Use Case:
Some areas of a website is restricted for member only, if user is logged in display page else redirect to login / registration form.
My Logic
I created a method inside the Users() class which simply check if a $_SESSION['userID'] is set.
The logic is if the $_SESSION[] is not set, then the user is not logged in since the $_SESSION['userID'] variable gets set on login. I came up with the following...
Method
public static function isLogged(){
if(!isset($_SESSION['userID'])){
header(':Location: login.php');
die();
}
}
Considering the above, I simply add the isLogged() method to the start of the page, and if the $_SESSION('userID') super global is not set the user gets redirected.
My Problems / Questions
The problem with the above is I cant out my mind to rest since:
The method seems inefficient...i.e there is a better (more efficient way of doing this)?
Im unsure whether there are any work arounds that unauthorized users can perform to view the page
I'm perhaps missing some critical info inside the isLogged() method?
Additional INFO
Login Method
public function login_user($newEmail, $newPword)
{
global $db;
$this->email = $newEmail;
$this->password = $newPword;
$sql = "SELECT * FROM bru_users WHERE email = :email AND password = :pword";
$stmnt = $db->prepare($sql);
$stmnt->bindValue(':email', $newEmail);
$stmnt->bindValue(':pword', $newPword);
$stmnt->execute();
$is_registered = $stmnt->rowCount();
if ($is_registered > 0) {
$users = $stmnt->fetchAll();
foreach ($users as $user) {
$userInfo[] = array('userID' => $user['userID'], 'email' => $user['email'], 'userName' =>$user['userName'], 'firstname' => $user['firstname'],
'lastname' => $user['lastname'], 'reg_date' => $user['registration_date']);
}
if(isset($userInfo)){
foreach ($userInfo as $start) {
$_SESSION['userID'] = $start['userID'];
$_SESSION['email'] = $start['email'];
$_SESSION['userName'] =$start['userName'];
$_SESSION['firstname'] = $start['firstname'];
$_SESSION['lastname'] = $start['lastname'];
}
}
} else {
return false;
}
return true;
}
Would greatly appreciate it if a more experienced coder can have a quick scan through this. Many Thanks
The method seems inefficient...i.e there is a better (more efficient way of doing this)?
No, session variables are reasonably efficient. This is the normal way of doing it.
Im unsure whether there are any work arounds that unauthorized users can perform to view the page
Only if they can hijack the session of an authorized user. But then pretty much all bets are off as far as user authentication. Hijacking a session would require them to get the other user's cookies. If you encrypt your connections with SSL, you're as safe as you can get.
I'm perhaps missing some critical info inside the isLogged() method?
Nope, that's all there is to it.
i have a normal php login which connects to a database authenticates the user, now i need to convert this to a login that uses yii framework, can anybody tell me in order to do so.. what are the first things that i should do and can i convert this to yii login. following is the current login function that i have to call
function login($usr,$pwd) {
$query = "SELECT * FROM login WHERE us.username='$usr' AND us.password='$pwd'; ";
$dataReader=$command->query();
$row = mysql_fetch_array($dataReader);
$log = new stdClass();
if($row) {
$pro->accountID = (int)$row['accountID'];
$pro->accountname = $row['accountname'];
$pro->usertype = (int)$row['usertype'];
$string = rand() . 'SURVAYLAND' . rand() . $usr. $pwd;
$_SESSION['SURVEY_AUTHENTICATE_KEY'] = md5($string);
} else {
$pro = false;
}
}
Whenever you call Yii::app()->user, you get an instance of CWebUser. This is the way Yii represents the user that it currently viewing your application.
This user can be logged in or access the app without login (in other words, be a guest).
Class CWebUser has a method called login, which, as you expected, logs in a user.
Method login() takes as argument an object that implements IUserIdentity interface.
The easiest way to make your own is to create a simple class (call it MyIdentity for exemple):
//this class' constructor takes a username and a password
class MyIdentity extends CUserIdentity
{
private $_id;
public function authenticate()
{
// check username and password in DB
// return true or false to signal whether user should be logged in
}
public function getId()
{
return $this->_id;
}
}
Then use what you just created to actually log in an user:
// Login a user with the provided username and password.
