So i have this OOP Login & register system which gives a user the ability to change his/her name.
When a user is pressing "Update" button his/her name is changed in the DB the problem is that tho it changes the name in DB instead of redirecting the user where i want him/her to be redirected i get the error that should appear only when that name couldn't be changed.
User.php
<?php
class User{
private $_db,
$_data,
$_sessionName,
$_cookieName,
$_isLoggedIn;
public function __construct($user = null){
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
if(!$user){
if(Session::exists($this->_sessionName)){
$user = Session::get($this->_sessionName);
if($this->find($user)){
$this->_isLoggedIn = true;
} else{
//process logout
}
}
} else{
$this->find($user);
}
}
public function update($fields = array(), $id = null){
if(!$id && $this->isLoggedIn()){
$id = $this->data()->id;
}
if(!$this->_db->update('users', $id, $fields)){
throw new Exception('There was a problem updating your profile.');
}
}
public function create($fields = array()){
if(!$this->_db->insert('users', $fields)){
throw new Exception('There was a problem creating an account');
}
}
public function find($user = null){
if($user){
$field = (is_numeric($user)) ? 'id' : 'username';
$data = $this->_db->get('users', array($field, '=', $user));
if($data->count()){
$this->_data = $data->first();
return true;
}
}
return false;
}
public function login($username = null, $password = null, $remember = false){
if(!$username && !$password && $this->exists()){
Session::put($this->_sessionName, $this->data()->id);
} else{
$user = $this->find($username);
if($user){
if($this->data()->password === Hash::make($password, $this->data()->salt)){
Session::put($this->_sessionName, $this->data()->id);
if($remember){
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()){
$this->_db->insert('users_session',array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else{
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function exists(){
return(!empty($this->_data)) ? true : false;
}
public function logout(){
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Session::delete($this->_sessionName);
Cookie::delete(Config::get('remember/cookie_name'));
}
public function data(){
return $this->_data;
}
public function isLoggedIn(){
return $this->_isLoggedIn;
}
}
edit-profile.php
<?php
$user = new User();
if(!$user->isLoggedIn()){
Redirect::to('login');
}
if(Input::exists()){
if(Token::check(Input::get('token'))){
$validate = new Validate();
$validation = $validate->check($_POST, array(
'name' => array(
'required' => true,
'min' => 2,
'max' => 50
)
));
if($validation->passed()){
try{
$user->update(array(
'name' => Input::get('name')
));
Session::flash('flash', 'Your profile has been edited with success!');
Redirect::to('flash');
} catch(Exception $e){
die($e->getMessage());
}
} else{
foreach($validation->errors() as $error){
echo $error . '<br />';
}
}
}
}
?>
<form action="" method="post">
<div class="field">
<input type="text" name="name" value="<?php echo escape($user->data()->name); ?>">
</div>
<input type="submit" value="Update">
<input type="hidden" name="token" value="<?php echo Token::generate(); ?>">
</form>
I have no clue why that is happening
This is the update() method in my DB.class
public function update($table, $id, $fields){
$set = '';
$x = 1;
foreach ($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
if($this->query($sql, $fields)->error()){
return true;
}
return false;
}
For your update function
public function update($table, $id, $fields){
$set = '';
$x = 1;
foreach ($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
if($this->query($sql, $fields)->error()){
return true;
}
return false;
}
Instead do
public function update($table, $id, $fields){
$set = [];
foreach ($fields as $name => $value) {
$set[] = "{$name} = ?";
}
$set = implode(', ', $set);
$sql = "UPDATE {$table} SET {$set} WHERE id = ?";
$fields[] = $id; //id should always be the last ?
if($this->query($sql, $fields)->error()){
return true;
}
return false;
}
Also there is the potential for the table and id and even the keys of $fields to be used as a vector for SQL injection. You may be entering it where ever you use them. But it's possible because you are not checking the table against a white list and anytime you concatenate values into SQL there is the potential for them to be exploited. All it takes is one mistake, you class should not allow coding errors in other places to compromise it's security.
