I seem to have an error I don't really understand. The process works fine, the connection to database is fine, but for some reason it doesn't update. There are no visible errors for me, or that php recognizes. Here is the code: (note that the last missing) on class I know about, and that happened when I copy pasted it, it's fine in the code
public function change_password($user, $pass) {
if($user) {
$password = md5($pass);
$this->_query = $this->_pdo->prepare("UPDATE users SET password = ? WHERE ? = ?");
if($this->_query->execute(array($pass, Check::data($user), $user))) {
return true;
}
}
return false;
}
class Check {
public static function data($data) {
if($data) {
if(is_numeric($data)) {
$_id = 'id';
} else if(filter_var($data, FILTER_VALIDATE_EMAIL)) {
$_id = 'email';
} else {
$_id = 'username';
}
return $_id;
}
return false;
}
}
If anyone is intressed, I resolved the problem, and for future simular problems , I found a way around..
public function change_password($user, $pass) {
if($user) {
$pass = md5($pass);
$id = $this->id($user);
$this->_query = $this->_pdo->prepare("UPDATE users SET password = ? WHERE id = ?");
if($this->_query->execute(array($pass, $id))) {
return true;
}
}
return false;
}
public function id($user) {
if($user) {
$params = $this->fetch($user);
foreach($params as $param) {
if($param['id']) {
return $param['id'];
}
}
}
return false;
}
public function fetch($user) {
if($user) {
if(Check::data($user) === 'id') {
$this->_query = $this->_pdo->prepare("SELECT * FROM users WHERE id = :user");
}
if(Check::data($user) === 'email') {
$this->_query = $this->_pdo->prepare("SELECT * FROM users WHERE email = :user");
}
if(Check::data($user) === 'username') {
$this->_query = $this->_pdo->prepare("SELECT * FROM users WHERE username = :user");
}
$this->_query->execute(array(':user' => $user));
return $this->_query->fetchAll();
}
return false;
}`class Check {
public static function data($data) {
if($data) {
if(is_numeric($data)) {
$_id = 'id';
} else if(filter_var($data, FILTER_VALIDATE_EMAIL)) {
$_id = 'email';
} else {
$_id = 'username';
}
return $_id;
}
return false;
} }
Related
I am trying to give access to a user according to their role, I have 2 type one Administrator with id 1 and Client with id 2, so far the valid username and password. so the Client can enter the administrative part, and I want him to only have access to the Client's view
This is my function verify of the model:
public function Verify($usuario, $contrasena) {
try {
$sql = "SELECT * FROM usuarios WHERE usuario = ? AND contrasena = ?" ;
$stm = $this->pdo->prepare($sql);
$stm->execute(array($usuario, $contrasena));
$UsuarioDatos = $stm->fetch(PDO::FETCH_OBJ);
if ($UsuarioDatos == NULL) {
return FALSE;
} else {
return TRUE;
}
} catch (Exception $ex) {
die($ex->getMessage());
}
}
And this is my login.controller:
public function Authenticate() {
$usuario = $_REQUEST['usuario'];
$contrasena = ($_REQUEST[('contrasena')]);
$validar = $this->model->Verify($usuario, $contrasena);
if ($validar) {
$_SESSION['usuario']=$usuario;
$_SESSION['idCategoriaUsu']=$validar['idCategoriaUsu'];
$_SESSION['Iniciada']='true';
if($_SESSION['idCategoriaUsu'] == 1){
header('Location:index.php?c=Home');
}
else {
header('Location:index.php?c=ClienteNormal');
}
} else {
header('Location: index.php?c=Login&error=true');
}
}
Is going directly to this:
else {
header('Location:index.php?c=ClienteNormal');
}
your function "Verify" returns a boolean.
Except here:
$_SESSION['idCategoriaUsu']=$validar['idCategoriaUsu']
you try to access a array.
