The Form

File: form_handle.php

<form method="POST" action="fom_handle.php">
 <input type="text" name="test_field">
 <input type="submit" name="submit" value="Send!">
</form>

Handling the form data

Ok in this form we made 2 fields. One text input field, we named ‘test_field’ and one submit button we called ’submit’ and already gave the value ‘Send!’ to it. Now once the submit button gets pressed, the data of the input fields will be send using the method POST to the file form_handle.php ( as set in the form tag ). This means all values of the input fields will be stored into $_POST['input_field_name'] variables. So in our case we got 2 input fields, and so 2 $_POST variables will be created. One for the field ‘test_field’, which will be stored in $_POST['test_field'], and one for the submit button field we called ’submit’, which will bestored in $_POST['submit']. So in this way the data will be send to the page once the form gets submitted using the form. The submit button we gave a default value already ‘Send!’ so for this input field always this variable will be created:

$_POST['submit'] = "Send!";

Once the form has been submitted. So we can actually CHECK if the form was submitted, by validating this:

<?php
if($_POST['submit'] == "Send!") { //form has been submitted correctly?

   //handle form data

}

  //show form

}
?>

Because when the form gets submitted, as mentioned above, for each field will be created a variable $_POST['field_name'] and given a value ( either filled in by user or the default value ) which is default set to ‘Send!’ for the submit button. So the variable $_POST['submit'] must have been created if the form was submitted and must be given the value ‘Send!’ to as we gave it that value inside the form submit button input field. But we also made another input field we called ‘test’. This field we didn’t gave a value and can be filled in by the user as it’s a “text” input field. Which looks like this:

And we want to show what the user filled in there. And as we know the data of the input fields are stored in $_POST['input_field_name'], we can get the data filled in for the field named ‘test’ from the variable $_POST['test']. So let’s do this. But of course only when the form was submitted this is possible, so we use the loop we created to check whether the form was submitted or not:

File: form_handle.php

<?php

if($_POST['submit'] == "Send!") { //form has been submitted correctly?

   //handle form data
   echo "Input field: 'test' - You filled in: ".$_POST['test'];

}else{ //not submitted? show form

?>

<form method="POST" action="fom_handle.php">
 <input type="text" name="test_field">
 <input type="submit" name="submit" value="Send!">
</form>

<?php

}

?>

When the form has not been submitted yet, this will output:

Once the form has been submitted this will output:

Input field: ‘test’ – You filled in: [here what the user filled in for this field]

Allright, so those are the basics of retrieving user input data. The same principe works for all other input fields such as checkboxes ( which get their value when they’re checked ), radio boxes, etc..

However there’s also a second method: the GET method. It works the same for retrieving the data, they’re put inside $_GET['input_field_name'] when submitting the form. However, they can be changed inside the url. As they’re now submited through url. Like:

form_handle.php?submit=Send!&test=what_the_user_filled_in_for_this_field

So it could be manipulated very easily by changing that inside the url, and beside that, the user can see all values of as well hidden input fields ( which are given a default value for example ) through url. For example you’d have an input field:

<input type='hidden' name='key' value='myverylongsecretkey2985230'>

Then once the form gets submitted using GET method you’ll see this key just in the url!

form_handle.php?key=myverylongsecretkey2985230

So you don’t want that. So usually POST methods are used for securely submitting form, user input data.

End of tutorial

We’ve come to the end of this small tutorial. Hope you learnt something in this tutorial and also have a look at the tutorial about User Input Validation. Which can nicely be combined with this tutorial on how to actually first RETRIEVE the user input data before validating it or anything. Enjoy!

Tutorial Content

First off, this tutorial is meant for creating a very basic shopping cart system. Not offering a copy-pastable setup script. It will show you how you can create the following functions for your shopping cart system:

* Adding products ( stored into session arrays )

* Removing products

* Empty/Clear shopping cart

* Retrieving all products ( from session )

* Changing amount on products

We’ll just be creating a simple basic shopping cart system now that is cappable of these 4 things. We won’t be using classes, OOP yet, which we’ll be doing in the next tutorial ( Advanced Shopping Cart System ). Having mentioned this all – let’s start.

Shopping Cart System File

Shpping Cart System PHP File and the structure of the session array containing all products of the shopping cart

What I usually start off with is creating the files we’ll be using. Which is only one:

* cart.php

As sessions are an important part of this system we’ll obviously need to set session_start first to be able to use session variables.

File: cart.php

<?php
session_start();

?>

We’ll be using the session $_SESSON['sc'] to store all products into (sc = shoppingcart ). So if it isn’t there yet, we’ll make it an empty array:

<?php
session_start();

if(!isset($_SESSION['sc']))
   $_SESSION['sc'] = array();
?>

isset is a function used to check if the variable or array has been set/defined. We put a ! before it to check if it has NOT been set yet. The array will be of the following structure (2 products for example, first product gets index 0 ( [0] ), second index 1, etc. ):

$_SESSION['sc'] = array(
         [0] => array("ID" => product_id, "amount" => product_amount),
         [1] => array("ID" => product_id, "amount" => product_amount),
         ... etc ... );

So for each new product, an array is added to the array ’sc’, containing the product ID and amount in cart. So for example to add a test product to the shopping cart at start:

<php
 session_start();

if(!isset($_SESSION['sc']))
   $_SESSION['sc'] = array();

//add test product if not already exists
if(!$_SESSION['sc'][0])
$_SESSION['sc'][0] = array("ID" => 1, "amount" => 10);
?>

Now we added a test product, ID of the product is 1 and the amount we set to 10.

