Simple Blog Development Log

trying to keep pace with robyn, on the evening of february 15th

write user stories (green is done, red isn't)
start: 7:04, end: 7:11
1. As a developer, I want to have PHP, MySQL, and some server installed so that I can serve PHP.
2. As a developer, I want to have a MySQL database, user, and tables so that I can store and retrieve data.
3. As a user, I want to be able to view posts so that I can get any value out of the app at all.
4. As a user, I want to be able to create new posts so that I can get my message out to people.
5. As a user, I want to be able to delete posts so that I can retract my ill-chosen words.
6. As a user, I want to be able to edit posts so that I can appear to always be right.
7. As a user, I want to be able to log into the application, so that my posting rights are not shared with every joe passerby.
8. As a logged-in user, I want to be able to view, post, edit, and delete entries.
9. As a non-logged-in-user, I should only be allowed to view entries, so that I can trust their authorship.
10. As a logged-in user, I want to be able to log out of the application, so that I can leave my computer and not be overcome by fearful anxiety.
11. As a logged-in user, I want to be able to change my password and details.
12. As a non-logged-in user, I want to be able to view some data about who the author is.
13. As a user, I want posts to look prettier.
put log on internet and write as html
start: 7:12, end:7:22

start on installing php, mysql, and nginx to get a php echo running
start: 7:22, end: 8:07

log of installations:

19:23:28 wcarss@vm:~$ php -V
The program 'php' is currently not installed. You can install it by typing:
sudo apt-get install php5-cli
19:23:32 wcarss@vm:~$ sudo apt-get install php5-cli
[sudo] password for wcarss: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  php5-common php5-json php5-readline
Suggested packages:
  php-pear php5-user-cache
The following NEW packages will be installed:
  php5-cli php5-common php5-json php5-readline
0 upgraded, 4 newly installed, 0 to remove and 479 not upgraded.
Need to get 2,654 kB of archives.
After this operation, 10.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
[more apt things showing installation]
19:24:09 wcarss@vm:~$ php -v
PHP 5.5.9-1ubuntu4.14 (cli) (built: Oct 28 2015 01:34:46) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies
19:24:13 wcarss@vm:~$ php -a
Interactive mode enabled

php > echo "y helo thar\n";
y helo thar
php > ^D19:24:28 wcarss@vm:~$ 
19:24:34 wcarss@vm:~$ mysql -V
mysql  Ver 14.14 Distrib 5.5.41, for debian-linux-gnu (x86_64) using readline 6.3
19:24:36 wcarss@vm:~$ nginx -V
The program 'nginx' can be found in the following packages:
 * nginx-core
 * nginx-extras
 * nginx-full
 * nginx-light
 * nginx-naxsi
Try: sudo apt-get install <selected package>
19:24:45 wcarss@vm:~$ sudo apt-get install nginx-core
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  nginx-common
Suggested packages:
  fcgiwrap nginx-doc
The following NEW packages will be installed:
  nginx-common nginx-core
0 upgraded, 2 newly installed, 0 to remove and 479 not upgraded.
Need to get 343 kB of archives.
After this operation, 1,202 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
[more apt things showing installation]
19:25:22 wcarss@vm:~$ nginx -v
nginx version: nginx/1.4.6 (Ubuntu)

configure nginx to serve php and read about what other things are required to do this
reading https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-ubuntu-12-04

installing php5-fpm -- it seems to be an alternative to "fastcgi" which seems to be a service that starts php processes up to serve request, acting as the bridge between something like nginx and the php interpreter. People say fpm is better, so that's what we'll use.

19:47:54 wcarss@vm:/etc/nginx/sites-available$ sudo apt-get install php5-fpm
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ax25-node libax25 openbsd-inetd
Use 'apt-get autoremove' to remove them.
Suggested packages:
  php-pear
The following NEW packages will be installed:
  php5-fpm
0 upgraded, 1 newly installed, 0 to remove and 479 not upgraded.
Need to get 2,193 kB of archives.
After this operation, 9,248 kB of additional disk space will be used.
[more apt things showing installation]

edited a copy of nginx default configuration in /etc/nginx/sites-available/default to this (as /etc/nginx/sites-available/blog):

server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        root /usr/share/nginx/blog;
        index index.html index.htm index.php;

