I thought I would use this post to rant about what some people seem to think is secure user management. First, the hall of shame:
- Tutorialtastic
- Wallpaperama
- tinsology (I should mention this one isn't too bad, but I would not use it because of about 5 security flaws)
- Yet another wannabe
- adesdesign (This one is actually from devshed; I put it here because they claimed it as their own and it isn't, so fail to them. Not only that, but by the looks of it it has been modified to be more insecure. Total fail.)
I should take a moment to explain that I am not talking about SSL and the like; I am only talking about normal, *slightly* secure session handling. Now for the hall of fame:
Let me sum this up. I searched Google for "secure php login" and, of all the links on the first page, there were only two I would take any notice of. Sad, isn't it?
I have been seeing lots of people looking at this article now. I know the title is a bit deceptive; I wrote it so that users searching Google would have a hope in hell of seeing my blog instead of most of the other links they would find when they search "secure php login". I do not endorse this as secure, nor do I endorse anything as secure. This is a step in the right direction (it implements most of the checks), and more so than what Google seems to provide, but still, this is not secure.
I should also mention that, as you may have noticed in the changelog between v3.0 and v3.1, I have removed the graceful error handling. That is because I use PEAR DB, and PEAR DB requires its own error handling outside of this class. If you are using plain MySQL (or another database) you will want to run a line similar to:
mysql_query($query) or $this->_captureError($query);
and then use the _capfail($query) function in my code, or create one of your own.
Below is the version I use:
function my_handle_error($db){
//$db is the PEAR_Error object handed to the callback
$code = $db->getCode();
//connection errors go to the "database is down" page (== compares; a single = would assign and always match)
if($code == "-27" || $code == "-24" || $code == "-4" || $code == "-14"){
header("Location: /0x00560");
}else{
//all other errors go to the generic error page
header("Location: /0x00567");
}
exit;
}
PEAR::setErrorHandling(PEAR_ERROR_CALLBACK,'my_handle_error');
$db = db_connect();
$sess = new SessionManager($db);
session_start();
$user = new User($db);
I am setting the error handler within the PEAR DB object and then testing for different error codes. The error codes I am explicitly testing for are connection errors. Connection errors are redirected to a standard page telling the user the database is most likely down, whilst all other errors record information about the error and the time it occurred, maybe even information about the computer involved (if you have unit tested all the classes containing SQL, you can bet with 70% certainty that it's a hacker. With AJAX you cannot, since AJAX is still unpredictable, but then the error would occur when attempting to connect to AJAX, not when retrieving information from the table).
Version 3.4, slightly secure session handling; there is yet more to do, but here are the beginnings:
class User {
var $db = null; // PEAR::DB pointer
var $failed = false; // failed login attempt
var $date; // current date GMT
var $id = 0; // the current user's id
var $myKey = '';
var $ip = '';
var $msg = " ";
function User(&$db) {
$this->db = $db;
$this->date = $GLOBALS['date'];
$this->myKey = "54M_i1lM4N";
$this->ip = $_SERVER['REMOTE_ADDR'];
$this->msg = " ";
if ($_SESSION['logged']) {
@$this->_checkSession();
} elseif ( isset($_COOKIE['sxuser']) ) {
@$this->_checkCookie($_COOKIE['sxuser']);
} else {
@$this->session_defaults();
}
}
//*************************
// Basic Functions
//*************************
function _logAttempt($username, $successful){
$successful = $this->db->quote($successful);
//write it to db
$sql = "INSERT INTO tbllogrecords(Username, IP, Successful) VALUES($username, '$this->ip', $successful)";
@$this->db->query($sql);
}
function _unsetVar($arr){
$count = count($arr);
for($i=0; $i<$count; $i++){
unset($arr[$i]);
}
unset($arr);
unset($count);
}
function _capfail($query){
$query = $this->db->quote($query);
$thisip = $this->db->quote($this->ip);
//put in db
$sql = "INSERT INTO tblDB_Er (query, ip) VALUES ($query, $thisip)";
$this->db->query($sql);
}
function generatePassword() {
$length=9;
$strength=8;
$vowels = 'aeuy';
$consonants = 'bdghjmnpqrstvz';
if ($strength & 1) {
$consonants .= 'BDGHJLMNPQRSTVWXZ';
}
if ($strength & 2) {
$vowels .= "AEUY";
}
if ($strength & 4) {
$consonants .= '23456789';
}
if ($strength & 8) {
$consonants .= '@#$%';
}
$password = '';
$alt = time() % 2;
for ($i = 0; $i < $length; $i++) {
if ($alt == 1) {
$password .= $consonants[(rand() % strlen($consonants))];
$alt = 0;
} else {
$password .= $vowels[(rand() % strlen($vowels))];
$alt = 1;
}
}
return $password;
}
//*****************
// Encryption
//*****************
function lindecrypt($enpass) {
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
//property is $myKey (case matters); ECB ignores the IV, it is created only because mcrypt expects one
$decryptedpass = mcrypt_decrypt (MCRYPT_RIJNDAEL_256, $this->myKey, $enpass, MCRYPT_MODE_ECB, $iv);
return rtrim($decryptedpass);
}
function linEncrypt($pass) {
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); //Creating the vector
$cryptedpass = mcrypt_encrypt (MCRYPT_RIJNDAEL_256, $this->myKey, $pass, MCRYPT_MODE_ECB, $iv);
return $cryptedpass;
}
function lindecryptO($enpass, $key) {
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$decryptedpass = mcrypt_decrypt (MCRYPT_RIJNDAEL_256, $key, $enpass, MCRYPT_MODE_ECB, $iv);
return rtrim($decryptedpass);
}
function linEncryptO($pass, $key) {
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); //Creating the vector
$cryptedpass = mcrypt_encrypt (MCRYPT_RIJNDAEL_256, $key, $pass, MCRYPT_MODE_ECB, $iv);
return $cryptedpass;
}
//****************
// Populate Session
//****************
function session_defaults() {
$_SESSION['logged'] = false;
$_SESSION['uid'] = 0;
$_SESSION['username'] = '';
$_SESSION['cookie'] = 0;
$_SESSION['remember'] = false;
}
//*****************
// Ban Handlers
//*****************
function _isBanned($username){
$username = $this->db->quote($username);
//can I access my account?
