I am creating a contest website on my localhost using PHP. The project works as follows:
The user can log in and is directed to a page level.php?n=getUserData()['level'] , the logic is that if the user submits the right answer the user is redirected to the next level and the level field in the database must be updated so that the user can redirected to the next level level.php?n=2 and so on...., during login the users credentials are being stored in a session variable.(user_id,level,email ..etc).
My login controller:
include 'core/init.php';
$id = isset($_GET['n']) ? $_GET['n'] : null;
$validate = new Validator;
$template = new Template("templates/question.php");
$template->title = $validate->getQuestion($id)->body;
//$template->answer = $validate->getQuestion($id)->answer;
$userid = getUserData()['user_id'];
if(isset($_POST['submit']))
{
// echo getUserData()['level']; die();
$data = array();
$data['answer'] = $_POST['answer'];
$required_fields = array("answer");
if($validate->isRequired($required_fields))
{
if($validate->check_answer($_POST['answer']))
{
if($validate->update_level($userid))
{
redirect("level.php?n=".getUserData()['level'],"Correct Anwser","success");
}
}
else
{
redirect("level.php?n=".getUserData()['level'],"Incorrect","error");
}
}
else
{
redirect("level.php?n=".getUserData()['level'],"Empty","error");
}
}
echo $template;
?>
`
My Validation class:
<?php
class Validator
{
private $db;
public function __construct()
{
$this->db = new Database;
}
public function isrequired($field_array)
{
foreach($field_array as $field)
{
if(empty($_POST[''.$field.'']))
{
return false;
}
}
return true;
}
public function login($username,$password)
{
$this->db->query("SELECT * FROM users WHERE username=:username AND password=:password");
$this->db->bind(":username",$username);
$this->db->bind(":password",$password);
$result = $this->db->single();
$row = $this->db->rowCount();
if($row>0)
{
$this->getData($result);
return true;
}
else
{
return false;
}
}
public function getData($row)
{
$_SESSION['is_logged_in'] = true;
$_SESSION['user_id'] = $row->id;
$_SESSION['username'] = $row->username;
$_SESSION['email'] = $row->email;
$_SESSION['level'] = $row->level;
}
public function getQuestion($id)
{
$this->db->query("SELECT * FROM question WHERE question_id = :id");
$this->db->bind(":id",$id);
$result = $this->db->single();
return $result;
}
public function logout()
{
unset($_SESSION['is_logged_in']);
unset($_SESSION['username']);
unset($_SESSION['user_id']);
unset($_SESSION['email']);
return true;
}
public function update_level($id)
{
$level = getUserData()['level']+1;
$this->db->query("UPDATE users SET level = :level WHERE id = :id");
$this->db->bind(":level",$level);
$this->db->bind(":id",getUserData()['user_id']);
$this->db->execute();
return true;
}
function check_answer($answer)
{
$this->db->query("SELECT * FROM question WHERE correct = :answer");
$this->db->bind(":answer",$answer);
$row = $this->db->single();
return $row;
}
}
?>
The getUserData() function:
function getUserData()
{
$userarray = array();
$userarray['username'] = $_SESSION['username'];
$userarray['user_id'] = $_SESSION['user_id'];
$userarray['email'] = $_SESSION['email'];
$userarray['level'] = $_SESSION['level'];
return $userarray;
}
I believe your problem is in your update portion when the user gets the answer correct. You need to update your session. I suggest you rework your script to convert the getUserData() into a User class or similar:
include('core/init.php');
$id = (isset($_GET['n']))? $_GET['n'] : null;
$validate = new Validator;
$template = new Template("templates/question.php");
# Create User class
$User = new User();
# Create make sure you set the files to internal array
$User->init();
# Start template
$template->title = $validate->getQuestion($id)->body;
# Fetch the id here
$userid = $User->getUserId();
# Check post
if(isset($_POST['submit'])) {
$data = array();
$data['answer'] = $_POST['answer'];
$required_fields = array("answer");
if($validate->isRequired($required_fields)) {
if($validate->check_answer($_POST['answer'])) {
# Update the database
if($validate->update_level($userid)) {
# Increment the init() here to push the level up
redirect("level.php?n=".$User->init(1)->getLevel(),"Correct Anwser","success");
}
}
else {
# Since you are not updating, don't need the init() here
redirect("level.php?n=".$User->getLevel(),"Incorrect","error");
}
}
else {
# Since you are not updating, don't need the init() here
redirect("level.php?n=".$User->getLevel(),"Empty","error");
}
}
echo $template;
Create a user class
User Class
<?php
class User
{
private $userData;
public function init($increment = 0)
{
# Get the current level
$level = $_SESSION['level'];
# If there is an increment
if($increment > 0) {
# Increment the level
$level += $increment;