        # Make site accessible from http://localhost/
        server_name localhost;

        location / {
                try_files $uri $uri/ /index.html;
        }

        error_page 404 /404.html;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/html;
        }

        # pass the PHP scripts to FastCGI server listening on the php-fpm socket
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
#               fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

(I'm not sure if I need the split_path_info, so it's commented for now)

symlinked a new directory in my home to the one I specified in nginx, symlinked the sites-available entry above into sites-enabled, removed the default entry from sites-enabled, and restarted nginx

19:56:00 wcarss@vm:/etc/nginx/sites-available$ cd
19:56:05 wcarss@vm:~$ mkdir blog
19:56:07 wcarss@vm:~$ cd /usr/share/nginx
19:56:30 wcarss@vm:/usr/share/nginx$ sudo ln -sT /home/wcarss/blog blog
19:58:55 wcarss@vm:/usr/share/nginx$ sudo ln -sT /etc/nginx/sites-available/blog /etc/nginx/sites-enabled/blog
20:03:06 wcarss@vm:~/blog$ cd /etc/nginx/sites-enabled/
20:03:16 wcarss@vm:/etc/nginx/sites-enabled$ ls
blog  default
20:03:19 wcarss@vm:/etc/nginx/sites-enabled$ sudo rm default
20:03:26 wcarss@vm:/etc/nginx/sites-enabled$ sudo service nginx restart
 * Restarting nginx nginx                                                                                        [ OK ]

added the following code to ~/blog/index.php and looked in browser at http://localhost
```
<?php
php_info();
?>
```
Success! the info page is shown!

Create a database, user, and tables
start: 8:07, end: 8:45

mysql was already configured to have a root user

add database and user


20:15:31 wcarss@vm:~$ mysql -u root -p
Enter password: 
[... some mysql jibber-jabber ...]
mysql> create database blog_app;
Query OK, 1 row affected (0.00 sec)

mysql> create user blog_app_user identified by 'sekret';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on blog_app.* to 'blog_app_user'@'localhost';
Query OK, 0 rows affected (0.21 sec)

mysql> flush_privileges;

mysql> Bye

create posts and users tables

20:18:41 wcarss@vm:~$ mysql -u blog_app_user -p
Enter password: 
[... mysql tellin' you how it is ...]
mysql> CREATE TABLE `posts` (
    ->   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
    ->   `title` varchar(1024) DEFAULT NULL,
    ->   `author_id` int(10) unsigned DEFAULT NULL,
    ->   `body` text,
    ->   `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    ->   `modified_at` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
    ->   PRIMARY KEY (`id`)
    -> ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE TABLE `users` (
    ->   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
    ->   `email` varchar(1024) DEFAULT NULL,
    ->   `username` varchar(128) DEFAULT NULL,
    ->   `password` varchar(2048) DEFAULT NULL,
    ->   `description` text,
    ->   `created_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    ->   `modified_at` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
    ->   PRIMARY KEY (`id`)
    -> ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Query OK, 0 rows affected (0.01 sec)

mysql> show tables;
+--------------------+
| Tables_in_blog_app |
+--------------------+
| posts              |
| users              |
+--------------------+
2 rows in set (0.00 sec)

mysql> Bye

Viewing posts
start: 8:45, end: 9:30

populating the users and posts table with a little bit of sample data

mysql> use blog_app;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> insert into users (email, username, password, description, created_at, modified_at) values ("carss.w@gmail.com", "wcarss", "sekret", "some dude", NOW(), NOW());
Query OK, 1 row affected (0.22 sec)

mysql> insert into posts (title, author_id, body, created_at, modified_at) values ("so it begins", 1, "this is a silly bunch of body text to begin with, but we've got to have SOMETHING now don't we??!!?!", NOW(), NOW());
Query OK, 1 row affected (0.00 sec)

mysql> insert into posts (title, author_id, body, created_at, modified_at) values ("post 2", 1, "yes, this is another sample post I've written. Shocking to say the least.", NOW(), NOW());
Query OK, 1 row affected (0.00 sec)

mysql> Bye

php5-mysql wasn't installed, so I have apt-get-installed it

simple viewing code:

<?php
$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

echo "<h1>bloggggg</h1>\n\n";
foreach($db->query('select * from posts') as $row) {
  echo "<h2>${row['title']}</h2>\n\n<p>${row['body']}</p>\n\n";
}
?>

Creating New Posts
start: 9:40, end: 9:55

adding new post form to main page; code now is:

<?php
$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

echo '<html><body>';
echo '<h1>bloggggg</h1>';
foreach($db->query('select * from posts') as $row) {
  echo "<h2>${row['title']}</h2><p>${row['body']}</p>";
}
echo '<form method="POST" action="/new.php">';
echo '<input type="text" name="title">';
echo '<input type="text" name="body">';
echo '<input type="submit" name="submit" value="submit">';
echo '</form>';
echo '</body></html>';
?>

the form-handling code is in a new file, new.php:

<?php
$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

$title = $_POST['title'];
$body = $_POST['body'];

$sql = "insert into posts (title, body, author_id) values (?, ?, 1);";

$db->prepare($sql)->execute([$title, $body]);

header('Location: http://localhost/index.php');
?>

that last location bit just redirects back to the main page.

Going to work on login/logout instead of delete/edit, since login/logout are the most interesting bits that I've not done much of.
start: 9:55, end: 12:21

going to write a login page that, on GET, shows the form, and on POST, looks up a user and checks if the submitted password is valid. Then I'm going to add sessions around it, so that if the submitted password was valid, I'll specify "the user with this session is logged in", basically. And on a visit to logout, I'll destroy the session. Then, any route I have that you have to be logged in for, like new.php, I'll check if the session is logged in. If it isn't, I'll fail out early.

that login page, without sessions, looks like this:

<?php

if (isset($_POST['username']) && isset($_POST['password'])) {
  $db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

  $username = $_POST['username'];
  $password = $_POST['password'];

  $stmt = $db->prepare("select * from users where username = ?");
  
  $stmt->execute([$username]);

  $results = $stmt->fetchAll(PDO::FETCH_ASSOC);

  if (count($results) === 1 && $results[0]['password'] === $password) {
      echo "you logged in! yeahhhhhh!";
  } else {
      echo "wrong username or password!";
  }
} else {
  echo '<form method="POST" action="/login.php">';
  echo '  <input type="text" name="username">';
  echo '  <input type="password" name="password">';
  echo '  <input type="submit" name="submit" value="submit">';
  echo '</form>';
}
?>

Note that it's super vulnerable to every attack ever. And doesn't log you in yet.

okay, login/logout works and redirects you intelligently if you try to do something you ought not to. Here are the files:
index.php:

<?php
session_start();

if (isset($_SESSION['user'])) {
  echo "<small>hello, {$_SESSION['user']}! <a href='/logout.php'>logout</a></small>";
} else {
  echo "<small>hello, unregistered user! <a href='/login.php'>login</a></small>";
}

$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

echo '<html><body>';
echo '<h1>bloggggg</h1>';
foreach($db->query('select * from posts') as $row) {
  echo "<h2>${row['title']}</h2><p>${row['body']}</p>";
}
echo '<form method="POST" action="/new.php">';
echo '<input type="text" name="title">';
echo '<input type="text" name="body">';
echo '<input type="submit" name="submit" value="submit">';
echo '</form>';
echo '</body></html>';
?>

new.php:

<?php
session_start();

if (!isset($_SESSION['user'])) {
  header('Location: http://localhost/login.php?not_logged=1');
  exit;
}

$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

$title = $_POST['title'];
$body = $_POST['body'];

if ($title !== "" and $body !== "") {
  $sql = "insert into posts (title, body, author_id) values (?, ?, 1);";
  $db->prepare($sql)->execute([$title, $body]);
}

header('Location: http://localhost');
?>

<?php
session_start();

if (isset($_SESSION['user'])) {
  header('Location: http://localhost');
}

if (isset($_POST['username']) && isset($_POST['password'])) {
  $db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

  $username = $_POST['username'];
  $password = $_POST['password'];

  $stmt = $db->prepare("select * from users where username = ?");

  $stmt->execute([$username]);

