I've been working on a website, and currently at the stage of login/session handling.
I want to know what is a better design in your opinion. (this website will be available to the public, so it should be user-friendly too).
P.S. sorry if this is not the correct php 'conventions', I am used to c/c++ programming.
Design #1:
define("LOGGED_IN", false);
define("USERNAME", "Guest");
define("PASSWORD", "");
define("PLAYER_ID", -1);
...
if (!LOGGED_IN) {
header("Location: login.php");
} else {
...
}
...
if ({condition for successful login}) {
define("LOGGED_IN", true);
define("USERNAME", "AJ");
define("PASSWORD", "nottellingu");
define("PLAYER_ID", 1);
}
...
printf("Hi, %s. Have a nice day.", USERNAME);
Design #2:
class user {
private $id;
private $logged_in;
private $username;
private $password;
public function __construct($id, $username, $password, $logged_in = false) {
$this->id = $id;
... blablabla
}
public function get_id() {
return $this->id;
}
... blablabla (pretend i declared all needed functions)
}
...
if ({condition for successful login}) {
$id = get_userid($_SESSION['USERNAME']]);
$user = new user($id, $_SESSION['USERNAME'], $_SESSION['PASSWORD'], true);
}
...
printf("Hi, %s. Have a nice day.", $user->get_username());
You can give me your designs aswell.
Thanks
I think either way is okay. It really just depends on what you are trying to accomplish. If you are going to be consistently pulling user info, a class might be better. If you are going to just need a few basic things like ID and name and whether or not they are logged in, the first option is simpler and will work fine for that purpose.
There is no point to over complicating something when you can do it a simple way and be done with it.
IMO, design approach #2 is better. Not only do you get encapsulation for anything user related, but it is also modular, so you can refer to any of the attributes anywhere throughout your codebase.
You may also want to do some googling and see if there is a stand-alone user login system you can use, vs. re-inventing the wheel.
Related
Usually I use a voter on the user who is connected (me) to see if I can do an action or not.
if ($this->isGranted('TRAVEL', $city)) {
$this->goToCity($this->getUser(), $city);
}
But this time I would like to use my voter on a user that I will search in the database, to check if this user can or can't do this same action.
$another_user = $doctrineStuff->getRepo(Foo:bar)->getUser(123);
if ($this->isGranted('TRAVEL',$city, $another_user)) {
$this->goToCity($another_user, $city);
}
Is this possible?
How to go about it, I can't find anything about this problem. Maybe except simulating a home-made voter that doesn't check a user from his token but from his instance.
The basic idea is to create your own security token for the user and then use the AccessDecisionManager::decide method instead of the AuthorizationChecker::isGranted method.
class SomeController {
public function someAction(
AccessDecisionManagerInterface $adm,
EntityManagerInterface $em)
{
$user = $em->find(User::class,123);
$token = new UsernamePasswordToken($user,'firewall',$user->getRoles());
if ($adm->decide($token,['TRAVEL'],$city) {
whatever;
Don't worry about the firewall name. It won't be used by the voter system unless you have a very unusual voter. It's used in this example because the TokenInterface is surprisingly complex (13 methods!) so it easiest to use an existing implementation. You could refine things a bit by making your own token class:
class UserToken extends AbstractToken {
public function __construct(User $user) {
parent::__construct($user->getRoles());
$this->setUser($user);
It's also worth noting that the suggestion to directly use the access decision manager comes from the isGranted code:
# AuthorizationChecker
final public function isGranted(mixed $attribute, mixed $subject = null): bool
{
$token = $this->tokenStorage->getToken();
if (!$token || !$token->getUser()) {
$token = new NullToken();
}
return $this->accessDecisionManager->decide($token, [$attribute], $subject);
}
}
As time goes by you might want to keep an eye on any tweaks here. Tweaking the Security component seems to be a bit of a hobby for some of the core Symfony developers. But I don't expect any breaking changes.
