Hi guys,
Well, I wrote a class for a big project (a framework), and here it is. I was wondering if anyone has any suggestions regarding flexibility and security.
Of course it uses specific framework classes, but it's quite understandable.
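==================================================================
<?php
/**
 * Project: BBBM Framework
 * File: authentication.class.php
 *
 * @desc Main Authentication Class
 * @link http://www.bbbm.com.br/
 * @copyright 2004 Bruno B B Magalhaes
 * @author Bruno B B Magalhaes <[EMAIL PROTECTED]>
 * @package BBBM Framework
 * @version 0.5dev
 */

/**
 * Form / session / cookie based authentication against the `users` and
 * `usersgroups` tables of the framework database layer.
 *
 * check_session(), check_cookie() and check_post() read the three possible
 * credential sources into the object; authenticate() then dispatches to
 * auth() (form login, username + password) or auth_check() (existing login,
 * username + stored session id) when the requested section needs a level
 * above 0.
 *
 * NOTE(review): every query is still built by concatenation, with
 * addslashes() in the check_*() methods as the only escaping. The database
 * object used here (build_table(), query(), num_rows(), fetch_array(), row,
 * table) shows no parameterised query API; adding one there and using it
 * from this class is the proper fix for the string-built WHERE clauses.
 */
class authentication
{
    var $domain;
    var $database;
    var $authenticated = false;
    var $access_section = '';
    var $access_level = '0';
    // Set by the check_*() methods: true when that source supplied a
    // usable credential, false otherwise (never tested with isset(),
    // because isset(false) is true).
    var $post;
    var $session;
    var $cookie;
    var $userid;
    var $username;       // escaped with addslashes(strip_tags()) by check_*()
    var $password;       // md5 hex digest of the submitted password
    var $sessionid;
    var $remember_me;    // true when a persistent cookie should be written
    var $errormsg;
    var $tables = array('users', 'usersgroups');

    /**
     * Binds the database layer and registers the two tables this class uses.
     *
     * @param object $database framework database object
     */
    function __construct(&$database)
    {
        $this->database =& $database;
        $this->database->build_table($this->tables);
        // NOTE(review): HTTP_HOST is supplied by the client; a configured
        // site domain is the safer cookie scope. Guarded so CLI use does not
        // raise an undefined-index notice.
        $this->domain = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    }

    /**
     * PHP 4 style constructor, kept for old interpreters; PHP 5+ uses
     * __construct() above and treats this as a plain method.
     */
    function authentication(&$database)
    {
        $this->__construct($database);
    }

    /**
     * Start the authentication process for a section.
     *
     * @param string $access_section name of the section being entered
     * @param int    $access_level   minimum group level required; 0 (or less)
     *                               means the section is public and no
     *                               credential source is consulted
     */
    function authenticate($access_section = '', $access_level = 0)
    {
        if ($access_level > 0) {
            $this->access_level = $access_level;
            $this->access_section = $access_section;
            // Lowest-priority source first: each check overwrites
            // $this->username / $this->sessionid / $this->remember_me, so the
            // values left behind belong to the source the dispatch below
            // actually uses (form post beats cookie beats session).
            $this->check_session();
            $this->check_cookie();
            $this->check_post();
            if ($this->post) {
                $this->auth($this->username, $this->password, $this->access_level);
            } elseif ($this->cookie) {
                $this->auth_check($this->username, $this->sessionid, $this->access_level);
            } elseif ($this->session) {
                $this->auth_check($this->username, $this->sessionid, $this->access_level);
            } else {
                $this->authenticated = false;
            }
        } else {
            $this->authenticated = true;
        }
    }

    /**
     * Form login: verify username/password, then record the login in the
     * session, the users table and (on request) a persistent cookie.
     *
     * @param string $username    already escaped for the query, as done by
     *                            check_post()
     * @param string $password    md5 hex digest of the submitted password
     * @param int    $accesslevel minimum group level required
     */
    function auth($username = '', $password = '', $accesslevel = 0)
    {
        // NOTE(review): the stored credential is compared as an unsalted md5
        // digest; the column should migrate to a salted, slow hash.
        $query = 'SELECT *
            FROM ' . $this->database->table['users'] . ' AS users,
                 ' . $this->database->table['usersgroups'] . ' AS groups
            WHERE users.userGroup = groups.groupId
              AND users.userName = \'' . $username . '\'
              AND users.userPassword = \'' . $password . '\'
              AND users.userStatus > \'0\'
              AND groups.groupStatus > \'0\'
            LIMIT 1';
        $this->database->query($query);
        if ($this->database->num_rows() <= 0) {
            $this->_deny('error_unauthorized');
            return;
        }
        $this->database->fetch_array();
        if ($this->database->row['groupLevel'] < $accesslevel) {
            $this->_deny('error_noaccessprivileges');
            return;
        }
        // A fresh id on login, so a session id that existed before the
        // credentials were checked is never the one stored as the login token.
        if (session_id() != '') {
            session_regenerate_id();
        }
        $this->sessionid = session_id();
        $this->authenticated = true;
        $this->userid = $this->database->row['userId'];
        $this->session_write('username', $this->database->row['userName']);
        $this->session_write('userlevel', $this->database->row['groupLevel']);
        if ($this->remember_me) {
            $this->cookie_write('username', $this->database->row['userName']);
            $this->cookie_write('sessionid', $this->sessionid);
        }
        $update_query = 'UPDATE ' . $this->database->table['users'] . '
            SET userSession = \'' . $this->sessionid . '\',
                userLastvisit = NOW()
            WHERE userId = \'' . $this->database->row['userId'] . '\'';
        $this->database->query($update_query);
    }

    /**
     * Re-validate an existing login: the username plus the session id stored
     * in the users table at login time.
     *
     * @param string $username    already escaped for the query
     * @param string $sessionid   already escaped for the query
     * @param int    $accesslevel minimum group level required
     */
    function auth_check($username = '', $sessionid = '', $accesslevel = 0)
    {
        // userName is selected as well because the remember-me cookie below
        // is written from it.
        $query = 'SELECT users.userId, users.userName, groups.groupLevel
            FROM ' . $this->database->table['users'] . ' AS users,
                 ' . $this->database->table['usersgroups'] . ' AS groups
            WHERE users.userGroup = groups.groupId
              AND users.userName = \'' . $username . '\'
              AND users.userSession = \'' . $sessionid . '\'
              AND users.userStatus > \'0\'
              AND groups.groupStatus > \'0\'
            LIMIT 1';
        $this->database->query($query);
        if ($this->database->num_rows() <= 0) {
            $this->_deny('error_unauthorized');
            return;
        }
        $this->database->fetch_array();
        if ($this->database->row['groupLevel'] < $accesslevel) {
            $this->_deny('error_noaccessprivileges');
            return;
        }
        $this->authenticated = true;
        $this->userid = $this->database->row['userId'];
        $this->session_write('userlevel', $this->database->row['groupLevel']);
        if ($this->remember_me) {
            $this->cookie_write('username', $this->database->row['userName']);
            $this->cookie_write('sessionid', session_id());
        }
        $update_query = 'UPDATE ' . $this->database->table['users'] . '
            SET userSession = \'' . $sessionid . '\',
                userLastvisit = NOW()
            WHERE userId = \'' . $this->database->row['userId'] . '\'';
        $this->database->query($update_query);
    }

    /**
     * Shared failure path: drop whatever login state exists and record why.
     *
     * @param string $errormsg error key reported through $this->errormsg
     */
    function _deny($errormsg)
    {
        $this->logout();
        $this->authenticated = false;
        $this->errormsg = $errormsg;
    }

    /**
     * Clear the stored session id, the PHP session and the persistent
     * cookies. Does nothing unless check_session() or check_cookie() found a
     * credential in this request.
     */
    function logout()
    {
        if (!$this->session && !$this->cookie) {
            return;
        }
        $update_query = 'UPDATE ' . $this->database->table['users'] . '
            SET userSession = \'\'
            WHERE userName = \'' . $this->username . '\'
              AND userSession = \'' . $this->sessionid . '\'';
        $this->database->query($update_query);
        if ($this->session) {
            session_unset();
            session_destroy();
        }
        if ($this->cookie) {
            setcookie('username', '', time() - 3600, '/', $this->domain);
            setcookie('sessionid', '', time() - 3600, '/', $this->domain);
        }
    }

    /**
     * Store one value in the PHP session.
     *
     * @param string $var session key
     * @param mixed  $val value
     */
    function session_write($var = '', $val = '')
    {
        $_SESSION[$var] = $val;
    }

    /**
     * Write one persistent cookie, valid for seven days, scoped to '/' on
     * $this->domain.
     *
     * NOTE(review): the cookie carries the login token; the secure and
     * httponly flags are worth adding once PHP 5.2+ is the minimum.
     *
     * @param string $var cookie name
     * @param string $val cookie value
     */
    function cookie_write($var = '', $val = '')
    {
        setcookie($var, $val, time() + 24 * 3600 * 7, '/', $this->domain);
    }

    /**
     * Read the credential stored in the PHP session, if any. Sets
     * $this->session, and on success $this->username, $this->sessionid and
     * $this->remember_me.
     */
    function check_session()
    {
        $this->session = false;
        if (!isset($_SESSION)) {
            return;
        }
        $this->sessionid = session_id();
        if (!isset($_SESSION['username'])) {
            return;
        }
        if ($_SESSION['username'] == '' || $this->sessionid == '') {
            $this->errormsg = 'error_sessionerror';
            return;
        }
        $this->session = true;
        $this->username = addslashes(strip_tags($_SESSION['username']));
        $this->remember_me = false;
    }

    /**
     * Read the remember-me cookies, if present. Sets $this->cookie, and on
     * success $this->username, $this->sessionid and $this->remember_me.
     */
    function check_cookie()
    {
        $this->cookie = false;
        if (!isset($_COOKIE) || !isset($_COOKIE['username']) || !isset($_COOKIE['sessionid'])) {
            return;
        }
        if ($_COOKIE['username'] == '' || $_COOKIE['sessionid'] == '') {
            $this->errormsg = 'error_cookieerror';
            return;
        }
        $this->cookie = true;
        $this->username = addslashes(strip_tags($_COOKIE['username']));
        $this->sessionid = addslashes(strip_tags($_COOKIE['sessionid']));
        $this->remember_me = true;
    }

    /**
     * Read a submitted login form, if present. Sets $this->post, and on
     * success $this->username, $this->password (md5 digest) and
     * $this->remember_me (from the optional 'rememberme' field).
     */
    function check_post()
    {
        $this->post = false;
        if (!isset($_POST) || !isset($_POST['username']) || !isset($_POST['password'])) {
            return;
        }
        if ($_POST['username'] == '' || $_POST['password'] == '') {
            $this->errormsg = 'error_unfilledfield';
            return;
        }
        $this->post = true;
        $this->username = addslashes(strip_tags($_POST['username']));
        $this->password = md5($_POST['password']);
        $this->remember_me = isset($_POST['rememberme']);
    }
}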
?>
============================================================Best Regards, Bruno B B Magalhaes