You can get a list of tables from the database itself.
$statement = 'SELECT `TABLE_NAME` FROM `information_schema`.`TABLES` WHERE `TABLE_SCHEMA` LIKE "'.$database.'"';
So when you connect to the DB you could set a list of acceptable tables then check when a table is put in ( with in_array or such ). Just a thought.
It may also be possible to comprise the keys of the $fields array, for that you can do something similar to the table. but with this query
SHOW COLUMNS FROM {table}
For example, imagine a post request that has inputs matching your array $fields. All someone would have to do is send your server a request with the SQL Attack part in the key instead of the value and you are unprotected. Something like this ( don't drop your DB without a backup, feel i should say that.)
$_POST['1=1; DROP DATABASE --'] = true;
When you construct your query you would have
INSERT INTO table SET 1=1; DROP DATABASE -- = ?, {field} = ? .. rest of query
The -- starts a comment in SQL so nothing after the -- matter to the DB this prevents an error from happening.. So be careful of just dumping post keys into your SQL I'm not sure 1=1 would work but they could use a field out of the input list just as easily. this is just for example purposes.
To me this line
if($this->query($sql, $fields)->error()){
return true;
}else{
return false;
}
Says if there is an error return true not sure if that is the case as i don't know what $this->query or ->error() is but I imagine $this->query must return $this or some object that would contain the error. It's just confusing worded that way.
Related
I'm after some advice...
Currently we have an Ubuntu Server through Vultr.com running a MySQL database, this is connected to a php site sitting on a Windows Server 2012 VM, this all works great no issues. We want to get away from having 2 servers and put the MySQL db on to the Windows Server VM, the MySQL is set up in exactly the same way as on the Ubuntu, db is a backup copy of the live, created replica php site for testing. All remote connections are established, tested using MySQL Workbench. Everything is the same, but for some reason I can't work out why the site connected to the local MySQL db on the Windows Server VM doesn't run through the code. I've put a copy of section of the query.log files for both machines, and the Windows log Quits running the code, but doesn't error. I've used the same code, Is there something in Windows Server that MySQL may not like or something I have maybe missed off on Installation.
I have used the site previously on a Windows Server VM but that had Plesk running and that was problem free also.
Vultr.Log - Ubuntu
160720 21:36:30 34489 Connect mysqluser#mail.MyDomain on MyDB
34489 Query CALL sp_pages('login.php')
34489 Query SELECT * FROM user WHERE email = 'me#me.com'
34489 Query INSERT INTO userhist (`UserID`, `DateOfAction`, `ActionType`) VALUES ('1', '2016-07-20 21:34:12', 'LogIn')
34489 Quit
34490 Connect mysqluser#mail.MyDomain on
34490 Init DB MyDB
34491 Connect mysqluser#mail.spagetti.uk on sirps
34491 Query SELECT * FROM user WHERE id = '1'
34491 Query SELECT * FROM usergroups WHERE id = '3'
34491 Query INSERT INTO usershist (`UserID`, `DateOfAction`, `ActionType`) VALUES ('1', '2016-07-20 21:34:13', 'index.php')
34491 Query CALL sp_pages('index.php')
34491 Quit
Windows Server Log
2016-07-20T21:33:57.151901Z 2023 Connect mysqluser#localhost on MyDB using TCP/IP
2016-07-20T21:33:57.151901Z 2023 Query CALL sp_pages('login.php')
2016-07-20T21:33:57.151901Z 2023 Query SELECT * FROM user WHERE email = 'me#me.com'
2016-07-20T21:33:57.151901Z 2023 Quit
I thought there maybe a connection issue, but tested and tested that and it connects, looked at the firewall and 3306 is established as a port on the server.
Has anyone an idea as to where I could look next?