I was recently experimenting with a "User.class" which handles login and logout (and some other functions). Login was easy to get to work, but logout was worse, because i didnt maintain the $user - object which i had declared in the beginning. Which took me way to long to understand.
I have a button for "log out", and i wanted to use my class to "do stuff" when i logged out. One way could be to do a classic one :
if(isset($_GET["logout"])) {
//do stuff in db
session_destroy();
header("Location: index.php");
}
but since i was using class and functions in that class, i wanted to call
if(isset($_GET["logout"])) {
$user->logOut();
}
But this didnt work. As said.
I found out that i could, after login, save the object in a serialized sessionvariable.
if(isset($_GET["login"])) {
$user = new User($dbh, $_POST["uid"], $_POST["key"]);
$r = $user->login();
$_SESSION["userObj"] = serialize($user);
}
if(isset($_GET["logout"])) {
$user = unserialize($_SESSION["userObj"]);
$user->logOut();
}
And, this is working.
But i think, i am handling this quite, bad on the "User.class" page, where i have this code:
public function __sleep() {
return array("login_id", "uid");
}
public function __wakeup() {
include_once("conn.php");
global $dbh;
$this->db = $dbh;
unset($dbh);
}
As you see, i have my database connection in another file, and during __wakeup(), i need to reinitialize the database conneciton.
Question is, is this good or bad practice?
This is totally new for me... :)
Currently I have the code below which registers a user.
It doesn't check to see if the username currently exists or anything like that, that is something that I want to implement.
I've never known how to use php objects and forms together. Any help will be much appreciated.
register.php
The page checks to see if a user is already logged in, either way the form is still displayed and submits to itself. The database access details are stored in config.php as constants.
<?php
session_start();
include("includes/config.php");
if(isset($_SESSION['username'])) {
echo "You are currently logged in as: " . $_SESSION['username'];
echo "<br />";
include("nav.php");
echo "<hr />";
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Register</title>
</head>
<body>
<?php
$odb = new PDO("mysql:host=" . DB_SERVER . ";dbname=" . DB_NAME, DB_USER, DB_PASS);
if (isset($_POST['firstName'])) {
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5(DB_SALT.$password);
$type = $_POST['type'];
$date=date("Y-m-d");
$time=date("H:i:s");
$sql = "INSERT INTO tblMembers (firstName, lastName, username, passwordHash, type, joinedDate, joinedTime, lastActiveDate, lastActiveTime) VALUES (:firstName, :lastName, :username, :passwordHash, :type, :joinedDate, :joinedTime, :lastActiveDate, :lastActiveTime);";
$query = $odb->prepare($sql);
$results = $query->execute(array(
":firstName" => $firstName,
":lastName" => $lastName,
":username" => $username,
":passwordHash" => $password,
":type" => $type,
":joinedDate" => $date,
":joinedTime" => $time,
":lastActiveDate" => $date,
":lastActiveTime" =>$time
));
}
?>
<form method="post" action="">
Name: <input type="text" id="firstName" name="firstName" value="Michael" /><br />
Last Name: <input type="text" id="lastName" name="lastName" value="Norris" /><br />
Username: <input type="text" id="username" name="username" value="mstnorris" /><br />
Password: <input type="password" id="password" name="password" value="password" /><br />
Type: <input type="text" id="type" name="type" value="4" /><br />
<input type="submit" value="Add" />
</form>
</body>
</html>
I know how to write php objects using classes. This is what I had previously although I have been told that the methods I used are outdated. If anyone can shed any light on how to update it, it sure would help.
