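<?php
// Other settings
// Start (or resume) the session exactly once. This file is included from
// pages that may already have started the session, and a second
// session_start() emits a notice instead of being a no-op, so guard on
// session_status() first.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}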
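// Connect to the database
class Database {
    // NOTE(review): connection credentials are hard-coded here (root with an
    // empty password). Keep the real values in a config file outside the web
    // root or in the environment; the defaults below are the original ones.
    private $host = "localhost";
    private $db_name = "login";
    private $username = "root";
    private $password = "";
    public $conn;

    /**
     * Open a PDO connection to MySQL and store it in $this->conn.
     *
     * Returns the PDO instance on success. On failure the driver message is
     * written to the PHP error log instead of being echoed (the message can
     * contain the host, database and user name, which should never reach the
     * browser) and null is returned, exactly as before.
     */
    public function dbConnection() {
        $this->conn = null;
        // Fix the connection charset in the DSN so the server and the SQL
        // parser agree on the encoding of bound parameters.
        $dsn = "mysql:host=" . $this->host . ";dbname=" . $this->db_name . ";charset=utf8mb4";
        try {
            $this->conn = new PDO($dsn, $this->username, $this->password);
            $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            // Use real server-side prepared statements: the SQL text and the
            // parameter values travel to the server separately, which is what
            // the prepared-statement comments in the USER class rely on.
            $this->conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
        catch(PDOException $exception) {
            error_log("Connection error: " . $exception->getMessage());
        }
        return $this->conn;
    }
}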
- // Functions for managing users
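class USER {
    private $conn;

    /**
     * Obtain the shared PDO connection from Database::dbConnection().
     * NOTE(review): dbConnection() returns null when the connection fails;
     * every query method below then fails at ->prepare(). The constructor
     * keeps that behaviour rather than throwing, to stay compatible.
     */
    public function __construct() {
        $database = new Database();
        $this->conn = $database->dbConnection();
    }

    /** Prepare (but do not execute) $sql; the caller binds and executes. */
    public function runQuery($sql) {
        return $this->conn->prepare($sql);
    }

    /**
     * Insert a new user row.
     *
     * The password is stored as a password_hash() digest. That function
     * generates and embeds its own random per-user salt, so the earlier
     * manual salt/pepper code was redundant - and its mcrypt_create_iv()
     * call no longer exists in PHP 7.2+, which made register() fatal on
     * every call. Returns the executed statement, or null on a PDO error.
     */
    public function register($uname, $umail, $upass) {
        try {
            $new_password = password_hash($upass, PASSWORD_DEFAULT);
            // Prepared statement: the SQL text and the bound values are sent
            // to the server separately, so user input cannot alter the query.
            $stmt = $this->conn->prepare(
                "INSERT INTO users(user_name,user_email,user_pass) VALUES(:uname, :umail, :upass)"
            );
            $stmt->bindParam(":uname", $uname);
            $stmt->bindParam(":umail", $umail);
            $stmt->bindParam(":upass", $new_password);
            $stmt->execute();
            return $stmt;
        }
        catch(PDOException $e) {
            // Log, do not echo: driver messages expose table and column names.
            error_log($e->getMessage());
            return null;
        }
    }

    /**
     * Update the profile columns of one user.
     *
     * The original statement used INSERT-style syntax
     * ("UPDATE users(...) VALUES(...) WHERE users(...)"), which is not valid
     * SQL, so every call raised a PDOException. UPDATE needs SET col=value.
     * Returns the executed statement, or null on a PDO error.
     */
    public function update($dob, $job, $gender, $location, $user_id) {
        try {
            $stmt = $this->conn->prepare(
                "UPDATE users SET user_dob=:dob, user_job=:job, user_gender=:gender, user_location=:location WHERE user_id=:id"
            );
            $stmt->bindParam(":dob", $dob);
            $stmt->bindParam(":job", $job);
            $stmt->bindParam(":gender", $gender);
            $stmt->bindParam(":location", $location);
            $stmt->bindParam(":id", $user_id);
            $stmt->execute();
            return $stmt;
        }
        catch(PDOException $e) {
            error_log($e->getMessage());
            return null;
        }
    }

    /**
     * Authenticate by user name or e-mail plus password.
     *
     * Exactly one row must match (the same rule the original rowCount()==1
     * check expressed), but the rows are counted after fetching because
     * rowCount() on a SELECT is driver-dependent. Returns true and stores the
     * user id in the session on success; false otherwise (the original
     * returned null in the failure paths, which callers treat the same way).
     */
    public function doLogin($uname, $umail, $upass) {
        try {
            $stmt = $this->conn->prepare(
                "SELECT user_id, user_name, user_email, user_pass FROM users WHERE user_name=:uname OR user_email=:umail "
            );
            $stmt->execute([':uname' => $uname, ':umail' => $umail]);
            $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
            if (count($rows) !== 1) {
                return false;
            }
            $userRow = $rows[0];
            if (!password_verify($upass, $userRow['user_pass'])) {
                return false;
            }
            // Issue a fresh session id at the privilege change so a session
            // id that existed before login is not promoted to an
            // authenticated one (session fixation).
            session_regenerate_id(true);
            $_SESSION['user_session'] = $userRow['user_id'];
            return true;
        }
        catch(PDOException $e) {
            error_log($e->getMessage());
            return false;
        }
    }

    /** True when a user id is stored in the session, false otherwise. */
    public function is_loggedin() {
        return isset($_SESSION['user_session']);
    }

    /**
     * Send a Location header to $url and stop.
     * NOTE(review): $url is placed in the header verbatim; callers must pass
     * only paths they control, never a value taken from the request.
     */
    public function redirect($url) {
        header("Location: $url");
        exit;
    }

    /** Drop the stored user id from the session. Always returns true. */
    public function doLogout() {
        unset($_SESSION['user_session']);
        return true;
    }

    /**
     * Check whether $string contains anything that looks like an HTML tag.
     * Returns preg_match()'s result: 1 on a match, 0 otherwise.
     */
    function is_html($string) {
        return preg_match('/<\s?[^\>]*\/?\s?>/i', $string);
    }
}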