User Class
Posted: Sat Jun 12, 2010 9:11 pm
I intend to store this object in a session variable — can anyone shoot holes in it?
<?php
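class User{
    // Profile columns copied from the users row by login() and cleared by logout().
    public $id = 0;
    public $email = "";
    public $fname = "";
    public $mname = "";
    public $lname = "";
    public $addr1 = "";
    public $addr2 = "";
    public $city = "";
    public $state = "";
    public $zip = "";
    public $day_phone = "";
    public $night_phone = "";
    public $alt_email = "";
    public $is_logged_in = false;
    // MySQL link resource. A resource cannot be serialized into a session, so
    // __sleep() leaves it out and __wakeup() reopens it on the next request.
    public $sec_conn;

    /**
     * Opens the security database connection from the SECURITY_* constants.
     *
     * @throws RuntimeException if the connection or database selection fails
     */
    function __construct(){
        $this->connect();
    }

    /**
     * (Re)establishes the database link; shared by __construct() and __wakeup().
     *
     * The original assigned the link to a local $sec_conn, so every other
     * method used an undefined variable as its link.
     *
     * @throws RuntimeException if the connection or database selection fails
     */
    private function connect(){
        $this->sec_conn = mysql_connect(SECURITY_DB_SERVER, SECURITY_LOGIN, SECURITY_PASSWORD);
        if ($this->sec_conn === false){
            throw new RuntimeException("Could not connect to the security database.");
        }
        if (!mysql_select_db(SECURITY_DATABASE, $this->sec_conn)){
            throw new RuntimeException("Could not select the security database.");
        }
    }

    /**
     * Session support: persist every property except the unserializable link.
     *
     * @return string[] property names to serialize
     */
    function __sleep(){
        return array_values(array_diff(array_keys(get_object_vars($this)), array('sec_conn')));
    }

    /**
     * Session support: reopen the link when the object is restored from the session.
     *
     * @throws RuntimeException if the connection cannot be reopened
     */
    function __wakeup(){
        $this->connect();
    }

    /**
     * Runs a query on the security link, throwing instead of die()-ing so the
     * caller can log, clean up the session and show its own error page.
     *
     * @param string $query           SQL already escaped for this link
     * @param string $failure_message message carried by the exception
     * @return resource|bool the mysql_query() result
     * @throws RuntimeException if mysql_query() reports failure
     */
    private function run_query($query, $failure_message){
        $result = mysql_query($query, $this->sec_conn);
        if ($result === false){
            throw new RuntimeException($failure_message);
        }
        return $result;
    }

    /**
     * Verifies the e-mail/password pair and, on success, loads the profile
     * columns into this object and sets is_logged_in.
     *
     * @param string $email
     * @param string $password plaintext; compared in SQL as SHA(password . salt)
     * @return bool true when exactly one enabled user matched, false otherwise
     * @throws RuntimeException if the query fails
     */
    function login($email, $password){
        $sanitized_email = mysql_real_escape_string($email, $this->sec_conn);
        $sanitized_password = mysql_real_escape_string($password, $this->sec_conn);
        // NOTE(review): SHA1(password . salt) is a fast, unsalted-per-iteration
        // hash; a slow adaptive hash (e.g. bcrypt via crypt()) is the stronger
        // store. The scheme is kept so existing user_passwords rows still verify.
        // CONCAT() replaces the original '+', which MySQL evaluates as numeric
        // addition (SHA of "0"), so no stored hash could ever match.
        $query = "SELECT u.user_id, u.user_fname, u.user_mname, u.user_lname, u.user_addr1, u.user_addr2, u.user_city, u.user_state, u.user_zip, u.user_dayphone, u.user_nightphone, u.user_alt_email " .
            "FROM users u INNER JOIN user_password_salts ups ON ups.user_id = u.user_id INNER JOIN user_passwords up ON up.user_id = u.user_id " .
            "WHERE u.user_email = '$sanitized_email' AND SHA(CONCAT('$sanitized_password', ups.salt_value)) = up.password_hash AND u.is_enabled = true LIMIT 1;";
        $result = $this->run_query($query, "Logon query failed. Please contact a site administrator.");
        // mysql_num_rows() counts a SELECT's rows; mysql_affected_rows() takes a
        // link, not a result, so the original check never worked.
        if (mysql_num_rows($result) != 1){ // Username or password does not match.
            return false;
        }
        $row = mysql_fetch_assoc($result);
        mysql_free_result($result);
        // Populate the object's properties from the matched row.
        $this->email = $email;
        $this->id = $row['user_id'];
        $this->fname = $row['user_fname'];
        $this->mname = $row['user_mname'];
        $this->lname = $row['user_lname'];
        $this->addr1 = $row['user_addr1'];
        $this->addr2 = $row['user_addr2'];
        $this->city = $row['user_city'];
        $this->state = $row['user_state'];
        $this->zip = $row['user_zip'];
        $this->day_phone = $row['user_dayphone'];
        $this->night_phone = $row['user_nightphone'];
        $this->alt_email = $row['user_alt_email'];
        // The query selects no is_logged_in column; the original overwrote the
        // flag with that undefined index, leaving a "successful" login logged out.
        $this->is_logged_in = true;
        return true;
    }

    /**
     * Clears the profile fields and the logged-in flag.
     *
     * @return bool always true
     */
    function logout(){
        if ($this->is_logged_in == true){
            $this->id = 0;
            $this->is_logged_in = false;
            $this->email = "";
            $this->fname = "";
            $this->mname = "";
            $this->lname = "";
            $this->addr1 = "";
            $this->addr2 = "";
            $this->city = "";
            $this->state = "";
            $this->zip = "";
            $this->day_phone = "";
            $this->night_phone = "";
            $this->alt_email = "";
        }
        return true;
    }

    /**
     * Reports whether the logged-in user holds the named role through one of
     * its groups (user_group -> role_group -> roles).
     *
     * @param string $role_name
     * @return bool false when not logged in or no matching role row exists
     * @throws RuntimeException if the query fails
     */
    function has_role($role_name){
        if ($this->is_logged_in != true) {
            return false; // if you're not logged in, you cannot determine your role assignments
        }
        $sanitized_role_name = mysql_real_escape_string($role_name, $this->sec_conn);
        // Interpolated unquoted, so force an integer rather than trusting the property.
        $user_id = (int) $this->id;
        // The original FROM clause referenced an alias u that was never joined.
        $query = "SELECT 1 FROM user_group ug INNER JOIN role_group rg ON rg.group_id = ug.group_id " .
            "INNER JOIN roles r ON r.role_id = rg.role_id WHERE ug.user_id = $user_id AND r.role_name = '$sanitized_role_name' LIMIT 1;";
        $result = $this->run_query($query, "Could not query the roles tables.");
        $found = mysql_num_rows($result) == 1; // found a record of the role for the user
        mysql_free_result($result);
        return $found;
    }

    /**
     * Re-authenticates with the old password, then stores a fresh salt and the
     * SHA(new_password . salt) hash for the user.
     *
     * @param string $email
     * @param string $old_password must currently verify via login()
     * @param string $new_password
     * @return bool true when both rows were updated, false otherwise
     * @throws RuntimeException if a query fails
     */
    function change_password($email, $old_password, $new_password){
        // Re-authenticating proves the caller knows the current password and
        // loads $this->id. The original passed an undefined $password here.
        if (!$this->login($email, $old_password)){
            return false; // failed to validate old password
        }
        $sanitized_new_password = mysql_real_escape_string($new_password, $this->sec_conn);
        $new_salt = mysql_real_escape_string(generate_random_string(50), $this->sec_conn);
        $user_id = (int) $this->id;
        // The salt and the hash live in two tables; without a transaction a
        // failure between the two updates leaves a salt no stored hash matches
        // and locks the user out. START TRANSACTION is a no-op on engines
        // without transaction support — TODO confirm the tables are transactional.
        $this->run_query("START TRANSACTION;", "Could not begin the password change.");
        $query = "UPDATE user_password_salts SET salt_value = '$new_salt' WHERE user_id = $user_id LIMIT 1;";
        $this->run_query($query, "Failed to update the new salt value.");
        if (mysql_affected_rows($this->sec_conn) != 1){ // failed to update the salt value
            $this->run_query("ROLLBACK;", "Could not roll back the password change.");
            return false;
        }
        // Hash of the new password with the new salt; the original interpolated
        // an undefined $sanitized_password here.
        $query = "UPDATE user_passwords SET password_hash = SHA('$sanitized_new_password$new_salt') WHERE user_id = $user_id LIMIT 1;";
        $this->run_query($query, "Failed to update the new password. Please contact your systems administrator.");
        if (mysql_affected_rows($this->sec_conn) != 1){ // failed to update the password
            $this->run_query("ROLLBACK;", "Could not roll back the password change.");
            return false;
        }
        $this->run_query("COMMIT;", "Could not commit the password change.");
        // password change operation completed successfully
        return true;
    }
} //end User class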
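/**
 * Returns $length characters drawn from [0-9A-Za-z]; used to mint per-user
 * password salts.
 *
 * @param int $length number of characters; zero or negative yields ""
 * @return string
 */
function generate_random_string($length){
    // Plain ASCII quotes: the original used typographic quotes, which PHP
    // does not parse as a string delimiter.
    $character_set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    // The original measured an undefined $characters, so the range was always empty.
    $max_index = strlen($character_set) - 1;
    // Salts are security-sensitive: use the CSPRNG where the runtime has it
    // (random_int, PHP >= 7); mt_rand() is only the fallback for older interpreters.
    $use_csprng = function_exists('random_int');
    $returnval = "";
    for ($p = 0; $p < $length; $p++){
        // Indexes are 0-based; mt_rand(1, len) skipped '0' and could read one past the end.
        $index = $use_csprng ? random_int(0, $max_index) : mt_rand(0, $max_index);
        $returnval .= $character_set[$index];
    }
    return $returnval;
}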
?>