<?php
require_once("database.php");
class Member extends DatabaseObject {
protected static $table_name = "tblMembers";
var $firstName = "Mike"; // initiating the $firstName variable
var $lastName = "Norris"; // initiating the $lastName variable
var $username = "mstnorris"; // initiating the $username variable
var $password = "password"; // initiating the $password variable
var $reviews = "0"; // initiating the $reviews variable
var $type = "4"; // initiating the $type variable
function __construct($firstName, $lastName, $username, $password, $reviews, $type) {
$this->firstName = $firstName;
$this->lastName = $lastName;
$this->username = $username;
$this->password = $password;
$this->reviews = $reviews;
$this->type = $type;
//$this->insert($firstName, $lastName, $username, $password, $type);
}
function set_firstName($firstName) {
$this->firstName = $firstName;
}
function get_firstName() {
return $this->firstName;
}
function set_lastName($lastName) {
$this->lastName = $lastName;
}
function get_lastName() {
return $this->lastName;
}
function get_fullName() {
if (isset($this->firstName) && isset($this->lastName)) {
return $this->firstName . " " . $this->lastName;
} else {
return "";
}
}
function set_username($username) {
$this->username = $username;
}
function get_username() {
return $this->username;
}
function set_password($password) {
$this->password = md5(DB_SALT.$password);
}
function get_password() {
return $this->password;
}
public static function authenticate($username="", $password="") {
global $database;
$username = $database->escape_value($username);
$password = $database->escape_value($password);
$passwordHash = md5(DB_SALT.$password);
$sql = "SELECT * FROM tblMembers ";
$sql .= "WHERE username = '{$username}' ";
$sql .= "AND passwordHash = '{$passwordHash}' ";
$sql .= "LIMIT 1";
$result_array = self::find_by_sql($sql);
if (!empty($result_array)) {
//echo "true";
return array_shift($result_array); // Pulling first element from array
} else {
//echo "false";
return false; // Ability to ask whether we return something
}
}
public function insert($firstName, $lastName, $username, $password) {
$database = new Database();
$database->query("INSERT INTO tblMembers VALUES ('','{$firstName}','{$lastName}','{$username}','{$password}','4')");
}
// Common Database Methods
private static function instantiate($record) {
$object = new self;
foreach ($record as $attribute=>$value) {
if ($object->has_attribute($attribute)) {
$object->$attribute = $value;
}
}
return $object;
}
public static function find_all() {
return self::find_by_sql("SELECT * FROM ".self::$table_name);
}
public static function find_by_id($id=0) {
global $database;
$result_array = self::find_by_sql("SELECT * FROM ".self::$table_name." WHERE userID={$id} LIMIT 1");
if (!empty($result_array)) {
return array_shift($result_array); // Pulling first element from array
} else {
return false; // Ability to ask whether we return something
}
}
public static function find_by_sql($sql="") {
global $database;
$result_set = $database->query($sql);
$object_array = array();
while ($row = $database->fetch_array($result_set)) {
$object_array[] = self::instantiate($row);
}
return $object_array;
}
private function has_attribute($attribute) {
$object_vars = get_object_vars($this);
return array_key_exists($attribute, $object_vars);
}
}
?>
Can the MVC approach be used with AJAX? Also, with that in mind, the AJAX code I have used before in other projects use $_GET, is there any problems with this as the data is never being sent to the address bar? If so, how do I use $_POST with AJAX?
Mike:
your set a getter and a setter like this:
class Spam
{
public $attr;
public $var;
public $arg;
/* __construct, __set, and __get
these are all special functions
we know this from the double underscore */
function __construct ()
{
// construction code
}
function __set ( $arg0, $arg1 )
{
$this->$arg0 = $arg1;
}
function __get ( $arg )
{
return $this->$arg;
}
}
and you would call it from your code as follows:
// this calls the __constructor function
$barney = new Spam();
// this calls the __set function
$barney->attr = "garnished with spam & eggs";
// this calls the __get function
$attrValue = $barney->attr;
This reduces the need to call a different method to set/get the values of your variable. This will only work on public variables as private and protected variables cannot be accessed from outside of your class.
Also, it is a good idea to have separate views, models, and controllers. Your controller is the script that the form submits to, your model is the class that is instantiated, and your view is where the user sends the information from. This will make your code easier to understand, rather than having your controller and view together.
Are you restricted to PHP4 for some reason? Or did you download some really old code and you're now trying to get it to work?
