I'm building this Login system for my website. Everything seemed to work ok until I came across updating user details stored in database. Every time I try to update dummy details I get thrown an Exception and Can't figure out why.
Could You please scan through quickly and help me find an error if there is one? There are no syntax errors.
update.php
$user = new User();
if(!$user->isLoggedIn()){
Redirect::to('index.php');
}
// Check whether token is submited and user exists
if(Input::exists()){
if(Token::check(Input::get('token'))){
$validate = new Validate();
$validation = $validate->check($_POST, array(
'Name' => array(
'required' => true,
'min' => 4,
'max' => 30
),
'email' => array(
'required' =>true
)
));
if($validation->passed()){
// Update
try{
$user->update(array(
'Name' => Input::get('Name'),
'email' => Input::get('email')
));
Session::flash('home', 'Your details have been updated');
Redirect::to('index.php');
}catch(Exception $e) {
die($e->getMessage());
}
} else {
foreach($validation->errors() as $error){
echo ('<p>' . $error . '</p>');
}
}
}
}
User.php class
class User{
private $_db,
$_data,
$_sessionName,
$_cookieName,
$_isLoggedIn;
public function __construct($user = null){
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
if(!$user){
if(Session::exists($this->_sessionName)){
$user = Session::get($this->_sessionName);
if($this->find($user)){
$this->_isLoggedIn = true;
} else {
// Process Log out
}
}
} else {
$this->find($user);
}
}
public function update($fields = array(), $id = null){
if(!$id && $this->isLoggedIn()){
$id = $this->data()->id;
}
if(!$this->_db->update('user', $id, $fields)){
throw new Exception('Sorry, there was problem updating. Please try again later.');
}
}
public function create($fields = array()){
if(!$this->_db->insert('user', $fields)){
throw new Exception('There was a problem creating new account.');
}
}
public function find($user = null){
if($user){
$field = (is_numeric($user)) ? 'id' : 'Username';
$data = $this->_db->get('user', array($field, '=', $user));
if($data->count()){
$this->_data = $data->first();
return true;
}
}
return false;
}
public function login($Username = null, $password = null, $remember = false){
if(!$Username && !$password && $this->exists()){
// Log User in
Session::put($this->_sessionName, $this->data()->id);
} else {
$user = $this->find($Username);
if($user){
if($this->data()->Password === Hash::make($password, $this->data()->salt)){
Session::put($this->_sessionName, $this->data()->id);
if($remember){
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()){
$this->_db->insert('users_session', array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else {
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function exists(){
return (!empty($this->_data)) ? true : false;
}
public function logout(){
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Session::delete($this->_sessionName);
Cookie::delete($this->_cookieName);
}
public function data(){
return $this->_data;
}
public function isLoggedIn(){
return $this->_isLoggedIn;
}
}
(if(!$this->_db->update('user', $id, $fields)){
throw new Exception('Sorry, there was problem updating. Please try again later.');
})
This is the exception i get.. Thanks a million
If it helps update() is the method I get the error from
This is my DB class:
class DB{
private static $_instance = null;
private $_pdo,
$_query,
$_error = false,
$_results,
$_count = 0;
private function __construct(){
try {
$this->_pdo = new PDO('mysql:host=' .
Config::get('mysql/host') . ';dbname=' .
Config::get('mysql/db'),
Config::get('mysql/username'),
Config::get('mysql/password'));
} catch(PDOException $e){
die($e -> getMessage());
}
}
public static function getInstance(){
if(!isset(self::$_instance)) {
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array()){
$this->_error = false;
// Check if query has been prepared properly
if($this->_query = $this->_pdo->prepare($sql)){
$x = 1;
if(count($params)){
foreach($params as $param){
$this->_query->bindValue($x, $param);
$x++;
}
}
// If the query has been prepared successfuly, store the result
if($this->_query->execute()){
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function action($action, $table, $where = array()){
if(count($where) === 3){
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)){
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error()){
return $this;
}
}
}
return false;
}
// QUERYING DATA FROM DATABASE
public function get($table, $where){
return $this->action('SELECT *', $table, $where);
}
// DELETING DATA FROM DATABASE
public function delete($table, $where){
return $this->action('DELETE', $table, $where);
}
// INSERTING DATA INTO DATABASE
public function insert($table, $fields = array()){
$keys = array_keys($fields);
$values = '';
$x = 1;
foreach($fields as $field){
$values .= "?";
if($x < count($fields)){
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES({$values})";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function results(){
return $this->_results;
}
public function update($table, $userID, $fields){
$set = '';
$x = 1;
foreach($fields as $name => $value){
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE userID = {ID}";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function first(){
return $this->results()[0];
}
public function error(){
return $this->_error;
}
public function count(){
return $this->_count;
}
}
If you tried to return the sql you will find that it is not valid, such as:
function update($table, $userID, $fields){
$set = '';
$x = 1;
foreach($fields as $name => $value){
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE userID = {ID}";
return $sql;
}
echo update('table',1,array('f1'=>'v1','f2'=>'v2','f3'=>'v3','f4'=>'v4'));
Results would look like:
UPDATE table SET f1 = ?, f2 = ?, f3 = ?, f4 = ? WHERE userID = {ID}
so your ID is not the actual integer that I passed.
