<<

. 53
( 132 .)



>>

return $answers;
}




Interesting Code Flow
There are a few pages in this application that could stand some explanation.
However, you should be able to follow most of them if you understand the func-
tions in the previous section.

admin/questions.php
This is a fairly lengthy page, and for good reason: it is used for adding, editing, and
deleting questions in the database. The portion of the page to be run will be deter-
mined by the values passed by forms or links. The first time through, there will be
no variables passed, so a list of the current questions will be presented along with a
form for entering a new question. Each of the links to questions that already exist
in the database looks like this:

<a href=”questions.php?question_id=2” >
Chapter 9: Survey 299

When a link like this is clicked, and the questions.php script is run again, the
very last of the initial if-else tests in the setup code at the top of the file run, as
shown here:

else
{
// if the ID of a question is passed in, retrieve its
information
// from the database for editing.
extract(fetch_question($question_id));

// set the form title to indicate the action the user can
perform
$qform_title = ˜Edit A Question : #™.$question_id;
}

print subtitle($qform_title);

print start_form(˜questions.php™);



print paragraph(
˜<b>Question:</b>™
, text_field(array(
˜name™=>™question™,™value™=>$question,™size™=>60
))
, hidden_field(array(
˜name™=>™question_id™, ˜value™=>$question_id
))
);

Notice how you can get all the information associated with $question_id with
one function call (fetch_question()). Since fetch_question() is returning an
associative array, we can use extract() to create variables from the values in the
array.
Next, go into this loop:

$lines = array(˜<b>Answers:</b><br>™);

// print form elements for answers to the question.
$acount = 0;
if ($question_id > 0)
{
$query = “select answer_id, answer from answers
300 Part III: Simple Applications

where question_id = $question_id order by answer_id
“;
$result = my_query($query);
while (list($aid,$atxt) = mysql_fetch_row($result))
{
// we increment the count first because we want the
// first key value to be 1, not 0, to make sure that
// the key will test as non-empty.
$acount++;
$lines[] = text_field(array(
˜name™=>”answer_text[$acount]”
, ˜value™=>$atxt
, ˜size™=>60
));
$lines[] = hidden_field(array(
˜name™=>”answer_id[$acount]”
, ˜value™=>$aid
));
$lines[] = “ ($aid)<br>\n”;
}
mysql_free_result($result);
}

This block gets the answers for the selected question and prints them out inside
text fields. Additional information is put inside hidden fields. When printed out the
result for one answer will look like this:

<input type=”text” name=”answer_text[1]” value=”Answer” size=”60” >
<input type=”hidden” name=”answer_id[1]” value=”10”>

When this form is submitted, $answer_text will be an array. $acount will see
that the key of the array is incremented by one for each additional form field. Note
that we need to make use of a hidden form element here, because each answer
requires three pieces of information: the answer number (1“10), the answer text,
and, if the answer came from the database, the primary key of the row the answer
came from. The hidden field will create an array named $answer_id. The value in
each element of that array will be the primary key of the row storing the answer.
The index of that array will be the match for the index of $answer_text. In code
the technique looks like this:

$i = 1;
$answer_text[$i];
$answer_id[$i];
Chapter 9: Survey 301

You™d know, when receiving and processing the information from this screen,
that $answer_id[$i] contains the primary key of a row, and $answer_text[$i] is
the answer text that belongs in that row.
The previous section of code will print out form elements only where an answer
exists. But you should offer blank form elements so the administrator can enter
new answers:

// print out blank fields to bring us up to at least 10 answers
while ($acount < 10)
{
$acount++;
$lines[] = text_field(array(
˜name™ => “answer_text[$acount]”
, ˜value™ => ˜™
, ˜size™ => 60
));
$lines[] = hidden_field(array(
˜name™ => “answer_id[$acount]”
, ˜value™ => 0
));
$lines[] = “<br>\n”;
}
print paragraph($lines);

This will complete the form and display it, giving all the blank elements you need.
For these blank answers, the form will contain the following:

<input type=”text” name=”answer_text[8]” value=”” size=”60” >
<input type=”hidden” name=”answer_id[8]” value=”0”><br>

In these form elements, the value of the hidden field is set to 0. That way, when
it comes time to process these form elements, the script will have something to
evaluate: If $answer_id[$i] is equal to 0, this is a new element.
If the user clicks the Save Changes button to submit this form, the preceding
chunk of code will run after handling the update of the database record for the
question itself. There will always be 10 elements to be looped through, so a for
loop works nicely.