# !!!***Re-assign the session***!!!
$_SESSION['level'] = $level;
}
# Save the internal array
$userarray['username'] = $_SESSION['username'];
$userarray['user_id'] = $_SESSION['user_id'];
$userarray['email'] = $_SESSION['email'];
# Level will be set by variable now
$userarray['level'] = $level;
# Save to array
$this->userData = (object) $userarray;
# Return object for chaining
return $this;
}
# This will call data from your internal array dynamically
public function __call($name,$args=false)
{
# Strip off the "get" from the method
$name = preg_replace('/^get/','',$name);
# Split method name by upper case
$getMethod = preg_split('/(?=[A-Z])/', $name, -1, PREG_SPLIT_NO_EMPTY);
# Create a variable from that split
$getKey = strtolower(implode('_',$getMethod));
# Checks if there is a key with this split name
if(isset($this->userData->{$getKey}))
$getDataSet = $this->userData->{$getKey};
# Checks if there is a key with the raw name (no get though)
elseif(isset($this->userData->{$name}))
$getDataSet = $this->userData->{$name};
# Returns value or bool/false
return (isset($getDataSet))? $getDataSet : false;
}
}
Related
I want get data from offers table ordered DESC by payout. If offer ID exist in offers_disabled_smart_link table, move to next and display link. What I'm doing wrong? I getting NULL when echo $link.
My DeliverService class is:
class DeliveryService {
protected $user_id;
protected $country;
protected $os;
protected $ip;
protected $referrer;
protected $token;
protected $smart_link;
public function __construct($user_id,$country,$ip,$os,$referrer,$token,$smart_link)
{
$this->user_id = $user_id;
$this->user_country = $country;
$this->user_ip = $ip;
$this->user_os = $os;
$this->user_referrer = $referrer;
$this->user_token = $token;
$this->smart_link_id = $smart_link;
}
public function getStatusOfferSmartLink($offer_id,$smart_link_id,$user_id)
{
global $db;
$sql="SELECT offer_id,smart_link_id,user_id FROM offers_disabled_smart_link WHERE smart_link_id=:smart_link_id AND offer_id=:offer_id and user_id=:user_id";
$stmp = $db->prepare($sql);
$stmp->execute(array(":smart_link_id"=>$smart_link_id,":offer_id"=>$offer_id,":user_id"=>$user_id));
$results = $stmp->fetchAll(PDO::FETCH_OBJ);
if($results)
return true;
else return false;
}
public function deliver()
{
global $db;
$sql="SELECT id, link, payout FROM offers ORDER BY payout DESC";
$stmp = $db->prepare($sql);
$stmp->execute();
while ($row = $stmp->fetch(PDO::FETCH_ASSOC)) {
$id = $row['id'];
$link = $row['link'];
if($this->getStatusOfferSmartLink($id,$this->smart_link_id,$this->user_id)){
continue;
}
break;
$this->localFlag = true;
}
if ($this->localFlag) {
return $link;
}
}
Here I call function deliver() and echo $link
$ad = new DeliveryService(354,$country,$ip,$os,$referrer,$token,$smart_link);
$link = $ad->deliver();
echo $link;
If you want any informations, ask me.
Lets assume that your query return your expected data.
$this->localFlag = true; line will never execute as it's after break statement. (Assume that you didn't set $this->localFlag anywhere else.)
change this:
break;
$this->localFlag = true;
to:
$this->localFlag = true;
break;
and try. Hope it will work.
I'm trying to do a login class what checks if all fields are correct, and if is it then proccess.
My code: (login.php)
<?php
require('sql.php');
class login {
private $user;
private $email;
private $doc;
private $password;
function login($field, $pass){
$user = $field;
$email = $field;
$doc = strtoupper($field);
$password = $pass;
$this->getUser($user, $password, $r) ? $r : $this->getEmail($email, $password, $r) ? $r : $this->getDoc($doc, $password, $r) ? $r : null;
}
private function getUser($u, $p, &$r){
global $sql;
$count = 0;
$check = $sql->query("SELECT ... ");
while($row = $check->fetch_object()){
$count++;
$r = $row;
}
$count == 1 ? true : false;
}
private function getEmail($e, $p, &$r){ same as getUser()... }
private function getDoc($d, $p, &$r){ same as getUser()... }
}
?>
Now in Index (index.php)
<html>
ALL HTML STUFF WITH THE FORM
</html>
<?php
require('login.php');
if(isset($_POST['submit'])){
$login = new login(trim($sql->real_escape_string($_POST['user'])), md5(trim($sql->real_escape_string($_POST['pass']))));
if($login != null){
echo "SUCCESSFUL: ".$login->user;
}else{
echo "INCORRECT PASSWORD";
}
}
?>
The idea is get $login values like $login->user. But show me an error...