Retrieve Current Products

Retrieve the products that are currently inside the shopping cart

With this info we can already make it retrieve the current products in the shopping cart. We’ll do this using a foreach loop. First however, we’ll need to check if there are any products in it at all, otherwise say it’s empty. We use the function count to count the amount of sub-variables or sub-arrays in this case, for the array $_SESSION['sc']. As each sub-array represents a product, we can tell if there are any products by counting them using the count function. We’ll store that in a variable $products. If it’s a value greater than 0 ( if there are any sub-arrays/products ), retrieve the products:

$products = count($_SESSION['sc']);
if($products > 0) { //if there are more than 0 products in the shopping cart

    //... retrieve products ...

}else{

   echo "Empty";

}

We’re now going to use 2 loops to retrieve the products. The first loop is a for loop which we use to get all products ( which are all sub-arrays ).

for($curr=0;$curr<$products;$curr++) {

}

What the for loop basicly does here is set a variable $curr to 0 ( the first index -> first product of the array ), which represents the product $_SESSION['sc'][0]. Then it executes the loop ( nothing yet inside ) for that product ( which is $_SESSION['sc'][0] in the first loop execution time, but which is always = $_SESSION['sc'][$curr] ). After executing the loop for that product, it checks whether there are any other products by checking if $curr ( the current index ) is smaller than the amount of products. Which is equal to the last index + 1, as the first product starts with the index 0 instead of 1, and counting products start by 1 of course. So if there are any more products, it gets the next one which has the next array index. As the previous index = $curr, the next one is $curr++, which increases the current index by 1.

Ok so now we can handle all products inside this loop. The current product will be $_SESSION['sc'][$curr] as $curr contains the index of the current product. But as each array got it’s own sub-array (containing the ID and Amount) we need to use a forloop. This will get both the ID and Amount values of the products (sub-arrays):

for($curr=0;$curr<$products;$curr++) {

    foreach( $_SESSION['sc'][$curr] as $key => $value ) {

        echo $key.":".$value." <br />";

    }

}

We know each product has it’s own index ( $curr ) and as value a sub-array like this:

array(“ID” => prod_id, “amount” => prod_amount)

So what we do is use a foreach loop to get the indexes ( ID and Amount ) of the array/product and the values of them (product id and product amount ). Then we echo them like this:

        echo $key.":".$value." <br />";

which outputs:

ID: product id here
amount: product amount here

for each product it found in the for loop.

Let’s put this all together:

<php
  session_start();

 if(!isset($_SESSION['sc']))
    $_SESSION['sc'] = array();

//removed test product

$products = count($_SESSION['sc']);
if($products > 0) { //if there are more than 0 products in the shopping cart

   for($curr=0;$curr<$products;$curr++) {

    foreach( $_SESSION['sc'][$curr] as $key => $value ) {

         echo $key.":".$value." <br />";

     }
   }

}else{

   echo "Empty";

}

Now we completed the first function for our shopping cart system: Retrieving all products. 4 more to go!

Function – Add Products

Function to add products to the shopping cart

Let’s start with creating a function to add a product. This shouldn’t be such a big hassle having discusses all of the structure of the shopping cart array and product sub-arrays. What we basicly need to do is add a new sub-array with the index of the last product’s index + 1 and create the sub array with the product ID and amount. We’ll have a look at the code:

    $new = count($_SESSION['sc']);
    $_SESSION['sc'][$new] = array("ID" => $_GET['p'], "amount" => 1);

So $new contains the new array id for the new product. This is equal to the amount of products because, as mentioned before, product 1 has the index 0. So the last product’s index is the amount of products -1, and we just count one plus that and we’d get our new product index. And we all know -1+1 = 0 So we can leave that out and just count the products and use that number as the new index for the new product added.
Then we add the product by creating a sub-array with the id and amount. The ID is here set to $_GET['p'], so cart.php?p=1 would add product id 1 ($_GET['p'] = 1).

Though we could now add one product twice, which would bug the system as there’s also already an amount set inside the product sub-array (ID and Amount is set for each product). So we need to check whether the product isn’t already in the shopping cart array. We can do this with the following for loop:

for($index=0;$index<$products;$index++) {

    if($_GET['p'] == $_SESSION['sc'][$index]['ID']) {

        $index_exists = true;

    }

}

Let’s go through this code. What it basicly does is set a variable $index to 0 ( the first product’s index ) and execute the loop for each index (product in the shopping cart array), which are the indexes 0 – ($products-1) in other words: $index<$products. Then for each product we need to check if the ID ($_SESSION['sc'][$index]['id']) is equal to the id of the product requested to be added ($_GET['p']). If this is the case for any of the products, $index_exists will be set to true. So when $index_exists is set to true, there was a product found with the ID requested to be added. In that case the product was already added to the shopping cart earlier.