but if you changed your statement to be:
//some code
$sql = "UPDATE {$table} SET {$set} WHERE userID = {$userID}";
return $sql;
the result would be:
UPDATE table SET f1 = ?, f2 = ?, f3 = ?, f4 = ? WHERE userID = 1
Related
So my code was working perfectly fine, until I tried to insert to the database..
my DB.php (The problem seems to be here, I checked all the other files and nothing is causing any problems, the function I used was the Insert function and I got an error on line 37:
<?php
class DB
{
private static $_instance = null;
private $_pdo,
$_query,
$_error = false,
$_result,
$_count = 0;
private function __construct()
{
try {
$this->_pdo = new PDO('mysql:host=' . Config::get('mysql/host') . ';dbname=' . Config::get('mysql/db') . '', Config::get('mysql/username'), Config::get('mysql/password'));
} catch (PDOException $e) {
die($e->getMessage());
}
}
public static function getInstance()
{
if (!isset(self::$_instance)) {
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array())
{
$this->_error = false;
if ($this->_query = $this->_pdo->prepare($sql)) {
$x = 1;
if (count($params)) {
foreach ($params as $param) {
$this->_query->bindValue($x, $param);
$x++;
}
}
if ($this->_query->execute()) {
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function action($action, $table, $where = array())
{
if (count($where) == 3) {
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if (in_array($operator, $operators)) {
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if ($this->query($sql, array($value))) {
return $this;
}
}
}
return false;
}
public function get($table, $where)
{
return $this->action('SELECT *', $table, $where);
}
public function delete($table, $where)
{
return $this->action('DELETE *', $table, $where);
}
public function error()
{
return $this->_error;
}
public function count()
{
return $this->_count;
}
public function insert($table, $fields = array())
{
if (count($fields)) {
$keys = array_keys($fields);
$values = '';
$x = 1;
foreach($fields as $field){
$values .= "?";
if($x < count($fields)){
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO users (`" . implode('`,`', $keys) . "`) VALUES ({$values})";
echo $sql;
if(!$this->query($sql, $fields)->error()){ //where my error occurred
return true;
}
}
return false;
}
}
(The data's inserted to the table but that error seems crucial and I didn't find anything about it anywhere)
I watched a tutorial on YouTube and the problem occurred here- https://youtu.be/zvXgsouIzVg?t=5258
(The full error):
Fatal error: Uncaught PDOException: SQLSTATE[HY000]: General error in D:\xampp\htdocs\classes\DB.php:37 Stack trace: #0 D:\xampp\htdocs\classes\DB.php(37): PDOStatement->fetchAll(5) #1 D:\xampp\htdocs\classes\DB.php(93): DB->query('INSERT INTO use...', Array) #2 D:\xampp\htdocs\test.php(4): DB->insert('users', Array) #3 {main} thrown in D:\xampp\htdocs\classes\DB.php on line 37
Thanks in advance, that would help me a lot!
