Web Database Applications - PHP 4.2 Examples

PHP 4.2 Update of the Source Code from Web Database Applications with PHP and MySQL

The release of PHP 4.1 brought about significant changes to the default techniques used to access external variables from within PHP. In short, the register_globals option in the php.ini file is now by default set to off, which means that GET, POST, session, and environment variables are no longer automatically registered as global variables of the same name. Instead, these variables must be accessed as elements of several "super globals". In addition, many PHP installs now have the short_open_tag=Off setting, meaning that the use of <? is not allowed and that <?php should be used instead. A good, short treatment of these changes can be found here.

In response to these changes, we have updated the source code for our book. Detailed changes for each chapter are listed below; most changes are as the direct result of variable access changes or because of short tag requirements. In addition, there are selected bug fixes in response to reader feedback. Please contact Hugh Williams at hugh @ hughwilliams.com with any suggestions or corrections.

Global and Miscellaneous Changes

Changed all short open tags <? to long tags <?php in all PHP source and .inc files (the list of changes is long, so I have omitted it here)

In source.php, changed:

     $page_url = clean($page_url, 30);

     $page_url = clean($_GET["page_url"], 30);

In new/source.php, changed and fixed bugs. Changed:

include "include.inc";
$page_url = clean($page_url, 30);

include "../db.inc";
$page_url = clean($_GET["page_url"], 30);

Chapter 5 Changes

In example.5-1.php, updated for new GET variable access style:

echo "RegionName is " . $regionName . "\n";

   
echo "RegionName is " . $_GET["regionName"] . "\n";

In example.5-4.php, updated for new GET variable access style:

$regionName  = clean($regionName, 30);
$wineType    = clean($wineType, 10);

$regionName  = clean($_GET["regionName"], 30);
$wineType    = clean($_GET["wineType"], 10);

In example.5-5.php, updated for new GET variable access style:

$regionName = clean($regionName, 30);

$regionName = clean($_GET["regionName"], 30);

In example.5-6.php, updated for new GET variable access style:

if (empty($regionName))

if (empty($_GET["regionName"]))

and

} // end of if empty($regionName) body

} // end of if empty($_GET["regionName"]) body

and

$regionName = clean($regionName, 30);

$regionName = clean($_GET["regionName"], 30);

In example.5-8.php, updated for new GET variable access style:

if (!empty($wineId) && !empty($qty))

if (!empty($_GET["wineId"]) && !empty($_GET["qty"]))

In example.5-8.php, fixed server variable access for new style:

// and the PHP environment variable $HTTP_REFERER
header("Location: $HTTP_REFERER");

// and the PHP server environment variable $_SERVER["HTTP_REFERER"]
header("Location: {$_SERVER["HTTP_REFERER"]}");

Fixed two bugs in example.5-9.php/example.5-10.php by adding:

   
$offset = clean($_GET["offset"], 6);

and changing:

"&" . $browseStriang .

"&" . $browseString .

In example.5-9.php/example.5-10.php/example.5-11.php, updated for new GET variable access style:

$regionName = clean($regionName, 30);

$regionName = clean($_GET["regionName"], 30);

Fixed a bug in example.5-11.php by adding:

   
$offset = clean($_GET["offset"], 6);

Chapter 6 Changes

Fixed a bug in example.6-1.php by adding:

$regionName = clean($_GET["regionName"], 30);
$description = clean($_GET["description"], 2048);

In example.6-1.php, changed for new GET variable access style:

if (empty($regionName) || empty($description))

if (empty($_GET["regionName"]) || empty($_GET["description"]))

In customer_receipt.php, fixed a bug by adding:
```
$custID = clean($_GET["custID"], 4);
```

In example.6-2.php, changed for new POST and FILES variable access style:

if (empty($regionName) || empty($description))

if (empty($_POST["regionName"]) || empty($_POST["description"]))

and

$regionName = clean($regionName, 50);
$description = clean($description, 2048);

