Joined: Dec 11, 2010 · Messages: 2,955 · Reaction score: 2,689
It is; at least it's better than my old code. And yeah, NHibernate is really annoying to manage. It forced me to use an ID when I didn't want one (for example, fuserights don't need a unique ID) in my way.
IDs can also be strings.
define('_INC', 'includes');
define('CLSPATH', 'classes');
include(_INC . '/' . CLSPATH . '/class.configuration.php');
include(_INC . '/' . CLSPATH . '/class.database.php');
include(_INC . '/' . CLSPATH . '/class.core.php');
Core::initialize();

class Core
{
    // Public, otherwise Core::$database cannot be used from the login script.
    public static $database = null;

    public static function initialize()
    {
        self::$database = new Database();
    }
}

class Configuration
{
    // Development settings: root with an empty password must not reach a live box.
    private static $types = array
    (
        'mysql' => array
        (
            'hostname' => 'localhost',
            'username' => 'root',
            'password' => '',
            'database' => 'aciddb'
        ),
        'mus' => array
        (
            'ip_addr' => '127.0.0.1',
            'port' => '30001'
        )
    );

    public static function getValue($type, $key)
    {
        return Configuration::$types[$type][$key];
    }
}

class Database
{
    private $pdo;

    // __construct() instead of the PHP 4 style Database() constructor,
    // which PHP 7 deprecates and PHP 8 no longer treats as a constructor.
    public function __construct()
    {
        try
        {
            $this->pdo = new PDO(
                'mysql:host=' . Configuration::getValue('mysql', 'hostname')
                . ';dbname=' . Configuration::getValue('mysql', 'database'),
                Configuration::getValue('mysql', 'username'),
                Configuration::getValue('mysql', 'password')
            );
        }
        catch (PDOException $ex)
        {
            // The exception message contains host, database and driver details;
            // keep it in the server log and show the visitor a generic message.
            error_log('PDO connection failed: ' . $ex->getMessage());
            echo 'Error while attempting to connect to the database.';
        }
    }
}
Avoid try/catch. Only use it when you have a useful task that needs to be executed. It's not there to log the error and continue the script, which causes more exceptions because there was something wrong elsewhere and you ignored it...
define('DS', DIRECTORY_SEPARATOR);
define('_INC', 'includes');
define('CLSPATH', 'classes');
include(_INC . DS . CLSPATH . DS . 'class.configuration.php');
include(_INC . DS . CLSPATH . DS . 'class.database.php');
include(_INC . DS . CLSPATH . DS . 'class.core.php');
Core::initialize();
Yeah, that's what I used first, except I used '/' itself instead of DIRECTORY_SEPARATOR. Will update it, thanks for the support.
session_start(); // $_SESSION is written below, so the session has to be started first

$error = '';
if (isset($_POST['name']) && isset($_POST['password']))
{
    // Hopefully this filters it out
    // (mysql_real_escape_string() comes from the old mysql extension and needs
    // a mysql_connect() link; it has nothing to do with the PDO connection above)
    $name = $_POST['name'];
    $name = stripslashes($name);
    $name = mysql_real_escape_string($name);
    $pass = $_POST['password'];
    $pass = stripslashes($pass);
    $pass = mysql_real_escape_string($pass);
    if (strlen($name) > 0)
    {
        if (strlen($pass) > 0)
        {
            $res = Core::$database->createResult('SELECT * FROM members WHERE username = :name');
            $res->addParam(':name', $name);
            $res->execute();
            if ($res->columnCount() < 1)
            {
                $error = 'Username not found!';
            }
            else
            {
                $user = $res->fetch();
                if ($user['password'] != $pass)
                {
                    $error = 'Wrong password!';
                }
                else
                {
                    $_SESSION['NAME'] = $name;
                    $_SESSION['USER'] = $user;
                    header("Location: home.php");
                    exit; // stop here, otherwise the rest of the page still runs
                }
            }
        }
        else
        {
            $error = 'Please insert your password!';
        }
    }
    else
    {
        $error = 'Please insert your username!';
    }
}
function TryLoginUser($username, $password)
{
    if (empty($username))
    {
        return 'Please insert your username!';
    }
    else if (empty($password))
    {
        return 'Please insert your password!';
    }

    $res = Core::$database->createResult('SELECT * FROM `members` WHERE `username` = :name LIMIT 1');
    // LIMIT 1 because you expect one record
    $res->addParam(':name', $username);
    $res->execute();
    if ($res->columnCount() < 1) // Column? Not a row? A column is a field like "password", "username", etc.
    {
        return 'Username not found!';
    }

    $user = $res->fetch();
    if ($user['password'] != $password) // You don't encrypt your passwords?
    {
        return 'Wrong password!';
    }

    $_SESSION['NAME'] = $username;
    $_SESSION['USER'] = $user;
    return true;
}

session_start(); // needed before $_SESSION is written in TryLoginUser()

if (isset($_POST['name'], $_POST['pass']))
{
    $username = mysql_real_escape_string($_POST['name']);
    $password = mysql_real_escape_string($_POST['pass']);
    // No need to strip slashes, you compare them. Use them when you return the variable back to the client (print/echo)
    // And you're still using the old MySQL lib? :<
    if (($result = TryLoginUser($username, $password)) === true)
    {
        header("Location: home.php");
        exit; // stop here, otherwise the rest of the page still runs
    }
    else
    {
        printf('Do whatever you like with your error: %s', $result);
    }
}
Did some tweaks. Personally I like this more. Look around; I pointed out some stuff in the comments in it.
And it might be me, but imagine you have a very big function with a lot of if-else statements in it. The way you did this would end up like huge mountains. People with small screens will be fucked because of that.
The way I did this is flatter and comes directly to its point. It's like reading, left to right, top to bottom. And not like yours, jumping straight to the bottom if something fails at the top.
But that's personally how I think about it....
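As an added example (not code from this thread or from either poster), here is the same login flow with the points raised in the comments applied: an empty result is detected with fetch() rather than columnCount(), the stored password is a password_hash() value checked with password_verify(), the comparison uses === true, and mysql_real_escape_string() is dropped because the bound parameter never touches the SQL text. It assumes a plain PDO connection in $pdo and a hypothetical `members` table with `id`, `username` and `password` columns; the two failure messages are merged into one so the form does not reveal which usernames exist.

```php
<?php
// Added example, not the thread's code. Assumes $pdo is an open PDO connection and
// `members`(`id`, `username`, `password`) stores password_hash() output (hypothetical schema).

function tryLoginUser(PDO $pdo, string $username, string $password)
{
    if ($username === '') {
        return 'Please insert your username!';
    }
    if ($password === '') {
        return 'Please insert your password!';
    }

    // Prepared statement: the value is bound, never spliced into the SQL,
    // so no mysql_real_escape_string() / stripslashes() is needed.
    $stmt = $pdo->prepare('SELECT `id`, `username`, `password` FROM `members` WHERE `username` = :name LIMIT 1');
    $stmt->execute([':name' => $username]);

    // fetch() returns false when there is no row. columnCount() would be 3
    // even for an empty result, because it counts fields, not rows.
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run one password_verify(), against a dummy hash when the user
    // does not exist, so the response time does not reveal valid usernames.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $storedHash = $user ? $user['password'] : $dummyHash;
    if (!password_verify($password, $storedHash) || !$user) {
        return 'Wrong username or password!';
    }

    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE `members` SET `password` = :hash WHERE `id` = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }

    session_regenerate_id(true);   // fresh session id once the user is authenticated
    unset($user['password']);      // the hash has no business in the session
    $_SESSION['NAME'] = $user['username'];
    $_SESSION['USER'] = $user;
    return true;
}

session_start();
if (isset($_POST['name'], $_POST['pass'])) {
    $result = tryLoginUser($pdo, (string) $_POST['name'], (string) $_POST['pass']);
    if ($result === true) {
        header('Location: home.php');
        exit;                      // stop here, or the rest of the page still runs
    }
    // Output escaping happens at output time, for HTML, not at input time for SQL.
    printf('Login failed: %s', htmlspecialchars($result, ENT_QUOTES, 'UTF-8'));
}
```

Registering a user then becomes a single `password_hash($plain, PASSWORD_DEFAULT)` stored in the `password` column; the column needs to be wide enough for the hash (255 characters is the usual choice, since the algorithm may change).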
Battleball is v13, Rebound was v26. Also, I miss the old times so much; I remember playing Battleball and then they switched to Rebound, which I liked less. Good ol' memories.
Gonna continue today. I did some work to recreate the old website Habbo used in those days. To give you a little idea:
It's going to be completed 100% with homes (and groups; don't know if they were there, but I think they were) and it's going to have secure PHP. Thanks to web.archive.org for taking me to the old layout (for HTML and some images) and thanks to ZabboWEB for the images + CSS + JS etc.
What happened to this?
mysql_real_escape_string() can be used with PDO?
mysql_real_escape_string is a function to filter variables.
"The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated."
Aha, I thought you could always use mysql_real_escape_string even if you use MySQLi/PDO, and that it is part of the MySQL lib. I also thought you needed a MySQL connection to get that function to work. Not sure if a PDO MySQL connection is the same...
A quote from php.net about the second argument of the escape_string function.
It also says: "Use mysqli_real_escape_string when using MySQLi or PDO::quote when using PDO" when you want to secure inputs.
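To make the point of the quotes above concrete, here is an added example (not from the thread) showing what happens to a hostile username when it is spliced in raw, escaped with PDO::quote(), and bound through a prepared statement. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; that driver is an assumption, and its quote() doubles single quotes where the MySQL driver backslash-escapes them, which is exactly why the escaping routine has to come from the connection you are actually using. mysql_real_escape_string() belongs to the old mysql extension, needs a mysql_connect() link of its own, and does not exist on PHP 7 and later, so next to a PDO connection it has nothing to escape for.

```php
<?php
// Added example, not the thread's code. Assumes the pdo_sqlite driver is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT, password TEXT)');
// Constructed sample data; the password column would hold password_hash() output.
$pdo->exec("INSERT INTO members VALUES ('admin', 'hash-of-admin'), ('bob', 'hash-of-bob')");

$attack = "' OR '1'='1";   // constructed hostile input for the username field

// 1. Raw interpolation: the quote in the input closes the literal and
//    the rest becomes SQL, so every member row comes back.
$rows = $pdo->query("SELECT * FROM members WHERE username = '$attack'")->fetchAll(PDO::FETCH_ASSOC);
printf("unescaped : %d rows\n", count($rows));   // 2

// 2. PDO::quote(): escapes for *this* driver and adds the surrounding quotes
//    itself, so the whole input is compared as one string value.
$rows = $pdo->query('SELECT * FROM members WHERE username = ' . $pdo->quote($attack))->fetchAll(PDO::FETCH_ASSOC);
printf("quote()   : %d rows\n", count($rows));   // 0

// 3. Prepared statement: the value is sent as a parameter and never becomes
//    part of the SQL text, whatever characters it contains.
$stmt = $pdo->prepare('SELECT * FROM members WHERE username = :name');
$stmt->execute([':name' => $attack]);
printf("prepare() : %d rows\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));   // 0
```

Prepared statements are the default choice; PDO::quote() is the fallback for the rare places where a value cannot be bound (it returns false on drivers that do not implement it, so check the return value). Neither is a substitute for htmlspecialchars() when the value is later printed into a page, which is the stripslashes/echo point made earlier in the thread.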