I'm learning from a tutorial online, but I can't seem to get my SQL statements to insert into the database. This is my first try at functions. I'm thinking it's the "back-tick" in my SQL statement here:
$sql = "INSERT INTO users (`" . implode('`, `', $keys) . "`) VALUES (".$values.")";`
Anyway here's my code db.php:
class DB
{
private static $_instance = null;
private
$_pdo,
$_query,
$_error = false,
$_results,
$_count = 0;
private function __construct()
{
try
{
$this->_pdo = new PDO('mysql:host=' . Config::get('mysql/host') . ';dbname='.Config::get('mysql/db'), Config::get('mysql/username'), Config::get('mysql/password'));
echo 'Connected<br>';
}
catch(PDOException $e)
{
die($e->getMessage());
}
}
public static function getInstance()
{
if(!isset(self::$_instance))
{
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array())
{
$this->_error = false;
if($this->_query = $this->_pdo->prepare($sql))
{
$r = 1;
if (count($params))
{
foreach($params as $param)
{
$this->_query->bindValue($r, $param);
$r++;
}
}
if($this->_query->execute())
{
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
echo 'success<br>';
}
else
{
$this->_error = true;
}
}
return $this;
}
public function action($action, $table, $where = array())
{
if(count($where) === 3)
{
$operators = array('=', '>', '<', '<=', '>=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators))
{
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error())
{
return $this;
}
}
}
return false;
}
public function get($table, $where)
{
return $this->action('SELECT *', $table, $where);
}
public function delete($table, $where)
{
return $this->action('DELETE *', $table, $where);
}
public function insert($table, $fields = array())
{
if(count($fields))
{
$keys = array_keys($fields);
$values = '';
$r = 1;
foreach($fields as $field)
{
$values .= '?';
if($r < count($fields))
{
$values .= ', ';
}
$r++;
}
//die($values);
$sql = "INSERT INTO users (`" . implode('`, `', $keys) . "`) VALUES (".$values.")";
echo $sql;
if(!$this->query($sql, $fields)->error())
{
return true;
}
}
return false;
}
public function error()
{
return $this->_error;
}
public function count()
{
return $this->_count;
}
public function results()
{
return $this->_results;
}
public function first()
{
return $this->results()[0];
}
}
and here's my index.php:
$user = DB::getInstance()->insert('users', array(
'username' => 'Dale',
'password' => 'password',
'salt' => 'salt'
));
if($user){ echo 'true';}
I've tried removing the "back-ticks" (that's what the guy in the tutorial called them, (`), but that didn't work. I'm trying to get the index.php to insert the data into my database. Any help would be appreciated.
So i have this OOP Login & register system which gives a user the ability to change his/her name.
When a user is pressing "Update" button his/her name is changed in the DB the problem is that tho it changes the name in DB instead of redirecting the user where i want him/her to be redirected i get the error that should appear only when that name couldn't be changed.
User.php
<?php
class User{
private $_db,
$_data,
$_sessionName,
$_cookieName,
$_isLoggedIn;
public function __construct($user = null){
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
if(!$user){
if(Session::exists($this->_sessionName)){
$user = Session::get($this->_sessionName);
if($this->find($user)){
$this->_isLoggedIn = true;
} else{
//process logout
}
}
} else{
$this->find($user);
}
}
public function update($fields = array(), $id = null){
if(!$id && $this->isLoggedIn()){
$id = $this->data()->id;
}
if(!$this->_db->update('users', $id, $fields)){
throw new Exception('There was a problem updating your profile.');
}
}
public function create($fields = array()){
if(!$this->_db->insert('users', $fields)){
throw new Exception('There was a problem creating an account');
}
}
public function find($user = null){
if($user){
$field = (is_numeric($user)) ? 'id' : 'username';
$data = $this->_db->get('users', array($field, '=', $user));
if($data->count()){
$this->_data = $data->first();
return true;
}
}
return false;
}
public function login($username = null, $password = null, $remember = false){
if(!$username && !$password && $this->exists()){
Session::put($this->_sessionName, $this->data()->id);
} else{
$user = $this->find($username);
if($user){
if($this->data()->password === Hash::make($password, $this->data()->salt)){
Session::put($this->_sessionName, $this->data()->id);
if($remember){
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()){
$this->_db->insert('users_session',array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else{
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function exists(){
return(!empty($this->_data)) ? true : false;
}
public function logout(){
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Session::delete($this->_sessionName);
Cookie::delete(Config::get('remember/cookie_name'));
}
public function data(){
return $this->_data;
}
public function isLoggedIn(){
return $this->_isLoggedIn;
}
}
edit-profile.php
<?php
$user = new User();
if(!$user->isLoggedIn()){
Redirect::to('login');
}
if(Input::exists()){
if(Token::check(Input::get('token'))){
$validate = new Validate();
$validation = $validate->check($_POST, array(
'name' => array(
'required' => true,
'min' => 2,
'max' => 50
)
));
if($validation->passed()){
try{
$user->update(array(
'name' => Input::get('name')
));
Session::flash('flash', 'Your profile has been edited with success!');
Redirect::to('flash');
} catch(Exception $e){
die($e->getMessage());
}
} else{
foreach($validation->errors() as $error){
echo $error . '<br />';
}
}
}
}
?>
<form action="" method="post">
<div class="field">
<input type="text" name="name" value="<?php echo escape($user->data()->name); ?>">
</div>
<input type="submit" value="Update">
<input type="hidden" name="token" value="<?php echo Token::generate(); ?>">
</form>
I have no clue why that is happening
This is the update() method in my DB.class
public function update($table, $id, $fields){
$set = '';
$x = 1;
foreach ($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
if($this->query($sql, $fields)->error()){
return true;
}
return false;
}
For your update function
public function update($table, $id, $fields){
$set = '';
$x = 1;
foreach ($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
if($this->query($sql, $fields)->error()){
return true;
}
return false;
}
Instead do
public function update($table, $id, $fields){
$set = [];
foreach ($fields as $name => $value) {
$set[] = "{$name} = ?";
}
$set = implode(', ', $set);
$sql = "UPDATE {$table} SET {$set} WHERE id = ?";
$fields[] = $id; //id should always be the last ?