Thus we just need to check if $index_exists is equal to true, if so: the product is already in the shopping cart -> show error message:

if($index_exists) {

    echo "<p>Product already added </p>";

}else{

    ///... else - product was not added earlier already -> add the product

}

Otherwise ( else ) the product wasn’t found in the shopping cart so it will be added successfully. We can there put our ‘product add’ code:

$new = count($_SESSION['sc']);
$_SESSION['sc'][$new] = array(“ID” => $_GET['p'], “amount” => 1);

=>

if(isset($index_exists)) {

    echo "<p>Product already added </p>";

}else{

    ///... else - product was not added earlier already -> add the product
    $new = count($_SESSION['sc']);
    $_SESSION['sc'][$new] = array("ID" => $_GET['p'], "amount" => 1);

}

Let’s put that all together again:

<php
   session_start();

  if(!isset($_SESSION['sc']))
     $_SESSION['sc'] = array();

 $products = count($_SESSION['sc']);
 if($products > 0) { //if there are more than 0 products in the shopping cart

   for($curr=0;$curr<$products;$curr++) {

     foreach( $_SESSION['sc'][$curr] as $key => $value ) {

          echo $key.":".$value." <br />";

      }
   }

 }else{

    echo "Empty";

 }

if($_GET['act'] == 'add' AND $_GET['p']) {

for($index=0;$index<$products;$index++) {

    if($_GET['p'] == $_SESSION['sc'][$index]['id']) {

        $index_exists = true;

    }

}

if(isset($index_exists)) {

     echo "<p>Product already added </p>";

 }else{

     ///... else - product was not added earlier already -> add the product
    $new = count($_SESSION['sc']);
      $_SESSION['sc'][$new] = array("id" => $_GET['p'], "amount" => 1);

 }

}

?>

We used an if loop which checks if $_GET['act'] == ‘add’ and $_GET['p'] exists, which is the case when you go to the url like ‘cart.php?act=add&p=product_id’. So when you link the user there, the product_id will be added to the shoppingcart.

Example link:

<a href='cart.php?act=add&p=1'>Add product #1</a>

Function – Clear Shopping Cart

Function to clear the shopping cart

Allright, now we’ll create a function to clear the shopping cart. Which just unsets the whole session ’sc’:

if($_GET['act'] == 'clear') {

   unset($_SESSION['sc']);

}

We use the function unset to unset the session shopping cart. We’ll do this when the user requests the url cart.php?act=clear, as in that case the GET variable ‘act’ has = ‘clear’ ($_GET['act'] = ‘clear’). Which it checks in the if loop. So you can make a link to that url to make it clear the shopping cart. Like:

<a href='cart.php?act=clear'>Empty Shopping Cart</a>

Function – Update Products

Function to update the amount of each product of the shopping cart

Allright, now we’ve came to the last function which is to change the amount of a product. Which is just changing the sub-variable ‘amount’ of the array $_SESSION['sc'][product_array_id]. For example:

$_SESSION['sc'][0]['amount'] = 10;
//changes the product with array index 0 - sets the amount sub-variable of the product to 10.

We’ll need a form to make the user fill in an amount for a product. For each product we’ll need to make this form ( so the user can added the amount for each product ). So we’ll need to add this form inside the loop where it retrieves all products in the shopping cart. Which was the following code ( remember? ) :

   for($curr=0;$curr<$products;$curr++) {

      foreach( $_SESSION['sc'][$curr] as $key => $value ) {

           echo $key.":".$value." <br />";

       }

   }

Which we created in the beginning of the tutorial. We’re going to add this form to it:

    echo "<form method='POST' action='cart.php?aid=".$curr."'><p>
Change amount: <input type='text' name='amount' value='".$_SESSION['sc'][$curr]['amount']."'>
<input type='submit' name='submit' value='update'>
</form>";

Let’s have a look at that form. It uses the method POST, which means it puts all user input into $_POST['form_field_name'] variables when the form is submitted. It goes to the page ‘cart.php?aid=”.$curr.”‘ which means it creates the GET variable $_GET['aid'] and sets it equal to $curr, which contains the array index of the current product that’s been updated/changed the amount of. Then we’ve got one field named ‘amount’ which has the value of $_SESSION['sc'][$curr]['amount'], which is the amount of the current product ($_SESSION['sc'][$curr] is the current product sub-array containing amount and ID index, we take the ['amount'] sub-variable).

Put it together:

   for($curr=0;$curr<$products;$curr++) {

       foreach( $_SESSION['sc'][$curr] as $key => $value ) {

            echo $key.":".$value." <br />";

        }

    echo "<form method='POST' action='cart.php?aid=".$curr."'><p>
Change amount: <input type='text' name='amount' value='".$_SESSION['sc'][$curr]['amount']."'>
<input type='submit' name='submit' value='update'>
</form>";

     }

Let’s update the old for loop and put it all together:

 <php
    session_start();

   if(!isset($_SESSION['sc']))
      $_SESSION['sc'] = array();

  $products = count($_SESSION['sc']);
  if($products > 0) { //if there are more than 0 products in the shopping cart

####UPDATED####

    for($curr=0;$curr<$products;$curr++) {

        foreach( $_SESSION['sc'][$curr] as $key => $value ) {

             echo $key.":".$value." <br />";

