I've created a website and I want to have certain users who are able to log in and edit the content if they see something that needs changing. I'm using password_hash for the passwords.

But now I'm confused on how to let these users edit content on the website, say for example I have this bit of code:

<div class="-container-white" style="padding:128px 16px" id="charities">
  <h3 class="-center">SUPPORTING CHARITIES</h3>

  <p>Over the years we have been helping raise money for a number of charities.</p>
  <p>These include:</p>
  <ul>
    <li>Cash For Kids</li>
    <li>Cancer Research</li>
  </ul>

  <p>We also have helped numerous organisations out by donating products they can use in their raffles.</p>
  <p>If you know of any charities or would like to discuss having products donated for raffles please do not hesitate to get in touch.</p>

  <p>We are proud to support these charities and can not thank you, customers, enough for helping us do this.</p>

  <div class="-row-padding -center" style="margin-top:64px">

  </div>
</div>

Now the point of having these users is to make it easier to update the website, so if they find something wrong they can easily change it without having to ask me to go into the code and change it. What would I need to change in order to allow this to happen, i.e. make this editable once one of the admin users is logged in?

This is my login page with the SQL code, if this helps:

<?php
// Initialize the session
session_start();

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: welcome.php");
    exit;
}

// Include config file
require_once "config.php";

// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";

// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){

    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = "Please enter username.";
    } else{
        $username = trim($_POST["username"]);
    }

    // Check if password is empty
    if(empty(trim($_POST["password"]))){
        $password_err = "Please enter your password.";
    } else{
        $password = trim($_POST["password"]);
    }

    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        // Select only the columns that are bound below; the original had a stray comma
        // before FROM and selected more columns than mysqli_stmt_bind_result() received.
        $sql = "SELECT id, username, password FROM admin_users WHERE username = ?";

        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_username);

            // Set parameters
            $param_username = $username;

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);

                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){                    
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            // Password is correct, so start a new session
                            // The session was already started at the top of the file; calling
                            // session_start() again only raises a notice. Rotate the session ID
                            // instead so a session fixed before login cannot be reused after it.
                            session_regenerate_id(true);

                            // Store data in session variables
                            $_SESSION["loggedin"] = true;
                            $_SESSION["id"] = $id;
                            $_SESSION["username"] = $username;                            

                            // Redirect user to welcome page and stop, so nothing after the
                            // redirect (including the login form below) is still sent
                            header("location: welcome.php");
                            exit;
                        } else{
                            // Display an error message if password is not valid
                            $password_err = "The password you entered was not valid.";
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = "No account found with that username.";
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
            // Close statement (inside the if, because $stmt is false when prepare fails)
            mysqli_stmt_close($stmt);
        } else{
            echo "Oops! Something went wrong. Please try again later.";
        }
    }

    // Close connection
    mysqli_close($link);
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        body{ font: 14px sans-serif; }
        .wrapper{ width: 350px; padding: 20px; }
    </style>
</head>
<body>
    <div class="wrapper">
        <h2>Login</h2>
        <p>Please fill in your credentials to login.</p>
        <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
            <div class="form-group <?php echo (!empty($username_err)) ? 'has-error' : ''; ?>">
                <label>Username</label>
                <input type="text" name="username" class="form-control" value="<?php echo $username; ?>">
                <span class="help-block"><?php echo $username_err; ?></span>
            </div>    
            <div class="form-group <?php echo (!empty($password_err)) ? 'has-error' : ''; ?>">
                <label>Password</label>
                <input type="password" name="password" class="form-control">
                <span class="help-block"><?php echo $password_err; ?></span>
            </div>
            <div class="form-group">
                <input type="submit" class="btn btn-primary" value="Login">
            </div>
        </form>
    </div>    
</body>
</html>

The welcome.php page is just standard page in place at the moment until I can get this working properly.

halfer
l15
  • Sha1 is a hashing method not encryption, and it is not suitable for passwords. Use the native PHP password_hash function. – Dharman May 27 '19 at 19:17
  • Okay thanks, one of the tutorials I found said sha1 was a good thing to use. How is this done in an SQL statement for inserting users? Is it like the example I gave but with password_hash instead of sha1? – l15 May 27 '19 at 19:40
  • https://stackoverflow.com/q/30279321/1839439 – Dharman May 27 '19 at 19:48
  • https://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919 – Dharman May 27 '19 at 19:49
  • I get how to verify the password and create passwords through a PHP file. That's not what I'm asking, unless I'm just not seeing it in the links you provided. I've got a database and table already created in my phpMyAdmin and I'm doing the SQL statements in there to create the users. I'm not using PHP files to create them; I'm not wanting to allow users to register. The users are already created by me. – l15 May 27 '19 at 20:52
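The comment thread above asks how to create the admin accounts when password_hash is a PHP function and the users are being inserted by hand in phpMyAdmin. The hash cannot be computed inside an SQL statement; it has to be produced by PHP and the resulting string stored. The following is an added example, not code from the question or the linked answers: a one-off command-line script that prompts for a password, hashes it and inserts the row with a prepared statement. It uses the `admin_users` table and `username`/`password` columns named in the question and assumes `config.php` provides the mysqli connection `$link`; the script name `add_admin.php` and the assumption that the other columns (`email`, `first_name`, `last_name`) are nullable or have defaults are mine.

```php
<?php
// Added example (not from the original post). Run as:  php add_admin.php alice
// Assumes config.php defines $link (mysqli) and that admin_users' other columns
// accept NULL or have defaults; adjust the INSERT if yours are NOT NULL.
require_once "config.php";

// Refuse to run under a web server: an account-creation endpoint must never be reachable over HTTP.
if (PHP_SAPI !== "cli") {
    http_response_code(404);
    exit;
}

$username = $argv[1] ?? "";
if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {
    fwrite(STDERR, "usage: php add_admin.php <username>\n");
    exit(1);
}

// Read the password from the terminal with echo off (POSIX stty), so it is neither
// shown on screen nor left in the shell history as a command-line argument.
fwrite(STDOUT, "Password for {$username}: ");
shell_exec("stty -echo");
$password = rtrim((string) fgets(STDIN), "\r\n");
shell_exec("stty echo");
fwrite(STDOUT, "\n");

if (strlen($password) < 12) {
    fwrite(STDERR, "Password must be at least 12 characters.\n");
    exit(1);
}

// PASSWORD_DEFAULT is bcrypt today and may change in future PHP releases, which is why
// the column should be VARCHAR(255): the stored string carries the algorithm, cost and salt,
// and password_verify() on the login page reads them back from the hash itself.
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = mysqli_prepare($link, "INSERT INTO admin_users (username, password) VALUES (?, ?)");
if (!$stmt) {
    fwrite(STDERR, "prepare failed: " . mysqli_error($link) . "\n");
    exit(1);
}
mysqli_stmt_bind_param($stmt, "ss", $username, $hash);
if (!mysqli_stmt_execute($stmt)) {
    // A duplicate username surfaces here as a constraint error rather than a second row.
    fwrite(STDERR, "insert failed: " . mysqli_stmt_error($stmt) . "\n");
    exit(1);
}
mysqli_stmt_close($stmt);
mysqli_close($link);
echo "Created admin user '{$username}'.\n";
```

If you would rather keep typing the INSERT into phpMyAdmin yourself, the only PHP you need is the hash: `php -r 'echo password_hash("the password", PASSWORD_DEFAULT), PHP_EOL;'` prints a string such as `$2y$10$...` that you paste into the `password` column. The login page's `password_verify()` works on that value exactly as it would on one produced by the script.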

1 Answer

Allowing logged in users to edit the HTML of your website so that it is changed for all other users of the website is a fairly complex thing to do.

You have a long way to go from where you are now to deliver that solution if that is what you are after.

Some of the things you would need to implement:

  • You need to identify which text on your site is editable and which is not.
  • Editable sections would need to be abstracted out of the HTML, either into flat-file storage or, more likely, a database. You are already using a SQL database, so that would make most sense; I'll assume this.
  • When building the page you would need to look up the real text content from the database and embed it in your returned page.
  • You would need to identify on each page whether the viewer is a logged-in user or not and enable editing of the text (i.e. dynamically switch from a standard div to a form textarea, or div editable="true" or something).
  • You would need to capture that text has been changed in some way for any given section (either a form submit, or more cleanly some JavaScript with an Ajax call to the server).
  • Validate the content changes on the server side and store them in the database.

Here's a reference as a starting point: https://css-tricks.com/php-for-beginners-building-your-first-simple-cms/

AntG
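The answer lists the pieces but does not show them fitting together. The following is an added example, not the answerer's code and not from the linked CSS-Tricks article: the server side of that workflow in the same procedural mysqli style as the question's login page. It assumes `config.php` defines the mysqli connection `$link`, that the login page sets `$_SESSION["loggedin"]` and `$_SESSION["id"]` as shown in the question, that this file is saved as `edit.php` and `require`d by the public page, and that a `content_blocks` table with the columns in the header comment exists; the table, its columns, the block-key naming and the `index.php` redirect target are all my assumptions.

```php
<?php
// Added example (not the poster's or answerer's code). Assumed schema:
//   CREATE TABLE content_blocks (
//     block_key  VARCHAR(64) PRIMARY KEY,
//     body       TEXT NOT NULL,
//     updated_by INT NULL
//   );
session_start();
require_once "config.php";   // assumed to define $link (mysqli), as in the question

function is_admin(): bool
{
    return isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true;
}

// One random token per session; every content-changing POST must echo it back, otherwise
// any third-party page could make a logged-in admin's browser submit an edit (CSRF).
function csrf_token(): string
{
    if (empty($_SESSION["csrf"])) {
        $_SESSION["csrf"] = bin2hex(random_bytes(32));
    }
    return $_SESSION["csrf"];
}

function csrf_valid($given): bool
{
    return is_string($given) && isset($_SESSION["csrf"]) && hash_equals($_SESSION["csrf"], $given);
}

// Step 3 of the answer: look up the stored text for one block (null when no row exists yet).
function load_block(mysqli $link, string $key): ?string
{
    $stmt = mysqli_prepare($link, "SELECT body FROM content_blocks WHERE block_key = ?");
    if (!$stmt) { return null; }
    mysqli_stmt_bind_param($stmt, "s", $key);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $body);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found ? $body : null;
}

// Step 6: insert or update one block with a prepared statement, recording who changed it.
function save_block(mysqli $link, string $key, string $body, int $userId): bool
{
    $sql = "INSERT INTO content_blocks (block_key, body, updated_by) VALUES (?, ?, ?)
            ON DUPLICATE KEY UPDATE body = VALUES(body), updated_by = VALUES(updated_by)";
    $stmt = mysqli_prepare($link, $sql);
    if (!$stmt) { return false; }
    mysqli_stmt_bind_param($stmt, "ssi", $key, $body, $userId);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Steps 4 and 5: the page template calls e.g.
//   echo render_block($link, "charities_intro", "Over the years we have been helping ...");
// Plain text is stored and escaped on output; only a logged-in admin gets the edit form.
function render_block(mysqli $link, string $key, string $fallback): string
{
    $body = load_block($link, $key) ?? $fallback;
    $safe = nl2br(htmlspecialchars($body, ENT_QUOTES, "UTF-8"));
    if (!is_admin()) {
        return "<p>{$safe}</p>";
    }
    $k   = htmlspecialchars($key, ENT_QUOTES, "UTF-8");
    $raw = htmlspecialchars($body, ENT_QUOTES, "UTF-8");
    $tok = csrf_token();
    return "<form method=\"post\" action=\"edit.php\">"
         . "<input type=\"hidden\" name=\"key\" value=\"{$k}\">"
         . "<input type=\"hidden\" name=\"csrf\" value=\"{$tok}\">"
         . "<textarea name=\"body\" rows=\"6\" cols=\"80\">{$raw}</textarea><br>"
         . "<button type=\"submit\">Save</button></form>";
}

// Save handler: authorise first, then CSRF, then validate, then store.
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    if (!is_admin()) { http_response_code(403); exit("Forbidden"); }
    if (!csrf_valid($_POST["csrf"] ?? null)) { http_response_code(400); exit("Invalid request token"); }

    $key  = $_POST["key"]  ?? "";
    $body = $_POST["body"] ?? "";
    // Block keys are names chosen in the templates, so accept only a short token of safe characters.
    if (!is_string($key) || !preg_match('/^[a-z0-9_]{1,64}$/', $key)) {
        http_response_code(400); exit("Invalid block key");
    }
    if (!is_string($body) || strlen($body) > 10000) {
        http_response_code(400); exit("Content missing or too long");
    }
    if (!save_block($link, $key, $body, (int) $_SESSION["id"])) {
        http_response_code(500); exit("Could not save");
    }
    header("Location: index.php#" . $key);   // assumed public page
    exit;
}
```

Two design choices worth noting. The blocks hold plain text rather than HTML, so an admin (or anyone who steals an admin session) cannot plant script in the public page; every byte is escaped on output and line breaks are restored with `nl2br()`. And the authorisation check sits in the save handler, not only in the rendering code: hiding the textarea from anonymous visitors does nothing to stop a hand-crafted POST, so the server has to check `is_admin()` and the CSRF token on every write regardless of how the form was shown.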