$regionName = clean($_POST["regionName"], 50);
$description = clean($_POST["description"], 2048);

and

if (is_uploaded_file($userfile))

if (is_uploaded_file($_FILES["userfile"]))

and

$file = fopen($userfile, "r");

$file = fopen($_FILES["userfile"], "r");

and

fread($file, filesize($userfile));

fread($file, filesize($_FILES["userfile"]));

In example.6-3.php, changed for new GET variable access style:

$regionId = clean($regionId, 3);
$status = clean($status, 1);

$regionId = clean($_GET["regionId"], 3);
$status = clean($_GET["status"], 1);

In example.6-4.php, changed for new GET variable access style:

$region_id = clean($region_id, 4);

$region_id = clean($_GET["region_id"], 4);

In example.6-6.php, changed for new POST variable access style:

foreach($HTTP_POST_VARS as $varname => $value)

foreach($_POST as $varname => $value)

In example.6-7.php, changed for new GET variable access style:

$custID = clean($custID, 5);

$custID = clean($_GET["custID"], 5);

In example.6-8.php, changed for new POST variable access style:

$custID = clean($custID, 5);

$custID = clean($_POST["custID"], 5);

and

foreach($HTTP_POST_VARS as $varname => $value)

foreach($_POST as $varname => $value)

In example.6-10.php, changed for new POST variable access style:

if (empty($regionId))

if (empty($_POST["regionId"]))

and

$regionId = clean($regionId, 3);
$regionName = clean($regionName, 20);
$description = clean($description, 255);

$regionId = clean($_POST["regionId"], 3);
$regionName = clean($_POST["regionName"], 30);
$description = clean($_POST["description"], 2048);

Chapter 7 Changes

In example.7-2.php, changed for new GET variable access style:

$custID = clean($custID, 5);

$custID = clean($_GET["custID"], 5);

In example.7-7.php, fixed server variable access for new style:

printf("%s", $HTTP_USER_AGENT);

printf("%s", $_SERVER["HTTP_USER_AGENT"]);

Chapter 8 Changes

In example.8-1.php, updated all session variables to the new syntax. Changed:

if(!isset($count)) {

if(!isset($_COOKIE["count"])) 
{

Added:

$_COOKIE["start"] = $start;

and changed:

$count++;

$count = $_COOKIE["count"] + 1;

and

$duration = time() - $start;

$duration = time() - $_COOKIE["start"];

In example.8-2.php, updated all session variables to the new syntax::

   $count  = 0;
   $start = time();
}
else
{
   $count++;

   $_SESSION["count"] = 0;
   $_SESSION["start"] = time();
}
else
{
   $_SESSION["count"]++;

and

$duration = time() - $start;

$duration = time() - $_SESSION["start"];

In example.8-4.php, changed for new POST variable access style:

foreach($HTTP_POST_VARS as $varname => $value)

foreach($_POST as $varname => $value)

In example.8-4.php, changed for new SESSION variable access style by adding:

$_SESSION["formVars"] = $formVars;

and

// Is CustID a session variable? If so, initialise
if (session_is_registered("custID"))
   $custID = $_SESSION["custID"];

and

// Store the errors in the session variable
$_SESSION["errors"] = $errors;

In example.8-5.php, made extensive changes for new SESSION variable access style:

Changed:

if (!empty($HTTP_GET_VARS["custID"]))
   $custID = clean($HTTP_GET_VARS["custID"], 5);

// Retrieve the custID from the session variable (if set)
if (session_is_registered("custID"))
   $custID = $_SESSION["custID"];

if (!empty($_GET["custID"]))
   $custID = clean($_GET["custID"], 5);

// Initialise $formVars from the $_SESSION["formVars"] (if set)
if (session_is_registered("formVars"))
{
   $row = $_SESSION["formVars"];
   $formVars["surname"] = $row["surname"];
   $formVars["firstName"] = $row["firstName"];
   $formVars["address1"] = $row["address1"];
   $formVars["city"] = $row["city"];
   $formVars["email"] = $row["email"];
   $formVars["dob"] = $row["dob"];
}

Changed:

if (!empty($custID) && empty($errors))

if (!empty($custID) && empty($_SESSION["errors"]))