I've been searching and trying so many different things through the day to no avail
init.php
<?php
session_start();
error_reporting (E_ALL);
ini_set('display_errors', 'true');
date_default_timezone_set("Europe/London");
ini_set('session.save_path', 'J:\PHPSessions');
$GLOBALS['config'] = array(
'mysql' => array(
'host' => 'localhost',
'username' => 'MyUser',
'password' => 'MyPwd',
'db' => 'MyDB'
),
'remember' => array(
'cookie_name' => 'hash',
'cookie_expiry' => 604800
),
'session' => array(
'session_name' => 'user',
'token_name' => 'token'
)
);
// Autoload classes
function autoload($class) {
require_once 'classes/' . $class . '.php';
}
spl_autoload_register('autoload');
// Include functions
require_once 'functions/sanitize.php';
// Check for users that have requested to be remembered
if(Cookie::exists(Config::get('remember/cookie_name'))) {
$hash = Cookie::get(Config::get('remember/cookie_name'));
$hashCheck = DB::getInstance()->get('userssession', array('hash', '=', $hash));
if($hashCheck->count()) {
$user = new User($hashCheck->first()->userid);
$user->login();
}
}
db.php
<?php
class DB {
public static $instance = null;
private $_pdo = null,
$_query = null,
$_error = false,
$_results = null,
$_count = 0;
private function __construct() {
try {
$this->_pdo = new PDO('mysql:host=' . Config::get('mysql/host') . ';dbname=' . Config::get('mysql/db'), Config::get('mysql/username'), Config::get('mysql/password'));
} catch(PDOExeption $e) {
die($e->getMessage());
}
}
public static function getInstance() {
// Already an instance of this? Return, if not, create.
if(!isset(self::$instance)) {
self::$instance = new DB();
}
return self::$instance;
}
public function query($sql, $params = array()) {
$this->_error = false;
if($this->_query = $this->_pdo->prepare($sql)) {
$x = 1;
if(count($params)) {
foreach($params as $param) {
$this->_query->bindValue($x, $param);
$x++;
}
}
if($this->_query->execute()) {
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function get($table, $where) {
return $this->action('SELECT *', $table, $where);
}
public function delete($table, $where) {
return $this->action('DELETE', $table, $where);
}
public function action($action, $table, $where = array()) {
if(count($where) === 3) {
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)) {
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error()) {
return $this;
}
}
return false;
}
}
public function insert($table, $fields = array()) {
$keys = array_keys($fields);
$values = null;
$x = 1;
foreach($fields as $value) {
$values .= "?";
if($x < count($fields)) {
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES ({$values})";
if(!$this->query($sql, $fields)->error()) {
return true;
}
return false;
}
public function update($table, $id, $fields = array()) {
$set = null;
$x = 1;
foreach($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)) {
$set .= ', ';
}
$x++;
}
$sql = "UPDATE users SET {$set} WHERE id = {$id}";
if(!$this->query($sql, $fields)->error()) {
return true;
}
return false;
}
public function results() {
// Return result object
return $this->_results;
}
public function first() {
return $this->_results[0];
}
public function count() {
// Return count
return $this->_count;
}
public function error() {
return $this->_error;
}
}
user.php
<?php
class User {
private $_db,
$_sessionName = null,
$_cookieName = null,
$_data = array(),
$_isLoggedIn = false;
public function __construct($user = null) {
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
// Check if a session exists and set user if so.
