
Thread: A very simple CMS for a website

  1. #17
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    Right, that tutorial is good but has some security issues and isn't specific to what I'm designing. Anyway, I've roughly laid out what my authentication class will look like; I can work from outside of the object so I just need boolean values, obviously.

    Code:
    <?php
    require_once('DBConnector.php');

    class Authenticate {

        var $dbconnection;

        function Authenticate() {
            $this->dbconnection = new DBConnector();
        }

        function login($username, $password) {
            $user = strip_tags(mysql_real_escape_string($username));
            $pass = strip_tags(mysql_real_escape_string($password));

            // Assumes DBConnector::query() returns FALSE when the query fails or matches no row
            if ($query = $this->dbconnection->query("SELECT * FROM mcc_users WHERE username = $user AND password = $pass")) {
                return TRUE;
            }
            else {
                return FALSE;
            }
        }

        function logout() {
            session_unset();
            session_destroy();
        }
    }
    It's not finalised, just a rough idea, I should check against null values really but that should stop against SQL injections and cross-scripting right?

  2. #18
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Kezzer
    Right, that tutorial is good but has some security issues and isn't specific to what I'm designing. Anyway, I've roughly laid out what my authentication class will look like; I can work from outside of the object so I just need boolean values, obviously.

    Code:
    ...
    It's not finalised, just a rough idea, I should check against null values really but that should stop against SQL injections and cross-scripting right?
    You also need to be careful to filter out various hex characters as well. I would generally suggest taking an approach where you pick which characters to allow in the string, then filter based on that.

    Let me see... how would I write this... I'm not sure if this is the best way but it seems a good way to ensure the string is something which won't cause you any problems. At the very least ensure you have quotes around each part of that query otherwise a simple space would be able to cause you some real headaches.
    PHP Code:
    function clean_string($string) {
        $pattern = "/[^a-zA-Z0-9]/";
        if (preg_match($pattern, $string)) {
            // found something we don't like
            // I would probably log this somewhere to allow checking for repeated attempts
            return FALSE;
        } else {
            // return the string we do like
            return $string;
        }
    }

    function login($username, $password) {
        $user = clean_string($username);
        $pass = clean_string($password);

        // refuse the login outright if either value was rejected
        if ($user === FALSE || $pass === FALSE) {
            return FALSE;
        }

        $user = strip_tags(mysql_real_escape_string($user));
        $pass = strip_tags(mysql_real_escape_string($pass));

        // note the quotes around each value in the query
        if ($query = $this->dbconnection->query("SELECT * FROM mcc_users WHERE username = '$user' AND password = '$pass'")) {
            return TRUE;
        }
        else {
            return FALSE;
        }
    }
    Also VBulletin has [ PHP ] tags which will syntax highlight your code.

    Nick

  3. #19
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    Yeh I know, I'm just so used to wrapping things in code tags instead

    Well I may as well create a method which completely cleans a string and then just invoke it in the login method. I could create something to log what's happening but if it's not going to do any damage due to me checking the strings carefully then there's not much point in saying so.

    Is the login function fine though?

  4. #20
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Kezzer
    Is the login function fine though?
    Yeah, although there are a few improvements you can do to save some work later... I assume you will probably have different access levels or member levels (webmaster, author etc...). If you are running a query to check the users password, why not get their access level (or anything else) at the same time. This saves a later query and only has the overhead of a little extra memory for the extra array items.

    My current login query looks a little like this (amended to hide the identity of the innocent):

    PHP Code:
    if ($member = query("SELECT userid, password, accesslevel FROM members WHERE username='$username'")) {
        if (md5($password) != $member['password']) {
            errormsg("Your password is not correct.");
        }
        $memberid = $member['userid'];
    } else {
        errormsg("Your password is not correct.");
    }

    One thing that is considered good practice is to give the same error no matter which stage the check failed on, to ensure you aren't revealing which usernames are valid.

    I'm also interested in any feedback you have

    Nick
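    As an added example (not code from either poster in this thread), here is a login routine that pulls together the points raised in the last few posts: an allow-list check on the username, the value passed to the database separately from the SQL text instead of being interpolated into it, a stored password hash compared instead of the plaintext, the access level fetched in the same query, and a single uniform failure result whichever check fails. It deliberately uses PDO and password_verify() rather than the mysql_* functions and md5() used above; the table name mcc_users, the columns userid/username/password_hash/accesslevel, and the in-memory SQLite setup are assumptions made so the example runs on its own.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   mcc_users(userid, username, password_hash, accesslevel)
// Assumed connection: a PDO object $db (the thread's DBConnector is not used here).

function valid_username($username) {
    // Allow-list approach from the thread: only [A-Za-z0-9], and a bounded length
    // so oversized input never reaches the database at all.
    return is_string($username) && preg_match('/^[a-zA-Z0-9]{1,32}$/', $username) === 1;
}

function login(PDO $db, $username, $password) {
    if (!valid_username($username) || !is_string($password) || $password === '') {
        // Same result as a wrong password: do not reveal which check failed.
        return FALSE;
    }

    // Prepared statement: the driver sends the value separately from the SQL text,
    // so quoting and escaping of $username are no longer the caller's problem.
    $stmt = $db->prepare(
        'SELECT userid, password_hash, accesslevel FROM mcc_users WHERE username = :username'
    );
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run the hash check even when no row was found, so an unknown username and a
    // wrong password take roughly the same time and give the same answer.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);

    if (!$row || !$ok) {
        // Log the attempt (as suggested above) so repeated failures can be spotted.
        error_log('login failed for username=' . $username);
        return FALSE;
    }

    // Success: hand back what later pages need so no second query is required.
    return array('userid' => $row['userid'], 'accesslevel' => $row['accesslevel']);
}

// Usage sketch with constructed data (SQLite in memory, so no MySQL server is needed):
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE mcc_users (userid INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, accesslevel TEXT)');
$ins = $db->prepare('INSERT INTO mcc_users (username, password_hash, accesslevel) VALUES (?, ?, ?)');
$ins->execute(array('editor', password_hash('correct horse', PASSWORD_DEFAULT), 'author'));

var_dump(login($db, 'editor', 'correct horse'));   // array with userid and accesslevel
var_dump(login($db, 'editor', 'wrong'));           // bool(false)
var_dump(login($db, "editor' OR '1'='1", 'x'));    // bool(false): rejected by the allow-list
```

    The caller prints one message ("Your username and/or password is incorrect") whenever login() returns FALSE; the function itself never says whether the username existed.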

  5. #21
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    I'd just print out "Your username and/or password is incorrect". That looks pretty simple, yup; I just need to incorporate access levels in there really. Need to design up a system which will include it really, just basically create a user object I think would be the best idea, then do $user->getAccessLevel(); and check the access level for the current user.

    I need to go out and buy a notepad in a mo' so I can sketch it up

    A user object could be handy though for the current session, basically login, if the credentials are correct then create a user object and retrieve some other values from the database such as access levels etc.

  6. #22
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Kezzer
    I need to go out and buy a notepad in a mo' so I can sketch it up

    A user object could be handy though for the current session, basically login, if the credentials are correct then create a user object and retrieve some other values from the database such as access levels etc.
    You write code onto paper? I haven't done that for ages.

    Another useful trick if you do go with the user object: you can include methods to authenticate, get permissions, serialise (convert the object into a string to put into the db) and much more. It's much better in the long run to write as objects rather than tie yourself to the concept of HTML pages.

    If you want to see an example of this taken to an extreme, have a look at plog, a piece of blogging software which is completely class based.

    Nick

  7. #23
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    Well, I'm not used to procedural programming anyway, which is why the code I pasted was OO based. I only usually code in Java, hence why.

  8. #24
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Kezzer
    Well, I'm not used to procedural programming anyway, which is why the code I pasted was OO based. I only usually code in Java, hence why.
    Ah, fair enough. A trap many developers new to PHP classes fall into is creating one class which represents the entire page or just a couple of functional elements; as you probably know, it's much easier and more useful to make more general, logically grouped objects instead.

    This happens where I work: much of the system was written in ASP, and to improve the code we put classes around it to give us public and private member variables. The ideal situation would have been to rewrite the core to be truly object orientated.

    Anyway rant over, I'm back to working on that on Monday

    Nick

  9. #25
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    Hehe, well I have to think it out logically so it all coincides, which is why I wanted to draw it out; if I see it diagrammatically then I can figure it out much easier.

    I have the SystemComponent, DBConnector and I'll create a User class, not sure what else I'd need though. Probably a class for modifying database content as well. Can you think of anything else I would need?

  10. #26
    Senior Member
    Join Date
    Apr 2005
    Location
    Bournemouth, Dorset
    Posts
    1,631
    Thanks
    13
    Thanked
    2 times in 2 posts
    I too am working on a CMS, only a simple one mind. I've done all the admin pages and they all work, but I need to protect the directory so that if someone found out you could edit the news page by going to "/admin/admin.php?page=addnews", they would get asked for a user name and password before they could look at it!
    Not sure the best way of doing this. I am pretty noobish when it comes to PHP.

  11. #27
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Ramedge
    I too am working on a CMS, only a simple one mind. I've done all the admin pages and they all work, but I need to protect the directory so that if someone found out you could edit the news page by going to "/admin/admin.php?page=addnews", they would get asked for a user name and password before they could look at it!
    Not sure the best way of doing this. I am pretty noobish when it comes to PHP.
    The quickest way to do it is to use Apache's .htpasswd authentication (check the Apache manual on apache.org); otherwise you'll have a lot more work to do. You probably want to do something similar to Kezzer and attempt to authenticate the user on every page, after which you can use sessions to prevent prompting them again.

    There's lots of info on this around; have a look at phpbuilder as they used to have some good examples.

    Nick
    Abit IP-35 Pro, Core 2 Quad Q6600 @ 3Ghz, 8800GTS 512, Zalman Reserator1 External Watercooler, 4GB DDR2, 76GB Raptor 10k, 300GB Seagate Barracuda 7200.10, 2x Maxtor 250GB 7.2k, ViewSonic VP201s & Dell 2408

  12. #28
    Gaarrrrr! Dav0s's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    1,442
    Thanks
    1
    Thanked
    3 times in 3 posts
    Yup, Apache is the way forward for basic restriction.

  13. #29
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Davos
    Yup, Apache is the way forward for basic restriction.
    The only problem is that it doesn't give you finer control over things. If you want to have admins, authors etc you need to write something in PHP.

    Nick

  14. #30
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    You say 'every' page, but in fact you can do it on one page (being admin.php, for example) which has a switch statement linking to the other pages on it, so it simplifies the code. I'm hoping to start putting things together this week though.

  15. #31
    Member
    Join Date
    Oct 2005
    Posts
    92
    Thanks
    0
    Thanked
    0 times in 0 posts
    Quote Originally Posted by Kezzer
    You say 'every' page, but in fact you can do it on one page (being admin.php, for example) which has a switch statement linking to the other pages on it, so it simplifies the code. I'm hoping to start putting things together this week though.
    Or put the code within an include and include it in each file. Your call.

    Nick
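    As an added example (not code from anyone in this thread), here is what the session-based check discussed in the last few posts can look like when it lives in one include file that is required at the top of every admin page, or once at the top of an admin.php that dispatches to the other pages through a switch. It assumes that the login code elsewhere stores userid and accesslevel in $_SESSION after a successful login (and calls session_regenerate_id(TRUE) so the pre-login session id is not reused); the file names auth_check.php, admin_addnews.php, admin_users.php, admin_home.php and the access level names 'author' and 'webmaster' are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Intended to live in something like
// auth_check.php and be required before any admin page renders output.

function require_login($required_level = NULL) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['userid'])) {
        // Not logged in: send the visitor to the login form instead of rendering anything.
        header('Location: /admin/login.php');
        exit;
    }
    $level = isset($_SESSION['accesslevel']) ? $_SESSION['accesslevel'] : NULL;
    if ($required_level !== NULL && $level !== $required_level) {
        // Logged in but not allowed here: the finer control Apache's .htpasswd
        // on its own does not give you.
        header('HTTP/1.1 403 Forbidden');
        exit('Not allowed.');
    }
}

// admin.php-style dispatcher: only the page names listed in the switch can be
// reached, and each case states which access level it requires.
function dispatch($page) {
    switch ($page) {
        case 'addnews':
            require_login('author');
            return 'admin_addnews.php';   // renders the add-news form
        case 'users':
            require_login('webmaster');
            return 'admin_users.php';
        case '':
        case 'home':
            require_login();
            return 'admin_home.php';
        default:
            // Unknown page name: never build a file path from the request value, just refuse.
            header('HTTP/1.1 404 Not Found');
            exit('No such admin page.');
    }
}

// In admin.php:
//   require_once 'auth_check.php';
//   $view = dispatch(isset($_GET['page']) ? $_GET['page'] : '');
//   require $view;
```

    Because the check runs before any output and exits on failure, a request for admin.php?page=addnews by someone who is not logged in is redirected to the login form rather than reaching the form that adds news, which is exactly the behaviour asked for above.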

  16. #32
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    The joy of programming, diverse

    Well, I'll hopefully put my classes together tonight and hopefully figure out how to implement everything securely. I'm intending to get this website up this week *notes deadlines*. I just need to do all the actual forms for the admin system for adding, editing and deleting; I'll probably do that in a class as well with view, add, edit and delete functions.
