PRINT_ENTRY( ) This prints the results of a query within a table.

function print_entry($row,$preserve="")
{
    $numargs = func_num_args();
    // positions 0 and 1 are $row and $preserve; the rest are field names
    for ($i = 2; $i < $numargs; $i++) {
        $field = func_get_arg($i);
        // "entry date" -> entry_date, so the label maps onto the column name
        $dbfield = str_replace(" ", "_", strtolower($field));
        $dbvalue = cleanup_text($row[$dbfield],$preserve);
        $name = ucwords($field);
        print "  <tr>\n";
        print "    <td valign=top align=right><b>$name:</b></td>\n";
        print "    <td valign=top align=left>$dbvalue</td>\n";
        print "  </tr>\n\n";
    }
}

The easiest way to see how this function works is to take a look at a line of code that calls it. This snippet was taken from the view.php file:

print_entry($row,$preserve,"name","location","email","URL","entry date","comments");

Notice that the function itself declares only two parameters ($row and $preserve, the latter with a default of the empty string), while this call passes eight arguments. The first argument, $row, is a row from a database call. It is expected to have come from mysql_fetch_array(), so that $row is an associative array whose keys are the column names of the guestbook table. The second argument, $preserve, is passed through to the cleanup_text() function, which we discussed previously. The remaining arguments name the columns of $row to print, in the order they should appear.

PHP keeps every argument passed to a user-defined function, and two built-in functions expose them: func_num_args() returns how many arguments were actually passed, and func_get_arg($i) returns the one at zero-based position $i. For the call to print_entry() shown above, func_num_args() returns 8 (the eight arguments occupy positions 0 through 7), so the loop, which starts at $i = 2 to skip $row and $preserve, runs for $i = 2 through 7.

The value of each argument can then be accessed with func_get_arg(). This allows for the structure used here, where a loop walks through the remaining arguments and processes each one. The first time through the for loop, $field is assigned the third argument (position 2), "name". That value is used to look up an element in the associative array $row ($row["name"]).

Before the lookup, the field name is lowercased and its spaces are replaced with underscores so that it matches the column name ("entry date" becomes entry_date); the value found there is then passed through cleanup_text() and printed. Structuring the function this way is convenient because it accepts an arbitrary number of arguments: you can print one field or many. Note that the field names come from the program's own source (the call in view.php), not from the browser; keep it that way, because each name is also printed, unescaped, as the row's heading.

PRINT_INPUT_FIELDS( ) This function works much like print_entry(). func_get_args() returns all of the arguments sent to the function as an array, which is assigned to $fields. The list()/each() loop then moves through every element of that array and prints a text field for each. The name of the field goes in one table cell, and the input box in an adjoining cell.

function print_input_fields()
{
    $fields = func_get_args();
    // each() walks the array one element at a time (PHP 4 style; removed in PHP 8)
    while (list($index,$field) = each($fields)) {
        print "  <tr>\n";
        print "    <td valign=top align=right><b>".ucfirst($field).":</b></td>\n";
        // the box is pre-filled from the global last_<field>, set when a previous attempt failed
        print "    <td valign=top align=left><input type=text name=$field size=40 value=\"".$GLOBALS["last_$field"]."\"></td>\n";
        print "  </tr>\n\n";
    }
}

Notice the use of a global variable for the default value of the text field. This is here in case the user enters bad information and the form needs to be re-presented with the values he or she entered. Because that value is printed inside a double-quoted value attribute, whatever is stored in last_$field must already have been through cleanup_text(); otherwise a stray double quote or tag typed by the user would break out of the attribute. Why would information need to be printed a second time? That should make perfect sense after you read about the next function, create_entry().
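To show the same two output helpers with the escaping made explicit, here is an added example (not the book's code) written for PHP 7.4 and later. It replaces func_get_args() with a variadic parameter, returns the HTML instead of printing it, and uses htmlspecialchars() in place of the book's cleanup_text(); the helper names h(), column_name(), render_entry() and render_input_fields(), and the sample row and submission, are all constructed here.

```php
<?php
// Added example, not from the book: return-value versions of print_entry()
// and print_input_fields() for PHP 7.4+/8, using a variadic parameter
// instead of func_get_args() and htmlspecialchars() instead of cleanup_text().
declare(strict_types=1);

// Escape a value for an HTML text node or a double-quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Map a display label to the column name the way print_entry() does:
// lower-case, spaces become underscores ("entry date" -> "entry_date").
function column_name(string $label): string
{
    return str_replace(' ', '_', strtolower($label));
}

// Render one table row per requested field from an associative row.
// Both the label and the value are escaped on the way out.
function render_entry(array $row, string ...$fields): string
{
    $out = '';
    foreach ($fields as $field) {
        $value = (string)($row[column_name($field)] ?? '');
        $out .= "  <tr>\n"
              . "    <td valign=\"top\" align=\"right\"><b>" . h(ucwords($field)) . ":</b></td>\n"
              . "    <td valign=\"top\" align=\"left\">" . h($value) . "</td>\n"
              . "  </tr>\n";
    }
    return $out;
}

// Render the form rows, re-filling each box from $last (the values the user
// submitted on a failed attempt). The attributes are quoted and both the
// name and the value are escaped, so a value such as  "><script>  stays inert.
function render_input_fields(array $last, string ...$fields): string
{
    $out = '';
    foreach ($fields as $field) {
        $value = (string)($last[$field] ?? '');
        $out .= "  <tr>\n"
              . "    <td valign=\"top\" align=\"right\"><b>" . h(ucfirst($field)) . ":</b></td>\n"
              . "    <td valign=\"top\" align=\"left\"><input type=\"text\" name=\"" . h($field)
              . "\" size=\"40\" value=\"" . h($value) . "\"></td>\n"
              . "  </tr>\n";
    }
    return $out;
}

// Constructed sample data standing in for a row fetched from the guestbook
// table and for the values a user just submitted.
$row = [
    'name'       => 'Alice <b>Example</b>',
    'location'   => 'Somewhere',
    'email'      => 'alice@example.com',
    'url'        => 'http://example.com/',
    'entry_date' => '2001-01-01 12:00:00',
    'comments'   => 'Hello "world"',
];
$last = ['name' => '"><script>alert(1)</script>', 'email' => 'alice@example.com'];

echo render_entry($row, 'name', 'location', 'email', 'URL', 'entry date', 'comments');
echo render_input_fields($last, 'name', 'location', 'email', 'url', 'comments');
```

Run it with the PHP command-line interpreter and look at the second table: the script tag in the re-filled name field comes out as &quot;&gt;&lt;script&gt;..., harmless text inside the attribute rather than markup.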

CREATE_ENTRY( ) We are not going to simply dump user information into the database. First it needs to be verified.

function create_entry($name,$location,$email,$url,$comments)
{
    // the remote address is a global set by the web server; make it visible here
    global $REMOTE_ADDR;

    // remove all HTML tags, and escape any
    // other special characters
    $name = cleanup_text($name);
    $location = cleanup_text($location);
    $email = cleanup_text($email);
    $url = cleanup_text($url);
    $comments = cleanup_text($comments);

    // start out with an empty
    // error message. as validation tests fail,
    // add errors to it.
    $errmsg = "";
    if (empty($name)) {
        $errmsg .= "<li>you have to put in a name, at least!\n";
    }

    // do a very simple check on the format of the email address
    // supplied by the user. an email address is required.
    if (empty($email) || !eregi("^[A-Za-z0-9\_-]+@[A-Za-z0-9\_-]+.[A-Za-z0-9\_-]+.*", $email)) {
        $errmsg .= "<li>$email doesn't look like a valid email address\n";
    } else {
        // if the format is OK, check to see if this user has already
        // signed the guestbook. multiple entries are not allowed.
        $query = "select * from guestbook where email = '$email'";
        $result = safe_query($query);
        if (mysql_num_rows($result) > 0) {
            $errmsg .= "<li>$email has already signed this guestbook.\n";
        }
    }

    // perform a very simple check on the format of the url supplied
    // by the user (if any)
    if (!empty($url) && !eregi("^http://[A-Za-z0-9\%\?\_\:\~\/\.-]+$",$url)) {
        $errmsg .= "<li>$url doesn't look like a valid URL\n";
    }

    if (empty($errmsg)) {
        $query = "insert into guestbook "
            ." (name,location,email,url,comments,remote_addr) values "
            ."('$name', '$location', '$email', '$url', '$comments','$REMOTE_ADDR')";
        safe_query($query);
        print "<h2>Thanks, $name!!</h2>\n";
    } else {
        print <<<EOQ
<p>
<font color=red>
<b>
<ul>
$errmsg
</ul>
Please try again
</p>
EOQ;
    }
    return $errmsg;
}

This function makes sure that the information entered is moderately useful. If there are problems with the information, a text string describing each problem is appended to the variable $errmsg. If, after all the checks have run, $errmsg is still empty, the values are inserted into the database. Otherwise the error message is printed, and the values the user entered are assigned to globals so that they can be printed as the default values in the text fields the next time through. The function also returns $errmsg, so the caller can tell which case occurred. Note that $email and $url are echoed back to the browser inside the error message; that is acceptable only because both have already been through cleanup_text().

In order, this function checks for the following:

◆ That the name field contains something

◆ That the e-mail address is potentially a proper address. Note that this is very weak validation: the pattern only requires some characters, an @, and at least three more characters. The unescaped . matches any character, so a period is not actually required, and the trailing .* accepts anything at all after that, including characters you would never want in an address. It takes a very long and complicated script to thoroughly validate an e-mail address, as you will see in later chapters.

◆ If the e-mail looks okay, that this e-mail address hasn't been entered in the database already

◆ That the URL is potentially valid (it must start with http:// and contain only the characters listed in the pattern)

XREF Check Appendix F for more detail on regular expressions.
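The following is an added example, not the book's code, that rebuilds the create_entry() checks for PHP 7.4 and later. eregi() no longer exists, so the book's two patterns are carried over to preg_match() unchanged, and a $strict switch shows them beside filter_var() validation. The database steps use PDO prepared statements against an in-memory SQLite table constructed here in place of the MySQL guestbook; cleanup_text() is not reproduced, because with bound parameters the database no longer needs escaped input and HTML escaping belongs at output time. The function names validate_entry() and insert_entry(), the constants BOOK_EMAIL_RE and BOOK_URL_RE, and the three sample submissions are all assumptions of this example.

```php
<?php
// Added example, not from the book: create_entry()'s validation and database
// steps for PHP 7.4+/8, with the book's eregi() patterns under preg_match()
// and the queries done with bound parameters.
declare(strict_types=1);

// The book's email and URL patterns, unchanged apart from the delimiters.
const BOOK_EMAIL_RE = '#^[A-Za-z0-9_-]+@[A-Za-z0-9_-]+.[A-Za-z0-9_-]+.*#i';
const BOOK_URL_RE   = '#^http://[A-Za-z0-9%?_:~/.-]+$#i';

// Run the checks and return the list of error messages (empty on success).
// $strict = false uses the book's patterns; $strict = true uses filter_var().
function validate_entry(PDO $pdo, string $name, string $email, string $url, bool $strict = false): array
{
    $errors = [];
    if (trim($name) === '') {
        $errors[] = 'you have to put in a name, at least!';
    }

    $email_ok = $strict
        ? filter_var($email, FILTER_VALIDATE_EMAIL) !== false
        : preg_match(BOOK_EMAIL_RE, $email) === 1;
    if (!$email_ok) {
        $errors[] = "$email doesn't look like a valid email address";
    } else {
        // Duplicate check with a bound parameter: the value never becomes SQL text.
        $stmt = $pdo->prepare('SELECT COUNT(*) FROM guestbook WHERE email = ?');
        $stmt->execute([$email]);
        if ((int)$stmt->fetchColumn() > 0) {
            $errors[] = "$email has already signed this guestbook.";
        }
    }

    if ($url !== '') {
        // filter_var alone accepts any scheme, so the strict branch also pins http(s).
        $url_ok = $strict
            ? (filter_var($url, FILTER_VALIDATE_URL) !== false && preg_match('#^https?://#i', $url) === 1)
            : preg_match(BOOK_URL_RE, $url) === 1;
        if (!$url_ok) {
            $errors[] = "$url doesn't look like a valid URL";
        }
    }
    return $errors;
}

// Insert with bound parameters instead of interpolating the strings into the query.
function insert_entry(PDO $pdo, array $e): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO guestbook (name, location, email, url, comments, remote_addr) VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([$e['name'], $e['location'], $e['email'], $e['url'], $e['comments'], $e['remote_addr']]);
}

// Constructed stand-in for the MySQL guestbook table.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE guestbook (name TEXT, location TEXT, email TEXT, url TEXT, comments TEXT, remote_addr TEXT)');

// Constructed submissions. The third one shows what the book's pattern lets
// through: after bob@example.com the trailing .* accepts the rest, quote and all.
$submissions = [
    ['name' => 'Alice', 'location' => 'Here', 'email' => 'alice@example.com', 'url' => 'http://example.com/', 'comments' => 'hi'],
    ['name' => 'Alice', 'location' => 'Here', 'email' => 'alice@example.com', 'url' => 'ftp://example.com/',  'comments' => 'again'],
    ['name' => 'Bob',   'location' => '',     'email' => "bob@example.com' OR '1'='1", 'url' => '', 'comments' => ''],
];

foreach ($submissions as $s) {
    $book   = validate_entry($pdo, $s['name'], $s['email'], $s['url'], false);
    $strict = validate_entry($pdo, $s['name'], $s['email'], $s['url'], true);
    printf("%-28s book: %s\n%-28s strict: %s\n", $s['email'], $book ? implode('; ', $book) : 'OK',
        '', $strict ? implode('; ', $strict) : 'OK');
    if (!$book) {
        // Constructed remote address in place of $REMOTE_ADDR.
        insert_entry($pdo, $s + ['remote_addr' => '127.0.0.1']);
    }
}

// Whatever passed the book's pattern is stored verbatim, as data, not as SQL.
foreach ($pdo->query('SELECT email FROM guestbook')->fetchAll(PDO::FETCH_COLUMN) as $stored) {
    echo "stored: $stored\n";
}
```

The second submission is refused by both branches (duplicate address, and a URL that is not http://). The third passes the book's pattern and is refused only by the strict branch; because the duplicate check and the insert bind the value instead of splicing it into the query, the odd-looking address simply ends up stored as a literal string, which is the property the book relies on cleanup_text() to provide.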