if($this->query($sql, $fields)->error()){
return true;
}
return false;
}
Also there is the potential for the table and id and even the keys of $fields to be used as a vector for SQL injection. You may be entering it where ever you use them. But it's possible because you are not checking the table against a white list and anytime you concatenate values into SQL there is the potential for them to be exploited. All it takes is one mistake, you class should not allow coding errors in other places to compromise it's security.
You can get a list of tables from the database itself.
$statement = 'SELECT `TABLE_NAME` FROM `information_schema`.`TABLES` WHERE `TABLE_SCHEMA` LIKE "'.$database.'"';
So when you connect to the DB you could set a list of acceptable tables then check when a table is put in ( with in_array or such ). Just a thought.
It may also be possible to comprise the keys of the $fields array, for that you can do something similar to the table. but with this query
SHOW COLUMNS FROM {table}
For example, imagine a post request that has inputs matching your array $fields. All someone would have to do is send your server a request with the SQL Attack part in the key instead of the value and you are unprotected. Something like this ( don't drop your DB without a backup, feel i should say that.)
$_POST['1=1; DROP DATABASE --'] = true;
When you construct your query you would have
INSERT INTO table SET 1=1; DROP DATABASE -- = ?, {field} = ? .. rest of query
The -- starts a comment in SQL so nothing after the -- matter to the DB this prevents an error from happening.. So be careful of just dumping post keys into your SQL I'm not sure 1=1 would work but they could use a field out of the input list just as easily. this is just for example purposes.
To me this line
if($this->query($sql, $fields)->error()){
return true;
}else{
return false;
}
Says if there is an error return true not sure if that is the case as i don't know what $this->query or ->error() is but I imagine $this->query must return $this or some object that would contain the error. It's just confusing worded that way.
I'm after some advice...
Currently we have an Ubuntu Server through Vultr.com running a MySQL database, this is connected to a php site sitting on a Windows Server 2012 VM, this all works great no issues. We want to get away from having 2 servers and put the MySQL db on to the Windows Server VM, the MySQL is set up in exactly the same way as on the Ubuntu, db is a backup copy of the live, created replica php site for testing. All remote connections are established, tested using MySQL Workbench. Everything is the same, but for some reason I can't work out why the site connected to the local MySQL db on the Windows Server VM doesn't run through the code. I've put a copy of section of the query.log files for both machines, and the Windows log Quits running the code, but doesn't error. I've used the same code, Is there something in Windows Server that MySQL may not like or something I have maybe missed off on Installation.
I have used the site previously on a Windows Server VM but that had Plesk running and that was problem free also.