Quentin Geenens answer is correct,
modify your Verify function:
public function Verify($usuario, $contrasena) {
try {
$sql = "SELECT * FROM usuarios WHERE usuario = ? AND contrasena = ?";
$stm = $this->pdo->prepare($sql);
$stm->execute(array($usuario, $contrasena));
$UsuarioDatos = $stm->fetch(PDO::FETCH_OBJ);
if ($UsuarioDatos == NULL) {
return FALSE;
} else {
return TRUE;
}
} catch (Exception $ex) {
die($ex->getMessage());
}
}
to this:
public function Verify($usuario, $contrasena) {
try {
$sql = "SELECT * FROM usuarios WHERE usuario = ? AND contrasena = ?";
$stm = $this->pdo->prepare($sql);
$stm->execute(array($usuario, $contrasena));
$UsuarioDatos = $stm->fetch(PDO::FETCH_OBJ);
if ($UsuarioDatos == NULL) {
return FALSE;
} else {
return $UsuarioDatos;
}
} catch (Exception $ex) {
die($ex->getMessage());
}
}
if $UsuarioDatos is not NULL it returns the query result.
then modify your Authenticate function:
public function Authenticate() {
$usuario = $_REQUEST['usuario'];
$contrasena = ($_REQUEST[('contrasena')]);
$validar = $this->model->Verify($usuario, $contrasena);
if ($validar) {
$_SESSION['usuario']=$usuario;
$_SESSION['idCategoriaUsu']=$validar['idCategoriaUsu'];
$_SESSION['Iniciada']='true';
if($_SESSION['idCategoriaUsu'] == 1){
header('Location:index.php?c=Home');
}
else {
header('Location:index.php?c=ClienteNormal');
}
} else {
header('Location: index.php?c=Login&error=true');
}
}
to this:
public function Authenticate() {
$usuario = $_REQUEST['usuario'];
$contrasena = ($_REQUEST[('contrasena')]);
$validar = $this->model->Verify($usuario, $contrasena);
if ($validar === FALSE) {
header('Location: index.php?c=Login&error=true');
} else {
$_SESSION['usuario'] = $usuario;
$_SESSION['idCategoriaUsu'] = $validar['idCategoriaUsu'];
$_SESSION['Iniciada']='true';
if($_SESSION['idCategoriaUsu'] == 1){
header('Location:index.php?c=Home');
}
else {
header('Location:index.php?c=ClienteNormal');
}
}
}
I hope this answer helps you
I am attempting to do an if statement to populate the correct navigation menu for different levels of permission users.
I have a class called users, which has the following function called 'hasPermission':
public function hasPermission($key) {
$group = $this->_db->get('groups', array('id', '=', $this->data()->group));
if($group->count()) {
$permissions = json_decode($group->first()->permissions, true);
if($permissions[$key] == true) {
return true;
}
}
return false;
}
Which works off the following groups in my database:
Then in a different file, I am trying to get the current user's signed in permission with $permission (I think the error is in here) and then use the if statement to populate the correct file.
$permission = $user->hasPermission($group);
if($permission == 'User') {
include 'nav/userNav.php';
} else if ($permission == 'Admin') {
include 'nav/adminNav.php';
}
Does anyone see what I am doing wrong?