  $results = $stmt->fetchAll(PDO::FETCH_ASSOC);

  if (count($results) === 1 && $results[0]['password'] === $password) {
      echo "you logged in! yeahhhhhh!";
      $_SESSION['user'] = $username;
      header('Location: http://localhost');
  } else {
      header('Location: http://localhost/login.php?wrong=1');
  }
} else {
  if (isset($_GET['wrong'])) {
    echo "<h3>wrong username or password!</h3>";
  }
  if (isset($_GET['not_logged'])) {
    echo "<h3>you need to be logged in to post!</h3>";
  }

  echo '<form method="POST" action="/login.php">';
  echo '  <input type="text" name="username">';
  echo '  <input type="password" name="password">';
  echo '  <input type="submit" name="submit" value="submit">';
  echo '</form>';
  echo '<p>Back to <a href="/">home</a></p>';
}
?>

and logout.php:

<?php
session_start();

if (isset($_SESSION['user'])) {
  session_unset();
  session_destroy();
}

header('Location: http://localhost');
?>

picking back up a few days later in the morning

Going to implement delete
start: 17 feb, 10:22 am, end: 11:24

gonna make a new delete.php file and a link on each post to hit it
spent 15 minutes making coffee / buying milk for it :) yum
the problem is: either I put in a new form for every single post with a delete on it, and do some like, manual route munging, or I go with GET for delete (ewwwww) or I put it _all_ in one form and do something weird with fields to choose the one I want? ack
no, I'm silly. I can put in a form on every single post, and have *that form* include a hidden field with the post's identity, which will be passed through in the POST data. No route-munging to figure out. Cool.
got super distracted by quora. wow.
I feel like there's enough code here that I don't want to start messing it up without a save-point, so it's time to initialize a git repo and start saving things.
done! deleting each post by clicking a button near that post now works, you can only delete if you're logged in, and you can now no longer even see the new post submit/delete post buttons if you aren't logged in.

here's what the delete.php code looks like:

<?php
session_start();

if (!isset($_SESSION['user'])) {
  header('Location: http://localhost/login.php?not_logged=1');
  exit;
}

$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

$id = $_POST['delete_post_id'];
$sql = "delete from posts where id=?";
$db->prepare($sql)->execute([$id]);

header('Location: http://localhost');
?>

and here's what the index.php code looks like now:

<?php
session_start();

$logged_in = false;
if (isset($_SESSION['user'])) {
  $username = $_SESSION['user'];
  $logged_in = true;
}

if ($logged_in) {
  echo "<small>hello, {$username}! <a href='/logout.php'>logout</a></small>";
} else {
  echo "<small>hello, unregistered user! <a href='/login.php'>login</a></small>";
}

$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

echo '<html><body>';
echo '<h1>bloggggg</h1>';

foreach($db->query('select * from posts') as $row) {
  echo "<h2>${row['title']}</h2><p>${row['body']}</p>";
  if ($logged_in) {
    echo "<form method='POST' action='/delete.php'>";
    echo "  <input type='hidden' name='delete_post_id' value='${row['id']}'>";
    echo "  <input type='submit' name='submit' value='delete'>";
    echo "</form>";
  }
}

if ($logged_in) {
  echo '<form method="POST" action="/new.php">';
  echo '<input type="text" name="title">';
  echo '<input type="text" name="body">';
  echo '<input type="submit" name="submit" value="submit">';
  echo '</form>';
}

echo '</body></html>';
?>

this completes story 5.

