User Class

Coding Critique is the place to post source code for peer review by other members of DevNetwork. Any kind of code can be posted. Code posted does not have to be limited to PHP. All members are invited to contribute constructive criticism with the goal of improving the code. Posted code should include some background information about it and what areas you specifically would like help with.

Popular code excerpts may be moved to "Code Snippets" by the moderators.

Moderator: General Moderators

Post Reply
jholovacs
Forum Newbie
Posts: 3
Joined: Sat Jun 12, 2010 2:17 pm

User Class

Post by jholovacs »

I intend for this to be stored in a session variable... can anyone shoot holes in this?

Code: Select all

<?php
class User{
	
    public $id = 0;
    public $email = "";
    public $fname = "";
    public $mname = "";
    public $lname = "";
    public $addr1 = "";
    public $addr2 = "";
    public $city = "";
    public $state = "";
    public $zip = "";
    public $day_phone = "";
    public $night_phone = "";
    public $alt_email = "";
    public $is_logged_in = false;
    
    var $sec_conn;
    
    function __construct(){
        $sec_conn = mysql_connect(SECURITY_DB_SERVER, SECURITY_LOGIN, SECURITY_PASSWORD);
        mysql_select_db(SECURITY_DATABASE, $sec_conn);
        }
        
    function login($email, $password){
        
        $sanitized_email = mysql_real_escape_string($email);
        $sanitized_password = mysql_real_escape_string($password);
        $query = "SELECT u.user_id, u.user_fname, u.user_mname, u.user_lname, u.user_addr1, u.user_addr2, u.user_city, u.user_state, u.user_zip, u.user_dayphone, u.user_nightphone, u.user_alt_email " .
            "FROM users u INNER JOIN user_password_salts ups ON ups.user_id = u.user_id INNER JOIN user_passwords up ON up.user_id = u.user_id " .
            "WHERE u.user_email = '$sanitized_email' AND SHA('$sanitized_password'+ups.salt_value) = up.password_hash AND u.is_enabled = true LIMIT 1;"; 
        $result = mysql_query($query, $sec_conn) or die("Logon query failed.  Please contact a site administrator.");
        if (mysql_affected_rows($result) != 1){ //Username or password does not match.
            return false;
            }
        //populate the row values
        $row = mysql_fetch_assoc($result);
        $this->is_logged_in = true;
        
        //populate the object's properties
        $this->email = $email;
        $this->id = $row['user_id'];
        $this->fname = $row['user_fname'];
        $this->mname = $row['user_mname'];
        $this->lname = $row['user_lname'];
        $this->addr1 = $row['user_addr1'];
        $this->addr2 = $row['user_addr2'];
        $this->city = $row['user_city'];
        $this->state = $row['user_state'];
        $this->zip =$row['user_zip'];
        $this->day_phone = $row['user_dayphone'];
        $this->night_phone = $row['user_nightphone'];
        $this->alt_email = $row['user_alt_email'];
        $this->is_logged_in = $row['is_logged_in'];
        
        //return success indicator
        return true;
        }
        
    function logout(){
        
        if ($this->is_logged_in == true){
            
            $this->id = 0;
            $this->is_logged_in = false;
            $this->email = "";
            $this->fname = "";
            $this->mname = "";
            $this->lname = "";
            $this->addr1 = "";
            $this->addr2 = "";
            $this->city = "";
            $this->state = "";
            $this->zip = "";
            $this->day_phone = "";
            $this->night_phone = "";
            $this->alt_email = "";
            }

            return true;
        }
        
    function has_role($role_name){
        if ($this->is_logged_in != true) {
            return false; // if you're not logged in, you cannot determine your role assignments
            }
            
        $sanitized_role_name = mysql_real_escape_string($role_name);    
        $query = "SELECT 1 FROM user_group ug on ug.user_id = u.user_id INNER JOIN role_group rg ON rg.group_id = ug.group_id " .
            "INNER JOIN roles r ON r.role_id = rg.role_id WHERE ug.user_id = $this->id AND r.role_name = '$sanitized_role_name' LIMIT 1;";
            
        $result = mysql_query($query, $sec_conn) or die("Could not query the roles tables.");
        if (mysql_affected_rows($result) == 1){
            return true; //found a record of the role for the user.
            }
            
        return false;
        }
        
    function change_password($email, $old_password, $new_password){
        $sanitized_email = mysql_real_escape_string($email);
        $sanitized_new_password = mysql_real_escape_string($new_password);
        
        if (!$this->login($email, $password)){
            return false; //failed to validate old password
            }
            
        $new_salt = mysql_real_escape_string(generate_random_string(50));
        $query = "UPDATE user_password_salts SET salt_value = '$new_salt' WHERE user_id = $this->id LIMIT 1;";
        $result = mysql_query($query, $sec_conn) or die("Failed to update the new salt value.");
        
        if (mysql_affected_rows($result) != 1){ //failed to update the salt value
            return false;
            }
            
        $query = "UPDATE user_passwords SET password_hash = SHA('$sanitized_password$new_salt') WHERE user_id = $this->id LIMIT 1;";
        $result = mysql_query($query, $sec_conn) or die("Failed to update the new password.  Please contact your systems administrator.");
        
    
        if (mysql_affected_rows($result) != 1){ //failed to update the password
            return false;
            }
        
        //password change operation completed successfully
        return true;
        
        }
} //end User class

function generate_random_string($length){
    $character_set = ‘0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz’;
    $character_set_length = strlen($characters);
    $returnval = "";
    for($p = 0; $p < $length; $p++){
        $returnval .= substr($character_set, mt_rand(1, $character_set_length), 1);
        }
    return $returnval;
    }
?>
User avatar
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas
Contact:

Re: User Class

Post by AbraCadaver »

With just a quick look I can see that you'll have problems when this is serialized/unserialized. You need to look at the __sleep() and __wakeup() magic methods to cleanup and then reconnect etc..
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Post Reply