if(Session::exists($this->_sessionName) && !$user) {
$user = Session::get($this->_sessionName);
if($this->find($user)) {
$this->_isLoggedIn = true;
} else {
$this->logout();
}
} else {
$this->find($user);
}
}
public function exists() {
return (!empty($this->_data)) ? true : false;
}
public function find($user = null) {
// Check if user_id specified and grab details
if($user) {
$field = (is_numeric($user)) ? 'id' : 'username';
$data = $this->_db->get('user', array($field, '=', $user));
if($data->count()) {
$this->_data = $data->first();
return true;
}
}
return false;
}
public function create($fields = array()) {
if(!$this->_db->insert('user', $fields)) {
throw new Exception('There was a problem creating an account.');
}
}
public function update($fields = array(), $id = null) {
if(!$id && $this->isLoggedIn()) {
$id = $this->data()->id;
}
if(!$this->_db->update('user', $id, $fields)) {
throw new Exception('There was a problem updating.');
}
}
public function login($username = null, $password = null, $remember = false) {
if(!$username && !$password && $this->exists()) {
Session::put($this->_sessionName, $this->data()->id);
} else {
$user = $this->find($username);
if($user) {
if($this->data()->password === Hash::make($password, $this->data()->salt)) {
Session::put($this->_sessionName, $this->data()->id);
if($remember) {
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()) {
$this->_db->insert('users_session', array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else {
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function hasPermission($key) {
$group = $this->_db->query("SELECT * FROM groups WHERE id = ?", array($this->data()->group));
if($group->count()) {
$permissions = json_decode($group->first()->permissions, true);
if($permissions[$key] === 1) {
return true;
}
}
return false;
}
public function isLoggedIn() {
return $this->_isLoggedIn;
}
public function data() {
return $this->_data;
}
public function logout() {
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Cookie::delete($this->_cookieName);
Session::delete($this->_sessionName);
}
}
simple index.php version of my code
<?php
require 'core/init.php';
$user = new User();
if(Session::exists('home')) {
echo '<p>', Session::flash('home'), '</p>';
}
if($user->isLoggedIn()) {
?>
<p>Hello <?php echo escape($user->data()->username); ?>!</p>
<ul>
<li>Log out</li>
<li>Change password</li>
<li>Update details</li>
</ul>
<?php
if($user->hasPermission('admin')) {
?>
<p>You're also an administrator!</p>
<?php
}
} else {
echo 'You need to log in or register!';
}
Simple version of login.php
<?php
require 'core/init.php';
if(Input::exists()) {
if(Token::check(Input::get('token'))) {
$user = new User();
$remember = (Input::get('remember') === 'on') ? true : false;
$login = $user->login(Input::get('username'), Input::get('password'), $remember);
if($login) {
Redirect::to('index.php');
} else {
echo '<p>Sorry, that username and password wasn\'t recognised.</p>';
}
}
}
?>
<form action="" method="post">
<div class="field">
<label for="username">Username:</label>
<input type="text" name="username" id="username">
</div>
<div class="field">
<label for="password">Password:</label>
<input type="password" name="password" id="password">
</div>
<div class="field">
<label for="remember">
<input type="checkbox" name="remember" id="remember"> Remember me
</label>
</div>
<input type="submit" value="Log in">
<input type="hidden" name="token" value="<?php echo Token::generate(); ?>">
</form>
hash.php
<?php
class Hash {
public static function make($string, $salt = '') {
return utf8_encode(hash('sha256', $string . $salt));
}
public static function salt($length) {
return mcrypt_create_iv($length);
}
public static function unique() {
return self::make(uniqid());
}
}
Thanks
I'm currently having trouble with inserting data into my database. I have this code to start inserting the query:
if (Input::exists()) {
$validate = new Validate();
$link = new Link();
$validation = $validate->check($_POST, array(
'name' => array(
'related' => 'hyperlink'
),
'hyperlink' => array(
'related' => 'name'
)
));
if ($validation->passed()) {
try {
$link->create(array(
'uid' => $user->data()->id,
'name' => Input::get('name'),
'hyperlink' => Input::get('hyperlink')
));
} catch (PDOException $e) {
die($e->getMessage());
}
} else {
echo '<div class="error">';
echo '<ol>';
foreach ($validation->errors() as $error) {
echo '<li>' . $error . '</li>';
}
echo '</div>';
echo '</ol>';
}
}
When running this code, the create method is called:
public function create($fields = array()) {
if (!$this->_db->insert('user_links', $fields)) {
echo 'Something went wrong';
}
}
Now the script will run the insert method:
public function insert($table, $fields = array()) {
if (count($fields)) {
$value_list = implode(", ", array_values($fields));
$keys = array_keys($fields);
$sql = "INSERT INTO `$table` (`" . implode('`, `', $keys) . "`) VALUES ({$value_list})";
if (!$this->query($sql, $fields)->error()) {
return true;
}
}
return false;
}
Everything goes fine, but then when it goes to the query() method, it appears there are 2 queries saved in it. I already heard about __destruct, so I'm wondering if it has anything to do with that.