Added:
```
$_SESSION["custID"] = $custID;
```

Simplified:

$formVars["dob"] = $row["birth_date"];
$formVars["dob"] = substr($formVars["dob"], 8, 2) . "/" .
                   substr($formVars["dob"], 5, 2) . "/" .   
                   substr($formVars["dob"], 0, 4);

$formVars["dob"] = substr($row["birth_date"], 8, 2) . "/" .
                   substr($row["birth_date"], 5, 2) . "/" .   
                   substr($row["birth_date"], 0, 4);

Changed all accesses to $errors to $_SESSION["errors"] in the HTML <form>

Chapter 9 Changes

In example.9-3.php, changed for new server variable access style:

<h2>Hi there <?=$PHP_AUTH_USER?></h2>

<h2>Hi there <?php echo $_SERVER["PHP_AUTH_USER"]; ?></h2>

and

'<?=$PHP_AUTH_PW?>'!

'<?php echo $_SERVER["PHP_AUTH_PW"]; ?>'!

In example.9-4.php, changed for new server variable access style:

if(!authenticated($PHP_AUTH_USER, $PHP_AUTH_PW))

if(!authenticated($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]))

In example.9-5.php, updated for new server variable access style:

if(strncmp("141.190.17", $REMOTE_ADDR, 10) != 0)

if(strncmp("141.190.17", $_SERVER["REMOTE_ADDR"], 10) != 0)

In example.9-8.php, updated for new session variable access. Changed:

if (isset($HTTP_SESSION_VARS["authenticatedUser"]))

if (isset($_SESSION["authenticatedUser"]))

and

logged_on_page($HTTP_SESSION_VARS["authenticatedUser"]);

logged_on_page($_SESSION["authenticatedUser"]);

and

login_page($HTTP_SESSION_VARS["loginMessage"]);

login_page($_SESSION["loginMessage"]);

In example.9-9.php, updated for new session and POST variable access. Changed (and bug fixed the username length):

$appUsername = 
   clean($HTTP_POST_VARS["formUsername"], 10);
$appPassword = 
   clean($HTTP_POST_VARS["formPassword"], 15);

$appUsername = clean($_POST["formUsername"], 50);
$appPassword = clean($_POST["formPassword"], 10);

and

$authenticatedUser = $appUsername;

$_SESSION["authenticatedUser"] = $appUsername;

and

$loginIpAddress = $REMOTE_ADDR;

$_SESSION["loginIpAddress"] = $_SERVER["REMOTE_ADDR"];

and

$loginMessage =

$_SESSION["loginMessage"] =

In example.9-10.php, updated for new session variable access style. Changed:

  $appUsername =
     $HTTP_SESSION_VARS["authenticatedUser"];

  $loginMessage = 
    "User \"$appUsername\" has logged out";
  
  session_register("loginMessage");

  $appUsername = $_SESSION["authenticatedUser"];
  
  session_register("loginMessage");

  $_SESSION["loginMessage"] =  "User \"$appUsername\" has logged out";

In example.9-11.php, updated for new session variable access style. Changed:

  // Set a boolean flag to check if 
  // a user has authenticated
  $notAuthenticated = 
    !isset($HTTP_SESSION_VARS["authenticatedUser"]);

  // Set a boolean flag to true if this request
  // originated from the same IP address
  // as the one that created this session
  $notLoginIp = 
    isset($HTTP_SESSION_VARS["loginIpAddress"]) 
    && ($HTTP_SESSION_VARS["loginIpAddress"] !=
        $REMOTE_ADDR);

  // Check that the two flags are false
  if($notAuthenticated)
  {
    // The request does not identify a session
    session_register("loginMessage");
    $loginMessage = 
      "You have not been authorized to access the " .
      "URL $REQUEST_URI";