How can I do this? Where is my mistake?
This give you error because of private $user;
Make it public $user; because private member are not allowed to access from outside
or you can do some like following
public function getUsername(){
return $this->username;
}
and access it via echo $Obj->getusername();
Ok, thanks everyone but i solve the problem!!
in the constructor of login i put one value more.
public function login($field, $pass, &$r)
then in index.php
$login = new login(//user, //pass, $r);
echo "SUCCESSFUL: ".$r->user;
This return me the value from SQL query. This is what i was looking for.
Thanks again.
I m not saying all of this is working. Is just to get an idea of what i mean.
What you want is to get user informations.
For that you have created a class login.
Why dont you just create a User class where you retrieve and store your informations.
If constructor get an error. Just return null.
class User {
private $user;
private $email;
private $doc;
private $password;
private $detail1;
private $detail2;
private $detail3;
private $detail4;
public function __constructfunction login($field, $pass){
$user = $field;
$email = $field;
$doc = strtoupper($field);
$password = $pass;
$error = false;
//Detail for User
$count = 0;
$check = $sql->query("SELECT ... WHERE username='.$this->user.' AND pass = '.$this->password.'");
while($row = $check->fetch_object()){
$count++;
$r = $row;
}
if($count == 1)
{
$this->detail1 = $row['detail1'];
$this->detail2 = $row['detail2'];
}
else
{
$error = true;
}
//Detail for Doc
$count = 0;
$check = $sql->query("SELECT ... WHERE username='.$this->user.' AND pass = '.$this->password.'");
while($row = $check->fetch_object()){
$count++;
$r = $row;
}
if($count == 1)
{
$this->detail3 = $row['detail3'];
$this->detail4 = $row['detail4'];
}
else
{
$error = true;
}
if(true === $error)
return null;
}
public function getUser(){
return $this->user;
}
public function getEmail(){
return $this->doc;
}
public function getDoc(){
return $this->doc;
}
//Maybe not usefull
public function getPassword(){
return $this->password;
}
}
So I've been stuck on this for quite a while, surprisingly the update and delete functions work just fine, however I cannot make the CREATE function work properly. Please have a look at it and tell me what I'm doing wrong
<-------------- Entire model for admin panel-------------->>>>>>>> Connection to DB is working fine---------->>>>>>>>>>>
<?php
include_once "Model.php";
class ModelPages extends Model {
public function get($key) {
$sql = "SELECT * from pages where page_key = '$key'";
$row = '';
$page = Null;
foreach ($this->pdo->query($sql) as $row) {
$page = $row;
}
// echo "<pre>";
// var_dump($page);
// exit;
return $page;
}
public function getAll() {
$statement = $this->pdo->prepare("SELECT * from pages Where Id > 3");
$result = $statement->execute();
$pages = array();
if($result) {
$pages = $statement->fetchAll(PDO::FETCH_ASSOC);
}
return $pages;
}
public function updatePage($params=array()) {
if (!is_array($params)) {
return 'Params should be an array';
}
if (isset($params['table'])) {
$tableName = $params['table'];
} else {
$tableName = 'pages';
}
$pageId = isset($params['page_key']) ? $params['page_key'] : null;
$pageTitle = isset($params['page_title']) ? $params['page_title'] : null;
$pageBody = isset($params['page_body']) ? $params['page_body'] : null;
if ($pageId == null) {
return 'No page id provided';
}
$sql = "UPDATE " . $tableName . " SET
title = :title,
body = :body
WHERE page_key = :page_key";
$statement = $this->pdo->prepare($sql);
$statement->bindParam(':title', $pageTitle, PDO::PARAM_STR);
$statement->bindParam(':body', $pageBody, PDO::PARAM_STR);
$statement->bindParam(':page_key', $pageId, PDO::PARAM_INT);
$result = $statement->execute();
return $result;
}
public function deletePage($pageId) {
// build sql
$sql = "DELETE FROM pages WHERE id = " . intval($pageId);
$statement = $this->pdo->prepare($sql);
$result = $statement->execute();
return $result;
}
public function createPage($params=array()){
if (!is_array($params)) {
return 'Params should be an array';
}
if (isset($params['table'])) {
$tableName = $params['table'];
} else {
$tableName = 'pages';
}
$page_key = isset($params['page_key']) ? $params['page_key'] : 'page_key';
$pageTitle = isset($params['page_title']) ? $params['page_title'] : 'page_title';
$pageBody = isset($params['page_body']) ? $params['page_body'] : 'page_body';
$sql = "INSERT INTO " . $tablename ." SET page_key=:page_key, title=:title, body=:body ";
// prepare query for execution
$statement = $this->pdo->prepare($sql);
// bind the parameters
$statement->bindParam(':page_key', $_POST['page_key']);
$statement->bindParam(':title', $_POST['title']);