EDIT:
User class full code:
<?php
class User {
private $_db,
$_data,
$_sessionName,
$_cookieName,
$_isLoggedIn;
public function __construct($user = null) {
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
if(!$user) {
if(Session::exists($this->_sessionName)) {
$user = Session::get($this->_sessionName);
if($this->find($user)) {
$this->_isLoggedIn = true;
} else {
// process Logout
}
}
} else {
$this->find($user);
}
}
public function update($fields = array(), $id = null) {
if(!$id && $this->isLoggedIn()) {
$id = $this->data()->id;
}
if(!$this->_db->update('users', $id, $fields)) {
throw new Exception('There was a problem updating!');
}
}
public function create($fields = array()) {
if(!$this->_db->insert('users', $fields)) {
throw new Exception('There was a problem creating an account:' . $this->_db->errorMessage());
}
$this->lastId = $this->_db->lastInsertId();
}
public function find($user = null) {
if($user) {
$field = (is_numeric($user)) ? 'id' : 'username';
$data = $this->_db->get('users', array($field, '=', $user));
if($data->count()) {
$this->_data = $data->first();
return true;
}
}
return false;
}
public function login($username = null, $password = null, $remember = false) {
if(!$username && !$password && $this->exists()) {
Session::put($this->_sessionName, $this->data()->id);
} else {
$user = $this->find($username);
if($user) {
if($this->data()->password === Hash::make($password, $this->data()->salt)) {
//if(Auth::check($this->data()->password, $password)){
Session::put($this->_sessionName, $this->data()->id);
if($remember) {
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()) {
$this->_db->insert('users_session', array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else {
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function hasPermission($key) {
$group = $this->_db->get('groups', array('id', '=', $this->data()->group));
if($group->count()) {
$permissions = json_decode($group->first()->permissions, true);
if($permissions[$key] == true) {
return true;
}
}
return false;
}
public function exists() {
return (!empty($this->_data)) ? true : false;
}
public function logout() {
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Session::delete($this->_sessionName);
Cookie::delete($this->_cookieName);
}
public function data() {
return $this->_data;
}
public function isLoggedIn() {
return $this->_isLoggedIn;
}
}
?>
EDIT #2 - Trying to create a new function for this:
public function getGroup($groupkey) {
$group_name = $this->_db->get('groups', array('name'));
}
Then in the other file where I am trying to call this:
$permission = $user->getGroup($group_name);
if($permission == 'User') {
include 'nav/userNav.php';
} else if ($permission == 'Admin') {
include 'nav/adminNav.php';
}
Edit #3
With this code:
public function getGroup($groupkey) {
$group_name = $this->_db->get('groups', array('name'));
return $group_name;
}
I get this erorr:
Fatal error: Uncaught ArgumentCountError: Too few arguments to function User::getGroup(), 0 passed in /home/house/public_html/admin/index.php on line 322 and exactly 1 expected in /home/house/public_html/classes/User.php:116 Stack trace: #0 /home/house/public_html/admin/index.php(322): User->getGroup() #1 {main} thrown in
Action function in DB class.
public function action($action, $table, $where = array()){
if(count($where) === 3){
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)) {
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
$date = new DateTime();
file_put_contents('debug_log', "\n[{$date->format('Y-m-d H:i:s')}] $sql", FILE_APPEND);
$results = $this->query($sql, array($value));
file_put_contents('debug_log1', "\n[{$date->format('Y-m-d H:i:s')}] $sql" . print_r($results, 1), FILE_APPEND);
return $this;
}
}
return false;
}
EDIT - FULL DB CLASS
<?php
class DB {
private static $_instance = null;
private $_pdo,
$_query,
$_error = false,
$_results,
$_count = 0,
$_errmsg = "";
private function __construct(){
try {
$this->_pdo = new PDO('mysql:host=' . Config::get('mysql/host') . ';dbname=' . Config::get('mysql/db'), Config::get('mysql/username'), Config::get('mysql/password'));
/*$host = config::get('mysql/host');
$database = config::get('mysql/db');
$username = config::get('mysql/user');
$password = config::get('mysql/password');
$dbh = new PDO('mysql:host='.$host.';dbname='.$database.', $username, $password);*/
} catch(PDOException $e) {
die($e->getMEssage());
}
}
//**********LastID
public function lastInsertId () {
return $this->_pdo->lastInsertId();
}
public static function getInstance() {
if(!isset(self::$_instance)) {
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array()){
"DEBUG DB::query called<br>SQL: $sql<br><br>PARAMS: " . implode("<br>", $params) . "<hr>\n";
$this->_error = false;