    // Re-locate back to the Login page
    header("Location: " . $loginScript);
    exit;
  }
  else if($notLoginIp)
  {
    // The request did not originate from the machine
    // that was used to create the session. 
    // THIS IS POSSIBLY A SESSION HIJACK ATTEMPT

    session_register("loginMessage");
    $loginMessage = 
      "You have not been authorized to access the " .
      "URL $REQUEST_URI from the address $REMOTE_ADDR";

  // Set a boolean flag to check if 
  // a user has authenticated
  $notAuthenticated = !isset($_SESSION["authenticatedUser"]);

  // Set a boolean flag to true if this request
  // originated from the same IP address
  // as the one that created this session
  $notLoginIp = isset($_SESSION["loginIpAddress"]) && ($_SESSION["loginIpAddress"] != $_SERVER["REMOTE_ADDR"]);

  // Check that the two flags are false
  if($notAuthenticated)
  {
    // The request does not identify a session
    session_register("loginMessage");
    $_SESSION["loginMessage"] = "You have not been authorized to access the " .
                                "URL {$_SERVER["REQUEST_URI"]}";

    // Re-locate back to the Login page
    header("Location: " . $loginScript);
    exit;
  }
  else if($notLoginIp)
  {
    // The request did not originate from the machine
    // that was used to create the session. 
    // THIS IS POSSIBLY A SESSION HIJACK ATTEMPT

    session_register("loginMessage");
    $_SESSION["loginMessage"] = "You have not been authorized to access the " .
      "URL {$_SERVER["REQUEST_URI"]} from the address {$_SERVER["REMOTE_ADDR"]}";

1c1

Chapter 10 Changes

In example.customer.1.php, updated for new POST and session variable access style. Changed:

foreach($HTTP_POST_VARS as $varname => $value)

foreach($_POST as $varname => $value)

Added:

$_SESSION["formVars"] = $formVars;

Added:

// Store the errors in the session variable
$_SESSION["errors"] = $errors;

Changed:

$loginUsername = $formVars["email"];

$_SESSION["loginUsername"] = $formVars["email"];

and

$custID = getCustomerID($loginUsername, $connection);

$custID = getCustomerID($_SESSION["loginUsername"], $connection);

In example.customer.2.php, updated SESSION variable access. Added:

// Initialise $formVars from the $_SESSION["formVars"] (if set)
if (session_is_registered("formVars"))
{
   $row = $_SESSION["formVars"];
   $formVars["title"] = $row["title"];
   $formVars["surname"] = $row["surname"];
   $formVars["firstName"] = $row["firstName"];
   $formVars["initial"] = $row["initial"];
   $formVars["address1"] = $row["address1"];
   $formVars["address2"] = $row["address2"];
   $formVars["address3"] = $row["address3"];
   $formVars["city"] = $row["city"];
   $formVars["state"] = $row["state"];
   $formVars["zipcode"] = $row["zipcode"];
   $formVars["country"] = $row["country"];
   $formVars["phone"] = $row["phone"];
   $formVars["fax"] = $row["fax"];
   $formVars["email"] = $row["email"];
   $formVars["dob"] = $row["dob"];
}

Changed:

if (session_is_registered("loginUsername") && empty($errors))

if (session_is_registered("loginUsername") && empty($_SESSION["errors"]))

and

$custID = getCustomerID($loginUsername, $connection);

$custID = getCustomerID($_SESSION["loginUsername"], $connection);

Deleted:

// Reset the errors
$errors = array();

Neatened:

   $formVars["dob"] = $row["birth_date"];
   $formVars["dob"] = substr($formVars["dob"], 8, 2) . "/" .
                      substr($formVars["dob"], 5, 2) . "/" .   
                      substr($formVars["dob"], 0, 4);

   $formVars["dob"] = substr($row["birth_date"], 8, 2) . "/" .
                      substr($row["birth_date"], 5, 2) . "/" .   
                      substr($row["birth_date"], 0, 4);

Replaced all references in the HTML <form> to $errors with $_SESSION["errors"]

In example.customer.3.php, updated session, GET, and environment variable access. Changed:

$message = "You must login to view your customer receipt.";