Here's the query method:
public function query($sql, $params = array()) {
$this->_error = false;
echo $sql;
if ($this->_query = $this->_pdo->prepare($sql)) {
$x = 1;
if (count($params)) {
foreach ($params as $param) {
$this->_query->bindValue($x, $param);
$x++;
}
}
if ($this->_query->execute()) {
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
When I echo the $sql in the query() method, it echo's this:
SELECT * FROM users WHERE id = ?INSERT INTO user_links (uid,name,hyperlink) VALUES (1, test, test)
The SELECT * FROM users WHERE id = ? comes from a get() method. But In the code where I set all data for my query, I'm not using any get() method. Unless to grab the values of the inputfields. (But that's not the problem)
Thanks for help!
EDIT 1:
Select method:
public function get($table, $where) {
return $this->action('SELECT *', $table, $where);
}
EDIT 2:
public function find($user = null) {
if ($user) {
$field = (is_numeric($user)) ? 'id' : 'email';
$data = $this->_db->get('users', array($field, '=', $user));
if ($data->count()) {
$this->_data = $data->first();
return true;
}
}
}
EDIT 3:
public function action($action, $table, $where = array()) {
if (count($where) === 3) {
$operators = array('=', '>', '<', '>=', '<=', '<>');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if (in_array($operator, $operators)) {
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if (!$this->query($sql, array($value))->error()) {
return $this;
}
}
}
return false;
}
The problem is that you are not terminating you SQL statement. you need to put ; at end of query string so that both query can run.
Like in insert() method
$sql = "INSERT INTO
`$table` (`" . implode('`, `', $keys) . "`)
VALUES ({$value_list});"; //added semicolon
and in get() method which is calling action do the same
currently your sql is not valid because of two queries are merged, ; will make both valid and it will work.
'uid' => $user->data()->id,
above code is the cause of second query
SELECT * FROM users WHERE id = ?
Note : You should consider a singleton to deal with db and should run one query at a time. currently your $sql property is having two queries concated SELECT * FROM users WHERE id = ?INSERT INTO user_links (uid,name,hyperlink) VALUES (1, test, test). or an array of query will also work.
Update:
add ; in action method like this and try
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ? ;";
Basically what I'm doing is a users class, which executes a MySQL query in the constructor to retrieve all the users data and store it, like so:
public function __construct($data, $type = 'id')
{
$this->details = Beam::$db->row("SELECT * FROM users WHERE $type = :param", ['param' => $data]);
if(!empty($this->details)) $this->exists = true;
}
This is row() method:
public function row($query, $params = null, $fetchmode = PDO::FETCH_ASSOC)
{
$this->init($query, $params);
return $this->statementQuery->fetch($fetchmode);
}
And init(), where the parameters are bound and the query is executed:
public function init($query, $parameters = '')
{
try {
$this->statementQuery = $this->pdo->prepare($query);
if(!empty($parameters))
{
foreach($parameters as $key => $value)
{
$this->bind($key, $value);
}
}
if(!empty($this->parameters))
{
foreach($this->parameters as $key => &$value)
{
$this->statementQuery->bindParam($key, $value);
}
}
$this->success = $this->statementQuery->execute();
}
catch(PDOException $e)
{
throw new SystemException($e->getMessage() . ' in query: ' . $query, (int) $e->getCode());
}
$this->parameters = array();
}
It should work, I've tested everything multiple times, and debugged using dies() everywhere, but it seems as if I instantiate the class more than one time, the error occurs. It's called multiple times in all my code. Is there something I'm missing?