if($this->_query = $this->_pdo->prepare($sql)) {
"DEBUG: prepared statement created ok<hr>\n";
$x = 1;
if(count($params)){
foreach($params as $param){
$this->_query->bindValue($x, $param);
$x++;
}
}
if($this->_query->execute()){
$this->_results = $this->_query->fetchALL(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
"DEBUG: query succeeded, rowcount was: " . $this->_count . "<hr>\n";
} else {
"DEBUG: query failed to execute, reason:<br>" . implode( "<br>", $this->_query->errorInfo() ) . "<hr>\n";
$this->_error = true;
}
} else {
"DEBUG: Failed to create prepared statement<hr>\n";
}
return $this;
}
public function action($action, $table, $where = array()){
if(count($where) === 3){
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)) {
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
$date = new DateTime();
file_put_contents('debug_log', "\n[{$date->format('Y-m-d H:i:s')}] $sql", FILE_APPEND);
$results = $this->query($sql, array($value));
file_put_contents('debug_log1', "\n[{$date->format('Y-m-d H:i:s')}] $sql" . print_r($results, 1), FILE_APPEND);
return $this;
}
}
return false;
}
public function get($table, $where){
return $this->action('SELECT *', $table, $where);
}
public function delete($table, $where){
return $this->action('DELETE', $table, $where);
}
public function insert($table, $fields = array()) {
$keys = array_keys($fields);
$values = '';
$x = 1;
foreach($fields as $field) {
$values .= '?';
if($x < count($fields)) {
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) Values ({$values})";
return ! $this-> query($sql, $fields)->error();
}
public function update($table, $id, $fields) {
$set = '';
$x = 1;
foreach($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)) {
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
return ! $this-> query($sql, $fields)->error();
}
public function results() {
return $this->_results;
}
public function first() {
return $this->results()[0];
}
public function error() {
return $this->_error;
}
public function errorMessage() {
return $this->_errmsg;
}
public function count(){
return $this->_count;
}
}
?>
Based on the updated information, I can see that you're using PDO and executing fetchALL and returning results as an array of stdClass objects (FETCH_OBJ). Not sure why you're storing permission at all, let alone as a JSON object but thankfully, we don't need that column in this case. We can simply look up name based on id.
It is important to realize that $this->_db->get(... returns an instance of your DB class (or false) so you should name your variable appropriately, $db. Let me know if you run into any issues and I'll try to help out.
<?php
/**
* Returns the role name of the currently logged in user. If no role can be
* determined, an empty string will be returned.
* #return string
*/
public function getGroup()
{
$role = '';
// I really can't tell what `$this->data()->group` is but
// I'm making the assumption that it is the logged in user's role ID.
$db = $this->_db->get('groups', array('id', '=', $this->data()->group));
if($db->count() > 0) {
// `first()` returns the first element of the results as a stdClass object.
// https://www.geeksforgeeks.org/what-is-stdclass-in-php/
$role = $db->first()->name;
}
return $role;
}
...
public function hasPermission($key) {
$group = $this->_db->get('groups', array('id', '=', $this->data()->group));
if($group->count()) {
$permissions = json_decode($group->first()->permissions, true);
if($permissions[$key] == true) {
return $key;//change true here to the role
}
}
return false;
}
...
I'm trying to do a login class what checks if all fields are correct, and if is it then proccess.
My code: (login.php)
<?php
require('sql.php');
class login {
private $user;
private $email;
private $doc;
private $password;
function login($field, $pass){
$user = $field;
$email = $field;
$doc = strtoupper($field);
$password = $pass;
$this->getUser($user, $password, $r) ? $r : $this->getEmail($email, $password, $r) ? $r : $this->getDoc($doc, $password, $r) ? $r : null;
}
private function getUser($u, $p, &$r){
global $sql;
$count = 0;
$check = $sql->query("SELECT ... ");
while($row = $check->fetch_object()){
$count++;
$r = $row;
}
$count == 1 ? true : false;
}
private function getEmail($e, $p, &$r){ same as getUser()... }
private function getDoc($d, $p, &$r){ same as getUser()... }
}
?>
Now in Index (index.php)
<html>
ALL HTML STUFF WITH THE FORM
</html>
<?php
require('login.php');
if(isset($_POST['submit'])){
$login = new login(trim($sql->real_escape_string($_POST['user'])), md5(trim($sql->real_escape_string($_POST['pass']))));
if($login != null){
echo "SUCCESSFUL: ".$login->user;
}else{
echo "INCORRECT PASSWORD";
}
}
?>
The idea is get $login values like $login->user. But show me an error...
