Add Controls to Create, Edit, and Delete Events

To edit an event or add new events to the calendar, you need to use a form. You do this by adding a method called displayForm() that generates a form for editing and creating events to the Calendar class. This simple method accomplishes the following tasks:

1. Checks for an integer passed as the event ID.
2. Instantiates empty variables for the different fields used to describe events.
3. Loads event data if an event ID was passed.
4. Stores event data in the variables instantiated earlier if it exists.
5. Outputs a form.

Note By explicitly sanitizing the event ID passed in the $_POST superglobal, you ensure that the ID is safe to use since any non-integer values will be converted to 0.

You build the displayForm() method by adding the following bold code to the Calendar class:

  <?php
  class Calendar extends DB_Connect
  {
  private $_useDate;
  private  $_m;
  private  $_y;
  private  $_daysInMonth;
  private  $_startDay;
  public function__construct($dbo=NULL,$useDate=NULL) {...}
  public  function buildCalendar() {...}
  public  function displayEvent($id) {...}
  /**
  *  Generates a form to edit or create events
  *
  *  @return string the HTML markup for the editing form
  */
  public  function displayForm()
  {
  /*
  *  Check if an ID was passed
  */
  if (  isset($_POST['event_id']) )
  {
  $id = (int) $_POST['event_id'];
  // Force integer type to sanitize data
  }
  else
  {
  $id  = NULL;
  }
  /*
  *  Instantiate the headline/submit button text
  */
  $submit = "Create a New Event";
  /*
  * If an ID is passed, loads the associated event
  */
  if ( !empty($id) )
  {
  $event = $this->_loadEventById($id);
  /*
  * If no object is returned, return NULL
  */
  if ( !is_object($event) ) { return NULL; }
  $submit = "Edit This  Event";
  }
  /*
  *  Build the markup
  */
  return  <<<FORM_MARKUP
  <form action="assets/inc/process.inc.php" method="post">
  <fieldset>
  <legend>$submit</legend>
  <label for="event_title">Event Title</label>
  <input type="text" name="event_title"
  id="event_title"  value="$event->title" />
  <label for="event_start">Start Time</label>
  <input type="text" name="event_start"
  id="event_start"  value="$event->start" />
  <label for="event_end">End Time</label>
  <input type="text" name="event_end"
  id="event_end"  value="$event->end" />
  <label for="event_description">Event Description</label>
  <textarea name="event_description"
  id="event_description">$event->description</textarea>
  <input type="hidden" name="event_id"  value="$event->id" />
  <input type="hidden" name="token" value="$_SESSION[token]" />
  <input type="hidden" name="action" value="event_edit"  />
  <input  type="submit" name="event_submit" value="$submit"  />
  or <a href="./">cancel</a>
  </fieldset>
  </form>
  FORM_MARKUP;
  }
  private function _loadEventData($id=NULL) {...}
  private function _createEventObj() {...}
  private function _loadEventById($id) {...}
  }
  ?>

Adding a Token to the Form

If you look at the preceding form, there’s a hidden input named token that holds a session value, also called token. This is a security measure to prevent cross-site request forgeries (CSRF), which are form submissions that are faked by submitting a form to your app’s processing file from somewhere other than the form itself. This is a common tactic used by spammers to send multiple forged entry submissions, which is annoying, potentially harmful, and definitely undesirable.

This token is created by generating a random hash and storing it in the session, and then posting the token along with the form data. If the token in the $_POST superglobal matches the one in the $_SESSION superglobal, then it’s a reasonably sure bet that the submission is legitimate. You add an anti-CSRF token into your application by modifying the initialization file with the code shown in bold:

  <?php
  /*
  *  Enable sessions
  */
  session_start();
  /*
  *  Generate an anti-CSRF token if one doesn't exist
  */
  if (  !isset($_SESSION['token']) )
  {
  $_SESSION['token']  = sha1(uniqid(mt_rand(), TRUE));
  }
  /*
  *  Include the necessary configuration info
  */
  include_once  '../sys/config/db-cred.inc.php'; // DB info
  /*
  *  Define constants for configuration info
  */
  foreach  ( $C as $name => $val )
  {
  define($name,  $val);
  }
  /*
  *  Create a PDO object
  */
  $dsn = "mysql:host=" . DB_HOST . ";dbname=" . DB_NAME;
  $dbo = new PDO($dsn, DB_USER, DB_PASS);
  /*
  * Define the auto-load function for classes
  */
  function  __autoload($class)
  {
  $filename  = "../sys/class/class.". $class. ".inc.php";
  if ( file_exists($filename) )
  {
  include_once  $filename;
  }
  }
  ?>

Caution You may want to include a time limit for tokens to increase security further. Making sure a token is no older than 20 minutes, for instance, helps prevent a user from leaving a computer unattended and having a mischievous user start poking around later. For more information on tokens and preventing CSRF, visit Chris Shiflett’s blog and read his article on the topic

Creating a File to Display the Form

Now that the method exists to display the form, you need to create a file that will call that method. This file will be called admin.php, and it will reside in the root level of the public folder (/public/admin.php). Similar to view.php, this file accomplishes the following:

• Loads the initialization file.
• Sets up a page title and CSS file array.
• Includes the header.
• Creates a new instance of the Calendar class.
• Calls the displayForm() method.
• Includes the footer.