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[ UPDATE 2.27.2013 ]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
OOP PHP Programming in Conjunction with JavaScript AJAX technology
Model-View-Controller:
MVC is not specific to PHP. MVC is a software design pattern that aims to solve a maintainability problem in code that combines separate
components of the code in ways that make the code less readable and
hard to maintain, which in the end is also a security risk.
Model-View-Controller is typically implemented via frameworks. In
regards to PHP there are frameworks available such as Zend,
CodeIgniter, CakePHP, etc. There frameworks implement the model view
controller through the document tree, although you can create your own
PHP framework (which isn't a good idea given your new to the
language), its probably better to use one that has already been
around. These frameworks may also enforce their own standards that result
in better code.
To understand a maintainable MVC framework you should be familiar with coding a website > > entirely in PHP. That means you should be using PHP classes [modules|models] to
dynamically generate the HTML pages[the view] depending what the user has done[the
controller file controls the model].
You question is very vague and its hard to tell what your asking, however, I get the
impression you're unable to figure out what MVC is and how to use it. Suppose you've
just created a layout for a website you will be developing. Since it
isn't possible to predict the size of your user's screen, you're
layout was designed in the browser. Your layout [or template if you
will] should be standard compliant HTML5 or XHTML. It should not be
constructed with images. Some people may disagree with me on this but
with the exception of your logo/header(though some use text for this
too), you should not have any tags are part of your
template(this is before any content has been written, obviously you'll
probably want to use a lot of images in your content). Your view at
this point should be HTML and CSS - any images that are a part of your
layout (ie patterns, backgrounds, anything layout specific) should be
in the CSS of your website. This is kind of the same reason that we
use the MVC pattern - it separates what should be separate.
You take your layout as the HTML and you write a PHP class[module]
that contains functions, for example we'll use
$view->showLeadboard();, $view->showAds(); $view->showFooter();
$view->setTitle("Title");, $view->setDescription("Description");...
This assumes that you've instantiated your class. Perhaps you don't
want to instantiate a class and you'd prefer to use static methods,
the choice is yours but you should understand what you're doing well
enough to have good reasons for doing it.
Now that your view is held inside of a PHP module you can worry about
your content. Chances are, if your website is dynamic, there will be
multiple pages and locations on those pages that contain dynamic
content from a database, or forms (we're still inside of the view)
that submit data to the controller.
Suppose somebody is registering at your website. The go to your
domain and a view is generated based on the request to
www.site.com and the view that is generated is the index page. This person who has come to your page has decided to register for an
account with your service. They click on the "register" hyperlink and
another view is generated that displays a form for them to create
their login credentials. They fill the form out click submit. The
information supplied in the form is submitted to a controller(we're
not talking about ajax or implementing an MVC design pattern for our
javascript code right now), we'll say that the view
site.com/register submits to the controller site.com/engine/process.php. Process.php filters/sanitizes the user data from the form and instantiates the correct class(model,
we'll call this one new User) that will then make a database
call through one of its methods, or maybe even through its
constructor(you should be aware of the magic methods available to you
in PHP) and this the result of this query mutates the view to be
slightly different depending on what the controller told the model and
what the model told the view.
I don't even know what I can say about your question regarding AJAX - given your position with PHP I'm going to guess that you're using JQuery for ajax calls. If this is the case you do not need to implement a model-view-controller from your jquery files, you can just create a jquery script and then add a method to your view that calls that script and implements it.
All in all if you are struggling to understand what a common pattern like MVC is and how to use it you should really go back to the basics. I can't stress enough that the online tutorials aren't going to help you if you don't understand why the author used the solution that they used and chances are they're not explaining that to you because its sometime simple that you should be able to understand yourself provided you have a basic understanding of the php language, its syntax, and how to solve problems with it. This all comes just from spending time with the language, learning how it works, and learning what it doesnt do well and what it does do well.
Ok, you have a couple of questions wrapped into one large question but I'll try to answer them as best as I can. I'll answer them in the order of importance.
How do you update your class(es).
How to structure forms better.
How to check login status.