The error:
SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in query: SELECT * FROM users WHERE id = :param
I've also tried debugging printing all the parameters set in PDO by ::debugDumpParams(), and all the parameters are okay, I even var_dump the $this->statementQuery->fetch($fetchmode) from the row() method and it returns everything as it should be...
PS: I bind the array ['param' => $data] afterwards, using this method:
public function bind($param, $value)
{
$this->parameters[':' . $param] = $value;
}
Some examples of where I call the class from:
Login method. Called when the user does login. It fails.
public static function login($user, $password)
{
$user = new User($user, Beam::$con->auth['type']);
if($user->exists == true)
{
$user_ip = $_SERVER['REMOTE_ADDR'];
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$user_id = $user->details["id"];
$username = $user->details["username"];
$user_mail = $user->details["mail"];
$user_password = $user->details["password"];
if(self::verify($password, $user_password))
{
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
$_SESSION['user_mail'] = $user_mail;
$_SESSION['user_checksum'] = hash('sha512', $user_password . $user_ip . $user_browser);
Beam::$db->bind("l", time());
Beam::$db->bind("u", $user_id);
Beam::$db->query("UPDATE user_info SET login_timestamp = :l WHERE user_id = :u");
return true;
}
else
{
return false;
}
}
else
{
return false;
}
}
This one checks if the user is logged in. It's called almost in every file for authenticated users only.
public static function status()
{
if(isset($_SESSION["user_id"], $_SESSION["username"], $_SESSION["user_checksum"]))
{
$user = new User($_SESSION["user_id"], "id");
if($user->exists)
{
$user_id = $_SESSION['user_id'];
$user_checksum = $_SESSION['user_checksum'];
$username = $_SESSION['username'];
$user_ip = $_SERVER['REMOTE_ADDR'];
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$user_password = $user->details["password"];
switch($user_checksum)
{
default:
$checksum_verify = hash('sha512', $user_password . $user_ip . $user_browser);
break;
case "facebook":
$checksum_verify = "facebook";
break;
}
if($checksum_verify == $user_checksum)
{
return true;
}
}
else
{
return false;
}
}
else
{
return false;
}
}
You need to use the same name for the parameter that you used in the query. In this case you used ":param" so that's what you need to use when you pass in the array of parameters.
change
['param' => $data]
to
[':param' => $data]
and it should work.
I was following this tutorial on Udemy about building login form. Everything went well.
Now I'm trying to reuse the code. The problem I'm having is when I'm trying to query all entries from a database in order to get a total number of websites. Could you please advise?
Here is my count function (this is where I'm having issues in obtaining a total number of entries to the database for pagination):
function get_all_websites(){
$all = array();
$db = DB::getInstance();
$all = $db->query("SELECT * FROM website");
if(!$all->count()){
echo 'No Websites available. Please check back later.';
} else {
foreach($all->results() as $all){
$all->id = $all;
}
}
return $all;
}
function get_websites_count(){
return count(get_all_websites());
}
if I use this I get all ID's listed.
function get_all_websites(){
$all = array();
$db = DB::getInstance();
$all = $db->query("SELECT * FROM website");
if(!$all->count()){
echo 'No Websites available. Please check back later.';
} else {
foreach($all->results() as $all){
echo $all->id;
}
}
}
Database class.
class DB{
private static $_instance = null;
private $_pdo,
$_query,
$_error = false,
$_results,
$_count = 0;
private function __construct(){
try {
$this->_pdo = new PDO('mysql:host=' .
Config::get('mysql/host') . ';dbname=' .
