I was wondering if there is anything wrong with this code. It works fine, but I want to know whether experts or pros would do anything differently, and what. This is just the class that does the processing etc.; I'm going to write another page to filter the input etc. before it sends the information here.
<?php
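define("host","localhost");
define("database_name","yourchoice");
// NOTE(review): the application should connect as a least-privilege database user
// created for it, not as root, and the credentials belong in a config file outside
// the web root (or the environment), not in a page that gets posted publicly.
define("username","root");
define("password","feind");
try{
    // ERRMODE_EXCEPTION: a failing prepare()/execute() later in the page throws
    // instead of silently returning false. EMULATE_PREPARES=false: parameters are
    // bound by the server, so the driver never splices values into the SQL text.
    $conn=new pdo(
        "mysql:host=".host.";dbname=".database_name.";charset=utf8",
        username,
        password,
        array(
            pdo::ATTR_ERRMODE=>pdo::ERRMODE_EXCEPTION,
            pdo::ATTR_EMULATE_PREPARES=>false,
        )
    );
}
catch(pdoexception $e)
{
    // the exception text carries the host, user and driver details; keep it in the
    // server log and show the visitor only a generic line
    error_log("database connection failed: ".$e->getMessage());
    // stop here: everything after this point dereferences $conn, which would
    // otherwise be undefined and produce a fatal error further down the page
    exit("sorry the connection to database has failed");
}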
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<?php
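// session_start() has to run before any byte of output, and the HTML above this
// block has already been emitted; unless output buffering is enabled in php.ini
// this call fails with "headers already sent" and $_SESSION is never persisted.
// Move this line (and the require) above the <!DOCTYPE> line.
// session_status() guards against a second start if config.php already began one.
if(session_status()===PHP_SESSION_NONE)
{
    session_start();
}
require ("config.php");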
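class users
{
    public $uid;
    public $u_name;
    protected $u_password; // hash of the logged-in user's password, as stored in users.pass
    protected $u_info;     // the full users row fetched at login
    protected $u_salt;     // legacy per-user salt column; no longer used for verification

    /* Verifies a username/password pair and, on success, registers the session.
       Returns true on success and false for an unknown user, a wrong password or a
       locked account. Wrong-password attempts for existing users are recorded in
       login_attempts so brute_check() can lock the account after too many in an hour.
       Passwords are checked with password_verify(), so rows written by the old
       sha1(pass.salt) scheme will not log in until they are re-registered/migrated. */
    public function login ($u_name,$u_password)
    {
        global $conn;
        $now=time();
        // one message for both "unknown user" and "wrong password": the original
        // used two differently-capitalised texts (and die() for one of them), which
        // let a caller tell whether a username exists
        $incorrect="<p>Username or password is incorrect........ill bring you back to the login page or ask alex to register you</p>";
        // look the row up by name only; the password is compared in PHP against the
        // stored hash rather than inside the query
        $stmnt=$conn->prepare("select * from users where name=:name");
        $stmnt->execute(array(":name"=>$u_name));
        $result=$stmnt->fetch(pdo::FETCH_OBJ);
        if($result===false)
        {
            // no such user: nothing to record the attempt against
            echo $incorrect;
            return false;
        }
        if(password_verify($u_password,$result->pass))
        {
            $this->uid=$result->id;
            $this->u_name=$result->name;
            $this->u_password=$result->pass;
            $this->u_info=$result;
            if($this->brute_check($result->id))
            {
                echo"user account locked for the next hour";
                return false;
            }
            // fresh session id on login so an id issued before authentication
            // (session fixation) does not become the authenticated session
            if(session_status()===PHP_SESSION_ACTIVE)
            {
                session_regenerate_id(true);
            }
            $_SESSION['u_name']=$this->u_name;//registers a session if all checks out
            //deletes the previously failed loggin attempts from table
            $delete_prev_failed_attempts=$conn->prepare("delete from login_attempts where u_id=:id");
            $delete_prev_failed_attempts->execute(array(":id"=>$this->uid));
            echo"<p>login sucessfull</p><br/>ect......whatever page xanda chooses them to see";
            return true;
        }
        // wrong password for an existing user: record the attempt first, then report
        $insert=$conn->prepare("insert into login_attempts(u_id,time) values(:id,:time)");
        $insert->execute(array(":id"=>$result->id,":time"=>$now));
        if($this->brute_check($result->id))
        {
            echo"user account locked for the next hour";
        }
        else
        {
            echo $incorrect;
        }
        return false;
    }

    //function to check amount of login attempts with a hour time period refrence table login attemts
    // Returns true when more than 5 attempts were recorded for $id in the last hour.
    public function brute_check($id)
    {
        global $conn;
        $hour_ago=time()-(1*60*60);
        // count in SQL: PDO does not guarantee rowCount() for SELECT statements
        $stmnt=$conn->prepare("select count(*) from login_attempts where u_id=:uid and time>=:past1_hour");
        $stmnt->execute(array(":uid"=>$id,":past1_hour"=>$hour_ago));
        return (int)$stmnt->fetchColumn()>5;
    }

    /* Creates a new user. Returns true when the row was inserted, false when the
       name is taken or the insert failed. The check-then-insert is not atomic: a
       unique index on users.name is what really prevents duplicates, and the
       pdoexception branch below catches that case. */
    public function register($req_name,$req_pass)
    {
        global $conn;
        // the salt column is still populated to keep the schema unchanged, but
        // password_hash() embeds its own random salt, so this value is not used
        $salt=time();
        $this->u_salt=$salt;
        $pass=$this->hash_pass($req_pass,$salt);
        $check=$conn->prepare("select id from users where name=:req_name");
        $check->execute(array(":req_name"=>$req_name));
        if($check->fetch(pdo::FETCH_OBJ)!==false)
        {
            echo"username already taken";
            return false;
        }
        try{
            $insert=$conn->prepare("insert into users(name,pass,salt) values(:req_name,:req_pass,:salt)");
            $insert->execute(array(":req_name"=>$req_name,":req_pass"=>$pass,":salt"=>$salt));
            echo"user created you may now login";
            return true;
        }
        catch(pdoexception $e)
        {
            // the exception text includes the SQL and driver details; log it rather
            // than printing it to the browser
            error_log("register failed: ".$e->getMessage());
            echo"error creating user";
            return false;
        }
    }

    //function to hash passwords
    // $salt is kept for signature compatibility but is unused: password_hash()
    // generates a random per-password salt and stores it inside the returned
    // string. The users.pass column must be wide enough for that string (the
    // PHP manual recommends 255 characters for PASSWORD_DEFAULT).
    public function hash_pass($req_pass,$salt)
    {
        return password_hash($req_pass,PASSWORD_DEFAULT);
    }

    /*im so soryy if this code is cumbersome the point of good code is to be easily understood
    This function Gets the salt from the username and also varifies the user exists*/
    // Returns true and sets $this->u_salt when the user exists, false otherwise
    // (the original fell off the end, returning null for an unknown user).
    public function getsalt($u_name)
    {
        global $conn;
        $get_salt=$conn->prepare("select name,salt from users where name=:name");
        $get_salt->execute(array(":name"=>$u_name));
        $result=$get_salt->fetch(PDO::FETCH_OBJ);
        if($result===false)
        {
            return false;
        }
        $this->u_salt=$result->salt;
        return true;
    }
}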
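// $_POST is the superglobal holding the submitted form; $POST is an ordinary
// variable, so unless it is assigned somewhere not shown here every request fell
// through to "Unknown Request". isset() avoids undefined-index notices when a
// field is missing, and === avoids loose string comparison.
// NOTE(review): nothing here verifies a CSRF token before calling login()/register().
$op=isset($_POST['op'])?$_POST['op']:'';
$name=isset($_POST['name'])?$_POST['name']:'';
$pass=isset($_POST['pass'])?$_POST['pass']:'';
if($op==='login')
{
    $user=new users;
    $user->login($name,$pass);
}
elseif($op==='register')
{
    $user=new users;
    $user->register($name,$pass);
}
else
{
    echo"Unknown Request";
}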
?>
</body>
</html>