Take a look and tell me what you think so far?

xtjdx
Joined: Sun Oct 09, 2005 3:23 am

Post by xtjdx »

I'm working on a new login authentication/session scheme (plus using it as an example for a friend whom I'm helping learn PHP) and would appreciate some input on it so far.
Basically I'm wondering if there are some ways to shorten my code a little bit, as so far it's pretty long for the small amount of functionality that I actually have. I'm also wondering which one is favored more: sessions or cookies? I used to use sessions but have started enjoying cookies a bit more lately. Also, this used to be class-oriented, but I've strayed from that because for me it gets a lot more cluttered.
There is a bit of pseudo-code in there still and the actual authentication checking is being written at this very moment. It's a bit sloppy still, but will get cleaned up! Thanks in advance for helping!


<?php
include_once('config/global.config.php');

// Login form display function.
// $id lets the same form be embedded on more than one page with a distinct DOM id.
function DisplayLoginForm($id = 'loginForm')
{
	global $loginError;
	if (isset($loginError))
	{
		// There was already activity with login and it resulted in an error, so
		// output the supplied error message (HTML-escaped, in case it echoes user input)
		echo '<p class="loginError">' . htmlspecialchars($loginError) . '</p>';
	}
	else
	{
		// Standard output. This function is designed so that you can use it on any page
		// instead of just on login.php, or whatever.
		// PHP_SELF reflects the request path back into the page, so it must be HTML-escaped
		// (as must $id) to keep a crafted URL from injecting markup into the form.
	?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST" id="<?php echo htmlspecialchars($id); ?>">
	<table class="loginTable" cellpadding="0" cellspacing="0">
		<tr>
			<td align="right">Username:</td>
			<td align="left"><input type="text" name="username" size="16"></td>
		</tr>
		<tr>
			<td align="right">Password:</td>
			<td align="left"><input type="password" name="password" size="16"></td>
		</tr>
		<tr>
			<td align="left" colspan="2">Remember Me: <input type="checkbox" name="remember" value="1"></td>
		</tr>
		<tr>
			<td align="left" colspan="2"><input type="submit" name="loginSubmit" value="Log In"></td>
		</tr>
	</table>
</form>
	<?php
	}
}

// Function for validating login information.
// Returns true only when exactly one active user matches; false otherwise
// (including when either field is empty, which previously returned an unset variable).
function CheckLoginInfo($username, $password)
{
	global $mysql;
	$returnvalue = false;
	
	// Connect to the database and use $mysql['dbName']
	// NOTE: die(mysql_error()) shows database error text to the visitor; log it instead on a live site.
	$loginConnection = mysql_connect($mysql['host'], $mysql['loginUser'], $mysql['loginPassword']) or die(mysql_error());
	mysql_select_db($mysql['dbName']) or die(mysql_error());
	if ($username && $password)
	{
		// Custom function (defined in global.config.php) to clean up input. For the query below
		// to be injection-safe it has to escape quotes, e.g. via mysql_real_escape_string().
		$username = SqlClean($username);
		// Hash this value before the query so the plaintext never reaches the database.
		// NOTE: an unsalted md5 is fast to brute-force and gives identical passwords identical
		// hashes; a salted, slow hash is the stronger choice.
		$password = md5($password);
		
		// Query for checking
		$userQuery = 'Select * From tblUsers Where username = \'' . $username . '\' And password = \'' .
					$password . '\' And active = 1';
		$userResult = mysql_query($userQuery) or die(mysql_error());
		$userRows = mysql_num_rows($userResult);
		if ($userRows == 1)
		{
			// There was one record. This is what will happen for valid users.
			$returnvalue = true;
		}
		elseif ($userRows > 1)
		{
			// Multiple records were returned. This was probably a SQL injection
			// (or duplicate usernames, if the column has no UNIQUE constraint).
			// Log and act like it was an invalid login
			// LoggingProcedure()
			$returnvalue = false;
		}
		else
		{
			// Invalid login. Just return false.
			$returnvalue = false;
		}
	}
	mysql_close($loginConnection);
	return $returnvalue;
}

// After authenticated, session needs to be created
function CreateSession($username, $persistent)
{
	// Get our vars in here...
	global $mysql;
	global $session;
	
	// Clean input up even if it has already been cleaned
	$username = SqlClean($username);
	// Get IP address
	$ipaddr = $_SERVER['REMOTE_ADDR'];
	// Create a random 32-character token (initialise it first, or PHP warns on the first append)
	// NOTE: rand() is not a cryptographic generator; its output can be predicted from a few
	// samples, so a session token should come from a CSPRNG (openssl, /dev/urandom) instead.
	$token = '';
	for ($i = 0; $i < 32; $i++)
	{
		// 1 outputs a letter, 0 a number
		if (rand(0,1) == 1)
		{
			// And, a little more complexity with upper/lowercase
			// (chr(65..90) is already upper case, so only the lower-case branch needs converting)
			if (rand(0,1) == 1)
			{
				$token .= chr(rand(65,90));
			}
			else
			{
				$token .= strtolower(chr(rand(65,90)));
			}
		}
		else
		{
			$token .= rand(0,9);
		}
	}
	// This function will have 3 ways to create the sid; the chosen layout is sent to the
	// client as the 'type' cookie. Because the sid is looked up in tblSessions anyway, the
	// layout adds no secrecy: all of the security rests on $token being unguessable.
	$type = rand(1,3);
	switch($type)
	{
		case 1:
			$sid = $username . '++' . $ipaddr . '++' . $token;
			break;
		case 2:
			$sid = $token . '++' . $ipaddr . '++' . $username;
			break;
		case 3:
			$sid = $ipaddr . '++' . $username . '++' . $token;
			break;
	}
	$sid = md5($sid);
	
	// Connect to database and get ready to insert
	$sessionConnection = mysql_connect($mysql['host'], $mysql['sessionUser'], $mysql['sessionPassword']) or die(mysql_error());
	mysql_select_db($mysql['dbName']) or die(mysql_error());
	
	// Make sure the insert doesn't fail
	if (mysql_query('Insert Into tblSessions(username, ipaddr, token, sid) Values(\'' . $username . '\', \'' .
		$ipaddr . '\', \'' . $token . '\', \'' . $sid . '\')'))
	{
		// It succeeded, so now we'll create the cookies.
		// NOTE: THIS _MUST_ GO BEFORE ANY OUTPUT
		// Best way to do this would be to add this in the head section after checking for
		// POST vars. If there is output before this, you _WILL_ get errors.
		// The sid is a bearer credential: whoever holds the cookie is logged in, so it should only
		// travel over HTTPS (secure flag) and be hidden from script (HttpOnly flag, PHP >= 5.2).
		if ($persistent == 1)
		{
			setcookie('sid', $sid, time()+60*60*24*$session['expireTime']);
			setcookie('type', $type, time()+60*60*24*$session['expireTime']);
		}
		else
		{
			setcookie('sid', $sid);
			setcookie('type', $type);
		}
	}
	else
	{
		mysql_close($sessionConnection);
		return false;
	}
	mysql_close($sessionConnection);
	return true;
}
?>
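The same two operations as the post's CheckLoginInfo() and CreateSession(), rebuilt as an added example that is not the original poster's code: the username goes into a prepared statement instead of a string-built query, the password is checked against a salted hash rather than an md5 in the WHERE clause, and the session token comes from the CSPRNG with only its SHA-256 stored server-side. It also keeps a deliberately unescaped copy of the post's concatenated query so the injection the post's "multiple records" branch worries about can be seen returning a row. Assumptions: PHP 7.4 or later with pdo_sqlite, an in-memory SQLite database standing in for the MySQL config, the post's table names tblUsers and tblSessions with columns renamed as shown, and a constructed user 'alice' / 'correct horse'.

```php
<?php
// Added example (not the original poster's code): CheckLoginInfo() and CreateSession()
// rebuilt around prepared statements, a salted password hash and a CSPRNG token.
// Assumes PHP 7.4+ with pdo_sqlite; an in-memory SQLite database stands in for the
// MySQL config, and the user 'alice' / 'correct horse' is constructed for the demo.
declare(strict_types=1);

function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tblUsers (username TEXT PRIMARY KEY, password TEXT NOT NULL, active INTEGER NOT NULL)');
    $db->exec('CREATE TABLE tblSessions (sid_hash TEXT PRIMARY KEY, username TEXT NOT NULL, ipaddr TEXT NOT NULL, expires INTEGER NOT NULL)');
    // password_hash() salts and stretches (bcrypt by default), unlike a bare md5().
    $db->prepare('INSERT INTO tblUsers (username, password, active) VALUES (?, ?, 1)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// The post's string-built query with the escaping left out, kept only to show what its
// "multiple records" branch is guarding against. A trailing "' -- " comments out the
// password clause, so a single, valid-looking row comes back for a wrong password.
function checkLoginConcatenated(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM tblUsers WHERE username = '" . $username . "' AND password = '"
         . md5($password) . "' AND active = 1";
    return count($db->query($sql)->fetchAll());
}

// Hardened check: the statement is parameterised, so the username is data, never SQL,
// and the password is verified in PHP against the stored hash instead of inside the query.
function checkLogin(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password FROM tblUsers WHERE username = ? AND active = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a dummy hash so an unknown user costs the same time as a wrong password.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password']);
}

// Session creation: 32 random bytes from the CSPRNG become the cookie; only their SHA-256
// is stored, so someone who reads tblSessions still cannot present a valid cookie.
function createSession(PDO $db, string $username, string $ipaddr, bool $persistent, int $expireDays = 30): string
{
    $token = bin2hex(random_bytes(32));
    $expires = time() + ($persistent ? 60 * 60 * 24 * $expireDays : 60 * 60 * 2);
    $db->prepare('INSERT INTO tblSessions (sid_hash, username, ipaddr, expires) VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $username, $ipaddr, $expires]);
    if (PHP_SAPI !== 'cli') {
        // Must run before any output, as the post notes. Secure keeps the cookie off plain HTTP,
        // HttpOnly keeps it away from script, SameSite=Lax blunts cross-site request forgery.
        setcookie('sid', $token, [
            'expires'  => $persistent ? $expires : 0,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $token;
}

// Resolves a presented cookie back to a username, or null when unknown or expired.
function lookupSession(PDO $db, string $token): ?string
{
    $stmt = $db->prepare('SELECT username FROM tblSessions WHERE sid_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Self-check when run from the command line: php login_demo.php
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

$db = setupDemoDb();
check(checkLogin($db, 'alice', 'correct horse') === true,  'valid login accepted');
check(checkLogin($db, 'alice', 'wrong') === false,          'wrong password rejected');
check(checkLogin($db, "alice' -- ", 'wrong') === false,     'injection payload is just an unknown username');
check(checkLoginConcatenated($db, "alice' -- ", 'wrong') === 1, 'string-built query returns a row for the same payload');
$token = createSession($db, 'alice', '192.0.2.10', false);
check(lookupSession($db, $token) === 'alice',               'fresh token resolves');
check(lookupSession($db, bin2hex(random_bytes(32))) === null, 'unknown token does not resolve');
echo "all checks passed\n";
```

Two design points worth noting against the post's version. First, the post stores both the raw token and its md5 in tblSessions, so a read of that table (a backup, a SQL injection elsewhere) hands out live sessions; storing only a hash of the token means the database row is useless without the cookie. Second, the post's "multiple rows means injection" heuristic does not catch the payload above, which returns exactly one row, so the only reliable defence is keeping user input out of the SQL text altogether.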