next up, edit!
start: 11:24 am, end: 12:55 pm (wow, long)
1. put the code on github, the current commit is 45a9a
2. also putting the code online to show to robyn; but I've got to fix some links to work in a relative path!
3. this is actually maybe getting out of hand... I've used "localhost" all over for the location redirects, and that's clearly not going to work. It's making me think I might have to set a hostname and a root-directory and then construct URLs based on that. But I don't want to do that in every file, so that makes me think I should put the values in a config (I can also put the database credentials there), but then I need to initiate the config in every file! The scope creeps so quickly. I also don't have db stuff set up on the internet yet.
  I think I should abandon trying to get it visibly onto the net until I'm done editing and have done a teensy bit more polish. I'll have to write new user stories soon, and deploying it can be one of those. I'm not in this to do crummy legwork, I'm in this to write a blog.
4. back to editing
5. took an interesting detour down the road of quote-escaping for presentation. My first post has a single quote in it, which I need to emit into the middle of a text input that happens to be in a single-quoted string in HTML. I read a few blog posts and this stackoverflow had some particularly good responses. After reading the htmlspecialchars documentationi, I've used it before emitting my output into HTML, passing in the ENT_HTML5 and ENT_QUOTES arguments, to translate both single and double-quotes into html-entities.
6. but saving my post doesn't seem to work (no visible error, but I end up on the list view with my saves not having taken), so I'll take a dive into /var/logs/nginx/error.log to see what's up.
7. nothing in the logs... going to see if the data I think I'm sending is the data I'm actually sending, by var_dumping ALL the datas just before the update call.
8. nothing looked amiss, all the data was there and nicely formatted! so I took this into mysql -- pasted in the prepared query and inserted all the values var_dump had printed directly, and lo: I was referring to a column "updated_at", instead of "modified_at". Why the hell did I name this column "modified_at"? That's dumb! Anyway, I'll fix this query and then fix the column later.
9. huzzah, it all works! tried modifying the post to display and to submit ' and ", both go just fine. I think I've probably got a js-emitting bug on the main view page though, so we'll fix that soonish. Code for edit.php:
```
<?php
session_start();

if (!isset($_SESSION['user'])) {
  header('Location: http://localhost/login.php?not_logged=1');
  exit;
}

$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

if (isset($_POST['title']) && isset($_POST['body']) && isset($_POST['edit_post_id'])) {
  $id = $_POST['edit_post_id'];
  $title = $_POST['title'];
  $body = $_POST['body'];
  $timestamp = (new DateTime())->format('Y-m-d H:i:s');

  $sql = "update posts set title=?, body=?, modified_at=? where id=?";
  $stmt = $db->prepare($sql)->execute([$title, $body, $timestamp, $id]);

  header('Location: http://localhost');
} else if (isset($_GET['edit_post_id'])) {
  $id = $_GET['edit_post_id'];
  $sql = "select * from posts where id=?";
  $stmt = $db->prepare($sql);
  $stmt->execute([$id]);
  $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
  $title = htmlspecialchars($results[0]['title'], ENT_HTML5 | ENT_QUOTES);
  $body = htmlspecialchars($results[0]['body'], ENT_HTML5 | ENT_QUOTES);

  echo "<h2>edit post</h2>";
  echo "<form method='POST' action='edit.php'>";
  echo "  <input type='text' name='title' value='$title'>";
  echo "  <input type='text' name='body' value='$body'>";
  echo "  <input type='hidden' name='edit_post_id' value='$id'>";
  echo "  <input type='submit' name='submit' value='submit'>";
  echo "</form>";
  echo "<p>Go <a href='index.php'>back</a></p>";
} else {
  echo "<h2>no edit_post_id specified! Damnit Jim, I can't edit <em>nothing</em>!</h2>";
  echo "<p>Go <a href='index.php'>home</a>";
}
?>
```
10. snippet of added code for index.php:
```
// ... stuff you've seen before
foreach($db->query('select * from posts') as $row) {
  echo "<h2>${row['title']}</h2><p>${row['body']}</p>";
  if ($logged_in) {
    echo "<a href='edit.php?edit_post_id=${row['id']}'>edit post</a>";
    echo "<form method='POST' action='/delete.php'>";
// ... stuff you've seen before
```
  You can see this state at a98537e on github.
11. this complete stories 6 and 8.
Next up, editing password and details!

start: 1:02 pm, end: 2:42 pm

making a user.php file, starting from a copy of edit.php
lol, an hour and 35 minutes later, it's done! I paid a high price here in taking on all of the edit and display work for users at once, copying/pasting a bunch of stuff, and then running into classic copypasta errors. Go me.