Most applications now use some form of an MVC architecture. Models, Views, and Controllers are a way of separating responsibilities to classes. Here's a brief tutorial on MVC architecture for PHP. With that said, there are a number of open source frameworks that you can use like, Zend, CakePHP and more.
Try using one of the strategies for MVC or try a framework.
Try not to have the form self submit to itself. Instead route it to a seperate page and handle the logic there. Also you can wrap your inputs into and array by using the [] notation. For example: <input type="text" name="user[firstname]" />
However If you are just doing a login form, then all you need is some unique form of identification and a credential (e.g. username and password).
There are several ways to persist users' login status, chiefly used are sessions and cookies. Storing the entire model in the session or cookie is usually frowned upon. Instead try storing the username and a unique key that you can compare against in a database.
Using cookies gives you more control over how long you want the session to last.
The users when they sign up are given a default 'member_type' as "User". I'm trying to restrict access to certain pages from "Users" and unauthenticated visitors using $_SERVER['SCRIPT_NAME'] using a function stored in the header.php.
The concept is sound (I believe) but I really need some fresh eyes to help me solve the logic.
Here is the function in the header:
$basicAuth = array("member.php", "order.php", "logout.php");
$adminonly = array("admin.php", "v_feedback.php", "user.php", "v_content.php", "product.php");
restrictAccess($basicAuth, $adminonly);
And here is the function in its entirety:
function restrictAccess($basicAuth, $adminonly){
$error = "You do not have the authentication privileges to access this area, go home.";
if (isset($_SESSION['type'])){
$auth = "Basic";
if($_SESSION['type']=="Admin"){
$auth = "Admin";
}
} else {
$auth = "None";
}
//For testing purposes
echo $auth;
if ($auth == "None"){
if(($_SERVER['SCRIPT_NAME']==$basicAuth)||($_SERVER['SCRIPT_NAME']==$adminonly)){
echo $error;
exit();
}
}elseif($auth =="Basic"){
if(($_SERVER['SCRIPT_NAME'])==$adminonly){
echo $error;
exit();
}
}
}
I have a feeling that it something to do with the logic behind the way I've structured it which is to fault.
Thank you.
if($_SERVER['SCRIPT_NAME']==$basicAuth) is completely wrong.
You can not compare array and a string.
if(array_search($_SERVER['SCRIPT_NAME'],$basicAuth) !== FALSE) would serve, but You better use keys instead of values, and then if(array_key_exists($_SERVER['SCRIPT_NAME'],$basicAuth)).
And, by the way, isn't it simplier to include "basicAuthNeeded.php" into some scripts and "adminAuthNeeded.php" into other instead of Your method?
Or else use more complex but more flexible method (define some roles, define resources and use some checkPermissions($role, $resource))?
I know, globals not (;
I am new to OOP, and I'm refactoring some functions I created into classes, but I come to a problem. Some of my classes are called from the pages themselves that the users enter (example: $Link->create('page/to/go');). Since this is outside any class, there's no problem, the links get created.
But then, I have a class that attempts to login the user when created, and if the email entered is not in the database it redirects the user to the register page. Obviously, only doing header ('Location '.$Link->create('page/to/go')) does not work.
What I would do is to set the create method as static and then call it from everywhere. But I think this would be similar to using globals and I am trying to correct bad habits. So how should I do this?
Here's some of the code for the class Link, implementing a 404-detect that I explained here:
class Link
{
private function valid($check)
{
$exceptions=array("help/report", "translate"); // More pages and rules to be added
return in_array($check,$exceptions);
}
public function create($arg)
{
if (!file_exists("/path/to/".$arg) && !$this->valid($arg))
{
// Call a function to store the error in a database.
error ("404 for ".$arg);
// One way of handling it. Replace '/' for ' ' and google that string in this page.
$arg=str_replace("/","%20",$arg);
return "https://www.google.com/#q=site%3A".Configuration::get('BaseUrl')."%20".$arg;
}
else
{
// If the page exists or is an exception, create the normal link.
if(empty($arg)) return Configuration::get('BaseUrl');
else return Configuration::get('BaseUrl').$arg;
}
}
}
As you can see in the code, when I implement error() into a class I will have a similar problem.
