PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
It is currently Fri Dec 06, 2019 5:42 pm

All times are UTC - 5 hours




Post new topic Reply to topic  [ 5 posts ] 
Author Message
 Post subject: How's my PHP?
PostPosted: Fri Sep 02, 2016 8:03 pm 
Forum Newbie

Joined: Fri Sep 02, 2016 7:41 pm
Posts: 4
<?php
/*
Why bother with PDO?

Database specs:
user varchar(32), hash character(60), merit bigint

--Todos--
Is it good?

Note: bcrypt truncates passwords to 72 bytes.

Functions and return values:

1) conSql
        0 Unable to connect to database
        (mysqli connection on success)
2) rmUser
        0 Success
        1 Permission denied
        2 Unable to connect to DB
        3 Unknown error
3) authUser
        0 Inauthentic
        1 Authentic
4) logoutUser
        (none)
5) loginUser
        0 Success
        1 Incorrect username/password
        2 Unable to connect to DB
6) chkUser_exist
        0 Doesn't exist
        1 Exists
        2 Unable to connect to DB
7) makeUser
        0 Success
        1 Permission denied
        2 User already exists
        3 Unable to connect to database
        4 Unknown error
8) chkPermit
        0 Permission denied
        1 Permission granted
*/


define("CONF","Conf/Shar/kernel/"); //Helps make checking permissions much easier

//A bunch of SQL constants, makes changing info easier
define("hostname","localhost");
define("username","user");
define("password","lCvebzHkf3mN1ERwfLewVWx8i2LjhLrF");
define("database","db");

function conSql()
        {
        $sqlcon = mysqli_connect(hostname, username, password, database);
        if(!$sqlcon)
                {
                //Log driver errors instead of echoing them into the page
                error_log("Fatal: Shar/kernel.php, Unable to connect to database: ".mysqli_connect_error());
                return 0;
                }
        //mysqli_real_escape_string() escapes according to the connection's character set,
        //so it must be set explicitly before anything is escaped
        mysqli_set_charset($sqlcon, "utf8mb4");
        return $sqlcon;
        }

function rmUser($merits,$user)
        {
        if(chkPermit($merits,CONF."rmUser") == 0){return 1;}
        $sqlcon = conSql();
        if(!$sqlcon){return 2;}
        $e_user = mysqli_real_escape_string($sqlcon,$user);
        $query  = "DELETE FROM users WHERE user='$e_user'";
        if(mysqli_query($sqlcon, $query)){mysqli_close($sqlcon);return 0;}
        error_log("Fatal: Shar/kernel.php, rmUser, SQL error: ".mysqli_error($sqlcon));
        mysqli_close($sqlcon);
        return 3;
        }

function authUser()
        {
        //$_SESSION is only populated once the session has been started
        if(session_status() !== PHP_SESSION_ACTIVE){session_start();}
        if(empty($_SESSION["user"]) or empty($_SESSION["hash"])){return 0;}
        $sqlcon = conSql();
        if(!$sqlcon){return 0;}
        $e_user = mysqli_real_escape_string($sqlcon,$_SESSION["user"]);
        $query = "SELECT user, hash FROM users WHERE user='$e_user'";
        $result = mysqli_query($sqlcon, $query);
        $authentic = 0;
        if($result)
                {
                while($row = mysqli_fetch_assoc($result))
                        {
                        //hash_equals() compares in constant time
                        if($row["user"] === $_SESSION["user"] and
                           hash_equals($row["hash"], (string)$_SESSION["hash"]))
                                {$authentic = 1; break;}
                        }
                }
        mysqli_close($sqlcon);
        return $authentic;
        }

function logoutUser()
        {
        if(session_status() !== PHP_SESSION_ACTIVE){session_start();}
        $_SESSION = array();
        session_destroy();
        }

function loginUser($user,$key)
        {
        $sqlcon = conSql();
        if(!$sqlcon){return 2;}
        $e_user = mysqli_real_escape_string($sqlcon,$user);
        $query = "SELECT user, hash, merit FROM users WHERE user='$e_user'";
        $result = mysqli_query($sqlcon, $query);
        $status = 1;
        if($result)
                {
                while($row = mysqli_fetch_assoc($result))
                        {
                        //password_verify() reads the salt and cost out of the stored hash itself
                        if($row["user"] === $user and password_verify($key,$row["hash"]))
                                {
                                if(session_status() !== PHP_SESSION_ACTIVE){session_start();}
                                session_regenerate_id(true); //new session id on login, against session fixation
                                $_SESSION["user"] = $row["user"];
                                $_SESSION["hash"] = $row["hash"];
                                $_SESSION["merit"]= $row["merit"];
                                $status = 0;
                                break;
                                }
                        }
                }
        mysqli_close($sqlcon);
        return $status;
        }

function chkUser_exist($user) //is this correct? Can this function be shortened?
        {
        $sqlcon = conSql();
        if(!$sqlcon){return 2;}
        $e_user = mysqli_real_escape_string($sqlcon,$user);
        $query = "SELECT user FROM users WHERE user='$e_user'";
        $result = mysqli_query($sqlcon, $query);
        //The WHERE clause already did the matching; counting rows is enough.
        //With a case-insensitive collation this also treats "Alice" as existing when "alice" does.
        $exists = ($result and mysqli_num_rows($result) > 0) ? 1 : 0;
        mysqli_close($sqlcon);
        return $exists;
        }

function makeUser($merits, $user, $key)
        {
        if(chkPermit($merits,CONF."makeUser") == 0){return 1;} //Do we have permission?
        $exists = chkUser_exist($user);
        if($exists == 2){return 3;} //DB unreachable is not "user exists"
        if($exists == 1){return 2;} //Does the user already exist?
        $hash = password_hash($key,PASSWORD_BCRYPT); //bcrypt hash, salt generated by PHP
        $sqlcon = conSql(); //connect to the db
        if(!$sqlcon){return 3;}
        $e_user = mysqli_real_escape_string($sqlcon,$user); //secure the data
        $e_hash = mysqli_real_escape_string($sqlcon,$hash);
        $query = "INSERT INTO users (user, hash, merit) VALUES ('$e_user','$e_hash',0)"; //create the query
        if(mysqli_query($sqlcon, $query)){mysqli_close($sqlcon);return 0;}
        error_log("Fatal: Shar/kernel.php, makeUser, SQL error: ".mysqli_error($sqlcon));
        mysqli_close($sqlcon);
        return 4;
        }

function chkPermit($merits,$entity)
        {
        if(!file_exists($entity))
                {
                error_log('Fatal: Shar/kernel.php, chkPermit, $entity = '.$entity.', file not found');
                return 0;
                }
        //The file holds the merit level needed; strip the trailing newline and compare as numbers
        $level = (int) trim(file_get_contents($entity));
        if((int)$merits >= $level){return 1;}
        return 0;
        }
?>
 


Okay, story time! So, I was on a chat I frequent, and some guy came on, pestered the admin over some small amount of HTML code that he didn't like, and started attacking us. He saw this code I posted, and then made fun of me. It's clear that this guy was a troll, but damn, what he said was really burned into my mind. He particularly focused on the "genSalt" function, and said that I can't even indent properly. Okay, now to relevant info (some of the stuff he said was ridiculous): he said that the function was stupid and wrong, because it meant that Apache has access to the urandom device, which was supposedly a huge security flaw. Honestly, I feel like ranting; if you want the story, please ask. He also said that I should've used the random_bytes() function instead of the function I used. He said the whole thing was terrible, but made no other specifications than that.

EDIT:
I have updated the code; how is it now? I kind of understand exceptions much better, but I don't see how it's better than just using error codes. It seems much simpler and easier, not to mention they seem to work better. I honestly can't handle PDO and its object orientation. I'm not going to use anything other than MySQL anyway. I like the idea of prepared statements, but I don't see where in my code they'd work better than escape strings. I may use them in the future though. What do you guys think? The particular functions I'm concerned about are chkUser and loginUser.


Last edited by Giganitris on Sat Oct 08, 2016 8:54 pm, edited 2 times in total.

PostPosted: Fri Sep 02, 2016 9:16 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA


PostPosted: Fri Sep 02, 2016 10:13 pm 
Forum Newbie

Joined: Fri Sep 02, 2016 7:41 pm
Posts: 4
Wow, that's a lot of valuable information. I guess I have a lot of rewriting to do. Also, the "merits" aren't stored in a file, but in the DB. The rw file that it pulls the info from is the merits needed to do a thing. I know it's silly; it's kind of for fun. I was trying to simulate Unix permission thingies, I guess.

About return codes for functions, why not? The intended thing is that I write a documentation file that has the return codes at the very beginning, and it makes it much easier for a dev to write a file that includes mine. Or even if I provide a table in the comments, wouldn't that also work? I was kind of following the "Rule of Repair: Repair what you can — but when you must fail, fail noisily and as soon as possible." As you can see, I'm more of a C/C++ guy. I'm also obsessed with Unix philosophy.

What are the harmful things an SQL error can contain?

Haha I'm sorry about the "snippets" thing. This is the only file that'll contain SQL at all.

How do I separate the salt that's stored with the hash to verify the password, assuming I have to do it myself?

A friend recommended PDO over mysqli, so I guess I might change it to that and rewrite my SQL to use prepared statements.


Also just a snippet of what the troll said "Apache2 is the most pwned bloatware of them all. You really are a skiddy."
"You can't even indent the code properly."

Please tell me I'm not a skiddy, that's the worst insult in all of software history. Seriously, I've been called a lot of horrible things, but that hurts the most.


PostPosted: Fri Sep 02, 2016 11:14 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA


PostPosted: Sat Sep 03, 2016 2:06 am 
Forum Newbie

Joined: Fri Sep 02, 2016 7:41 pm
Posts: 4
Thank you, that's very helpful. I think that answers all my questions.

EDIT:
I have updated the code; how is it now? I kind of understand exceptions much better, but I don't see how it's better than just using error codes. It seems much simpler and easier, not to mention they seem to work better. I honestly can't handle PDO and its object orientation. I'm not going to use anything other than MySQL anyway. I like the idea of prepared statements, but I don't see where in my code they'd work better than escape strings. I may use them in the future though. What do you guys think? The particular functions I'm concerned about are chkUser and loginUser. Can this be done more efficiently?
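
The two functions the poster asks about, loginUser and chkUser_exist, redone with mysqli prepared statements. This is an added example, not code from the original post or any reply in the thread, and it keeps the post's return-code convention rather than exceptions. It assumes the users table described in the post (user varchar(32), hash char(60), merit bigint) and the same four connection constants; the password value is a placeholder. Two points it is meant to show: mysqli_real_escape_string() escapes according to the connection's character set, so the posted code depends on mysqli_set_charset() being called first, whereas a bound parameter travels separately from the SQL text and cannot change the statement no matter what it contains; and the salt never has to be separated by hand, because password_verify() parses the cost and salt out of the stored "$2y$..." string that password_hash() produced.

```php
<?php
// Added example, not code from the original post: loginUser() and chkUser_exist()
// with mysqli prepared statements, keeping the post's return codes.
// Assumed: the users table from the post (user varchar(32), hash char(60), merit bigint)
// and the same connection constants; the password below is a placeholder.
define("hostname", "localhost");
define("username", "user");
define("password", "change-me");
define("database", "db");

function conSql()
        {
        $sqlcon = mysqli_connect(hostname, username, password, database);
        if(!$sqlcon)
                {
                // Log driver errors; never echo them into the response
                error_log("kernel.php: unable to connect: ".mysqli_connect_error());
                return 0;
                }
        mysqli_set_charset($sqlcon, "utf8mb4");
        return $sqlcon;
        }

// 0 doesn't exist, 1 exists, 2 unable to connect / query failed
function chkUser_exist($user)
        {
        $sqlcon = conSql();
        if(!$sqlcon){return 2;}
        // The value is sent separately from the SQL text, so a quote, backslash or
        // odd multibyte sequence in $user cannot alter the statement's structure
        $stmt = mysqli_prepare($sqlcon, "SELECT 1 FROM users WHERE user = ? LIMIT 1");
        if(!$stmt){mysqli_close($sqlcon); return 2;}
        mysqli_stmt_bind_param($stmt, "s", $user);
        $exists = 2;
        if(mysqli_stmt_execute($stmt))
                {
                mysqli_stmt_store_result($stmt);
                $exists = mysqli_stmt_num_rows($stmt) > 0 ? 1 : 0;
                }
        mysqli_stmt_close($stmt);
        mysqli_close($sqlcon);
        return $exists;
        }

// 0 success, 1 incorrect username/password, 2 unable to connect / query failed
function loginUser($user, $key)
        {
        $sqlcon = conSql();
        if(!$sqlcon){return 2;}
        $stmt = mysqli_prepare($sqlcon, "SELECT user, hash, merit FROM users WHERE user = ? LIMIT 1");
        if(!$stmt){mysqli_close($sqlcon); return 2;}
        mysqli_stmt_bind_param($stmt, "s", $user);
        if(!mysqli_stmt_execute($stmt)){mysqli_stmt_close($stmt); mysqli_close($sqlcon); return 2;}
        mysqli_stmt_bind_result($stmt, $dbUser, $dbHash, $dbMerit);
        $found = (mysqli_stmt_fetch($stmt) === true);
        mysqli_stmt_close($stmt);
        mysqli_close($sqlcon);

        if($found)
                {
                // password_verify() reads the cost and the salt out of the stored
                // "$2y$..." string itself; nothing has to be split off by hand
                $verified = password_verify($key, $dbHash);
                }
        else
                {
                // Spend one bcrypt computation anyway so an unknown username is not
                // distinguishable from a wrong password by response time
                password_hash($key, PASSWORD_BCRYPT);
                $verified = false;
                }
        if(!$verified){return 1;}

        if(session_status() !== PHP_SESSION_ACTIVE){session_start();}
        session_regenerate_id(true); // fresh session id on login, against session fixation
        $_SESSION["user"]  = $dbUser;
        $_SESSION["hash"]  = $dbHash;
        $_SESSION["merit"] = $dbMerit;
        return 0;
        }
```

One detail worth keeping from the original: pinning PASSWORD_BCRYPT rather than PASSWORD_DEFAULT is the right call for a char(60) column, since bcrypt output is exactly 60 characters while PASSWORD_DEFAULT may change to a longer format in a later PHP release.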


Powered by phpBB® Forum Software © phpBB Group