Creating a PHP Session Class Does it need improvement

Hello,

I am having some issues with a session class I am trying to develop. I am trying to learn how to create my own session class for login, logout and other details. The only issue is that I'm not sure what I am doing wrong when checking whether I am logged in or not on a page that requires people to log in.

Not sure if the class I have created so far is the way I should be going about it. I've made an attempt at my class but I'm not sure how to check if the user has logged in without doing OOP programming.

My class is the following


```php
class Sessions extends BCCMS
{
	private $LoggedIn = false;
	public $user_id;
	public $userExists = false;
	public $passMatch = false;
	public $con;

	// PHP constructors are named __construct (two underscores); _construct is never called
	function __construct()
	{

	}
	public function CheckLogin()
	{
		// == compares; a single = assigned true and always took this branch
		if($this->LoggedIn == true)
		{
			return $this->LoggedIn = true;
		}
		else
		{
			return $this->LoggedIn = false;
		}
	}
	public function ConnectDB($dbhost,$dbuser,$pass,$dbname)
	{
		$this->con=mysqli_connect($dbhost,$dbuser,$pass,$dbname);
		if(!$this->con)
		{
			die("Unable to connect to MYSQL Database on ".$dbhost."");
		}
		else
		{
			//echo "Connected to DB".$dbname."";
		}
	}
	public function is_logged_in()
	{
		return $this->LoggedIn;
	}
	public function login($user,$password)
	{
		$msg_pass="";
		$msg_user="";
		$user = mysqli_real_escape_string($this->con,stripslashes(trim($user)));
		$password = mysqli_real_escape_string($this->con,stripslashes(trim($password)));
		// Query() is inherited from BCCMS
		$Q=$this->Query("SELECT * FROM members WHERE username='".$user."' AND Password='".$password."'");
		echo $Q;
		// == not =, otherwise every login() call was treated as already logged in
		if($this->LoggedIn == true)
		{
			$this->SuccessLogin($user);
		}
		else
		{
			if($this->UsernameMatch($user) == true)
			{
				if($this->PasswordMatch($user,$password) == true)
				{
					$this->SuccessLogin($user);
				}
				else
				{
					echo "Your Username matches but your password does not match the username in the database";
				}
			}
			else
			{
				echo "Username Does not match";
			}
		}
	}
	public function logout()
	{
		unset($_SESSION['user']);
		unset($this->user_id);
		$this->LoggedIn = false;
	}
	public function UsernameMatch($user)
	{
		// the result set has to be kept in $rs before it can be counted
		$rs=$this->Query("SELECT username FROM members WHERE username='".$user."'");
		$count=mysqli_num_rows($rs);
		if($count==1)
		{
			return $this->userExists = true;
		}
		else
		{
			return $this->userExists = false;
		}
	}
	// takes the username as well, so the query can check both columns (passwords are compared as stored, in plain text)
	public function PasswordMatch($user,$password)
	{
		$rs=$this->Query("SELECT password FROM members WHERE username='".$user."' AND password='".$password."'");
		$count=mysqli_num_rows($rs);
		if($count==1)
		{
			return $this->passMatch = true;
		}
		else
		{
			return $this->passMatch = false;
		}
	}
	private function SuccessLogin($user)
	{
		$_SESSION['user'] = $user;
		$this->LoggedIn = true;
		echo "Logged in";
	}
}
```

Is this correct? Is there anything else I can do to improve it?

Here are some initial thoughts.

What is a BCCMS and why does this class need to extend it?

The whole UsernameMatch/PasswordMatch forking and messaging - don’t do this, you are giving too much info to someone who might be trying to force their way in - “Your Username matches but your password does not match the username in the database” <- whoopee, I’m 50% there!

So refactor all of that out, simplify it.

Overall this class is doing too much – especially with all the db connection stuff; that means the script calling this has to hold db credentials.

I’d tend towards passing a db object to this class, maybe in the constructor.

If you are serious about adopting OOP then I would urge you to look at using PDO (or mysqli using OOP methods).

dbconfig.php

```php
$PDO = new PDO('mysql:host=localhost;dbname=yourdb', 'dbuser', 'dbpass'); // set your pdo object here
```

userland.php

```php
include 'dbconfig.php';

// now your db connection is already instantiated and ready to be used

$sess = new Session($PDO);

// pass the connection to your Session object

if( !$sess->isLoggedIn() )
{
    // send away
}
```

This is one way of dealing with the dependency on the connection; it is a type of “aggregation”.

Think about the signatures of the methods in terms of how you’d use them in your userland code; make sure they are easy to read and describe what your object is doing on your behalf.

HTH
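The Session class sketched in the reply above, written out as an added example (not code from the thread): the PDO connection is passed in through the constructor, the lookup is a prepared statement, the password is checked with password_verify() against a stored hash, and login() returns a single true/false so a failed attempt says nothing about which half was wrong. The `members` table with `id`, `username` and `password_hash` columns and PHP 7.4 or later are assumptions.

```php
<?php
// Added example, not from the thread: Session receives its PDO connection
// through the constructor (aggregation) instead of holding credentials.
class Session
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    public function isLoggedIn(): bool
    {
        return isset($_SESSION['user_id']);
    }

    // One yes/no result for the caller: a failed attempt never reveals
    // whether the username or the password was the wrong half.
    public function login(string $username, string $password): bool
    {
        // Assumed schema: members(id, username, password_hash), the hash
        // having been produced by password_hash() at account creation.
        $stmt = $this->db->prepare('SELECT id, password_hash FROM members WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Always run password_verify(), against a throwaway hash when the
        // user is unknown, so both failure paths take similar time.
        $hash = $row ? $row['password_hash'] : password_hash('unknown-user', PASSWORD_DEFAULT);
        if (!$row || !password_verify($password, $hash)) {
            return false;
        }

        session_regenerate_id(true); // fresh session id after login
        $_SESSION['user_id'] = (int) $row['id'];
        return true;
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }
}
```

Because the logged-in state lives in `$_SESSION` rather than in an object property, `isLoggedIn()` still works on the next request, which is what the original `$LoggedIn` field could not do.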

@Cups - Can you personally recommend any training resources regarding PDO?

The original docs I learned from were those by the guy who wrote it, his slides and presentations (search for "Wez Furlong PDO").

I am sure there are better tuts around than that now of course.

Possibly the main thing to grasp is that there are 2 classes working in tandem PDO and PDOStatement.