         }

    echo "<form method='POST' action='cart.php?aid=".$curr."'><p>
 Change amount: <input type='text' name='amount' value='".$_SESSION['sc'][$curr]['amount']."'>
 <input type='submit' name='submit' value='update'>
 </form>";

      }

  }else{

     echo "Empty";

  }

if($_GET['act'] == 'add' AND $_GET['p']) {

for($index=0;$index<$products;$index++) {

     if($_GET['p'] == $_SESSION['sc'][$index]['id']) {

         $index_exists = true;

     }

 }

if(isset($index_exists)) {

      echo "<p>Product already added </p>";

  }else{

      ///... else - product was not added earlier already -> add the product
     $new = count($_SESSION['sc']);
       $_SESSION['sc'][$new] = array("id" => $_GET['p'], "amount" => 1);

  }

}

###########ADDED############

if($_GET['act'] == 'clear') {

   unset($_SESSION['sc']);

}

?>

Ok, so when the user tries to update the amount of a product, the variable $_GET['aid'] will be containing the array index of the product and $_POST['amount'] will contain the user filled in amount in the form field ‘amount’.

To check if the user tried to change the amount of a product, we simply check if $_POST['amount'] exists and if not empty:

if(!empty($_POST['amount'])) {

   //update amount

}

Let’s put the array id ($_GET['aid']) inside a variable $array_id and the amount the user filled in for that product ($_POST['amount']) inside a variable $amount:

    $array_id = $_GET['aid'];

    $amount = $_POST['amount'];

Now we need to change the amount of the product with the index $array_id. As all products are in the array $_SESSION['sc'], the product is $_SESSION['sc'][$array_id]. And to change the amount of that product we need to change the sub-variable ‘amount’. So it becomes: $_SESSION['sc'][$array_id]['amount'].
We’ll set it equal to the user input = $amount, so:

if(!empty($_POST['amount'])) {

   //update amount

    $array_id = $_GET['aid'];

     $amount = $_POST['amount'];

    $_SESSION['sc'][$array_id]['amount'] = $amount;

}

Shopping Cart System – End Result

We put it all together and we’re done with our “basic ” shopping cart system!

File: cart.php

  <php
session_start();

if(!isset($_SESSION['sc']))
   $_SESSION['sc'] = array();

$products = count($_SESSION['sc']);

###########RETRIEVE PRODUCTS FUNCTION############

if($products > 0) { //if there are more than 0 products in the shopping cart

   for($curr=0;$curr<$products;$curr++) {

    foreach( $_SESSION['sc'][$curr] as $key => $value ) {

        echo $key.":".$value." <br />";

    }

    echo "<form method='POST' action='cart.php?aid=".$curr."'><p>
Change amount: <input type='text' name='amount' value='".$_SESSION['sc'][$curr]['amount']."'>
<input type='submit' name='submit' value='update'>
</form>";

   }

}else{

   echo "Empty";

}

###########ADD FUNCTION############
if($_GET['act'] == 'add' AND $_GET['p']) {

for($index=0;$index<$products;$index++) {

    if($_GET['p'] == $_SESSION['sc'][$index]['ID']) {

        $index_exists = true;

    }

}

if($index_exists) {

    echo "<p>Product already added </p>";

}else{

    ///... else - product was not added earlier already -> add the product
    $new = count($_SESSION['sc']);
    $_SESSION['sc'][$new] = array("ID" => $_GET['p'], "amount" => 1);
    echo "<p>".$_GET['p']." ID added for index ".$new."</p>";

}

}

###########CLEAR FUNCTION############

if($_GET['act'] == 'clear') {

   unset($_SESSION['sc']);

}

###########ADDED - UPDATE FUNCTION############

if(!empty($_POST['amount'])) {

   //update amount

    $array_id = $_GET['aid'];

    $amount = $_POST['amount'];

    echo "<p>array id:".$array_id." and amount: ".$amount." and product id: ".$_SESSION['sc'][$array_id]['ID']."</p>";

    $_SESSION['sc'][$array_id]['amount'] = $amount;
    echo $_SESSION['sc'][$array_id]['amount'];

}

?>

This system was more complicated to explain because of the arrays and sub-arrays and because of it’s somewhat longer size ( script ). But hope you learnt something!

Cheers,
Admin.

Again we start with a form:

... form login fields ...

The form method we use is the same as for the register system: POST. We use the same page to handle the login attempt so we make it go to ( action ) $_SERVER['PHP_SELF'] which equals the current page/file. So all user data will be send into $_POST['field_name'] variables to the same page ( itself ).

Now we’ll add the form fields, which for the login system are just the username and password fields and a submit button.

So once the user submits the form by clicking the submit button, the $_POST array will be created containing:

$_POST['username'] which equals the username filled in
$_POST['password'] which equals the password filled in
($_POST['submit'] which equals ‘log me in!’)

As we’re going to make it handle the login in the same page, we’ll need to make an if loop. This if loop will check if the form has been submitted already ( does $_POST exist? ). If so, it will handle the user filled in data which is stored in this $_POST array as explained above. If not, it will show the form as the user has not submitted it yet.

 <?php

 if($_POST) {

 ... handle the login attempt ...

 }else{

 ... show the form ...

 }

 ?>
 

We can already fill in the form in the else part of the loop ( when $_POST does not exist yet ).