Vultr.Log - Ubuntu
160720 21:36:30 34489 Connect mysqluser#mail.MyDomain on MyDB
34489 Query CALL sp_pages('login.php')
34489 Query SELECT * FROM user WHERE email = 'me#me.com'
34489 Query INSERT INTO userhist (`UserID`, `DateOfAction`, `ActionType`) VALUES ('1', '2016-07-20 21:34:12', 'LogIn')
34489 Quit
34490 Connect mysqluser#mail.MyDomain on
34490 Init DB MyDB
34491 Connect mysqluser#mail.spagetti.uk on sirps
34491 Query SELECT * FROM user WHERE id = '1'
34491 Query SELECT * FROM usergroups WHERE id = '3'
34491 Query INSERT INTO usershist (`UserID`, `DateOfAction`, `ActionType`) VALUES ('1', '2016-07-20 21:34:13', 'index.php')
34491 Query CALL sp_pages('index.php')
34491 Quit
Windows Server Log
2016-07-20T21:33:57.151901Z 2023 Connect mysqluser#localhost on MyDB using TCP/IP
2016-07-20T21:33:57.151901Z 2023 Query CALL sp_pages('login.php')
2016-07-20T21:33:57.151901Z 2023 Query SELECT * FROM user WHERE email = 'me#me.com'
2016-07-20T21:33:57.151901Z 2023 Quit
I thought there maybe a connection issue, but tested and tested that and it connects, looked at the firewall and 3306 is established as a port on the server.
Has anyone an idea as to where I could look next?
I've been searching and trying so many different things through the day to no avail
init.php
<?php
session_start();
error_reporting (E_ALL);
ini_set('display_errors', 'true');
date_default_timezone_set("Europe/London");
ini_set('session.save_path', 'J:\PHPSessions');
$GLOBALS['config'] = array(
'mysql' => array(
'host' => 'localhost',
'username' => 'MyUser',
'password' => 'MyPwd',
'db' => 'MyDB'
),
'remember' => array(
'cookie_name' => 'hash',
'cookie_expiry' => 604800
),
'session' => array(
'session_name' => 'user',
'token_name' => 'token'
)
);
// Autoload classes
function autoload($class) {
require_once 'classes/' . $class . '.php';
}
spl_autoload_register('autoload');
// Include functions
require_once 'functions/sanitize.php';
// Check for users that have requested to be remembered
if(Cookie::exists(Config::get('remember/cookie_name'))) {
$hash = Cookie::get(Config::get('remember/cookie_name'));
$hashCheck = DB::getInstance()->get('userssession', array('hash', '=', $hash));
if($hashCheck->count()) {
$user = new User($hashCheck->first()->userid);
$user->login();
}
}
db.php
<?php
class DB {
public static $instance = null;
private $_pdo = null,
$_query = null,
$_error = false,
$_results = null,
$_count = 0;
private function __construct() {
try {
$this->_pdo = new PDO('mysql:host=' . Config::get('mysql/host') . ';dbname=' . Config::get('mysql/db'), Config::get('mysql/username'), Config::get('mysql/password'));
} catch(PDOExeption $e) {
die($e->getMessage());
}
}
public static function getInstance() {
// Already an instance of this? Return, if not, create.
if(!isset(self::$instance)) {
self::$instance = new DB();
}
return self::$instance;
}
public function query($sql, $params = array()) {
$this->_error = false;
if($this->_query = $this->_pdo->prepare($sql)) {
$x = 1;
if(count($params)) {
foreach($params as $param) {
$this->_query->bindValue($x, $param);
$x++;
}
}
if($this->_query->execute()) {
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function get($table, $where) {
return $this->action('SELECT *', $table, $where);
}
public function delete($table, $where) {
return $this->action('DELETE', $table, $where);
}
public function action($action, $table, $where = array()) {
if(count($where) === 3) {
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)) {
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error()) {
return $this;
}
}
return false;
}
}
public function insert($table, $fields = array()) {
$keys = array_keys($fields);
$values = null;
$x = 1;
foreach($fields as $value) {
$values .= "?";
if($x < count($fields)) {
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES ({$values})";
if(!$this->query($sql, $fields)->error()) {
return true;
}
return false;
}
public function update($table, $id, $fields = array()) {
$set = null;
$x = 1;
foreach($fields as $name => $value) {
$set .= "{$name} = ?";
if($x < count($fields)) {
$set .= ', ';
}
$x++;
}
$sql = "UPDATE users SET {$set} WHERE id = {$id}";
if(!$this->query($sql, $fields)->error()) {
return true;
}
return false;
}
public function results() {
// Return result object
return $this->_results;
}
public function first() {
return $this->_results[0];
}
public function count() {
// Return count
return $this->_count;
}
public function error() {
return $this->_error;
}
}
user.php
<?php
class User {
private $_db,
$_sessionName = null,
$_cookieName = null,
$_data = array(),
$_isLoggedIn = false;
public function __construct($user = null) {
$this->_db = DB::getInstance();
$this->_sessionName = Config::get('session/session_name');
$this->_cookieName = Config::get('remember/cookie_name');
// Check if a session exists and set user if so.