$statement->bindParam(':body', $_POST['body']);
// specify when this record was inserted to the database
// Execute the query
$result = $statement->execute();
return $result;
}
}
<?php
include 'controllers/controller.php';
include 'models/Model.php';
include 'models/ModelPages.php';
<------------------------ADMIN CONTROller----------------------->>>>>>>>>>>>
class Admin extends Controller {
function __construct() {
// create an instance of ModelPages
$ModelPages = new ModelPages();
if(isset($_POST['page_key'])) {
// TODO: update DB
$tableData['page_body'] = $_POST['body'];
$tableData['table'] = 'pages';
$tableData['page_title'] = $_POST['title'];
$tableData['page_key'] = $_POST['page_key'];
$response = $ModelPages->updatePage($tableData);
if ($response == TRUE) {
header("http://188.166.96.184/workspace/marem/AAAAA/index.php?page=admin&success=true");
}
}
if(isset($_GET['page_key'])) {
// by default we assume that the key_page exists in db
$error = false;
$page = $ModelPages->get($_REQUEST['page_key']);
// if page key does not exist set error to true
if($page === null) {
$error = true;
}
// prepare data for the template
$data = $page;
$data["error"] = $error;
// display
echo $this->render2(array(), 'header.php');
echo $this->render2(array(), 'navbar_admin.php');
echo $this->render2($data, 'admin_update_page.php');
echo $this->render2(array(), 'footer.php');
} else {
// case: delete_page
if(isset($_GET['delete_page'])) {
$response = $ModelPages->deletePage($_GET['delete_page']);
if($response == TRUE) {
header("http://188.166.96.184/workspace/marem/AAAAA/index.php?page=admin&deleted=true");
}
}
}
//Get table name and make connection
if(isset($_POST['submit'])) {
$page_key = $_POST['page_key'];
$page_title = $_POST['title'];
$page_body = $_POST['body'];
$response = $ModelPages->createPage();
if($response=TRUE){
header("http://188.166.96.184/workspace/marem/AAAAA/index.php?page=admin&created=true");
}
}
}
// load all pages from DB
$pages = $ModelPages -> getAll();
// display
echo $this->render2(array(), 'header_admin.php');
echo $this->render2(array(), 'navbar_admin.php');
echo $this->render2(array("pages"=> $pages), 'admin_view.php');
echo $this->render2(array(), 'footer.php');
}
}
?>
Since you have if(isset($_POST['page_key']) on the top:
class Admin extends Controller {
function __construct() {
// create an instance of ModelPages
$ModelPages = new ModelPages();
if(isset($_POST['page_key'])) {
...
if ($response == TRUE) {
header("http://188.166.96.184/workspace/marem/AAAAA/index.php?
}
and it is used to call $response = $ModelPages->updatePage($tableData);
your code never reach the part with good values at the bottom:
if(!isset($_POST['page_key'])) {
...
$response = $ModelPages->createPage($tableData);
So my simple but not the best suggestion is use extra parameter when POST like action. so you can check:
if(isset($_POST['action']) && $_POST['action']=='update') {
...
} elseif (isset($_POST['action']) && $_POST['action']=='create') {
...
} etc...
hope this will help you for now :-)
$sql = "INSERT INTO " . $tablename ." SET page_key=:page_key, title=:title, body=:body ";
$tablename is not in scope when the statement above is executed. And you've got no error handling in the code.
i have a login function in a seperate script(main.php) which is like the below
public function login($username,$password) {
$linkingcon = $this->getConnection();
$sqlquery = "SELECT ac.userID,ac.name,us.usertype FROM users us JOIN accounts ac ON us.userID = ac.userID WHERE us.username='$username' AND us.password='$password';";
$result = mysql_query($sqlquery , $linkingcon);
$this->throwMySQLExceptionOnError($linkingcon);
$row = mysql_fetch_array($result);
$survey = new stdClass();
if($row) {
$res->userID = (int)$row['userID'];
$res->name = $row['name'];
$res->usertype = (int)$row['usertype'];
$string = rand() . 'SurveyLand' . rand() . $username. $password;
$_SESSION['SURVEYLAND_KEY'] = md5($string);
} else {
$res = false;
}
return $res;
}
and im calling the above login function from another script but i am currently unable to call the "usertype" variable of the above function... below is the function that i have written to call the "usertype", can anybody check what is wrong with the below function
function login($parameters) {
$main = new Main();
$log = $main->login($parameters["username"], $parameters["password"]);
if($log != false){
$_SESSION['usertype'] = $res->usertype;
print_r($_SESSION);
}
return $log;
}
Try changing $res to $log in the second method. $res is the variable name you use in the first method, but is out of scope in the second method. However you assign the response of the first method (ie. $res) to $log in the second method.