I think this might be beyond pasting code for all the changes in here, but I'll still show the key new file, users.php


<?php
session_start();

$db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');

if (isset($_POST['edit_user_id']) && isset($_POST['edit_email']) && isset($_POST['edit_username']) && isset($_POST['edit_description'])) {
  $id = $_POST['edit_user_id'];

  if (!isset($_SESSION['username'])) {
    header('Location: http://localhost/login.php?not_logged=1');
    exit;
  }

  if ($id !== $_SESSION['user_id']) {
    header('Location: http://localhost');
    exit;
  }

  $email = $_POST['edit_email'];
  $username = $_POST['edit_username'];
  $description = $_POST['edit_description'];
  $timestamp = (new DateTime())->format('Y-m-d H:i:s');

  $sql = "update users set email=?, username=?, description=?, modified_at=? where id=?";
  $params = [$email, $username, $description, $timestamp, $id];
  if (isset($_POST['edit_password']) && $_POST['edit_password'] !== "") {
    $password = $_POST['edit_password'];
    $sql = "update users set email=?, username=?, password=?, description=?, modified_at=? where id=?";
    $params = [$email, $username, $password, $description, $timestamp, $id];
  }

  $stmt = $db->prepare($sql)->execute($params);

  $_SESSION['username'] = $username;
  header('Location: http://localhost');

} else if (isset($_GET['edit_user_id'])) {
  $id = $_GET['edit_user_id'];

  if (!isset($_SESSION['username'])) {
    header('Location: http://localhost/login.php?not_logged=1');
    exit;
  } 
    
  if ($id !== $_SESSION['user_id']) {
    header('Location: http://localhost');
    exit; 
  } 
    
  $sql = "select * from users where id=?";
  $stmt = $db->prepare($sql);
  $stmt->execute([$id]);
  $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
  $email = htmlspecialchars($results[0]['email'], ENT_HTML5 | ENT_QUOTES);
  $username = htmlspecialchars($results[0]['username'], ENT_HTML5 | ENT_QUOTES);
  $description = htmlspecialchars($results[0]['description'], ENT_HTML5 | ENT_QUOTES);
  
  echo "<html><body>";
  echo "<h2>edit post</h2>";
  echo "<form method='POST' action='user.php'>";
  echo "  <p>email: <input type='text' name='edit_email' value='$email'><br>";
  echo "  username: <input type='text' name='edit_username' value='$username'><br>";
  echo "  description: <input type='text' name='edit_description' value='$description'><br>";
  echo "  password: <input type='password' name='edit_password' value=''><br>";
  echo "  <input type='hidden' name='edit_user_id' value='$id'>";
  echo "  <input type='submit' name='submit' value='submit'></p>";
  echo "</form>";
  echo "<p>Go <a href='index.php'>back</a></p>";
  echo "</body></html>";
  
} else if (isset($_GET['user_id'])) {
  $id = $_GET['user_id'];

  $sql = "select * from users where id=?";
  $stmt = $db->prepare($sql);
  $stmt->execute([$id]);
  $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
  
  echo "<html><body>";
  if (count($results) !== 1) {
    echo "<p>Looks like somebody's barking up the wrong bush!</simpsons_reference><br>";
    echo "(that user doesn't seem to exist.)</p>";
  } else {
    $email = htmlspecialchars($results[0]['email'], ENT_HTML5 | ENT_QUOTES);
    $username = htmlspecialchars($results[0]['username'], ENT_HTML5 | ENT_QUOTES);
    $description = htmlspecialchars($results[0]['description'], ENT_HTML5 | ENT_QUOTES);
    echo "<h2>user: $username</h2>";
    echo "<p>$email</p>";
    echo "<p>$description</p>";
  } 
  echo "<p>Go <a href='index.php'>home</a>";
  echo "</body></html>";
} else {
  echo "<html><body>";
  echo "<p>Damnit jim! That's not enough information for me to do any good!</p>";
  echo "<p>Go <a href='index.php'>home</a><br>";
  echo "<small>and don't disappoint bones again</small></p>";
  echo "</body></html>";
} 
?>

this completes user stories 11 and 12.