<?php

if($_POST) {

... handle the login attempt ...

}else{

?>





<?php

}

?>

We nicely seperate the HTML code from the PHP code by first closing the php tag ( ?> ) and then re-opening it after the HTML code ( <?php ) when the php code goes on. Do this rather than echoing the whole form.

Move on to the part of the if loop that occurs when the user did submit the form. First we need to make it connect to the database. We’ll take as example the database and table we created in the register system tutorial.

mysql_connect('localhost', 'root'); //like: 'host','user','pasword'
mysql_select_db('test'); //'database'

Let’s check whether there the login was valid. To do this we use a mysql_query and a mysql function. We assume there’s a table called ‘accounts’ with the fields id, username, password. It could be called anyhow as long as you’ve created it correctly in the database as well. Have a look at the query first:

"SELECT id FROM accounts WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."' "

What it simply does ( well, tries to do ) is select a row ( to be exact the field ‘id’, doesn’t really matter what field though ) from the table ‘accounts’ that has the same value for the field ‘username’ and ‘password’ as the user filled in ( $_POST['username'] and $_POST['password'] ). In other words: it tries to select an account with the same username and password the user filled in. We’ll put it into a variable and make it a query using the mysql_query function. Also we’ll use mysql_real_escape_string again to secure the user input.

$check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' ");

Now we aren’t going to actually retrieve the data the mysql query returned ( we aren’t even sure if the account actually exists ). We’ll instead use mysql_num_rows to check if there was any row returned by the query.

$check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' ");

$check_account1 = mysql_num_rows($check_account);
 

$check_account1 now contains a number indicating the amount of rows it found with the query. When it found any rows ( so when $check_account1 contains a number greater than 0 ) the account exists. It found a row that has the same username and password as the user filled in. If not: there wasn’t any row ( any account in this case ) with the same username and password as the user filled in. So we can just make another if loop which checks if the account exists ( $check_account > 0 ).

 $check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' ");

$check_account1 = mysql_num_rows($check_account);

if ( $check_account > 0 ) {

    echo "Logged in!"; //account exists, show logged in message

}else{

   echo "Invalid login."; //account doesn't exist, show error message

}

Great, now it checks whether an account with the user filled in data exists. But we also want it to remember the user’s login, in a session. We’ll make it create a session called ‘logged’ to do that.

$_SESSION['logged'] = true;

Which contains a boolean value indicating the user is logged in. Though this isn’t enough, we also need to make a session that contains the username or userid of the user logged in. I prefer using the user’s ID to determine what account is logged in as each user account has its own unique ID.
To get the user account’s ID, we’ll use our previous query which actually selected it. However we first used it only to check if it existed. We’ll now actually retrieve the data ( user id ) of the query using the mysql_fetch_assoc function. We don’t need to use a while loop because we know it should be only 1 account that the query selects.

 $user = mysql_fetch_assoc($check_account); //get the row data the query returned
  $userid = $user['id']; //get the value of the field 'id' of the row the query returned
$_SESSION['userid'] = $userid; //put it into a session

And we created all our sessions required to make a user loggin! Let’s put it all together now.

File: login.php

 <?php

session_start(); // <-- always on top! needed to use our session

 if($_POST) {

 $check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' ");

 $check_account1 = mysql_num_rows($check_account);

if ( $check_account > 0 ) {

    echo "Logged in!"; //account exists, show logged in message

   $user = mysql_fetch_assoc($check_account); //get the row data the query returned

   $userid = $user['id']; //get the value of the field 'id' of the row the query returned

   $_SESSION['userid'] = $userid; //put it into a session

}else{

   echo "Invalid login."; //account doesn't exist, show error message

}

 }else{

 ?>





 <?php

 }

 ?>
 

Holdon, you might have noticed we did not use the session_start function yet, so we wouldn’t be able to use our sessions! Added it on the top of the page ( always! ).

Now the basic login page is done. We’ve now come to the part of ‘how to use the login?’. Well, we know that if a user is logged in, a session called ‘logged’ is created and set to true ( ALWAYS, for all users that log in ). So we simply check if this session was created and equal to true, to check if a user is logged in:

file: sample_members_area.php

<?php
session_start(); //<--- there it is again

if($_SESSION['logged'] == true) {

    echo "Welcome user!";

}else{

   include("login.php"); //include the login page

}

?>

You could also add this to the login page. Also needed is to use the user id to get all info of the user. To do this we can use another mysql SELECT query just like we done to get the user id, but now for the username, password, email or any other field.

"SELECT username FROM accounts WHERE id = '".$_SESSION['userid']."' "

We now for example select the username of the user account with the id stored in the session ‘userid’, which equals the id of the user logged in.So it selects the username of the logged in user.We can again retrieve the data using mysql_fetch_assoc. Also remember to put the query into the mysql_query function to execute it.

