5
\$\begingroup\$

I have a php authentication script and everything works fine, but I'm very unsure about the way I programmed it (I hardcoded some things). I was hoping stack could look through this and point out any potential problems. Here's the script:

<?php
require_once 'Bcrypt.php';
class Mysql {
 private $conn;
 function __construct() {
 $this->conn = new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***') or 
 die('There was a problem connecting to the database.');
 }
 function verify_Username_and_Pass($un, $pwd) {
 ini_set('display_errors', 'On');
 error_reporting(E_ALL | E_STRICT);
 $query = "SELECT *
 FROM Conference
 WHERE Username = :un";
 $stmt = $this->conn->prepare($query);
 $stmt->bindParam(':un', $un);
 //$stmt->bindParam(':pwd', $pwd);
 $stmt->execute();
 $row = $stmt->fetchAll();
 $hash = $row[0]["Password"];
 $is_correct = Bcrypt::check($pwd, $hash);
 if ($is_correct) {
 // User exist
 $firstName = $row[0]["First Name"];
 $_SESSION["FirstName"] = $firstName;
 return true;
 $stmt->close();
 }
 else {
 // User doesn't exist
 return false;
 $stmt->close();
 }
 }
}
?>

So how does it look?

RubberDuck
31.1k6 gold badges73 silver badges176 bronze badges
asked Oct 4, 2012 at 19:37
\$\endgroup\$

1 Answer 1

1
\$\begingroup\$

I've tried cleaning it up a bit here, removed instances of setting a variable once and using it directly below where it was set (yes, improves readability, but still). 

require_once 'Bcrypt.php';
class Mysql {
 private $conn;
 private $host = 'host';
 private $dbName = 'dbname'; 
 private $charset = 'UTF-8';
 private $checkUserQuery = 'SELECT * FROM Conference WHERE Username = :un';
 function __construct() {
 $this->conn = new PDO('mysql:host=' . $this->host . ';dbname=' . $this->dbname . ';charset=' . $this->charset) 
 or die('There was a problem connecting to the database.');
 }
 function verifyUsernameAndPass($un, $pwd) {
 $stmt = $this->conn->prepare($this->checkUserQuery);
 $stmt->bindParam(':un', $un);
 #$stmt->bindParam(':pwd', $pwd);
 $stmt->execute();
 $row = $stmt->fetchAll();
 $stmt->close(); # Moved up, so closes before we return/exit function
 # You're setting $hash here, and using it directly below.
 # See new code below
 //$hash = $row[0]['Password'];
 //$is_correct = Bcrypt::check($pwd, $hash);
 //if ($is_correct) {
 if( Bcrypt::check($pwd, $row[0]['Password']) ){
 # User exist
 # You're setting $firstName once, and using it directly below it.
 # See new code below
 //$firstName = $row[0]['First Name']; 
 //$_SESSION['FirstName'] = $firstName;
 $_SESSION['FirstName'] = $row[0]['First Name'];
 return true;
 } else {
 # User does not exist
 return false;
 }
 }
}

And here's the same code, without my comments:

require_once 'Bcrypt.php';
class Mysql {
 private $conn;
 private $host = 'host';
 private $dbName = 'dbname'; 
 private $charset = 'UTF-8';
 private $checkUserQuery = 'SELECT * FROM Conference WHERE Username = :un';
 function __construct() {
 $this->conn = new PDO('mysql:host=' . $this->host . ';dbname=' . $this->dbname . ';charset=' . $this->charset) 
 or die('There was a problem connecting to the database.');
 }
 function verifyUsernameAndPass($un, $pwd) {
 $stmt = $this->conn->prepare($this->$checkUserQuery);
 $stmt->bindParam(':un', $un);
 $stmt->execute();
 $row = $stmt->fetchAll();
 $stmt->close();
 if( Bcrypt::check($pwd, $row[0]['Password']) ){ # User exists
 $_SESSION['FirstName'] = $row[0]['First Name'];
 return true;
 } else { # User does not exist
 return false;
 }
 }
}
answered Oct 5, 2012 at 17:19
\$\endgroup\$

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.