last story: make things look prettier
start: 2:43 pm, end: incomplete
1. this one is pretty vague.... I think it might be worth listing out some specific requirements:
  1. use a textarea for posts, not a text input field
  2. add a teensy bit of CSS to center/pad things
  3. include some placeholders in fields
  4. format inputs to look ... less bad. Maybe use bootstrap.
  5. escape displayed posts and usernames on index page
  6. (if I think of anything else I'll add it here)
2. I don't want to get too far into styling this stuff, because I know I'm going to be doing a large-ish refactor soon, trying to introduce a template engine and work through that instead of interleaving php and html.
3. wrote out laundry list of stuff I'm going to do later
Stuff that's obviously going to happen when I'm done the user stories:
start: 12:15 pm, Feb 20th, end: incomplete
1. user signup
2. loading up configuration
3. relative-izing the paths used
4. instantiating an application context e.g. load config, start session, make db connection
5. use a template engine
6. bcrypting passwords
7. investigate symfony component and router options
8. investigate build tools
9. (I may add more)
User Signup
start: 12:15 pm, end: 1:12 pm
1. I'm going to tackle the things I laid out above as individual entries -- but I'll time the whole thing in the above slot's timer, just for aggregatory kicks. :D
2. Started off with a small bugfix on how users are handled -- when Iw as logged out, the user who wrote posts wasn't displaying, because I derped by re-using an earlier variable that would only be set if the user *was* logged in.
3. Moved to a second bugfix-thing, improving the new.php to actually write down the person who posted it, instead of just stuff the number 1 into the table. While I was in there I closed some holes up and made new.php look a little bit more like the other files
4. making signup.php a join display/post file separated by the presence of the correct $_POST variables. I suppose that if you're not logged in and you only post *some* of the variables, you could be dropped at a re-display of what you'd filled out and a message saying to fix what you needed. I'd rather leave that kind of thing for when I implement some sort of flash message thing, which I feel like I'd want to put in the session instead of in POST, so that it can show up regardless of where you go. So for now: all POST vars or you get sent home, davey!
5. realizing all of a sudden that I have no plan for enforcing unique names/emails or for handling non-unique ones if they try to log in ._. problem for tomorrow I guess
6. okay, I've got all this shaped out, added a link to the index and tested 1-2 edge cases and they redirected me properly, then I put in "good" information and it correctly sent me to login.php, where... I couldn't log in. Went to the db and my new user isn't there. Weird!
7. easy fix: a . instead of a , inside of the mysql VALUES clause. Works like a charm now! Here's the signup code: (and I added a link to signup.php in the index)
```
<?php
session_start();

if (isset($_SESSION['username'])) {
  header('Location: http://localhost');
  exit;
}

if (isset($_POST['email']) && isset($_POST['username']) && isset($_POST['password']) && isset($_POST['description'])) {

  # this is the most basic alternative to having a captcha that I could think of
  if (!isset($_POST['access_code']) || $_POST['access_code'] !== 'sekret') {
    header('Location: http://localhost');
    exit;
  }

  $email = $_POST['email'];
  $username = $_POST['username'];
  $password = $_POST['password'];
  $description = $_POST['description'];

  $db = new PDO('mysql:host=localhost;dbname=blog_app;charset=utf8', 'blog_app_user', 'sekret');
  $sql = "insert into users (email, username, password, description) values (?, ?, ?, ?);";
  $db->prepare($sql)->execute([$email, $username, $password, $description]);

  header('Location: http://localhost/login.php');
} else {
  echo '<html><head>';
  echo '  <link href="style.css" rel="stylesheet" type="text/css">';
  echo '</head><body>';

  echo "<h2>new user</h2>";

  echo "<form method='POST' action='signup.php'>";
  echo "  <p>email: <input type='text' name='email' placeholder='email'><br>";
  echo "  username: <input type='text' name='username' placeholder='username'><br>";
  echo "  description: <input type='text' name='description' placeholder='description'><br>";
  echo "  password: <input type='password' name='password' placeholder='password'><br>";
  echo "  access code: <input type='text' name='access_code' placeholder='access code'>";
  echo "  <input type='submit' name='submit' value='submit'></p>";
  echo "</form>";

  echo "<p>Go <a href='index.php'>back</a></p>";
  echo "</body></html>";
}

?>
```
Configuration and loading it before every page
start: not started, end: incomplete
1. this one's a big deal. It's going to hide the passwords and access codes used, it's going to move PDO instantiation outside of each file, it's going to basically be the dawn of the concept of an application-context in this program. Look out for it. It's the bee's thighs. But I'm gonna do some other stuff today -- so I'll be back much later this evening or tomorrow to pick this up. :D