How can I do this? Where is my mistake?
This give you error because of private $user;
Make it public $user; because private member are not allowed to access from outside
or you can do some like following
public function getUsername(){
return $this->username;
}
and access it via echo $Obj->getusername();
Ok, thanks everyone but i solve the problem!!
in the constructor of login i put one value more.
public function login($field, $pass, &$r)
then in index.php
$login = new login(//user, //pass, $r);
echo "SUCCESSFUL: ".$r->user;
This return me the value from SQL query. This is what i was looking for.
Thanks again.
I m not saying all of this is working. Is just to get an idea of what i mean.
What you want is to get user informations.
For that you have created a class login.
Why dont you just create a User class where you retrieve and store your informations.
If constructor get an error. Just return null.
class User {
private $user;
private $email;
private $doc;
private $password;
private $detail1;
private $detail2;
private $detail3;
private $detail4;
public function __constructfunction login($field, $pass){
$user = $field;
$email = $field;
$doc = strtoupper($field);
$password = $pass;
$error = false;
//Detail for User
$count = 0;
$check = $sql->query("SELECT ... WHERE username='.$this->user.' AND pass = '.$this->password.'");
while($row = $check->fetch_object()){
$count++;
$r = $row;
}
if($count == 1)
{
$this->detail1 = $row['detail1'];
$this->detail2 = $row['detail2'];
}
else
{
$error = true;
}
//Detail for Doc
$count = 0;
$check = $sql->query("SELECT ... WHERE username='.$this->user.' AND pass = '.$this->password.'");
while($row = $check->fetch_object()){
$count++;
$r = $row;
}
if($count == 1)
{
$this->detail3 = $row['detail3'];
$this->detail4 = $row['detail4'];
}
else
{
$error = true;
}
if(true === $error)
return null;
}
public function getUser(){
return $this->user;
}
public function getEmail(){
return $this->doc;
}
public function getDoc(){
return $this->doc;
}
//Maybe not usefull
public function getPassword(){
return $this->password;
}
}
I'm creating a class in which MySQL queries will be generated automatically , but I've some problem ...
here is my Database class...
<?php
class Database {
var $host="localhost";
var $username="";
Var $password="";
var $database="";
var $fr_query;
var $row= array() ;
public function connect()
{
$conn= mysql_connect($this->host,$this->username,$this->password);
if(! $conn )
{
die('Could not connect: ' . mysql_error());
}
}
public function db()
{
$conn_db = mysql_select_db($this->database);
if(! $conn_db )
{
echo 'Could Not Connect the Database';
}
}
public function run_query($sql)
{
$run = mysql_query($sql);
if(!$run)
{
throw new Exception("!!!!!Invalid query!!!!!!!");
}
$newId = mysql_insert_id();
if($newId)
{
return $newId;
}
return true;
}
public function fetchRow($fr)
{
if($fr)
{
$run = mysql_query($fr);
if($run)
{
return mysql_fetch_assoc($run);
}
}
return null;
}
function fetchAll($fr_query)
{
if($fr_query)
{
$run = mysql_query($fr_query);
if($run)
{
$data=array();
while($row=mysql_fetch_assoc($run))
{
$data[]=$row;
}
return $data;
}
}
return null;
}
}
$n = new Database();
$n->connect();
$n->db();
?>
and this is my test.php
<?php
include("database.php");
class Model_Abstract
{
protected $_data = array();
protected $_tableName = null;
protected $_primaryKey = null;
public function getTableName()
{
return $this->_tableName;
}
public function getPrimaryKey()
{
return $this->_primaryKey;
