Just starting to learn OOP and first off I have to say I can (finally) see why this is more useful than procedural. Anyway, took this script off of a site, made some very small edits (still more to make). But I was just wondering if anything is wrong (bad practices, code leading to errors, etc)? And how would I make it so the database is checked during/after registration for users with the same username (i.e no two people with the same username/password).
Classes:
PHP Code:
<?php
include "/includes/database.php";
class Users {
private $username;
private $password;
private $email;
private $salt = "Zo4rU5Z1YyKJAASY0PT6EUg7BBYdlEhPaNLuxAwU8lqu1ElzHv0Ri7EM6irpx5w";
//Get user information
public function __construct($data = array()) {
if (isset($data['username'])) {
$this->username = mysqli_real_escape_string($data['username']);
}
if (isset($data['password'])) {
$this->password = mysqli_real_escape_string($data['password']);
}
if (isset($data['email'])) {
$this->email = mysqli_real_escape_string($data['email']);
}
public function storeFormValues($params) {
$this->__construct($params);
}
}
public function userLogin() {
//success variable will be used to return if the login was successful
$sucess = false;
try {
//create our pdo object
$con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
//set how pdo will handle errors
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//this would be our query
$sql = "SELECT * FROM `users` WHERE `username` = :username AND `password` = :password LIMIT 1";
//prepare the statements
$stmt = $con->prepare($sql);
//give value to named parameter :username
$stmt->bindValue("username", $this->username, PDO::PARAM_STR);
//give value to named parameter :password
$stmt->bindValue("password", hash("sha256", $this->password . $this->salt), PDO PARAM_STR);
$stmt->execute();
$valid = $stmt->fetchColumn(); //Set $_SESSION variables
if ($valid) {
$success = true;
$_SESSION['loggedin'] = 1;
$mem = $stmt->fetchColumn();
$_SESSION['username'] = $mem['username'];
$_SESSION['userid'] = $mem['id'];
$_SESSION['level'] = $mem['level'];
$ip = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
}
$con = null;
return $success;
} catch (PDOException $e) {
echo $e->getMessage();
return $success;
}
}
public function register() {
$correct = false;
try {
$con = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO `users`(username, password) VALUES(:username, :password)";
$stmt = $con->prepare($sql);
$stmt->bindValue("username", $this->username, PDO::PARAM_STR);
$stmt->bindValue("password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR);
$stmt->execute();
return "<p>Registration was successful - </p> <a href='#login'>You may now login</a>";
} catch (PDOException $e) {
return $e->getMessage();
}
}
}
?>
Form:
PHP Code:
<form method="POST" action="">
<fieldset>
<legend>Registration</legend>
<input type="text" name="username" placeholder="Username" required />
<input type="password" name="password" placeholder="Password" required />
<input type="password" name="cpw" placeholder="password" required />
<input type="email" name="email" placeholder="Email Address" required />
<input type="hidden" name="submitted" value="1" />
<input type="submit" name="submit" value="Register" />
</fieldset>
</form>
<?php
$usr = new Users; //create new instance of the class Users
$usr->storeFormValues($_POST['username'], $_POST['password'], $_POST['email']); //store form values
//if the entered password is match with the confirm password then register him
if ($_POST['password'] == $_POST['cpw']) {
echo $usr->register($_POST);
} else {
//if not then say that the user must enter the same password to the confirm box
echo "<p>Password and Confirm Password fields do not match</p>";
}
?>