if(Session::exists($this->_sessionName) && !$user) {
$user = Session::get($this->_sessionName);
if($this->find($user)) {
$this->_isLoggedIn = true;
} else {
$this->logout();
}
} else {
$this->find($user);
}
}
public function exists() {
return (!empty($this->_data)) ? true : false;
}
public function find($user = null) {
// Check if user_id specified and grab details
if($user) {
$field = (is_numeric($user)) ? 'id' : 'username';
$data = $this->_db->get('user', array($field, '=', $user));
if($data->count()) {
$this->_data = $data->first();
return true;
}
}
return false;
}
public function create($fields = array()) {
if(!$this->_db->insert('user', $fields)) {
throw new Exception('There was a problem creating an account.');
}
}
public function update($fields = array(), $id = null) {
if(!$id && $this->isLoggedIn()) {
$id = $this->data()->id;
}
if(!$this->_db->update('user', $id, $fields)) {
throw new Exception('There was a problem updating.');
}
}
public function login($username = null, $password = null, $remember = false) {
if(!$username && !$password && $this->exists()) {
Session::put($this->_sessionName, $this->data()->id);
} else {
$user = $this->find($username);
if($user) {
if($this->data()->password === Hash::make($password, $this->data()->salt)) {
Session::put($this->_sessionName, $this->data()->id);
if($remember) {
$hash = Hash::unique();
$hashCheck = $this->_db->get('users_session', array('user_id', '=', $this->data()->id));
if(!$hashCheck->count()) {
$this->_db->insert('users_session', array(
'user_id' => $this->data()->id,
'hash' => $hash
));
} else {
$hash = $hashCheck->first()->hash;
}
Cookie::put($this->_cookieName, $hash, Config::get('remember/cookie_expiry'));
}
return true;
}
}
}
return false;
}
public function hasPermission($key) {
$group = $this->_db->query("SELECT * FROM groups WHERE id = ?", array($this->data()->group));
if($group->count()) {
$permissions = json_decode($group->first()->permissions, true);
if($permissions[$key] === 1) {
return true;
}
}
return false;
}
public function isLoggedIn() {
return $this->_isLoggedIn;
}
public function data() {
return $this->_data;
}
public function logout() {
$this->_db->delete('users_session', array('user_id', '=', $this->data()->id));
Cookie::delete($this->_cookieName);
Session::delete($this->_sessionName);
}
}
simple index.php version of my code
<?php
require 'core/init.php';
$user = new User();
if(Session::exists('home')) {
echo '<p>', Session::flash('home'), '</p>';
}
if($user->isLoggedIn()) {
?>
<p>Hello <?php echo escape($user->data()->username); ?>!</p>
<ul>
<li>Log out</li>
<li>Change password</li>
<li>Update details</li>
</ul>
<?php
if($user->hasPermission('admin')) {
?>
<p>You're also an administrator!</p>
<?php
}
} else {
echo 'You need to log in or register!';
}
Simple version of login.php
<?php
require 'core/init.php';
if(Input::exists()) {
if(Token::check(Input::get('token'))) {
$user = new User();
$remember = (Input::get('remember') === 'on') ? true : false;
$login = $user->login(Input::get('username'), Input::get('password'), $remember);
if($login) {
Redirect::to('index.php');
} else {
echo '<p>Sorry, that username and password wasn\'t recognised.</p>';
}
}
}
?>
<form action="" method="post">
<div class="field">
<label for="username">Username:</label>
<input type="text" name="username" id="username">
</div>
<div class="field">
<label for="password">Password:</label>
<input type="password" name="password" id="password">
</div>
<div class="field">
<label for="remember">
<input type="checkbox" name="remember" id="remember"> Remember me
</label>
</div>
<input type="submit" value="Log in">
<input type="hidden" name="token" value="<?php echo Token::generate(); ?>">
</form>
hash.php
<?php
class Hash {
public static function make($string, $salt = '') {
return utf8_encode(hash('sha256', $string . $salt));
}
public static function salt($length) {
return mcrypt_create_iv($length);
}
public static function unique() {
return self::make(uniqid());
}
}
Thanks
I was following this tutorial on Udemy about building login form. Everything went well.
