Basically I'm wondering if there are some ways to shorten my code a little bit, as so far it's pretty long for the small amount of functionality that I actually have. I'm also wondering which one is favored more: sessions or cookies? I used to use sessions but have started enjoying cookies a bit more lately. Also, this used to be class-oriented, but I've strayed from that because for me it gets a lot more cluttered.
There is a bit of pseudo-code in there still and the actual authentication checking is being written at this very moment. It's a bit sloppy still, but will get cleaned up! Thanks in advance for helping!
<?
include_once('config/global.config.php');
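// Login form display function
/**
 * Echo the login form, preceded by the pending login error when one is set.
 *
 * Reads the global $loginError: if it is set, a previous attempt failed and the
 * supplied message is printed (escaped) above the form so the user can retry.
 * The form posts back to the current script. Every dynamic value placed in the
 * HTML ($_SERVER['PHP_SELF'], $id, $loginError) goes through htmlspecialchars,
 * because PHP_SELF reflects the request path and is attacker-influenced.
 *
 * @param string $id HTML id attribute for the <form> element.
 * @return void Output is echoed directly.
 */
function DisplayLoginForm($id = 'loginForm')
{
    global $loginError;
    // PHP_SELF reflects path info from the URL, so it is escaped before it lands
    // in the action attribute; $id gets the same treatment.
    $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
    $action = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $formId = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if (isset($loginError)) {
        // A previous login attempt failed: show its message before the form.
        echo '<p class="loginError">'
            . htmlspecialchars((string) $loginError, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "</p>\n";
    }
    // Standard output. The function is meant to be usable on any page, not only login.php.
?>
<form action="<?php echo $action; ?>" method="POST" id="<?php echo $formId; ?>">
<table class="loginTable" cellpadding="0" cellspacing="0">
<tr>
<td align="right">Username:</td>
<td align="left"><input type="text" name="username" size="16"></td>
</tr>
<tr>
<td align="right">Password:</td>
<td align="left"><input type="password" name="password" size="16"></td>
</tr>
<tr>
<td align="left" colspan="2">Remember Me: <input type="checkbox" name="remember" value="1"></td>
</tr>
<tr>
<td align="left" colspan="2"><input type="submit" name="loginSubmit" value="Log In"></td>
</tr>
</table>
</form>
<?php
}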
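// Function for validating login information
/**
 * Validate a username/password pair against tblUsers.
 *
 * Connects with the login credentials from the global $mysql config
 * (host, loginUser, loginPassword, dbName), looks the user up with a prepared
 * statement and reports whether exactly one active row matched. The request
 * values are bound as parameters and never concatenated into SQL, so the
 * separate SqlClean() pass the original did is no longer needed here.
 *
 * @param string $username Raw username from the request.
 * @param string $password Raw password from the request.
 * @return bool true for exactly one active matching user; false for empty
 *              input, no match, or more than one match.
 * @throws RuntimeException when the connection, prepare or execute fails
 *                          (the driver error text is deliberately not echoed).
 */
function CheckLoginInfo($username, $password)
{
    global $mysql;
    // Empty input can never match; decide before touching the database. The
    // original left its return value unset on this path (returned null) and also
    // rejected the literal string '0' because of a truthiness test.
    if ((string) $username === '' || (string) $password === '') {
        return false;
    }
    // NOTE(review): tblUsers.password holds unsalted md5() of the password, so the
    // same hash is computed here to keep existing rows working. The real fix is a
    // migration to password_hash()/password_verify(); md5 is not a password hash.
    $passwordHash = md5($password);

    $link = mysqli_connect($mysql['host'], $mysql['loginUser'], $mysql['loginPassword'], $mysql['dbName']);
    if ($link === false) {
        throw new RuntimeException('Login database connection failed');
    }
    try {
        $stmt = mysqli_prepare(
            $link,
            'SELECT 1 FROM tblUsers WHERE username = ? AND password = ? AND active = 1'
        );
        if ($stmt === false) {
            throw new RuntimeException('Login query could not be prepared');
        }
        try {
            mysqli_stmt_bind_param($stmt, 'ss', $username, $passwordHash);
            if (!mysqli_stmt_execute($stmt)) {
                throw new RuntimeException('Login query failed');
            }
            // store_result is required before num_rows is meaningful.
            mysqli_stmt_store_result($stmt);
            $userRows = mysqli_stmt_num_rows($stmt);
        } finally {
            mysqli_stmt_close($stmt);
        }
    } finally {
        mysqli_close($link);
    }

    if ($userRows > 1) {
        // More than one active row for the same username/hash. With bound
        // parameters this cannot be injection any more, but it is still a data
        // problem worth recording; keep treating it as an invalid login.
        // LoggingProcedure()
        return false;
    }
    // Exactly one record is a valid user; zero is an invalid login.
    return $userRows === 1;
}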
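// After authenticated, session needs to be created
/**
 * Record a new login session in tblSessions and queue its cookies.
 *
 * Uses the globals $mysql (host, sessionUser, sessionPassword, dbName) and
 * $session['expireTime'] (cookie lifetime in days when $persistent is set).
 * Sends Set-Cookie headers, so it MUST run before any output — best placed in
 * the head section right after the POST vars have been checked.
 *
 * The session id is md5() of one of three layouts of username, client IP and a
 * random token; which layout was used is still exposed in the 'type' cookie,
 * as in the original, for whatever reads it. The token now comes from the
 * CSPRNG: rand() is predictable and was the only source of entropy before.
 *
 * @param string   $username   The authenticated username; bound as a parameter.
 * @param int|bool $persistent 1/true keeps the cookies for $session['expireTime']
 *                             days; anything else gives session cookies.
 * @return bool true when the row was inserted and the cookies were queued,
 *              false when the insert failed.
 * @throws RuntimeException when the connection or statement preparation fails.
 */
function CreateSession($username, $persistent)
{
    global $mysql;
    global $session;

    $ipaddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    // 32-character token (16 random bytes as hex) — same width as before, but
    // unpredictable. The original also read $token before assigning it.
    $token = bin2hex(random_bytes(16));

    // Three ways to lay out the pre-hash session id; the choice is random too.
    $type = random_int(1, 3);
    switch ($type) {
        case 1:
            $sid = $username . '++' . $ipaddr . '++' . $token;
            break;
        case 2:
            $sid = $token . '++' . $ipaddr . '++' . $username;
            break;
        default:
            $sid = $ipaddr . '++' . $username . '++' . $token;
            break;
    }
    // md5 here only produces a fixed-width identifier for the sid column; the
    // unpredictability comes from $token, not from the hash.
    $sid = md5($sid);

    $link = mysqli_connect($mysql['host'], $mysql['sessionUser'], $mysql['sessionPassword'], $mysql['dbName']);
    if ($link === false) {
        throw new RuntimeException('Session database connection failed');
    }
    try {
        $stmt = mysqli_prepare(
            $link,
            'INSERT INTO tblSessions(username, ipaddr, token, sid) VALUES (?, ?, ?, ?)'
        );
        if ($stmt === false) {
            throw new RuntimeException('Session insert could not be prepared');
        }
        try {
            mysqli_stmt_bind_param($stmt, 'ssss', $username, $ipaddr, $token, $sid);
            $inserted = mysqli_stmt_execute($stmt);
        } finally {
            mysqli_stmt_close($stmt);
        }
    } finally {
        mysqli_close($link);
    }
    if (!$inserted) {
        // Make sure a failed insert is reported rather than handing out a sid
        // the server does not know about.
        return false;
    }

    // Cookies. HttpOnly keeps the sid out of reach of page scripts; Secure is
    // set whenever this request itself arrived over HTTPS. Path and domain stay
    // at their defaults, as before. Expire 0 means a session cookie, which is
    // what the original two-argument setcookie() produced.
    $secure = !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';
    $expires = ($persistent == 1)
        ? time() + 60 * 60 * 24 * (int) $session['expireTime']
        : 0;
    setcookie('sid', $sid, $expires, '', '', $secure, true);
    setcookie('type', (string) $type, $expires, '', '', $secure, true);
    return true;
}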
?>