$username = mysql_query("SELECT username FROM accounts WHERE id = '".$_SESSION['userid']."' ");

$username = mysql_fetch_assoc($username);

$username = $username['username']; //yeah bit weird names chosen, I know

So you could greet the user with:

echo "Hi there ".$username."! <br /> Long time no see!";

End results:

File: Login.php

  <?php

session_start(); // <-- always on top! needed to use our session

if($_SESSION['logged'] == true) { //user already logged in?

   include("Members_area.php"); //include members area

}else{

  if($_POST) {

  $check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' ");

  $check_account1 = mysql_num_rows($check_account);

 if ( $check_account > 0 ) {

     echo "Logged in!"; //account exists, show logged in message

   $user = mysql_fetch_assoc($check_account); //get the row data the query returned

   $userid = $user['id']; //get the value of the field 'id' of the row the query returned

   $_SESSION['userid'] = $userid; //put it into a session

 }else{

    echo "Invalid login."; //account doesn't exist, show error message

 }

  }else{

  ?>





  <?php

  }

}

  ?>
  

File: Members_area.php

<?php
session_start(); //<--- there it is again

if($_SESSION['logged'] == true) {

    $username = mysql_query("SELECT username FROM accounts WHERE id = '".$_SESSION['userid']."' ");

    $username = mysql_fetch_assoc($username);

    $username = $username['username']; //yeah bit weird names chosen, I know

    echo "Hi there ".$username."! <br /> Long time no see!";

}else{

   include("login.php"); //include the login page

}

?>

Cheers,
Admin.

File: Register.php

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

... form felds ...

</form>

We start by creating the form itself. The attributes we set are method and action. Method is used to define how the data (text filled in the form fields) should be transferred. We use the POST method, which will store all data filled in by the user into $_POST variables. The action is set to the page where it should go to when the form is submitted. We set it to $_SERVER['PHP_SELF'], which is equal to the current file. So after the user completes filling in our form fields and submits the form, it will put all filled in data into $_POST variables and send it to itself (go to the same page).

Let’s add some form fields to the form, which the user needs to fill in to complete the registration.

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

*Username:
 <br />

*Password  :
 <br />

*Repeat Password: 
 <br />

*Email:
 <br />


</form>

We simply added 4 fields using basic HTML input tags and a submit button to submit the form. These four fields need to be filled in by the user in order to create his/her account. They may not be left empty: the username, password and email. We also created a “repeat password” field, which we use to verify the user filled in password. The name we give each input field is important because for each input field, a POST variable will be created once the user submits the form. The POST variable created for a certain field is $_POST['field_name'] and will contain the value the user gave to that field (filled in for that field). In this way all values of the fields will be submitted using POST variables. We will use these variables to check if the user filled in all fields (if they aren’t empty) and if the form has been submitted at all.

To actually create the account we’ll be storing the filled in values for the fields, into a database. Let’s create a database called “test” and a table called “accounts” which contains 4 fields ( equal to the amount of fields that are filled in for the form plus one ID field which is unique for each member ( password and repeat password should contain one and the same value so are of course just stored in one field: password ) ). If you are not sure how to do this you could also import the SQL code :

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
CREATE DATABASE 'test' DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
USE 'test';
CREATE TABLE IF NOT EXISTS 'accounts' (
  'id' int(250) NOT NULL AUTO_INCREMENT,
  'username' varchar(20) NOT NULL,
  'password' varchar(20) NOT NULL,
  'email' varchar(50) NOT NULL,
  PRIMARY KEY ('id')
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Now we’ll create a loop to check if the user has already submitted the form. Which is the case when all fields data have been stored into $_POST variables. In other words: if the $_POST variables exist – the form has been submitted. This doesn’t mean all fields have been filled in though, because the $_POST variables could also be empty, but they are created ( as the user submitted the form).

<?php

If ( ... the form has been submitted ... ) {

    ... check if all fields have been filled in correctly ...

}else{ //form has not been submitted yet

    ... show the form ...

}

?>

This is how our loop looks like. Now we can already fill in our form which we just created and to check if the form has been submitted we just check if $_POST variable exists:

<?php
If ( $_POST  ) {

    ... check if all fields have been filled in correctly - create account if valid ...

}else{ //form has not been submitted yet

?>

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

*Username:
 <br />

*Password  :
 <br />

*Repeat Password: 
 <br />

*Email:
 <p>


</form>

<?php

}

?>

Only thing last is to check all fields and create the account if valid. As mentioned before, once the form has been submitted, all field values have been stored into $_POST['field_name']. So to check if all fields have been filled in, we just need to check if all $_POST variables aren’t empty. To do this we are going to use a foreach loop to make it easier. We could also just check all $_POST variables like: $_POST['username'] and $_POST['password'], etc.. But this is an inefficient way to do it, as when you add a new form field, you would need to add it to the loop as well ( check that field too ). Beside that it just can be done much easier and faster than checking all fields manually. The foreach loop will check all fields and values the same way. Let’s just have alook at the loop code:

foreach ( $_POST as $key => $value ) {

    if ( empty($value) )

        $errors .= "Field '".$key."' has to be filled in. <br /> ";

    }else{

        ... check if filled in values are valid ...

    }

}

Ok, let’s go through this code. What it basicly does is check all sub-variables of the array $_POST ( which are all fields ) and store the name of them in $key and the value of them in $value. As for each field a sub-variable for the array $_POST has been created, it will check each field. $key will contain the name of the field and $value the value ( filled in by the user ). Then we use an if loop to check if the value of the field is empty: we use the function empty to do this. If it’s empty, we’ll add text to a variable called $errors. This variable we use to store all errors into if any. This way we can also check if there are any errors at all by checking if the variable $errors contains anything: if not, the user filled in all fields correctly and we can create the account. Otherwise it should show the errors ( echo $errors ).