Config::get('mysql/db'),
Config::get('mysql/username'),
Config::get('mysql/password'));
} catch(PDOException $e){
die($e -> getMessage());
}
}
public static function getInstance(){
if(!isset(self::$_instance)) {
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array()){
$this->_error = false;
// Check if query has been prepared properly
if($this->_query = $this->_pdo->prepare($sql)){
$x = 1;
if(count($params)){
foreach($params as $param){
$this->_query->bindValue($x, $param);
$x++;
}
}
// If the query has been prepared successfuly, store the result
if($this->_query->execute()){
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function action($action, $table, $where = array()){
if(count($where) === 3){
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)){
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error()){
return $this;
}
}
}
return false;
}
// QUERYING DATA FROM DATABASE
public function get($table, $where){
return $this->action('SELECT *', $table, $where);
}
// DELETING DATA FROM DATABASE
public function delete($table, $where){
return $this->action('DELETE', $table, $where);
}
// INSERTING DATA INTO DATABASE
public function insert($table, $fields = array()){
$keys = array_keys($fields);
$values = '';
$x = 1;
foreach($fields as $field){
$values .= "?";
if($x < count($fields)){
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES({$values})";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function results(){
return $this->_results;
}
public function update($table, $id, $fields){
$set = '';
$x = 1;
foreach($fields as $name => $value){
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function first(){
return $this->results()[0];
}
public function error(){
return $this->_error;
}
public function count(){
return $this->_count;
}
}
This part doesn't seem right:
} else {
foreach($all->results() as $all){
$all->id = $all;
}
}
return $all;
but I'm not exactly sure what you want.
We could append each id to an array called $allWebsiteIds:
} else {
foreach($all->results() as $all){
$allWebsiteIds[] = $all->id;
}
}
return $allWebsiteIds;
That might give you what you want.
SQL provides built-in support for counting rows in a table.
SELECT COUNT(*) FROM ...
This is highly optimizable and avoids loading every row into PHP's memory.
Additionally, pay close attention to the construct of your loops; specifically what it means to say:
foreach($foo as $foo)
As part of your study, you should be able to say why that expression is almost never the intended one.
There is a broader rule: Never mutate that which you are iterating over.
Why not use the select to count the rows?
SELECT COUNT(1) FROM website;
I'm building this Login system for my website. Everything seemed to work ok until I came across updating user details stored in database. Every time I try to update dummy details I get thrown an Exception and Can't figure out why.
Could You please scan through quickly and help me find an error if there is one? There are no syntax errors.
update.php
$user = new User();
if(!$user->isLoggedIn()){
Redirect::to('index.php');
}
// Check whether token is submited and user exists
if(Input::exists()){
if(Token::check(Input::get('token'))){
$validate = new Validate();
$validation = $validate->check($_POST, array(
'Name' => array(
'required' => true,
'min' => 4,
'max' => 30
),
'email' => array(
'required' =>true
)
));
if($validation->passed()){
// Update
try{
$user->update(array(
'Name' => Input::get('Name'),
'email' => Input::get('email')
));
Session::flash('home', 'Your details have been updated');
Redirect::to('index.php');
}catch(Exception $e) {
die($e->getMessage());
}
} else {
foreach($validation->errors() as $error){
echo ('<p>' . $error . '</p>');
}
}
}
}
User.php class
class User{
private $_db,
$_data,
$_sessionName,
$_cookieName,
$_isLoggedIn;
public function __construct($user = null){
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
if(!$user){
if(Session::exists($this->_sessionName)){
$user = Session::get($this->_sessionName);
if($this->find($user)){
$this->_isLoggedIn = true;
} else {
// Process Log out
}
}
} else {
$this->find($user);
}
}
public function update($fields = array(), $id = null){
if(!$id && $this->isLoggedIn()){
$id = $this->data()->id;
}
if(!$this->_db->update('user', $id, $fields)){
throw new Exception('Sorry, there was problem updating. Please try again later.');