function login($parameters) {
$main = new Main();
$log = $main->login($parameters["username"], $parameters["password"]);
if($log != false){
$_SESSION['usertype'] = $log->usertype;
print_r($_SESSION);
}
return $log;
}
If (for argument sake) 'admin-access' was granted in php with:
if (isset($_SESSION['admin'])) // this session would be set
{ // grant access; } // after a successful login
else { //redirect ;}
Would this be a particularly easy thing to bypass and fake, if you knew what the name of the session is (in this case it is admin)?
In other words, can someone easily fake a $_SESSION, if all a script calls for is the session to be 'set'?
Using isset() is not bad for security. It depends on your logic that how you use it. It will be good if you not only check isset() but also its value.
For Example:
if( isset($_SESSION['admin']) && $_SESSION['admin'] == true ) {
// grant access
} else {
//redirect
}
Or something like this:
if( isset($_SESSION['admin']) && $_SESSION['admin'] == '1' ) {
// grant access
} else {
//redirect
}
i prefer a more secure way, like this class i used in my old applications :
class auth {
protected $userID;
protected $password;
protected $username;
protected $remember;
protected $userType;
public function checkAuth($username,$password,$remember=0) {
global $db;
$this->password = sha1($password);
$this->username = strtolower($username);
$this->remember = $remember;
$sth = $db->prepare("SELECT `id`,`username`,`password`,`type` FROM `user` WHERE `username` = :username AND `active` = '1' LIMIT 1");
$sth->execute(array(
':username' => $this->username
));
$result = $sth->fetchAll();
$this->userType = $result[0]['type'];
if (#$result[0]['password'] == $this->password) {
$this->userID = $result[0]['id'];
$this->makeLogin();
return true;
} else {
return false;
exit;
}
}
private function makeLogin() {
$securityInformation = $this->username . '|-|' . $this->password . '|-|' . $this->userID . '|-|' . $this->userType;
$hash = $this->encode($securityInformation);
if ($this->remember) {
setcookie('qdata',$hash,time()+604800,'/');
} else {
$_SESSION['qdata'] = $hash;
}
$this->updateStats();
}
public function isLogin() {
global $db, $ua, $cache;
$data = $this->getUserInfo();
if ($data) {
$sth = $db->prepare('SELECT `password`,`last_login_ip` FROM `user` WHERE `id` = :ID LIMIT 1');
$sth->execute(array(
':ID' => $data['userID']
));
$result = $sth->fetchAll();
if ( ($result[0]['password'] == $data['password']) AND ($result[0]['last_login_ip'] == $ua->getIP()) ) {
return true;
} else {
return false;
}
}
}
public function logout() {
if (#isset($_COOKIE['qdata'])) {
setcookie('qdata','',time()-200, '/');
}
if (#isset($_SESSION['qdata'])) {
unset($_SESSION['qdata']);
}
}
private function parseHash($hash) {
$userData = array();
list($userData['username'],$userData['password'],$userData['userID'],$userData['userType']) = explode('|-|',$this->decode($hash));
return $userData;
}
public function getUserInfo() {
if (#isset($_COOKIE['qdata'])) {
$data = $this->parseHash($_COOKIE['qdata']);
return $data;
} elseif (#isset($_SESSION['qdata'])) {
$data = $this->parseHash($_SESSION['qdata']);
return $data;
} else {
return false;
}
}
private function encode($str) {
$chr = '';
$prt = '';
for($i=0;$i < strlen($str);$i++) {
$prt = (chr(ord(substr($str,$i,1)) + 3)) . chr(ord(substr($str,$i,1)) + 2);
$chr = $prt . $chr;
}
return str_rot13($chr);
}
private function decode($str) {
$chr = '';
$prt = '';
$str = str_rot13($str);
for($i=0;$i < strlen($str);$i++) {
if($i % 2 == 0) {
$prt = (chr(ord(substr($str,$i,1)) - 3));
$chr = $prt . $chr;
}
}
return $chr;
}
}
if you dont like this approach, at least store a special key in admin table and use session with that key in value, also check login is validated every time a page loaded.