An XML Project - any potential problems?

Posted: Sun Apr 27, 2008 12:44 pm
by toasty2
I've made a working XML user system. It works for me, but I'm wondering if anyone spots any problems or bad practices.

First of all, a sample XML user file (passwords are SHA256, file name should be users.xml.php):

<?xml version="1.0" encoding="UTF-8"?>
<?php exit; ?>
<users>
  <user>
    <username>username</username>
    <password>5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8</password>
  </user>
</users>

And the PHP Script:

<?php
  /*
    XML User Management System
    (C) Copyright 2008 Blake Buckalew
  */
session_start();
 
// Constant names must be passed to define() as quoted strings.
define('HASH','sha256');
define('XUMSVER','0.1');
define('XMLFILE','users.xml.php');
 
# Let's do some checks first:
if (!in_array(HASH,hash_algos()))
{
  exit('The selected hash is unavailable on this server.'); // error
}
 
# Start of Functions
$XML = simplexml_load_file(XMLFILE);
 
function debug_xml()
{
  echo '<pre>';
  global $XML;
  print_r($XML);
  echo '</pre>';
}
 
# Add user function, returns false if user already exists.
function add_user($user,$pass)
{
  global $XML;
  foreach($XML->user as $u)
  {
    if($u->username == $user) // Does the user already exist?
    {
      return false;
    }
  }  
  $newuser = $XML->addChild('user');
  $newuser->addChild('username',$user);
  $newuser->addChild('password',hash(HASH,$pass));
  file_put_contents(XMLFILE,$XML->asXML());
  return true; // user was added
}
 
# Login function, returns true on success and can optionally set variables for you.
function login($username,$password,&$authvar=false,&$unamevar=false)
{
  global $XML;
  foreach($XML->user as $u)
  {
    if($u->username == $username and comparetohash($password,$u->password))
    {
      $r = true;
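      # Set variables. func_num_args() tells us whether the optional references
      # were passed; testing their value would skip an unset $_SESSION['auth'].
      if(func_num_args() > 2) {$authvar = $r;}
      if(func_num_args() > 3) {$unamevar = $username;}
      return $r;
    }
  }
  # No match: clear any stale auth flag and report failure.
  if(func_num_args() > 2) {$authvar = false;}
  return false;
}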
 
function comparetohash($pass,$hash)
{
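  // Strict, constant-time string comparison; loose == can treat two different
  // numeric-looking hex strings as equal.
  return hash_equals(hash(HASH,$pass), (string)$hash);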
}
 
# TESTING the functions:
login('username','password',$_SESSION['auth']);
if($_SESSION['auth'] == true){echo 'Logged in';}else{echo 'Wrong password';}
add_user('fred','password');
debug_xml();
?>
 
I am going to improve this and release it at a later date if anyone is interested by the way.

Re: An XML Project - any potential problems?

Posted: Mon Apr 28, 2008 5:14 am
by Mordred
In my book, using XML is a bad practice itself, but even objectively speaking for your case, replacing a database with flat files is a bad idea, and if the files in question are XMLs you are only adding performance overhead for no added benefit.

You are also using unsalted hashes.
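
What salted storage could look like for this user file, as an added example that is not part of the thread: it keeps the `<users>` layout from the first post and uses PHP's built-in `password_hash()` / `password_verify()` (PHP 5.5+), which generate and store a per-user salt. The function names `add_user_salted` and `login_salted` and the in-memory document are assumptions made for illustration.

```php
<?php
// Added example, not the thread's code. The <users>/<user> layout follows the
// sample file in the first post; function names are assumptions.

function add_user_salted(SimpleXMLElement $xml, string $user, string $pass): bool
{
    foreach ($xml->user as $u) {
        if ((string) $u->username === $user) {
            return false; // user already exists
        }
    }
    $new = $xml->addChild('user');
    $new->username = $user; // property assignment XML-escapes the value
    // password_hash() draws a random salt per call and stores it, with the
    // algorithm and cost, inside the returned string.
    $new->password = password_hash($pass, PASSWORD_DEFAULT);
    return true;
}

function login_salted(SimpleXMLElement $xml, string $user, string $pass): bool
{
    foreach ($xml->user as $u) {
        if ((string) $u->username === $user) {
            // Re-hashes $pass with the salt read from the stored record and
            // compares the result in constant time.
            return password_verify($pass, (string) $u->password);
        }
    }
    return false;
}

// Constructed sample data: two users who picked the same password.
$xml = new SimpleXMLElement('<users/>');
add_user_salted($xml, 'alice', 'password');
add_user_salted($xml, 'bob', 'password');

// Bare SHA-256, as in the original file: equal passwords give equal hashes,
// so one precomputed table entry matches every such user.
var_dump(hash('sha256', 'password') === hash('sha256', 'password'));
// Salted: compare the two stored records for the same password.
var_dump((string) $xml->user[0]->password === (string) $xml->user[1]->password);
var_dump(login_salted($xml, 'alice', 'password'));
var_dump(login_salted($xml, 'bob', 'wrong'));
echo $xml->asXML(), "\n";
```

Because the salt and cost travel inside each stored string, the XML schema needs no extra `<salt>` element.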

Re: An XML Project - any potential problems?

Posted: Wed Apr 30, 2008 1:43 pm
by ManUnderground
XML has its uses but I don't think you should replace the database with it in this case. Here are a couple reasons:
1. Searching for elements in XML is much slower than in a relational database. This may change in the future, but from what I've learned, attempts to make searching for elements in XML faster amount to shredding the XML and turning it into a relational database, so why not just stick with the database?
2. If it's a file you can't leverage best practices for scaling w/ databases. I'm sure you can find a way around this issue, but is it worth the trouble?

XML is fine for writing a protocol of some sort, but it doesn't seem ideally suited to be your data store.

Re: An XML Project - any potential problems?

Posted: Thu May 01, 2008 5:28 pm
by toasty2
I agree with you and I know it isn't very scalable. This won't be storing more than 5 users so that won't be a problem. In most cases I would agree that a database is more suitable, but in this case they don't have MySQL and they really don't need it. On the security side... I will definitely implement salting. Also, is this worth converting to a class? I have very little OOP experience.

Re: An XML Project - any potential problems?

Posted: Fri May 02, 2008 2:33 pm
by Verminox
Also, this might be a little prone to human error.

For example:
Your directory:
- index.php
- blah.php
...
40 other files
...
- users.xml.php

Now you make some changes to blah.php or index.php or update a whole bunch of other stuff for a whole site revamp (It's version 2.0!) or whatever. You upload your entire local directory to the server and when your FTP client keeps asking you whether to replace each file you get annoyed and click 'Replace All' (or in some other human-error way replace the existing files).

Now users.xml.php just got replaced! All your user data is lost :-(

Re: An XML Project - any potential problems?

Posted: Sat May 03, 2008 7:30 pm
by toasty2
True, but that can happen to anything...database (not common but still possible), files created by a CMS (i.e. a default page), configuration file, etc. It's really no different. Avoiding it isn't that difficult...people need to back things up, it's as simple as that.