One option I just thought is that I might want to return an error and parse it from outside the __construct() of the User class. But it only works with this, as it's a yes/not, and I don't think making a error code up is proper for other cases.
So, what is your suggestion for passing properties and methods from one classes to others? Is it okay to use static for this context?
EDIT. The difficulty of my question it's that, almost all book, tutorial, page etc I've seen talks about how to create a SINGLE class. I haven't seen any explaining deeply how classes should talk to each other.
EDIT 2. As requested in the comments, here goes some more code. The user accesses his courses entering only the email (getting a level 1), while the user can only edit his settings if he gets a level 2 in the settings page. Not finished as I'll put some more methods.
class User
{
private $Email;
private $Name;
public function __construct()
{
if (!empty($_POST['logout'])) session_destroy();
else if ( !empty($_POST['email']) )
{
$this->loginEmail($_POST['email']);
}
else if ( $_SESSION['level'] == 1 )
{
if (!empty($_POST['password']))
{
$this->loginFull($_SESSION['email'],$_POST['password']);
}
else
{
$this->loginEmail($_SESSION['email']);
}
}
else if ( $_SESSION['level'] == 2 )
{
$this->loginFull($_SESSION['email'],$_SESSION['pass']);
}
else session_destroy();
}
private function loginEmail($Email)
{
$sql=mysql_query("SELECT * FROM users WHERE email='".mysql_real_escape_string($Email)."'"); //Retrieve the entries from the database
$row=mysql_fetch_assoc($sql);
if(mysql_num_rows($sql)==1)
{
$this->getData($row);
$_SESSION['level']=1;
}
else header ('Location: http://example.org/new/student/');
}
private function loginFull($Email,$Pass)
{
$sql=mysql_query("SELECT * FROM users WHERE email='".mysql_real_escape_string($Email)."' AND pass='".md5($Pass)."'"); //Retrieve the entries from the database
$row=mysql_fetch_assoc($sql);
if(mysql_num_rows($sql)==1)
{
$this->getData($row);
$_SESSION['pass']=$Pass;
$_SESSION['level']=2;
}
else $this->loginEmail($Email);
}
private function getData($row)
{
$_SESSION['email']=$row['email'];
$this->Email=$row['email'];
$this->Name=$row['name'];
}
public function get($Var)
{
return $this->$Var;
}
}
And now the class Error. As you can see, I already performed some DI without even knowing about it here.
class Error
{
private $Page;
private $Language;
private $User;
public function __construct($Page,$Language,$User="None")
{
$this->Page=$Page;
$this->Language=$Language;
$this->User=$User;
if (!empty($_REQUEST['banner']))
$this->Banner=$_REQUEST['banner'];
}
public function add($Kind)
{
if (!mysql_query("INSERT INTO error (kind, page, lang, user, version, date) VALUES ('".mysql_real_escape_string($Kind)."', '".mysql_real_escape_string($this->Page)."', '".mysql_real_escape_string($this->Language)."', '".mysql_real_escape_string($this->User)."', '".Configuration::get('Version')."',NOW() )"))
mail(Configuration::get('ErrorEmail'), "Error '".$Kind."' that couldn't be stored.",
"Full url: ".$FullUrl."\n Language: ".$this->Language->Lang."\n User: ".$Identif."\n Version: ".$Version); // Inform of the error by email
}
}
Create instance of Link class and pass it to where it is needed (using setter or constructor).
Definitelly read something abou DI (Dependency Injection) and then DI Containers.
Nice introduction in Nette Framework - Dependency Injection
Singletons and Static aren't a good choice. In the end everything falls onto the globals problem.
You should inject your link helper into the classes by constructor or setter (DI as #jasir said).
If you'll redirect the user, you can also inject an redirector helper:
$redirector->redirect('controller','action', array('my','params'));
Hint: this is bad too Configuration::get(). Inject the config instead.
And always remember: Don't look for things!