$_SESSION["message"] = "You must login to view your customer receipt.";

and

if (!isset($custID))

if (!isset($_GET["custID"]))

and

$message = "Incorrect parameters to example.customer.3.php";

$_SESSION["message"] = "Incorrect parameters to example.customer.3.php";

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

Added:

// Initialise the $custID from the GET method request
$custID = $_GET["custID"];

and changed:

 
   // Check this customer matches the custID
   if ($custID != getCustomerID($loginUsername, NULL))
   {
      session_register("message");

      $message = "You can only view your own customer receipt!";

      $custID = getCustomerID($loginUsername, NULL);
   }

   // Check this customer matches the custID
   if ($custID != getCustomerID($_SESSION["loginUsername"], NULL))
   {
      session_register("message");

      $SESSION["message"] = "You can only view your own customer receipt!";

      $custID = getCustomerID($_SESSION["loginUsername"], NULL);
   }

In example.order.1.php, updated session and POSt variable access. Added:

$_SESSION["loginUsername"] = $loginUsername;

Changed:

$message = "Username or password incorrect. Login failed.";

$_SESSION["message"] = "Username or password incorrect. Login failed.";

Removed:

global $message;

Changed:

if (isset($HTTP_POST_VARS["loginUsername"]))
   $loginUsername = clean($HTTP_POST_VARS["loginUsername"], 30);

if (isset($_POST["loginUsername"]))
  $loginUsername = clean($_POST["loginUsername"], 30);

and

if (isset($HTTP_POST_VARS["loginPassword"]))
   $loginPassword = clean($HTTP_POST_VARS["loginPassword"], 8);

if (isset($_POST["loginPassword"]))
   $loginPassword = clean($_POST["loginPassword"], 8);

and

if ((empty($HTTP_POST_VARS["loginUsername"]) &&
    !empty($HTTP_POST_VARS["loginPassword"])) ||
   (!empty($HTTP_POST_VARS["loginUsername"]) &&
    empty($HTTP_POST_VARS["loginPassword"])))

if ((empty($loginUsername) && !empty($loginPassword)) ||
   (!empty($loginUsername) && empty($loginPassword)))

and

    $message = "Both a username and password must be supplied.";

    $_SESSION["message"] = "Both a username and password must be supplied.";

In example.order.2.php, updated session variable access. Changed:

  else
  {
     // Register a message to show the user
     session_register("message");
     $message = "Error: you are not logged in!";
  }

  // Redirect the browser back to the calling page
  if (session_is_registered("referer"))
  {  
     // Delete the redirection session variable
     session_unregister("referer");

     // Then, use it to redirect to the calling page
     header("Location: $referer");
     exit;

  else
  {
     // Register a message to show the user
     session_register("message");
     $_SESSION["message"] = "Error: you are not logged in!";
  }

  // Redirect the browser back to the calling page
  if (session_is_registered("referer"))
  {  
     // Then, use it to redirect to the calling page
     header("Location: {$_SESSION["referer"]}");

     // Delete the redirection session variable
     session_unregister("referer");
     exit;

In include.inc, updated session variable access. Removed:

global $order_no;

Added:

$order_no = $_SESSION["order_no"];

Removed:

global $message;

Changed:

echo "<h3><font color=\"red\">$message</font></h3>";

echo "<h3><font color=\"red\">{$_SESSION["message"]}</font></h3>";

Removed:

$message = "";

and

global $loginUsername;

Changed:

echo "<p align=\"right\">You are currently logged in as <b>$loginUsername</b></p>\n";

echo "<p align=\"right\">You are currently logged in as <b>{$_SESSION["loginUsername"]}</b></p>\n";

In error.inc, stopped you sending me email:

error_log($errorString, 1, "hugh");

error_log($errorString, 1, "youremail@youraddress.com");

Chapter 11 Changes

In example.cart.2.php, fixed session variables. Deleted:

global $order_no;

and changed:

"AND order_id = " . $order_no;

"AND order_id = " . $_SESSION["order_no"];

In example.cart.3.php, updated GET, session, and environment variables. Changed:

if (empty($wineId) && empty($qty))

if (empty($_GET["wineId"]) && empty($_GET["qty"]))

and

$message = "Incorrect parameters to example.cart.3.php";