$identity=new MyIdentity($username,$password);
if($identity->authenticate())
Yii::app()->user->login($identity);
else
echo $identity->errorMessage;
I'm trying to learn MVC pattern but,even if I'm trying hard, it seems I still got big issues.
I have got a controller,named baseController that do the following:
class baseController {
public $model;
public $user;
...
$activeuser = $this->model->getlogin();
if ($activeuser != 'invalid user' && $activeuser != "") {
$this->user=$activeuser;
header("Location:home.php");
}
I have got a model.php file which contains the getlogin() function:
public function getlogin() {
if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) {
$username = mysql_real_escape_string($_REQUEST['username']);
$pwd = mysql_real_escape_string($_REQUEST['password']);
$pwd = md5($pwd);
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password ='$pwd' AND attivato =1;");
if (mysql_num_rows($query) == 1) {
require_once 'User.php';
$sql=mysql_fetch_array($query);
$activeuser = new User();
$activeuser->username=$sql['username'];
$activeuser->email=$sql['email'];
return $activeuser;
} else {
return 'invalid user'; //TO-DO
}
}
}
The home.php create a new homeController and calls its invoke() function.The homeController file include the view page,that's called afterlogin.php.
In the afterlogin.php I've got the "ERROR":
if (isset($activeuser)){
echo "<p>Utente ".$activeuser->username."</p>";
echo "<p>Email ".$activeuser->email."</p>";}
//echo "<p>Pass ".$activeuser->pwd."</p>";
echo"<h1> HOMEPAGE, LOGIN OK </h1>";
It seems the homeController,and so the afterlogin page cannot access the user created in the baseController file. If I try an echo inside the baseController of $this->user->username everything is working. What should I do?? HELP!!
The client-server lifecycle is effectively stateless; on every page load, your variables and objects are wiped out.
There are the client-sourced $_POST and $_GET superglobals, which is part of the standard form submission and url query processes.
The server has databases, file writing (sketchy from a security POV) and the $_SESSION superglobal. These are the ways the server can manage a data state between pageloads.
Understand that if you're using objects, you need to have them instantiated on every page load for them to work. You can store your user_ID in $_SESSION['user_ID'] and instantiate the user object from it every time, making appropriate changes according to how the data changes.
I am currently writing a login script because I am trying to learn PDO using OOP. I have a index.php page which only contain a login form. Then I have a User class, it looks like this:
<?php
include_once('database.php');
session_start();
class User{
public $id;
public $username;
public $password;
public $firstname;
public $lastname;
public function Login($username, $password) {
$db = new Database;
$db = $db->dbConnect();
$query = "SELECT * FROM users WHERE username = ? AND password = ?";
$statement = $db->prepare($query);
$statement->bindParam(1, $username);
$statement->bindParam(2, $password);
$statement->execute();
$rows = $statement->rowCount();
$data = $statement->fetchAll();
if( $rows == 1 ) {
$this->id = $data[0]['id'];
$this->username = $data[0]['username'];
$this->password = $data[0]['password'];
$this->firstname = $data[0]['firstname'];
$this->lastname = $data[0]['lastname'];
$_SESSION['SESSID'] = uniqid('', true);
header("location: dashboard.php");
}
}
}
?>
When the user is signed-in he/she goes to dashboard.php. I want to access the current User class from there, so I can use echo $user->username from there. But in dashboard.php, I have to declare the User class as new, so it doesn't keep all the variables.
Do you have any ideas on how i can access the User class variables in Dashboard.php which was declared in the Login-function?
Sorry for the bad explanation, but I hope you understand. Thank you in advance!
First off put your user class definition in another file and load it in like you do your database.php. In there you want only your class definition none of the session start business... <?php class User {....} ?> (the closing ?> is optionial).
so what you have now on your pages that need access to the user object is
<?php
include_once('database.php');
include_once('user.php');
session_start();
Then after a user has successfully logged you tuck the user in the session.