}
public function __set($key, $value = NULL)
{
$key = trim($key);
if(!$key)
{
throw new Exception('"$key" should not be empty.');
}
$this->_data[$key] = $value;
return $this;
}
public function __get($key)
{
$key = trim($key);
if(!$key)
{
throw new Exception('"$key" should not be empty.');
}
if(array_key_exists($key, $this->_data))
{
return $this->_data[$key];
}
return NULL;
}
public function insert()
{
print_r($this->_data);
$keyString = "`".implode("`,`", array_keys($this->_data))."`";
$valueString = "'".implode("','", array_keys($this->_data))."'";
echo $query = "INSERT INTO `{$this->getTableName()}` ({$keyString}) VALUES ({$valueString})";
$this->adpater()->run_query($query);
echo 'Inserted';
}
public function setData($data)
{
if(!is_array($data))
{
throw new Exception('"$data" should not be empty.');
}
$this->_data = $data;
return $this;
}
public function load($id, $key = null)
{
if(!is_int($id) && $id)
{
throw new Exception('"$id" should not be blank.');
}
if($id)
{
echo $query = "SELECT * FROM `{$this->getTableName()}` WHERE `{$this->getPrimaryKey()}` = '{$id}'";
$data[] = $this->adpater()->fetchRow($query);
$tabelName = $this->getTableName();
foreach($data as &$_data)
{
print_r($_data);
$object = new $tabelName();
$object->setData($_data);
$_data = $object;
}
print_r($data);
return $this;
/*
$query = "SELECT * FROM `{$this->getTableName()}` WHERE `{$this->getPrimaryKey()}` = '{$id}'";
$this->_data = $this->adpater()->fetchRow($query);
return $this; */
}
}
public function loadAll()
{
$query = "SELECT * FROM `{$this->getTableName()}`";
$data[] = $this->adpater()->fetchAll($query);
return $data;
}
public function delete($id, $key = null)
{
if(!is_int($id) && $id)
{
throw new Exception('"$id" should not be blank.');
}
if($id)
{
echo $query = "DELETE FROM `{$this->getTableName()}` WHERE `{$this->getPrimaryKey()}` = '{$id}'";
$data[] = $this->adpater()->run_query($query);
$tabelName = $this->getTableName();
$msg = 'Deleted Successfully....';
return $msg;
}
}
public function update()
{
print_r($this->_data);
$keyString = "`".implode("`,`", array_keys($this->_data))."`";
$valueString = "'".implode("','", array_keys($this->_data))."'";
echo $query = "UPDATE`{$this->getTableName()}` SET ({$keyString}) = ({$valueString}) WHERE `{$this->getPrimaryKey()}` = '{$id}'";
$this->adpater()->run_query($query);
echo 'Updated';
}
public function adpater()
{
return new Database();
}
}
class Product extends Model_Abstract
{
protected $_tableName = 'product';
protected $_primaryKey = 'product_id';
}
$product = new Product();
echo $product->name;
$product->insert();
print_r($product);
$product = new Product();
$product->name = 'Nokia Lumia';
$product->description = 'Windows';
$product->price = '15000';
$product->quantity = '12';
$product->sku = 'x2';
$product->status = '2';
$product->created_date = '0000-00-00 00:00:00';
$product->updated_date = ' ';
?>
So in here my problem is in Insert query, the values are same the column_name ...
I'm having Problem in loadAll();
the browser says "Catchable fatal error: Object of class Product could not be converted to string in"
$keyString = "`".implode("`,`", array_keys($this->_data))."`";
$valueString = "'".implode("','", array_keys($this->_data))."'";
Same lines, same value. Perhaps you meant
$keyString = "`".implode("`,`", array_keys($this->_data))."`";
$valueString = "'".implode("','", $this->_data) ."'";
Which would take the array keys for $keyString and the array values for $valueString.