$_SESSION["message"] = "Incorrect parameters to example.cart.3.php";

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

and

$wineId = clean($wineId, 5);
$qty = clean($qty, 3);

$wineId = clean($_GET["wineId"], 5);
$qty = clean($_GET["qty"], 3);

and added:

$_SESSION["order_no"] = $order_no;

and added:

// Initialise a local $order_no
$order_no = $_SESSION["order_no"];

and changed:

$message = "Sorry! We just sold out of this great wine!";

$_SESSION["message"] = "Sorry! We just sold out of this great wine!";

and changed:

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

In example.cart.4.php, updated session variables. Added:

// Initialise a local $order_no
$order_no = $_SESSION["order_no"];

and updated:

$message = "There is nothing in your cart.";

$_SESSION["message"] = "There is nothing in your cart.";

and

header("Location: $referer");

header("Location: {$_SESSION["referer"]}");

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

In example.cart.6.php, updated session and GET variables. Changed:

foreach($HTTP_GET_VARS as $varname => $value)
           $parameters[$varname] = clean($value, 4);

foreach($_GET as $varname => $value)
   $parameters[$varname] = clean($value, 4);

Added:

// Register a local $order_no
$order_no = $_SESSION["order_no"];

Changed:

$message = "Incorrect parameters to example.cart.6.php";

$_SESSION["message"] = "Incorrect parameters to example.cart.6.php";

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

and

$message = "There was an error updating your quantities. Try again.";

$_SESSION["message"] = "There was an error updating your quantities. Try again.";

and

$message = "There was an error updating quantities. Try again.";

$_SESSION["message"] = "There was an error updating quantities. Try again.";

In example.cart.5.php, updated for session, GET, and environment variables. Changed:

foreach($HTTP_GET_VARS as $varname => $value)

foreach($_GET as $varname => $value)

and

header("Location: example.cart.6.php?$QUERY_STRING");

header("Location: example.cart.6.php?{$_SERVER["QUERY_STRING"]}");

and

header("Location: example.search.1.php?$QUERY_STRING");

header("Location: example.search.1.php?{$_SERVER["QUERY_STRING"]}");

and

$referer = $HTTP_REFERER;

$_SESSION["referer"] = $_SERVER["HTTP_REFERER"];

and

header("Location: example.order.1.php?$QUERY_STRING");

header("Location: example.order.1.php?{$_SERVER["QUERY_STRING"]}");

and

$referer = $HTTP_REFERER;

$_SESSION["referer"] = $_SERVER["HTTP_REFERER"];

and

header("Location: example.order.2.php?$QUERY_STRING");

header("Location: example.order.2.php?{$_SERVER["QUERY_STRING"]}");

and

header("Location: example.order.3.php?$QUERY_STRING");

header("Location: example.order.3.php?{$_SERVER["QUERY_STRING"]}");

Chapter 12 Changes

In example.order.3.php, updated variables for session and environment access. Changed:

$message = "There are no items in your shopping cart!";

$_SESSION["message"] = "There are no items in your shopping cart!";

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

and added:

// Initialise a local $order_no
$order_no = $_SESSION["order_no"];

and changed:

$message = "You must login to finalise your purchase.";

$_SESSION["message"] = "You must login to finalise your purchase.";

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

and

$custID = getCustomerID($loginUsername, NULL);

$custID = getCustomerID($_SESSION["loginUsername"], NULL);

Deleted:

if (!session_is_registered("message"))
   session_register("message");

and added:

{
   if (!session_is_registered("message"))
      session_register("message");

   $_SESSION["message"] = $message;
}

In example.shipping.1.php, updated for GET and session variables. Changed:

$message = "You must login to finalise your purchase.";

$_SESSION["message"] = "You must login to finalise your purchase.";

and

$message = "Incorrect parameters to example.shipping.1.php";

$_SESSION["message"] = "Incorrect parameters to example.shipping.1.php";

and added:

// Clean the GET variables
$custID = clean($_GET["custID"], 5);
$orderID = clean($_GET["orderID"], 5);

and changed:

if ($custID != getCustomerID($loginUsername, NULL))

if ($custID != getCustomerID($_SESSION["loginUsername"], NULL))

and

$message = "You can only view your own receipts!";

$_SESSION["message"] = "You can only view your own receipts!";

In example.shipping.2.php, updated for GET and session variables. Changed:

$message = "You must login to view your receipt.";

$_SESSION["message"] = "You must login to view your receipt.";

and

$message = "Incorrect parameters to example.shipping.2.php";

$_SESSION["message"] = "Incorrect parameters to example.shipping.2.php";

and added:

// Clean the GET variables
$custID = clean($_GET["custID"], 5);
$orderID = clean($_GET["orderID"], 5);

and changed:

if ($custID != getCustomerID($loginUsername, NULL))

if ($custID != getCustomerID($_SESSION["loginUsername"], NULL))

and

$message = "You can only view your own receipts!";

$_SESSION["message"] = "You can only view your own receipts!";

In example.shipping.3.php, updated for GET and session variables. Changed:

$message = "You must login to view your receipt.";

$_SESSION["message"] = "You must login to view your receipt.";

and added:

// Clean the GET variables
$custID = clean($_GET["custID"], 5);
$orderID = clean($_GET["orderID"], 5);

and changed:

$message = "Incorrect parameters to example.shipping.3.php";

$_SESSION["message"] = "Incorrect parameters to example.shipping.3.php";

and

header("Location: $HTTP_REFERER");

header("Location: {$_SERVER["HTTP_REFERER"]}");

and

$message = "You can only view your own receipts!";

$_SESSION["message"] = "You can only view your own receipts!";

In example.search.1.php, updated session and GET variables. Updated:

if (!empty($HTTP_GET_VARS["regionName"]))
   $regionName = clean($regionName, 30);

if (!empty($_GET["regionName"]))
   $regionName = clean($_GET["regionName"], 30);

and

$regionName = $sessionRegionName;

$regionName = $_SESSION["sessionRegionName"];

and

if (!empty($HTTP_GET_VARS["wineType"]))
   $wineType = clean($wineType, 20);

if (!empty($_GET["wineType"]))
   $wineType = clean($_GET["wineType"], 20);

and

$wineType = $sessionWineType;

$wineType = $_SESSION["sessionWineType"];

and

if (!empty($HTTP_GET_VARS["offset"]))
   $offset = clean($offset, 5);

if (!empty($_GET["offset"]))
   $offset = clean($_GET["offset"], 5);

and

// Save the search criteria
$sessionRegionName = $regionName;
$sessionWineType = $wineType;

// Save the search criteria
$_SESSION["sessionRegionName"] = $regionName;
$_SESSION["sessionWineType"] = $wineType;

Appendix D Changes

In example.d-1.php, updated for session variables. Changed:

$count = 0;
$start = time();

$_SESSION["count"] = 0;
$_SESSION["start"] = time();

and

$count++;

$_SESSION["count"]++;

and

(<?=$sessionId ?>)
<br>count = <?=$count ?>.
<br>start = <?=$start ?>.

(<?php  echo $sessionId; ?>)
<br>count = <?php echo $_SESSION["count"]; ?>.
<br>start = <?php echo $_SESSION["start"]; ?>.

and

$duration = time() - $start;

$duration = time() - $_SESSION["start"];

In example.d-10.php, updated for session variable access:

$count = 0;
$start = time();

$_SESSION["count"] = 0;
$_SESSION["start"] = time();

and

$count++;

$_SESSION["count"]++;

and

(<?=$sessionId ?>)
<br>count = <?=$count ?>.
<br>start = <?=$start ?>.

(<?php  echo $sessionId; ?>)
<br>count = <?php echo $_SESSION["count"]; ?>.
<br>start = <?php echo $_SESSION["start"]; ?>.

and

$duration = time() - $start;

$duration = time() - $_SESSION["start"];