Re: sessions/cookies

[Jochem Maas <jochem@xxxxxxxxxxxxx>]

others have given good advice, but let's learn to walk before we run shall we.


1. session_start() should be called once per request.
2. checkValidUser() does a select on all the users in the database, this is *wrong* -
do a select with a suitable WHERE clause the retrieves the one user that matches the
given user name and password.
3. GetAccessLevel() uses an undefined property.
4. all the properties ($UserID, $AdminLevel, etc) are only set during the request where
the user's login credentials are checked. subsequent requests will not have that info.
5. use php5?
6. go back and read the other replies regarding seperation of responsibilities and encapsulation.


nihilism machine schreef:
> I wrote an authentication class in php4. The sessions dont seem to be 
> working with internet explorer, just with FF. here is the code below, a 
> cookies notice pops up when you try and login:
>
> <?php
>
>
>
> class auth {
>
>     var $UserID;
>     var $AdminLevel;
>     var $FirstName;
>     var $LastName;
>     var $DateAdded;
>     var $MobileTelephone;
>     var $LandLineTelephone;
>
>     // Connect to the database
>     function auth() {
>         mysql_connect('','','') or die('ERROR: Could not connect to 
> database');
>         mysql_select_db('') or die('ERROR: Could not select database');
>     }
>
>     // Attempt to login a user
>     function CheckValidUser($Email,$Password) {
>         $result = mysql_query('SELECT * FROM Users');
>         $Password = $this->encode($Password);
>
>         if (mysql_num_rows($result) != 0) {
>             while($row = mysql_fetch_assoc($result)) {
>                 if (!strcmp($row['Email'],$Email)) {
>                     if (!strcmp($row['Password'],$Password)) {
>                         // User info stored in Globals
>                         $this->UserID = $row['ID'];
>                         $this->AdminLevel = $row['Admin_Level'];
>                         $this->FirstName = $row['First_Name'];
>                         $this->LastName = $row['Last_Name'];
>                         $this->DateAdded = $row['Date_Added'];
>                         $this->MobileTelephone = $row['Telephone_Mobile'];
>                         $this->LandLineTelephone = 
> $row['Telephone_Land_Line'];
>                         // User info stored in Sessions
>                         session_start();
>                         $_SESSION['Status'] = "loggedIn";
>                         $_SESSION['Email'] = $row['Email'];
>                         $_SESSION['AdminLevel'] = $row['Admin_Level'];
>                         $_SESSION['LandLine'] = 
> $row['Telephone_Land_Line'];
>                         $_SESSION['MobileTelephone'] = 
> $row['Telephone_Mobile'];
>                         $_SESSION['FirstName'] = $row['First_Name'];
>                         $_SESSION['LastName'] = $row['Last_Name'];
>                         return true;
>                     }
>                 }
>             }
>             header("Location: index.php?error=invalidLogin");
>         } else {
>             die('ERROR: No Users in the database!');
>         }
>     }
>     
>     // Create a new user account
>     function CreateUser($Email, $Password, $AdminLevel, 
> $LandLineTelephone, $MobileTelephone, $FirstName, $LastName) {
>         $Password = $this->encode($Password);
>         $this->AccessLevel = $AdminLevel;
>         $DateAdded = date("Y-m-d H:i:s");
>         mysql_query("INSERT INTO Users (Email, Password, Admin_Level, 
> Date_Added, First_Name, Last_Name, Telephone_Land_Line, 
> Telephone_Mobile) VALUES ('$Email','$Password','$AdminLevel', 
> '$DateAdded', '$FirstName', '$LastName', '$LandLineTelephone', 
> '$MobileTelephone')") or die(mysql_error());
>         return $this->UserID = mysql_insert_id();
>     }
>
>     // Update a users access level
>     function UpdateAccessLevel($ID,$AdminLevel) {
>         mysql_query("UPDATE Users SET Admin_Level='$AdminLevel' WHERE 
> ID=$ID") or die(mysql_error());
>         return true;
>     }
>
>     // Delete a user
>     function DeleteUser($ID) {
>         mysql_query("DELETE FROM Users WHERE ID=$ID") or 
> die(mysql_error());
>         return true;
>     }
>
>     // Get a users access level
>     function GetAccessLevel() {
>         return $this->AccessLevel;
>     }
>
>     // Get a users ID
>     function GetUserID() {
>         return $this->UserID;
>     }
>     
>     // Log user out
>     function LogOut() {
>         session_start();
>         session_unset();
>         session_destroy();
>         header("Location: index.php");
>     }
>     
>     // Check users access level to see if they have clearance for a 
> certain page
>     function CheckUserLevel($RequiredLevel) {
>         if ($_SESSION['AdminLevel'] < $RequiredLevel) {
>             if ($_SESSION['AdminLevel'] == 2) {
>                 header("Location: financial.php");
>             } else if ($_SESSION['AdminLevel'] == 1) {
>                 header("Location: user.php");
>             } else {
>                 header("Location: index.php");
>             }
>         }
>     }
>     
>     // Check to see if a user is logged in
>     function CheckLoggedIn() {
>         session_start();
>         if ($_SESSION['Status'] != "loggedIn") {
>             header("Location: index.php");
>         }
>     }
>
>     // Private Methods
>     
>     function encode($str) {
>         return md5(base64_encode($str));
>     }
> }
>
> ?>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php