$_SESSION["user"] = $user;
Then when you want to get at it just say
$user = $_SESSION["user"];
echo $user->username;
What you could do is, put your user object into the session:
$obj = new Object();
$_SESSION['obj'] = serialize($obj);
$obj = unserialize($_SESSION['obj']);
or you could create a singleton, check out this link:
Creating the Singleton design pattern in PHP5
You have 2 options:
a) You store all the login info in a session.
b) You only store the user ID and some sort of identifier that the user has / is logged in, and create another method that will load the information from the database each time you load the page (bad idea really)
For example, you could add the following methods to your class in order to implement the above mentioned functionality and some more:
function createUserSession(array $userData) {
// Create / save session data
}
function readActiveUserSession() {
// Read current user information
}
function destroyActiveUserSession() {
// Call to destroy user session and sign out
}
Of course, you will have to add the appropriate code to the methods.
Currently I have the code below which registers a user.
It doesn't check to see if the username currently exists or anything like that, that is something that I want to implement.
I've never known how to use php objects and forms together. Any help will be much appreciated.
register.php
The page checks to see if a user is already logged in, either way the form is still displayed and submits to itself. The database access details are stored in config.php as constants.
<?php
session_start();
include("includes/config.php");
if(isset($_SESSION['username'])) {
echo "You are currently logged in as: " . $_SESSION['username'];
echo "<br />";
include("nav.php");
echo "<hr />";
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Register</title>
</head>
<body>
<?php
$odb = new PDO("mysql:host=" . DB_SERVER . ";dbname=" . DB_NAME, DB_USER, DB_PASS);
if (isset($_POST['firstName'])) {
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5(DB_SALT.$password);
$type = $_POST['type'];
$date=date("Y-m-d");
$time=date("H:i:s");
$sql = "INSERT INTO tblMembers (firstName, lastName, username, passwordHash, type, joinedDate, joinedTime, lastActiveDate, lastActiveTime) VALUES (:firstName, :lastName, :username, :passwordHash, :type, :joinedDate, :joinedTime, :lastActiveDate, :lastActiveTime);";
$query = $odb->prepare($sql);
$results = $query->execute(array(
":firstName" => $firstName,
":lastName" => $lastName,
":username" => $username,
":passwordHash" => $password,
":type" => $type,
":joinedDate" => $date,
":joinedTime" => $time,
":lastActiveDate" => $date,
":lastActiveTime" =>$time
));
}
?>
<form method="post" action="">
Name: <input type="text" id="firstName" name="firstName" value="Michael" /><br />
Last Name: <input type="text" id="lastName" name="lastName" value="Norris" /><br />
Username: <input type="text" id="username" name="username" value="mstnorris" /><br />
Password: <input type="password" id="password" name="password" value="password" /><br />
Type: <input type="text" id="type" name="type" value="4" /><br />
<input type="submit" value="Add" />
</form>
</body>
</html>
I know how to write php objects using classes. This is what I had previously although I have been told that the methods I used are outdated. If anyone can shed any light on how to update it, it sure would help.