Now there’s one more part of the if loop that needs to be done: the part where it checks if the values filled in are actually valid. This part runs when the $value was not empty. We’ll use a function preg_match for this. What we basicly do is check if it contains the characters that are allowed ( which are basicly: numbers, spaces and alphabetical characters ). The function works like this:

preg_match("/[...pattern that needs to be matched...]/", $value_to_check)

In our case the pattern is equal to all numbers, spaces and alphabetical characters as mentioned above. The value to check is the filled in value of the field, which is stored in $value as as well mentioned above. This makes us end up with the following code:

        If ( !preg_match("/[0-9A-Za-z -_]/", $value) )
            $errors .= "<p> Field '".$key."' has been given an invalid value. </p>";

All numbers are 0-9, all capital alphabetical characters are A-Z and all normal alphabetical characters are a-z, and we also allow the – and _ symbols to be used. Now we check if the value filled in for the current field ( stored in $value ) does NOT match this pattern . Which is the case when it contains any other symbols/characters than the ones given in the pattern. We use the ! symbol for that, which means simply: NOT. In that case we add an error to the $error variable ( the field is not filled in correctly, using inappropriate characters ).

Let’s put it all together.

<?php

If ( $_POST  ) {

foreach ( $_POST as $key => $value ) {

        if ( empty($value) )

            $errors .= "<p> Field '".$key."' has to be filled in. </p>";

        }else{

            If ( !preg_match("/[0-9A-Za-z -_]/", $value) )
                $errors .= "<p> Field '".$key."' has been given an invalid value. </p>";

        }

}

    ...  check if the passwords ( normal and repeated ) matched ...

    ... check if username/email does not already exist ...

    ...  check if there were any errors with the filled in fields ...

}else{ //form has not been submitted yet

?>

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

*Username:
 <br />

*Password  :
 <br />

*Repeat Password: 
 <br />

*Email:
 <p>


</form>

<?php

}

?>

There’s one field that needs to be checked in a different way: the ‘password_rep’ field. Which needs to be equal to the password field. We’ll use another if loop for that (already put into the code above):

        If( $_POST['password_rep'] != $_POST['password'])
            $errors .= "<p> Passwords don't match! </p>";

A simple condition checks whether they are not equal to eachother (!=). In that case, an error will be added.

Now there’s a last thing that needs to be checked. We’re going to check if there isn’t already an account on the given username or email. We’ll use a simple mysql SELECT query to do this:

        $check_account = mysql_query("SELECT id
                                                                    FROM accounts
                                                                    WHERE username = '".$_POST['username']."' OR email = '".$_POST['email']."' ");

We select the field ‘id’ from the table ‘accounts’ (we could select any field) from a row where the username or email is equal to what the user filled in as username/email. To make it more secure we can use the mysql_real_escape_string function that escapes all possible harming characters out of the strings.

        $check_account = mysql_query("SELECT id
                                                                     FROM accounts
                                                                     WHERE username = '".mysql_real_escape_string($_POST['username'])."' OR email = '".mysql_real_escape_string($_POST['email'])."' ");

Next, instead of retrieving the rows/results ( as we aren’t sure if there is any row like this already ) we’ll check if the query selected any rows at all. In other words: we’ll check if there is already an account with this username or email as this is the only thing we need to check with this query. We’ll use the function mysql_num_rows to do this.

        $check_account = mysql_query("SELECT id
                                                                    FROM accounts
                                                                    WHERE username = '".mysql_real_escape_string($_POST['username'])."' OR email = '".mysql_real_escape_string($_POST['email'])."' ");

        $check_account = mysql_num_rows($check_account);

$check_account now contains a number of the rows that have the same username or email as the user filled in for his account to register. So if $check_account contains a number greater than 0, this means there’s already 1 or more accounts with this username or email. In that case an error should be added that the username or email already exists for an account.

        $check_account = mysql_query("SELECT id
                                                                    FROM accounts
                                                                    WHERE username = '".mysql_real_escape_string($_POST['username'])."' OR email = '".mysql_real_escape_string($_POST['email'])."' ");

        $check_account = mysql_num_rows($check_account);

        If($check_account > 0)
            $errors .= "<p> An account with the same username or email already exists. </p>";

Now we need to create a code to check if there were any errors: in other words if $errors contains text. We’ll again use the empty function. If $errors is empty, we can create the account. Otherwise we show the errors.

Now we checked all possible errors for the user filled in data for his/her account to be created. So let’s put it all together.

<?php

If ( $_POST  ) {

foreach ( $_POST as $key => $value ) {

        if ( empty($value) )

            $errors .= "<p> Field '".$key."' has to be filled in. </p>";

        }else{

            If ( !preg_match("/[0-9A-Za-z -_]/", $value) )
                $errors .= "<p> Field '".$key."' has been given an invalid value. </p>";

        }

}
        If( $_POST['password_rep'] != $_POST['password'])
            $errors .= "<p> Passwords don't match! </p>";

        $check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' OR email = '".mysql_real_escape_string($_POST['email'])."' ");

        $check_account = mysql_num_rows($check_account);

        If($check_account > 0)
            $errors .= "<p> An account with the same username or email already exists. </p>";

    ...  check if there were any errors with the filled in fields ...