Now I'm trying to reuse the code. The problem I'm having is when I'm trying to query all entries from a database in order to get a total number of websites. Could you please advise?
Here is my count function (this is where I'm having issues in obtaining a total number of entries to the database for pagination):
function get_all_websites(){
$all = array();
$db = DB::getInstance();
$all = $db->query("SELECT * FROM website");
if(!$all->count()){
echo 'No Websites available. Please check back later.';
} else {
foreach($all->results() as $all){
$all->id = $all;
}
}
return $all;
}
function get_websites_count(){
return count(get_all_websites());
}
if I use this I get all ID's listed.
function get_all_websites(){
$all = array();
$db = DB::getInstance();
$all = $db->query("SELECT * FROM website");
if(!$all->count()){
echo 'No Websites available. Please check back later.';
} else {
foreach($all->results() as $all){
echo $all->id;
}
}
}
Database class.
class DB{
private static $_instance = null;
private $_pdo,
$_query,
$_error = false,
$_results,
$_count = 0;
private function __construct(){
try {
$this->_pdo = new PDO('mysql:host=' .
Config::get('mysql/host') . ';dbname=' .
Config::get('mysql/db'),
Config::get('mysql/username'),
Config::get('mysql/password'));
} catch(PDOException $e){
die($e -> getMessage());
}
}
public static function getInstance(){
if(!isset(self::$_instance)) {
self::$_instance = new DB();
}
return self::$_instance;
}
public function query($sql, $params = array()){
$this->_error = false;
// Check if query has been prepared properly
if($this->_query = $this->_pdo->prepare($sql)){
$x = 1;
if(count($params)){
foreach($params as $param){
$this->_query->bindValue($x, $param);
$x++;
}
}
// If the query has been prepared successfuly, store the result
if($this->_query->execute()){
$this->_results = $this->_query->fetchAll(PDO::FETCH_OBJ);
$this->_count = $this->_query->rowCount();
} else {
$this->_error = true;
}
}
return $this;
}
public function action($action, $table, $where = array()){
if(count($where) === 3){
$operators = array('=', '>', '<', '>=', '<=');
$field = $where[0];
$operator = $where[1];
$value = $where[2];
if(in_array($operator, $operators)){
$sql = "{$action} FROM {$table} WHERE {$field} {$operator} ?";
if(!$this->query($sql, array($value))->error()){
return $this;
}
}
}
return false;
}
// QUERYING DATA FROM DATABASE
public function get($table, $where){
return $this->action('SELECT *', $table, $where);
}
// DELETING DATA FROM DATABASE
public function delete($table, $where){
return $this->action('DELETE', $table, $where);
}
// INSERTING DATA INTO DATABASE
public function insert($table, $fields = array()){
$keys = array_keys($fields);
$values = '';
$x = 1;
foreach($fields as $field){
$values .= "?";
if($x < count($fields)){
$values .= ', ';
}
$x++;
}
$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES({$values})";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function results(){
return $this->_results;
}
public function update($table, $id, $fields){
$set = '';
$x = 1;
foreach($fields as $name => $value){
$set .= "{$name} = ?";
if($x < count($fields)){
$set .= ', ';
}
$x++;
}
$sql = "UPDATE {$table} SET {$set} WHERE id = {$id}";
if(!$this->query($sql, $fields)->error()){
return true;
}
return false;
}
public function first(){
return $this->results()[0];
}
public function error(){
return $this->_error;
}
public function count(){
return $this->_count;
}
}
This part doesn't seem right:
} else {
foreach($all->results() as $all){
$all->id = $all;
}
}
return $all;
but I'm not exactly sure what you want.
We could append each id to an array called $allWebsiteIds:
} else {
foreach($all->results() as $all){
$allWebsiteIds[] = $all->id;
}
}
return $allWebsiteIds;
That might give you what you want.
SQL provides built-in support for counting rows in a table.
SELECT COUNT(*) FROM ...
This is highly optimizable and avoids loading every row into PHP's memory.
Additionally, pay close attention to the construct of your loops; specifically what it means to say:
foreach($foo as $foo)
As part of your study, you should be able to say why that expression is almost never the intended one.
There is a broader rule: Never mutate that which you are iterating over.
Why not use the select to count the rows?
SELECT COUNT(1) FROM website;