<?php
require_once("database.php");
class Member extends DatabaseObject {
protected static $table_name = "tblMembers";
var $firstName = "Mike"; // initiating the $firstName variable
var $lastName = "Norris"; // initiating the $lastName variable
var $username = "mstnorris"; // initiating the $username variable
var $password = "password"; // initiating the $password variable
var $reviews = "0"; // initiating the $reviews variable
var $type = "4"; // initiating the $type variable
function __construct($firstName, $lastName, $username, $password, $reviews, $type) {
$this->firstName = $firstName;
$this->lastName = $lastName;
$this->username = $username;
$this->password = $password;
$this->reviews = $reviews;
$this->type = $type;
//$this->insert($firstName, $lastName, $username, $password, $type);
}
function set_firstName($firstName) {
$this->firstName = $firstName;
}
function get_firstName() {
return $this->firstName;
}
function set_lastName($lastName) {
$this->lastName = $lastName;
}
function get_lastName() {
return $this->lastName;
}
function get_fullName() {
if (isset($this->firstName) && isset($this->lastName)) {
return $this->firstName . " " . $this->lastName;
} else {
return "";
}
}
function set_username($username) {
$this->username = $username;
}
function get_username() {
return $this->username;
}
function set_password($password) {
$this->password = md5(DB_SALT.$password);
}
function get_password() {
return $this->password;
}
public static function authenticate($username="", $password="") {
global $database;
$username = $database->escape_value($username);
$password = $database->escape_value($password);
$passwordHash = md5(DB_SALT.$password);
$sql = "SELECT * FROM tblMembers ";
$sql .= "WHERE username = '{$username}' ";
$sql .= "AND passwordHash = '{$passwordHash}' ";
$sql .= "LIMIT 1";
$result_array = self::find_by_sql($sql);
if (!empty($result_array)) {
//echo "true";
return array_shift($result_array); // Pulling first element from array
} else {
//echo "false";
return false; // Ability to ask whether we return something
}
}
public function insert($firstName, $lastName, $username, $password) {
$database = new Database();
$database->query("INSERT INTO tblMembers VALUES ('','{$firstName}','{$lastName}','{$username}','{$password}','4')");
}
// Common Database Methods
private static function instantiate($record) {
$object = new self;
foreach ($record as $attribute=>$value) {
if ($object->has_attribute($attribute)) {
$object->$attribute = $value;
}
}
return $object;
}
public static function find_all() {
return self::find_by_sql("SELECT * FROM ".self::$table_name);
}
public static function find_by_id($id=0) {
global $database;
$result_array = self::find_by_sql("SELECT * FROM ".self::$table_name." WHERE userID={$id} LIMIT 1");
if (!empty($result_array)) {
return array_shift($result_array); // Pulling first element from array
} else {
return false; // Ability to ask whether we return something
}
}
public static function find_by_sql($sql="") {
global $database;
$result_set = $database->query($sql);
$object_array = array();
while ($row = $database->fetch_array($result_set)) {
$object_array[] = self::instantiate($row);
}
return $object_array;
}
private function has_attribute($attribute) {
$object_vars = get_object_vars($this);
return array_key_exists($attribute, $object_vars);
}
}
?>
Can the MVC approach be used with AJAX? Also, with that in mind, the AJAX code I have used before in other projects use $_GET, is there any problems with this as the data is never being sent to the address bar? If so, how do I use $_POST with AJAX?
Mike:
your set a getter and a setter like this:
class Spam
{
public $attr;
public $var;
public $arg;
/* __construct, __set, and __get
these are all special functions
we know this from the double underscore */
function __construct ()
{
// construction code
}
function __set ( $arg0, $arg1 )
{
$this->$arg0 = $arg1;
}
function __get ( $arg )
{
return $this->$arg;
}
}
and you would call it from your code as follows:
// this calls the __constructor function
$barney = new Spam();
// this calls the __set function
$barney->attr = "garnished with spam & eggs";
// this calls the __get function
$attrValue = $barney->attr;
This reduces the need to call a different method to set/get the values of your variable. This will only work on public variables as private and protected variables cannot be accessed from outside of your class.
Also, it is a good idea to have separate views, models, and controllers. Your controller is the script that the form submits to, your model is the class that is instantiated, and your view is where the user sends the information from. This will make your code easier to understand, rather than having your controller and view together.
Are you restricted to PHP4 for some reason? Or did you download some really old code and you're now trying to get it to work?
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<[ UPDATE 2.27.2013 ]>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
OOP PHP Programming in Conjunction with JavaScript AJAX technology
Model-View-Controller:
MVC is not specific to PHP. MVC is a software design pattern that aims to solve a maintainability problem in code that combines separate
components of the code in ways that make the code less readable and
hard to maintain, which in the end is also a security risk.
Model-View-Controller is typically implemented via frameworks. In
regards to PHP there are frameworks available such as Zend,
CodeIgniter, CakePHP, etc. There frameworks implement the model view
controller through the document tree, although you can create your own
PHP framework (which isn't a good idea given your new to the
language), its probably better to use one that has already been
around. These frameworks may also enforce their own standards that result
in better code.