}else{ //form has not been submitted yet

?>

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

*Username:
 <br />

*Password  :
 <br />

*Repeat Password: 
 <br />

*Email:
 <p>


</form>

<?php

}

?>

If ( empty($errors) OR !isset($errors) ) {

    ... create account ...

}else{

    ... show errors ...

}

Showing the errors is not such a big deal, we just echo the variable $errors which contains all errors. Creating the account isn’t such a big deal either. We’ll be using a few mysql functions & queries. Which we use to insert rows into the database ( create the account ). First we’ll need to connect to the host and database. We’ll use the functions mysql_connect and mysql_select_database.

mysql_connect("host", "user", "pass");
mysql_select_db("database");

We’ll now use a basic mysql_query function to INSERT the values into the database.

mysql_query( ... query ... );

In our case the query is to INSERT all values into the table ‘accounts’.

$query = mysql_query("INSERT INTO accounts(username, password, email)VALUES('".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."')");

That’s how the query looks like. I think it isn’t that hard so will explain it shortly: we use INSERT INTO to insert data into a table, in our case ‘account’s . Then we need to define which fields we want to insert data into, and put them between brackets after the table: username, password, email in this case. Also we need to give the VALUES for each field, which are stored in $_POST['field_name']. Though, to be sure there won’t be any SQL injections possible, we will still use the mysql_real_escape_string function to handle all filled in values so that they can’t harm the database with any bad codes. Even though we already checked the values, you should never just directly insert user filled in data to the database.

$query = mysql_query("INSERT INTO accounts(username, password, email)VALUES('".mysql_real_escape_string($_POST['username'])."', '".mysql_real_escape_string($_POST['password'])."', '".mysql_real_escape_string($_POST['email'])."')");

Now we need to check if the query was successfully:

If($query) {

    echo "Success! Account created!";

}else{

    echo "There was an error creating the account. Please try again or contact the web administrator";

}

We just use a basic loop to check if the $query variable, which executes the mysql query, was executed successfully.

Now we put it all together!
 
File: Register.php

<?php

If ( $_POST  ) {

foreach ( $_POST as $key => $value ) {

        if ( empty($value) )

            $errors .= "<p> Field '".$key."' has to be filled in. </p>";

        }else{

            If ( !preg_match("/[0-9A-Za-z -_]/", $value) )
                $errors .= "<p> Field '".$key."' has been given an invalid value. </p>";

        }

    }

        If( $_POST['password_rep'] != $_POST['password'])
            $errors .= "<p> Passwords don't match! </p>";

        $check_account = mysql_query("SELECT id FROM accounts WHERE username = '".mysql_real_escape_string($_POST['username'])."' OR email = '".mysql_real_escape_string($_POST['email'])."' ");

        $check_account = mysql_num_rows($check_account);

        If($check_account > 0)
            $errors .= "<p> An account with the same username or email already exists. </p>";

If ( empty($errors) OR !isset($errors) ) {

mysql_connect(host, user, pass);
mysql_select_db(database);

$query = mysql_query("INSERT INTO accounts(username, password, email)VALUES('".mysql_real_escape_string($_POST['username'])."', '".mysql_real_escape_string($_POST['password'])."', '".mysql_real_escape_string($_POST['email'])."')");

If($query) {

    echo "Success! Account created!";

}else{

    echo "There was an error creating the account. Please try again or contact the web administrator";

}

}else{

    echo $errors;

}

}else{ //form has not been submitted yet

?>

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

*Username:
 <br />

*Password  :
 <br />

*Repeat Password: 
 <br />

*Email:
 <p>


</form>

<?php

}

?>

And we’ve got our register system in ONE file!

Note: In queries you might have seen a lot of quotes and double quotes. We use ‘”. and .”‘ to separate an array ( like $_POST[] ) from the rest of the query.

Cheers,
Admin.

Example:

... form fields ...

We simply put method=”POST” to the form tag, to make it use this method. The action here is set to some “handle_file.php”, could as well be set to any file or even the same file. It’s the file it will send the data ( using the POST method, in POST variables so ) to and go to when the form is submitted. Let’s add an example form field and submit button.

Example:

In this case, once the user submits the form by clicking on the submit button, the text filled in in the field ‘username’ ( the first input field with name=’username’ ), will be put into the variable $_POST[‘username']. The same goes for all input fields. All values of the input fields will be stored into a variable $_POST[‘field_name_here'] and sent to the action file. Let’s use this to greet the user when he fills in his username and submits it:

File: form.php

File: handle_file.php

<?php
if(!empty($_POST['username']))
    echo "Hi there ".$_POST['username']."!";
 ?>

What we basicly done here is check if the field username is not empty, as the value of it would be stored into $_POST[‘username'] once the form has been submitted. So we actually check 2 things by checking whether it’s not empty. We check if the form has been submitted at all, and we check whether the input field with the name username has not been left blank. Then we use the value of it ( the username the user filled in ) to greet the user with a simple greeting.
That’s it, if you have any further questions about this chapter ( POST variables ), feel free to ask.

Cheers,
Admin.