}
}
public function create($fields = array()){
if(!$this->_db->insert('user', $fields)){
throw new Exception('There was a problem creating new account.');
}
}
public function find($user = null){
if($user){
$field = (is_numeric($user)) ? 'id' : 'Username';
$data = $this->_db->get('user', array($field, '=', $user));
if($data->count()){
$this->_data = $data->first();
return true;
}
}
return false;
}
public function login($Username = null, $password = null, $remember = false){
if(!$Username && !$password && $this->exists()){
// Log User in
Session::put($this->_sessionName, $this->data()->id);
} else {
$user = $this->find($Username);
if($user){
if($this->data()->Password === Hash::make($password, $this->data()->salt)){
Session::put($this->_sessionName, $this->data()->id);
if($remember){
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()){
$this->_db->insert('users_session', array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else {
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function exists(){
return (!empty($this->_data)) ? true : false;
}
public function logout(){
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Session::delete($this->_sessionName);
Cookie::delete($this->_cookieName);
}
public function data(){
return $this->_data;
}
public function isLoggedIn(){
return $this->_isLoggedIn;
}
}
(if(!$this->_db->update('user', $id, $fields)){
throw new Exception('Sorry, there was problem updating. Please try again later.');
})
This is the exception i get.. Thanks a million
If it helps update() is the method I get the error from
This is my DB class:
class DB{
private static $_instance = null;
private $_pdo,
$_query,
$_error = false,
$_results,
$_count = 0;
private function __construct(){
try {
$this->_pdo = new PDO('mysql:host=' .
Config::get('mysql/host') . ';dbname=' .
Config::get('mysql/db'),
Config::get('mysql/username'),
Config::get('mysql/password'));
} catch(PDOException $e){
die($e -> getMessage());
}
}
public static function getInstance(){
if(!isset(self::$_instance)) {
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array()){
$this->_error = false;
// Check if query has been prepared properly
if($this->_query = $this->_pdo->prepare($sql)){
$x = 1;
if(count($params)){
foreach($params as $param){
$this->_query->bindValue($x, $param);
$x++;
}
}
// If the query has been prepared successfuly, store the result
if($this->_query->execute()){
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function action($action, $table, $where = array()){
if(count($where) === 3){
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)){
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error()){
return $this;
}
}
}
return false;
}
// QUERYING DATA FROM DATABASE
public function get($table, $where){
return $this->action('SELECT *', $table, $where);
}
// DELETING DATA FROM DATABASE
public function delete($table, $where){
return $this->action('DELETE', $table, $where);
}
// INSERTING DATA INTO DATABASE
public function insert($table, $fields = array()){
$keys = array_keys($fields);
$values = '';
$x = 1;
foreach($fields as $field){
$values .= "?";
if($x < count($fields)){
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES({$values})";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function results(){
return $this->_results;
}
public function update($table, $userID, $fields){
$set = '';
$x = 1;
foreach($fields as $name => $value){
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE userID = {ID}";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function first(){
return $this->results()[0];
}
public function error(){
return $this->_error;
}
public function count(){
return $this->_count;
}
}
If you tried to return the sql you will find that it is not valid, such as:
function update($table, $userID, $fields){
$set = '';
$x = 1;
foreach($fields as $name => $value){
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE userID = {ID}";
return $sql;
}
echo update('table',1,array('f1'=>'v1','f2'=>'v2','f3'=>'v3','f4'=>'v4'));
Results would look like:
UPDATE table SET f1 = ?, f2 = ?, f3 = ?, f4 = ? WHERE userID = {ID}
so your ID is not the actual integer that I passed.
but if you changed your statement to be:
//some code
$sql = "UPDATE {$table} SET {$set} WHERE userID = {$userID}";
return $sql;
the result would be:
UPDATE table SET f1 = ?, f2 = ?, f3 = ?, f4 = ? WHERE userID = 1