To understand a maintainable MVC framework you should be familiar with coding a website > > entirely in PHP. That means you should be using PHP classes [modules|models] to
dynamically generate the HTML pages[the view] depending what the user has done[the
controller file controls the model].
You question is very vague and its hard to tell what your asking, however, I get the
impression you're unable to figure out what MVC is and how to use it. Suppose you've
just created a layout for a website you will be developing. Since it
isn't possible to predict the size of your user's screen, you're
layout was designed in the browser. Your layout [or template if you
will] should be standard compliant HTML5 or XHTML. It should not be
constructed with images. Some people may disagree with me on this but
with the exception of your logo/header(though some use text for this
too), you should not have any tags are part of your
template(this is before any content has been written, obviously you'll
probably want to use a lot of images in your content). Your view at
this point should be HTML and CSS - any images that are a part of your
layout (ie patterns, backgrounds, anything layout specific) should be
in the CSS of your website. This is kind of the same reason that we
use the MVC pattern - it separates what should be separate.
You take your layout as the HTML and you write a PHP class[module]
that contains functions, for example we'll use
$view->showLeadboard();, $view->showAds(); $view->showFooter();
$view->setTitle("Title");, $view->setDescription("Description");...
This assumes that you've instantiated your class. Perhaps you don't
want to instantiate a class and you'd prefer to use static methods,
the choice is yours but you should understand what you're doing well
enough to have good reasons for doing it.
Now that your view is held inside of a PHP module you can worry about
your content. Chances are, if your website is dynamic, there will be
multiple pages and locations on those pages that contain dynamic
content from a database, or forms (we're still inside of the view)
that submit data to the controller.
Suppose somebody is registering at your website. The go to your
domain and a view is generated based on the request to
www.site.com and the view that is generated is the index page. This person who has come to your page has decided to register for an
account with your service. They click on the "register" hyperlink and
another view is generated that displays a form for them to create
their login credentials. They fill the form out click submit. The
information supplied in the form is submitted to a controller(we're
not talking about ajax or implementing an MVC design pattern for our
javascript code right now), we'll say that the view
site.com/register submits to the controller site.com/engine/process.php. Process.php filters/sanitizes the user data from the form and instantiates the correct class(model,
we'll call this one new User) that will then make a database
call through one of its methods, or maybe even through its
constructor(you should be aware of the magic methods available to you
in PHP) and this the result of this query mutates the view to be
slightly different depending on what the controller told the model and
what the model told the view.
I don't even know what I can say about your question regarding AJAX - given your position with PHP I'm going to guess that you're using JQuery for ajax calls. If this is the case you do not need to implement a model-view-controller from your jquery files, you can just create a jquery script and then add a method to your view that calls that script and implements it.
All in all if you are struggling to understand what a common pattern like MVC is and how to use it you should really go back to the basics. I can't stress enough that the online tutorials aren't going to help you if you don't understand why the author used the solution that they used and chances are they're not explaining that to you because its sometime simple that you should be able to understand yourself provided you have a basic understanding of the php language, its syntax, and how to solve problems with it. This all comes just from spending time with the language, learning how it works, and learning what it doesnt do well and what it does do well.
Ok, you have a couple of questions wrapped into one large question but I'll try to answer them as best as I can. I'll answer them in the order of importance.
How do you update your class(es).
How to structure forms better.
How to check login status.
Most applications now use some form of an MVC architecture. Models, Views, and Controllers are a way of separating responsibilities to classes. Here's a brief tutorial on MVC architecture for PHP. With that said, there are a number of open source frameworks that you can use like, Zend, CakePHP and more.
Try using one of the strategies for MVC or try a framework.
Try not to have the form self submit to itself. Instead route it to a seperate page and handle the logic there. Also you can wrap your inputs into and array by using the [] notation. For example: <input type="text" name="user[firstname]" />
However If you are just doing a login form, then all you need is some unique form of identification and a credential (e.g. username and password).
There are several ways to persist users' login status, chiefly used are sessions and cookies. Storing the entire model in the session or cookie is usually frowned upon. Instead try storing the username and a unique key that you can compare against in a database.
Using cookies gives you more control over how long you want the session to last.