radar Posted December 13, 2010 Share Posted December 13, 2010 I have this function completely written in my class file that I am working on. The point to this function is to be able to check the login of a user or administrator for either of the control panels associated with my site. It will check the session intime as well as the page / module referenced. Once it passes all those checks, it will check and ensure the emailaddress/password stored in the current session still holds true and the account is still active... if the account is still active it will update the lastActivity as well as update all of the session variables with what is currently in the database. What I am looking for is basically a look at the function, see if it looks good.. If there is any part to it that could create security holes for the site just off the login function itself... Usage: $q->validUser($_SESSION['user'], $_mod); <?php function validUser($sess, $p) { if ($sess['inTime'] == '' && $p != 'login' && $p != 'logout') { session_destroy(); $login = '0'; $_int = ''; return $login; } else if ($sess['inTime'] < time()-3600 && $p != 'login') { $sess['inTime'] = ''; session_destroy(); $this->check_login($sess, $p); } else { $this->user = $sess['emailAddress']; $this->pass = $sess['password']; $login = $this->sql_query("SELECT * FROM users WHERE emailAddress = '".$this->user."' AND password = '".$this->pass."' AND status = '1' LIMIT '1'"); if ($login = $this->sql_numrows($login) < 1) { $sess['inTime'] == ''; session_destroy(); $login = '0'; } else { // logged in, lets update the database for last_activity AND the session. $this->sql_query("UDATE users SET lastActivity = '".now()."' WHERE emailAddress = '".$this->user."'"); $login = $this->sql_query("SELECT * FROM users WHERE emailAddress = '".$this->user."' AND password = '".$this->pass."' AND status = '1' LIMIT '1'"); $login = mysql_fetch_assoc($login); foreach ($login as $key => $value) { $sess[$key] = $value; } $sess['inTime'] = time(); $login = '1'; } return $login; } } ?> That is the main function, sql_query and sql_numrows is: <?php function sql_query($query = "", $transaction = FALSE) { unset($this->query_result); if ($query != "") { $this->num_queries++; if ($transation == BEGIN_TRANSACTION && !$this->in_transation) { $result = mysql_query("BEGIN", $this->db_connect_id); if (!$result) { return false; } $this->in_transaction = TRUE; } $this->query_result = mysql_query($query, $this->db_connect_id); } else { if ($transaction == END_TRANSACTION && $this->in_transaction ) { $result = mysql_query("COMMIT", $this->db_connect_id); } } if ($this->query_result) { unset($this->row[$this->query_result]); unset($this->rowset[$this->query_result]); if ($transaction == END_TRANSACTION && $this->in_transaction ) { $this->in_transaction = FALSE; if (!mysql_query("COMMIT", $this->db_connect_id)) { mysql_query("ROLLBACK", $this->db_connect_id); return false; } } return $this->query_result; } else { if ($this->in_transaction ) { mysql_query("ROLLBACK", $this->db_connect_id); $this->in_transaction = FALSE; } return false; } } function sql_numrows($query_id = 0) { if(!$query_id) { $query_id = $this->query_result; } return ($query_id) ? mysql_num_rows($query_id) : false; } ?> Any insight that can help to benefit these functions would be appreciated. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.