BY: bradgrafelman
} else { 
    echo' 
             <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
             <html> 
             <head> 
             <title>Admin Section</title> 
             <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> 
        <style rel="stylesheet" type="text/css"> 
        a 
        { 
          font-family: arial, sans serif; 
        } 
        a.head 
        { 
          color: #ffffff; 
          text-decoration: none; 

    } 
    a.head:hover 
    { 
      color: red; 
    } 
    </style> 
         </head> 
         <body> 
       <table width="600" border="1" bordercolor="#000000" style="border-collapse: collapse" align="center" > 
          <tr> 
              <td height="82" align="center" colspan="2"><a href="logout.php">LogOut</a>&nbsp;<a href="index.php">Admin Home</a></td> 
        </tr> 
             <tr> 
               <td  align="center" colspan="2" bgcolor="blue"> 
             <font color="#ffffff"><a class="head" href="index.php?action=homepage">Home Page</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a class="head" href="index.php?action=addpage">Add Pages</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a class="head" href="index.php?action=editpage">Edit Pages</a></font> 
           </td> 
          </tr>'; 

include("dbconnect.inc.php"); 

if ($_GET[action] == 'addpage' && $_POST['submit']) { 
    session_start(); 

    $name = $_SESSION[user]; 

    include("nav.php"); 
    include("dbconnect.inc.php"); 

    $sql = "INSERT INTO pages VALUES('','$name','$_POST[title]','$_POST[text]');"; 
    $result = mysql_query($sql, $conn); 

    echo'<tr><td align=center>You have added a page</td></tr></table></body></html>'; 
} elseif ($_GET[action] == 'addpage') { 

    ?> <tr> 
                 <td  align="center"> 
        <br> 
        <form name="" method="post" action="index.php?action=addpage"> 
              <p> 
                <input type="text" name="title"><br><br> 
        <textarea name="text" cols="40" rows="10"></textarea> 
        <p> 
            <input type="submit" name="submit" value="submit"> 
              </p> 
            </form> 
          </td> 
                </tr> 
              </table> 
           </body> 
           </html> 
    <?php 
} elseif ($_GET['action'] == 'editpage' && $_POST['submit']) { 
    $text = $_POST['text']; 
    $title = $_POST['title']; 
    $title_id = $_POST['title_id']; 

    $sql = "UPDATE pages SET content = '$text', title = '$title' WHERE username = '$_SESSION[user]' AND title = '$title_id';"; 
    mysql_query($sql, $conn); 
    echo'<tr><td align=center><font color=red>successfully updated the ' . $title_id . ' page</font></td></tr></table>'; 
} elseif ($_GET['action'] == 'editpage') { 
    include("nav.php"); 

    ?> 
        <?php nav(); 
    ?> 

        <tr><td  align="center" colspan="2"> 
        <br> 
        <form name="" method="post" action="index.php?action=editpage"> 
                <p> 

    <?php 
    $sql = "SELECT * from pages where username = '$_SESSION[user]' AND title='$_GET[id]'"; 
    $result = mysql_query($sql, $conn); 
    $row = mysql_fetch_assoc($result); 

    ?> 
             <input type="text" name="title" value="<?php echo $_GET[id]; 
    ?>"><br><br> 

             <!-- hidden field so that i can determin which title to update --> 
             <input type="hidden" name="title_id" value="<?php echo $_GET[id]; 
    ?>"> 
             <textarea name="text" cols="40" rows="10"><?php echo $row[content]; 
    ?></textarea> 
             <br> 
             <p> 
                 <input type="submit" name="submit" value="submit"> 
        </form> 
          </td> 
         </tr> 
           </table> 
             </body> 
             </html> 
            <?php 
} elseif ($_GET['action'] == 'homepage' && $_POST['submit']) { 
    $text = $_POST['text']; 
    $sql = "UPDATE home set content='$text' where username='$_SESSION[user]'"; 
    $result = mysql_query($sql, $conn); 

    echo'<tr><td align=center><font color=red>You have succefully updated the Homepage</font></td></tr></table>'; 
} elseif ($_GET['action'] == 'homepage') { 
    ?> 
          <tr><td  align="center" colspan="2"> 
        <br> 
        <form name="" method="post" action="index.php?action=homepage"> 
                <p> 

    <?php 
    $sql = "SELECT * from home where username = '$_SESSION[user]'"; 
    $result = mysql_query($sql, $conn); 
    $row = mysql_fetch_assoc($result); 

    ?> 
             <textarea name="text" cols="40" rows="10"><?php echo $row[content]; 
    ?></textarea> 
             <br> 
             <p> 
                 <input type="submit" name="submit" value="submit"> 
        </form> 
          </td> 
         </tr> 
           </table> 
             </body> 
             </html> 
<?php } else { 
    echo'<tr><td align=center>this is the admin homepage!</td></tr></table>'; 
} 
} 

?>