Depreciation warning
mysql_* are deprecated functions. Use mysqli_* or PDO
Warning
This class does not protect you against SQL injections.
If (for argument sake) 'admin-access' was granted in php with:
if (isset($_SESSION['admin'])) // this session would be set
{ // grant access; } // after a successful login
else { //redirect ;}
Would this be a particularly easy thing to bypass and fake, if you knew what the name of the session is (in this case it is admin)?
In other words, can someone easily fake a $_SESSION, if all a script calls for is the session to be 'set'?
Using isset() is not bad for security. It depends on your logic that how you use it. It will be good if you not only check isset() but also its value.
For Example:
if( isset($_SESSION['admin']) && $_SESSION['admin'] == true ) {
// grant access
} else {
//redirect
}
Or something like this:
if( isset($_SESSION['admin']) && $_SESSION['admin'] == '1' ) {
// grant access
} else {
//redirect
}
i prefer a more secure way, like this class i used in my old applications :
class auth {
protected $userID;
protected $password;
protected $username;
protected $remember;
protected $userType;
public function checkAuth($username,$password,$remember=0) {
global $db;
$this->password = sha1($password);
$this->username = strtolower($username);
$this->remember = $remember;
$sth = $db->prepare("SELECT `id`,`username`,`password`,`type` FROM `user` WHERE `username` = :username AND `active` = '1' LIMIT 1");
$sth->execute(array(
':username' => $this->username
));
$result = $sth->fetchAll();
$this->userType = $result[0]['type'];
if (#$result[0]['password'] == $this->password) {
$this->userID = $result[0]['id'];
$this->makeLogin();
return true;
} else {
return false;
exit;
}
}
private function makeLogin() {
$securityInformation = $this->username . '|-|' . $this->password . '|-|' . $this->userID . '|-|' . $this->userType;
$hash = $this->encode($securityInformation);
if ($this->remember) {
setcookie('qdata',$hash,time()+604800,'/');
} else {
$_SESSION['qdata'] = $hash;
}
$this->updateStats();
}
public function isLogin() {
global $db, $ua, $cache;
$data = $this->getUserInfo();
if ($data) {
$sth = $db->prepare('SELECT `password`,`last_login_ip` FROM `user` WHERE `id` = :ID LIMIT 1');
$sth->execute(array(
':ID' => $data['userID']
));
$result = $sth->fetchAll();
if ( ($result[0]['password'] == $data['password']) AND ($result[0]['last_login_ip'] == $ua->getIP()) ) {
return true;
} else {
return false;
}
}
}
public function logout() {
if (#isset($_COOKIE['qdata'])) {
setcookie('qdata','',time()-200, '/');
}
if (#isset($_SESSION['qdata'])) {
unset($_SESSION['qdata']);
}
}
private function parseHash($hash) {
$userData = array();
list($userData['username'],$userData['password'],$userData['userID'],$userData['userType']) = explode('|-|',$this->decode($hash));
return $userData;
}
public function getUserInfo() {
if (#isset($_COOKIE['qdata'])) {
$data = $this->parseHash($_COOKIE['qdata']);
return $data;
} elseif (#isset($_SESSION['qdata'])) {
$data = $this->parseHash($_SESSION['qdata']);
return $data;
} else {
return false;
}
}
private function encode($str) {
$chr = '';
$prt = '';
for($i=0;$i < strlen($str);$i++) {
$prt = (chr(ord(substr($str,$i,1)) + 3)) . chr(ord(substr($str,$i,1)) + 2);
$chr = $prt . $chr;
}
return str_rot13($chr);
}
private function decode($str) {
$chr = '';
$prt = '';
$str = str_rot13($str);
for($i=0;$i < strlen($str);$i++) {
if($i % 2 == 0) {
$prt = (chr(ord(substr($str,$i,1)) - 3));
$chr = $prt . $chr;
}
}
return $chr;
}
}
if you dont like this approach, at least store a special key in admin table and use session with that key in value, also check login is validated every time a page loaded.