 Next, add the following inside the new admin.php file:

  <?php
  /*
  * Include necessary files
  */
  include_once '../sys/core/init.inc.php';
  /*
  * Output the header
  */
  $page_title = "Add/Edit Event";
  $css_files = array("style.css");
  include_once 'assets/common/header.inc.php';
  /*
  * Load the calendar
  */
  $cal = new Calendar($dbo);
  ?>
  <div id="content">
  <?php echo $cal->displayForm(); ?>
  </div><!--  end #content -->
  <?php
  /*
  *  Output the footer
  */
  include_once 'assets/common/footer.inc.php';
  ?>

 After saving this code, navigate to see the resulting form.

The form before adding any CSS styles

Adding a New Stylesheet for Administrative Features

Obviously, the preceding form needs some visual enhancement to make it more usable. However, this form will ultimately be accessible only to administrators (because you don’t want just anyone making changes to your calendar), so the CSS rules will be separated out to a separate stylesheet called admin.css. You can find this file in the css folder (/public /assets /css/).

Again, since this book is not about CSS, the rules won’t be explained. Essentially, the following CSS makes the form elements look more like what your user expects a form to look like; it also adds a couple rules for elements that will be created shortly.

Now add the following code into admin.css:

  fieldset  {
  border: 0;
  }
  legend  {
  font-size:  24px;
  font-weight:  bold;
  }
  input[type=text],input[type=password],label  {
  display:  block;
  width:  70%;
  font-weight:  bold;
  }
  textarea  {
  width:  99%;
  height:  200px;
  }
  input[type=text],input[type=password],textarea  {
  border:  1px solid #123;
  -moz-border-radius:  6px;
  -webkit-border-radius:  6px;
  border-radius:  6px;
  -moz-box-shadow:  inset 1px 2px 4px #789;
  -webkit-box-shadow:  inset 1px 2px 4px #789;
  box-shadow:  inset 1px 2px 4px #789;
  padding:  4px;
  margin:  0 0 4px;
  font-size:  16px;
  font-family:  georgia, serif;
  }
  input[type=submit]  {
  margin:  4px 0;
  padding:  4px;
  border:  1px solid #123;
  -moz-border-radius:  6px;
  -webkit-border-radius:  6px;
  border-radius:  6px;
  -moz-box-shadow:  inset -2px -1px 3px #345,
  inset  1px 1px 3px #BCF,
  1px  2px 6px #789;
  -webkit-box-shadow:  inset -2px -1px 3px #345,
  inset  1px 1px 3px #BCF,
  1px  2px 6px #789;
  box-shadow:  inset -2px -1px 3px #345,
  inset  1px 1px 3px #BCF,
  1px  2px 6px #789;
  background-color:  #789;
  font-family:  georgia, serif;
  text-transform: uppercase;
  font-weight:  bold;
  font-size:  14px;
  text-shadow:  0px 0px 1px #fff;
  }
  .admin-options  {
  text-align:  center;
  }
  .admin-options  form,.admin-options p {
  display:  inline;
  }
  a.admin  {
  display:  inline-block;
  margin:  4px 0;
  padding:  4px;
  border:  1px solid #123;
  -moz-border-radius:  6px;
  -webkit-border-radius:  6px;
  border-radius:  6px;
  -moz-box-shadow:  inset -2px -1px 3px #345,
  inset  1px 1px 3px #BCF,
  1px  2px 6px #789;
  -webkit-box-shadow:  inset -2px -1px 3px #345,
  inset  1px 1px 3px #BCF,
  1px  2px 6px #789;
  box-shadow:  inset -2px -1px 3px #345,
  inset  1px 1px 3px #BCF,
  1px  2px 6px #789;
  background-color:  #789;
  color:  black;
  text-decoration:  none;
  font-family:  georgia, serif;
  text-transform:  uppercase;
  font-weight:  bold;
  font-size:  14px;
  text-shadow:  0px 0px 1px #fff;
  }

 Save this file, then add admin.css to the $css_files array in admin.php by making the changes shown in bold:

  <?php
  /*
  *  Include necessary files
  */
  include_once  '../sys/core/init.inc.php';
  /*
  *  Output the header
  */
  $page_title  = "Add/Edit Event";
  $css_files  = array("style.css", "admin.css");
  include_once  'assets/common/header.inc.php';
  /*
  *  Load the calendar
  */
  $cal  = new Calendar($dbo);
  ?>
  <div  id="content">
  <?php  echo $cal->displayForm(); ?>
  </div><!--  end #content -->
  <?php
  /*
  *  Output the footer
  */
  include_once  'assets/common/footer.inc.php';
  ?>

After saving the preceding code, reload to see the styled form.

The form to add or edit events after applying CSS styles