Code: Select all
<?php
/*
Why bother with PDO?
Database specs:
user varchar(32), hash character(60), merit bigint,
--Todos--
Is it good?
Note: bcrypt causes passwords to be truncated to 72 chars.
Functions and output:
1) conSql
0 Unable to connect to database
(sql connection)
2) rmUser
0 Success
1 Permission denied
2 Unable to connect to DB
3 Unknown error
3) authUser
0 Inauthentic
1 Authentic
4) unlogUser
(none)
5) logUser
0 Success
1 Incorrect username/password
2 Unable to connect to DB
6) chkUser_exist
0 Doesn't exist
1 exists
2 Unable to connect to DB
7) makeUser
0 Success
1 Permission denied
2 User already exists
3 Unable to connect to database
4 Unknown error
8) chkPermit
0 Permission denied
1 Permission granted
*/
define("CONF","Conf/Shar/kernel/"); //Helps make checking permissions much easier
//A bunch of SQL constants, makes changing info easier
define("hostname","localhost");
define("username","user");
define("password","lCvebzHkf3mN1ERwfLewVWx8i2LjhLrF");
define("database","db");
function conSql()
{
$sqlcon = mysqli_connect(hostname, username, password, database);
if(!$sqlcon)
{
echo "Fatal: Shar/kernel.php, Unable to connect to database";
return 0;
}
return $sqlcon;
}
function rmUser($merits,$user)
{
if(chkPermit($merits,CONF."rmUser") == 0){return 1;}
$sqlcon = conSql();
if(!$sqlcon){return 2;}
$e_user = mysqli_real_escape_string($sqlcon,$user);
$query = "DELETE FROM users WHERE user='$e_user'";
if(mysqli_query($sqlcon, $query)){return 0;}
echo "Fatal: Shar/kernel.php, rmUser, SQL error.";
return 3;
}
function authUser()
{
if(!isset($_SESSION["user"])){return 0;}
$sqlcon = conSql();
if(!$sqlcon){return 0;}
$e_user = mysqli_real_escape_string($sqlcon,$_SESSION["user"]);
$query = "SELECT * FROM users WHERE user='$e_user'";
$result = mysqli_query($sqlcon, $query);
while($row = mysqli_fetch_assoc($result))
{
if(
($row["user"] == $_SESSION["user"]) and
($row["hash"] == $_SESSION["hash"]) )
{return 1;}
}
return 0;
}
function logoutUser(){
$_SESSION["user"] = "";
$_SESSION["hash"] = "";
session_destroy();
}
function loginUser($user,$key)
{
$sqlcon = conSql();
if(!$sqlcon){return 2;}
$e_user = mysqli_real_escape_string($sqlcon,$user);
$query = "SELECT * FROM users WHERE user='$e_user'";
$result = mysqli_query($sqlcon, $query);
while($row = mysqli_fetch_assoc($result))
{
if($row["user"] == $user)
{
if(password_verify($key,$row["hash"]) == 1)
{
session_start();
$_SESSION["user"] = $row["user"];
$_SESSION["hash"] = $row["hash"];
$_SESSION["merit"]=$row["merit"];
return 0;
}
}
}
return 1;
}
function chkUser_exist($user) //is this correct? Can this function be shortened?
{
$sqlcon = conSql();
if(!$sqlcon){return 2;}
$e_user = mysqli_real_escape_string($sqlcon,$user);
$query = "SELECT user FROM users WHERE user='$e_user'";
$result = mysqli_query($sqlcon, $query);
while($row = mysqli_fetch_assoc($result))
{
if($row["user"] == $user){mysqli_close($sqlcon);return 1;}
}
mysqli_close($sqlcon);
return 0;
}//The function works, but can it be better somehow?
function makeUser($merits, $user, $key)
{
if(chkPermit($merits,CONF."makeUser") == 0){return 1;} //Do we have permission?
if(chkUser_exist($user)){return 2;} //Does the user already exist?
$hash = password_hash($key,PASSWORD_BCRYPT); //create the hash
$sqlcon = conSql(); //connect to the db
if(!$sqlcon){return 3;}
$e_user = mysqli_real_escape_string($sqlcon,$user); //secure the data
$e_hash = mysqli_real_escape_string($sqlcon,$hash);
$e_merit= mysqli_real_escape_string($sqlcon, "0");
$query = "INSERT INTO users VALUES ('$e_user','$e_hash','$e_merit')"; //create the query
if(mysqli_query($sqlcon, $query)){mysqli_close($sqlcon);return 0;}
echo "Fatal: Shar/kernel.php, makeUser, SQL error";
mysqli_close($sqlcon);
return 4;
}
function chkPermit($merits,$entity)
{
if(!file_exists($entity))
{
echo 'Fatal: Shar/kernel.php, chkPermit, $entity = '.$entity.', file not found';
return 0;
}
$level = file_get_contents($entity);
if($merits >= $level){return 1;}
else{return 0;}
}
?>
EDIT:
I have updated the code, how is it now? I kind of understand exceptions much better, but I don't see how it's better than just using error codes. It seems much simpler and easier, not to mention they seem to work better. I honestly can't handle PDO and its object orientation. I'm not going to, use anything other than mysql anyways. I like the idea of prepared statements, but I don't see where in my code they'd work better than escape strings. I may use them in the future though. What do you guys think? The particular functions I'm concerned about it chkUser and loginUser.