$answer_texts =
(array)array_key_value($_POST,™answer_text™,array());
$answer_ids =
(array)array_key_value($_POST,™answer_id™,array());

for ($i = 1; $i <= 10; $i++)
302 Part III: Simple Applications

{
$atxt = (string)$answer_texts[$i];
$aid = (int)$answer_ids[$i];
if (empty($atxt))
{
if (!empty($aid))
{

If no text exists for the answer, and a value exists for the answer ID, the user has
blanked out an existing answer. So delete it from the database:

my_query(˜delete from answers where answer_id =
˜.(int)$aid);
}
}
else
{
$answer = mysql_real_escape_string(cleanup_text($atxt));
if (empty($aid))
{
// if we have no ID for the answer,
// it doesn™t exist yet. create a new
// record in the answers table.
$query = “insert into answers (question_id, answer)
values ($question_id,™$answer™)
“;
}

Pay attention to the explicit casting ” (int) ” at the beginning of that passage.
It prevents an error when the value is 0. If the element of $answer_id is not empty
(which means it can™t be equal to 0), an insert statement is run:

else
{
// if we do have an ID, the answer is already
// in the answers table. update it.
$query = “update answers
set question_id = $question_id, answer =
˜$answer™
where answer_id = $aid
“;
}
my_query($query);
}
}
Chapter 9: Survey 303

Otherwise, if an existing answer was present, an update query will do the trick.

admin/get_winner.php
Most of this file is readable by humans. Our goal is to draw a qualified winner at
random from the database. First we use the weekstart() function (discussed earlier
in this chapter in the section “Functions from /book/survey/functions”) to get the
date on which the current week begins:

$weekdate = (string)array_key_value($_REQUEST,™weekdate™,™™);

$result = my_query(˜select ˜.weekstart($weekdate));
list($thisweek) = mysql_fetch_row($result);
mysql_free_result($result);

print subtitle(˜Draw a winner for the week of ˜.$thisweek);

// get a list of qualifying entries for the given week.
$query = “select name, email, user_id from users
where week(create_dt) = week(˜$thisweek™)
and year(create_dt) = year(˜$thisweek™)
and name is not null and name != ˜™
and email is not null and email != ˜™ and email like ˜%@%.%™
and age > 0
and country is not null and country != ˜™
“;

We then create a query that will determine who is qualified. As you can see,
we™ve decided that in addition to having signed in during the last week, participants
need to have entered a name, an email address, and a legitimate age to qualify.

admin/winners.php
We created a few pages to ensure that the winner selected is notified of the exciting
news and that we issue the notification in a way that provides some security. The
security isn™t much, but to make reasonably sure that the person who claims the
prize is the person we intended, we would need to make use of a login system, and
users of a silly little survey may not be interested in keeping track of yet another
password.
The best we can do here is to try to make sure that if some immoral person sees
the claim information one week, that person will not be able to easily spoof our
system in future weeks. When we send the winner notification, we will include an
eight-character claim code. This prize can only be claimed with the code. To make
things as secure as possible, we want to make sure this code is unique and very dif-
ficult to guess.
304 Part III: Simple Applications

mt_srand ((double) microtime() * 1000000);
$claim_code = substr(md5(uniqid(rand())),0,8);

The preceding code uses the uniqueid() and md5() functions to create a string
that is very random. There™s little for a hacker to latch onto in trying to figure out
how the string is constructed. md5() will create a string that is 32 characters long,
but that can be a bit unwieldy. So we™re using substr() to limit the string to eight
characters.
The user_id, the claim code, and the week of during which the contest took
place are inserted into the winners table:

$query = “replace into winners (weekdate, user_id, claim_code,
notify_dt)
values (˜$weekdate™, $user_id, ˜$claim_code™, now())
“;

The winner is sent an email containing a URL that includes a claim code that
matches one in the database: http://mydomain.com/book/survey/claim.

<<

. 53
( 132 .)



>>