php-beginner

Members, 59 posts, last visited: never

Everything posted by php-beginner

  1. Why is this not ready for production? Because there is no error handling? And what do you mean by data normalization? I am writing my own login system and I'd like to implement this code to produce messages when they deliver bad input. Nothing special, right?
  2. Thank you so much! I would have never figured that out lol. How can I learn these things? I mean, I can't find this in the PHP manual. I have also read a lot of tutorials but still I can't figure this out myself. I know that echoing in a class is not the best thing to do, but I need something to output my own generated errors. I see no other option because exceptions are used for other kinds of errors. If you have any suggestions to learn this, please tell me.
  3. I'm confused now ;P This is what I want, but then the OOP way. Where have I gone wrong and how should it be done?

     $error = array();
     $error['empty'] = "Empty input.";
     $error['invalid'] = "Invalid characters.";
     if(count($error)>0){
         echo '<u>Errors:</u>';
         echo '<ul>';
         foreach($error as $msg){
             echo '<li>'. $msg .'</li>';
         }
         echo '</ul>';
     }

     Thanks so far.
  4. Yes, I tried that before but that will output: Array.
  5. Hello all. When I run this code and a second error occurs, the array will be overwritten. Can someone tell me how to show both errors?

     if($this->formValidator->isEmpty($username) || $this->formValidator->isEmpty($password)){
         $this->message->storeMessage(array($error['a'] = 'U heeft niet alle velden ingevuld.'));
     }
     if($this->formValidator->isInvalid($username) || $this->formValidator->isInvalid($password)){
         $this->message->storeMessage(array($error['b'] = 'U heeft ongeldige karakters ingevuld.'));
     }
     if($this->message->messages == true){
         $this->message->showMessage();
     }

     class Message{
         public $messages = array();

         public function storeMessage(array $messages){
             $this->messages = $messages;
         }

         public function showMessage(){
             echo '<ul>';
             foreach($this->messages as $msg){
                 echo '<li>'. $msg .'</li>';
             }
             echo '</ul>';
         }
     }
  6. Yes, but not accepting cookies still lets me log in. Is it because it is not real cookie data (what you mentioned before)? I try to understand and test it before I'll put anything online. Thank you so far.
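The overwrite in post 5 happens because storeMessage() assigns a new array on every call. Below is an added example (not the poster's code) of a Message class that appends instead, returns the HTML rather than echoing it (the OOP form asked for in post 3), and escapes each message before it is rendered; the validation checks and input values are constructed for the example.

```php
<?php
// Added example: collect every stored message instead of replacing the list.
class Message
{
    private array $messages = [];

    // Append one message under a key, so the same error is not listed twice.
    public function storeMessage(string $key, string $message): void
    {
        $this->messages[$key] = $message;
    }

    public function hasMessages(): bool
    {
        return count($this->messages) > 0;
    }

    // Return the list as HTML so the caller decides where it is printed.
    // htmlspecialchars() keeps a message that echoes user input from being
    // interpreted as markup.
    public function render(): string
    {
        if (!$this->hasMessages()) {
            return '';
        }
        $html = '<ul>';
        foreach ($this->messages as $msg) {
            $html .= '<li>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</li>';
        }
        return $html . '</ul>';
    }
}

// Constructed input standing in for the form fields checked in the post.
$username = '';
$password = 'bad<chars>';
$allowed  = '/^[A-Za-z0-9_]+$/';
$message  = new Message();

if ($username === '' || $password === '') {
    $message->storeMessage('empty', 'Not all fields were filled in.');
}
if (!preg_match($allowed, $username) || !preg_match($allowed, $password)) {
    $message->storeMessage('invalid', 'Invalid characters were entered.');
}

// Both messages survive because each call adds an entry.
echo $message->render();
```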
  7. That means that I don't have to use the function "use only cookies" right? Because there's only a session in the cookie (which is not real cookie data?). So this won't prevent the SID through the url. So what do I need to prevent the SID through the url?
  8. I have also tried to let Firefox ask me when I wanted to store the cookie. When I refuse the cookie, the headers are still sent. So it has to be something in my code. Right?
  9. Quoting the reply: "Yes it should, but you also need to check that the form is not passing a hidden parameter. With that said, your assumption that your browser is not accepting cookies might be invalid. If you're not seeing the url param, or hidden form parameters, and you're still seeing sessions in operation, then I'd question your assumptions. For testing, I would use firebug to analyze what is going on."
     You're right. But I don't get it. This time I disabled cookies in Firefox and again it's not working. I checked this with Firebug and I see that the header is sent. I see the SESSID, password and username. P.S. I checked with Wireshark if I can see my password in plain text because I saw that in Firebug. Well, I can, but I have encrypted this with a salt + password. This means that my code is not correct, or can't I send this encrypted other than over SSL? Thanks so far!
  10. I have read some articles, including that one. My code is not enough to fix the whole session stealing, but I don't understand why my code doesn't work and lets me log in. Do I correctly disable cookies? My code should force the browser to use cookies and not put the SID in the url. So when I disable cookies, this "login" shouldn't work anymore, right?
  11. Yes. The SID is not being passed in the url when my cookies are enabled. When I disable cookies, I can still log in. I have done this in Internet Explorer: Internet options -> Privacy -> Advanced -> block all cookies
  12. I thought that "use only cookies" should prevent the session id from being put in the url and put it in a cookie instead?
  13. Hello everyone. I am trying to use only cookies so that session fixation is not possible. Unfortunately I can still log in when I disable cookies in Internet Explorer. Am I doing something wrong? Or do I misunderstand the concept? This is my code:

      <?php
      class Session{
          private $username;

          public function createSession($username){
              $this->username = $username;
              ini_set("session.use_only_cookies", 1);
              session_start();
              $_SESSION['username'] = $this->username;
              return $this->username;
          }
      }
      ?>
  14. Thank you for your explanation. From what I've read, return is used inside the class and echo is used outside the class. So I'm a bit confused now ^^
  15. class Message{
          private $message;

          public function showDialog($message){
              $this->message = $message;
              return $this->message;
          }
      }

      if(empty($username) || empty($password)){
          $this->message->showDialog('epic failure');
      }

      If I echo, it works. But that's not allowed.
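session.use_only_cookies only stops PHP from reading an id out of the URL; it does not stop an attacker from planting an id that the victim then logs in with. The added example below (not the poster's code) shows the settings that belong before session_start() and the session_regenerate_id() call that actually defeats fixation; it assumes PHP 7.3 or newer and that the site is served over HTTPS.

```php
<?php
// Added example: session setup that resists fixation. The ini settings must be
// applied before session_start(), and the id is regenerated once the user is
// authenticated, so an id chosen before login is never trusted afterwards.
function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
    ini_set('session.use_trans_sid', '0');    // never append the id to links
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumption: site runs over HTTPS
        'httponly' => true,   // keep scripts from reading the cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call this only after the credentials have been verified (done by the caller).
function loginSession(string $username): void
{
    // A fresh id replaces whatever id the browser arrived with, and the old
    // session file is deleted, so a planted id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['username']     = $username;
    $_SESSION['logged_in_at'] = time();
}

function isLoggedIn(): bool
{
    return isset($_SESSION['username']);
}

// Typical request flow: start the session first, then act on the login.
startHardenedSession();
if (!isLoggedIn()) {
    // ... verify the submitted form, then:
    // loginSession($verifiedUsername);
}
```

With cookies disabled the browser cannot send the id back, so after these settings a request without a cookie starts a brand-new, unauthenticated session; a login that still "works" in that situation is not being checked against the session at all.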
  16. Thank you for your replies. I think I will continue this script without the use of a framework. Maybe I'll use it in the future. About the general message class: I could make a message class where I bind messages to a variable. But then I have to echo them in other classes, right? And echo shouldn't be used in classes. Or am I wrong? Like: if(login){then true} else{echo $this->error->message;}
  17. Thank you for your explanation. Do you think it is wise to use a framework for a newb like me? I mean, three weeks ago I started learning OO in PHP. And why isn't it wise to use exceptions for wrong login input? I found an article that says that there are no rules for that. Or am I wrong?
  18. No, I mean a form class. But why should I use a framework? I mean, I'm new to OOP, is it better to concentrate on frameworks?
  19. Thank you for your suggestions. I've read that there are no rules for using exceptions or which error handling is the best. But I agree that it doesn't feel right to use it this way for the login. Could you give me an example?
  20. Hello everyone. The last few weeks I've asked a few questions. From the answers given, I've finished my login script. But I am a noob at OOP PHP and I have also no clue if there are any security holes. So my question to you guys is: What have I done wrong? What can I do better? And what's missing? I also have one basic question: I haven't declared any variable to public, protected or private. Is it better to declare every variable? Or only a few? Here is my code:

      Index.php:

      <?php
      if ($_SERVER['REQUEST_METHOD'] == 'POST') {
          require('classes/class_lib.php');
          if(isset($_POST['username'])){
              $username = $_POST['username'];
          }
          if(isset($_POST['password'])){
              $password = $_POST['password'];
          }
          try{
              $user = new User;
              $user->login($username, $password);
          } catch(MysqlException $error){
              echo $error->getError();
          } catch(LoginException $error){
              echo $error->getError();
          }
      }
      ?>
      // form etc.

      And my class_lib.php:

      <?php
      class MysqlException extends Exception{
          public function getError(){
              $errorMessage = 'Er is een fout opgetreden in '.$this->getFile().' op regel '.$this->getLine().'<br />';
              $errorMessage .= 'Foutmelding: <i>'.$this->getMessage().'</i><br />';
              return $errorMessage;
          }
      }

      class LoginException extends Exception{
          public function getError(){
              $errorMessage = $this->getMessage();
              return $errorMessage;
          }
      }

      class Mysql{
          public function __construct(){
              $this->db = new mysqli('localhost','root','','login');
              if($this->db->connect_error){
                  throw new MysqlException('Kan geen verbinding maken.');
              }
          }

          public function escapeString($string){
              $this->string = $this->db->real_escape_string($string);
              return $this->string;
          }
      }

      class Query extends Mysql{
          public function runQuery($query){
              $this->result = $this->db->query($query);
              if(!$this->result){
                  throw new MysqlException('Er is iets fout gegaan tijdens het uitvoeren van de query.');
              }
          }

          public function returnQuery(){
              // The check has to run before the return, otherwise it is never reached.
              if(!$this->result){
                  throw new MysqlException('Er is iets fout gegaan tijdens het ophalen van de resultaten.');
              }
              return $this->result->num_rows;
          }
      }

      class User{
          public function __construct(){
              $this->mysql = new Mysql;
              $this->query = new Query;
          }

          public function login($username, $password){
              $this->username = $this->mysql->escapeString($username);
              $this->password = $this->mysql->escapeString($password);
              $this->setQuery = "SELECT gebruikerid FROM gebruikers WHERE gebruikersnaam='" . $this->username . "' AND wachtwoord='" . $this->password . "'";
              $this->query->runQuery($this->setQuery);
              if($this->query->returnQuery() > 0){
                  return true;
              }else{
                  if(empty($username) || empty($password)){
                      throw new LoginException('U moet alle velden invullen.');
                  }else{
                      throw new LoginException('Uw logingegevens kloppen niet.');
                  }
              }
          }
      }
      ?>
  21. That is exactly what I need. Thank you very much!
  22. Hello everyone. Can someone show me how to pass a $_POST variable from a form to a function? So, input username and input password to a function login($username, $password).
  23. I have marked this problem solved. But I hope you still want to answer my last question. Why do I have to return returnQuery()? And why don't I have to return runQuery()?

      <?php
      class Mysql{
          protected $db;

          public function __construct(){
              $this->db = new mysqli('localhost','root','','login');
          }
      }

      class Query extends Mysql{
          private $result;

          public function runQuery($query){
              $this->result = $this->db->query($query);
          }

          public function returnQuery(){
              return $this->result->num_rows;
          }
      }

      class User{
          private $query;

          // Instantiate Query object.
          public function __construct(){
              $this->query = new Query;
          }

          public function login(){
              $this->setQuery = "select userid from users where username = 'wouter' and password = 'test'";
              $this->query->runQuery($this->setQuery);
              if($this->query->returnQuery() > 0){
                  echo "You are logged in!";
              }else{
                  echo "Wrong username / password!";
              }
          }
      }
      ?>
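The login in post 20 builds the SQL by string concatenation and compares the submitted password against a plaintext column. The added example below (not the poster's code) keeps the same table and column names from the post but binds the values as parameters and verifies a password_hash() value instead; it assumes the wachtwoord column now stores hashes, that the mysqli connection is created elsewhere and passed in, and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example: login without user input in the SQL text and without
// plaintext passwords. Table/column names (gebruikers, gebruikerid,
// gebruikersnaam, wachtwoord) come from the post; the hash storage is assumed.
class LoginException extends Exception {}

class User
{
    private mysqli $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Returns the user id on success, throws LoginException otherwise.
    public function login(string $username, string $password): int
    {
        if ($username === '' || $password === '') {
            throw new LoginException('U moet alle velden invullen.');
        }
        // The placeholder keeps the value out of the query string, so no
        // real_escape_string() is needed and quotes in input cannot alter it.
        $stmt = $this->db->prepare(
            'SELECT gebruikerid, wachtwoord FROM gebruikers WHERE gebruikersnaam = ?'
        );
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        // One message for both "no such user" and "wrong password", so the
        // response does not reveal which usernames exist.
        if ($row === null || !password_verify($password, $row['wachtwoord'])) {
            throw new LoginException('Uw logingegevens kloppen niet.');
        }
        return (int) $row['gebruikerid'];
    }
}

// Registration side, so the stored value is what login() verifies against.
function storePassword(mysqli $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO gebruikers (gebruikersnaam, wachtwoord) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}
```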
  24. By making the connection in the constructor, you mean saving it in the connection variable? This code will give me the following error: Fatal error: Call to a member function query() on a non-object What's wrong?