$sql = "SELECT Banned FROM tbluser WHERE " .
"Username = $username";
@$result = $this->db->getRow($sql);
//has account been banned?
if ($result->Banned == 'true') {
return true;
}else{
//phew, better luck next time admin
return false;
}
}
//**************
// Lock Handlers
//**************
function _warnLock(){
if($_COOKIE['logAt'] > 2){
return true;
}
}
function _isLocked($username){
$username = $this->db->quote($username);
//can I access my account?
$sql = "SELECT Locked FROM tbluser WHERE " .
"Username = $username";
@$result = $this->db->getRow($sql);
//has account been banned?
if ($result->Locked == 'true') {
return true;
}else{
//phew, better luck next time admin
return false;
}
}
//**************
// Lock Account
//**************
function lockAccount($id){
$id = $this->db->quote($id);
$sql = "UPDATE tbluser SET Locked='true' WHERE UserID = $id";
@$this->db->query($sql);
}
//*************
// Is IP Allowed?
//*************
function _AllowIP($result){
$match = false;
while($result->fetchInto($qrow, DB_FETCHMODE_ASSOC)){
if($qrow['IP'] == $this->ip){
$match = true;
}
}
return $match;
}
//*************
// Username Check (AJAX)
//*************
function _userExist($username){
$username = $this->db->quote($username);
$sql = "SELECT Username FROM tbluser WHERE " .
"(Username = $username)";
PEAR::setErrorHandling(PEAR_ERROR_PRINT, "ERROR");
@$result = $this->db->getRow($sql);
if (is_object($result) ) {
return true;
}else{
return false;
}
}
//***************
// Actual Script
//***************
function _checkLogin($username, $password, $remember) {
$username = @strip_tags($username);
$username = @stripslashes($username);
$password = @strip_tags($password);
$password = @stripslashes($password);
if($remember == "1" || $remember == "0"){
$username = @substr($username, 0, 20);
$unquotedUser = $username;
//prepare the variables
$username = $this->db->quote($username);
$password = $this->db->quote($password);
$password = $this->db->quote($this->linEncrypt($password));
//check the ban catalogue
$sql = "SELECT Banned FROM tbluser WHERE Username = $username";
@$result = $this->db->getRow($sql);
if($result->Banned == 'true'){
return false;
}else{
if(eregi ( "localhost/login", $_SERVER['HTTP_REFERER'] )){
$sql = "SELECT UserID, Username, cookie, Locked FROM tbluser WHERE " .
"Username = $username AND " .
"Password = $password";
@$result = $this->db->getRow($sql);
//does this user already exist as a logged user?
if ( is_object($result) ) {
if($result->Locked == "false"){
//check for allowed ips
$ipSQL = "SELECT IP FROM tblallowedip WHERE UserID = $result->UserID";
$ipresult = $this->db->query($ipSQL);
if($ipresult->numRows() > 0){
$needIP = true;
}
if(isset($needIP)){
if($this->_AllowIP($ipresult)){
@$this->_logAttempt($username, true);
@$this->_setSession($result, $remember);
@$this->_setCookie($unquotedUser, $password, $remember);
//if(isset($_COOKIE['logAt'])){
//setcookie("logAt", "", time() - 3600);
//}
@$this->_unsetVar(array($username, $password, $result, $remember, $unquotedUser, $sql));
return true;
}else{
return false;
}
}else{
@$this->_logAttempt($username, true);
@$this->_setSession($result, $remember);
@$this->_setCookie($unquotedUser, $password, $remember);
//if(isset($_COOKIE['logAt'])){
//setcookie("logAt", "", time() - 3600);
//}
@$this->_unsetVar(array($username, $password, $result, $remember, $unquotedUser, $sql));
return true;
}
}else{
return false;
}
} else {
//write to login table for record keeping
@$this->_logAttempt($username, false);
@$this->_logout();
//if($_COOKIE['logAt'] > 3){
//@$this->lockAccount($result->UserID);
//}
//if(!isset($_COOKIE['logAt'])){
//setcookie("logAt", 1);
//}else{
//$tri = $_COOKIE['logAt'] + 1;
//setcookie("logAt", $tri);
//}
@$this->_unsetVar(array($username, $password, $result, $remember, $unquotedUser, $sql));
return false;
}
}else{
return false;
}
}
}else{
return false;
}
}
function _setSession(&$values, $remember, $init = true) {
//write to db
$this->id = $values->UserID;
$_SESSION['uid'] = $this->id;
$_SESSION['username'] = htmlspecialchars($values->Username);
$_SESSION['cookie'] = $remember;
$_SESSION['logged'] = true;
if ($init) {
$session = $this->db->quote(session_id());
$sql = "UPDATE tbluser SET session = $session, ip = '$this->ip' WHERE " .
"UserID = $this->id";
@$this->db->query($sql);
}
}
function _setCookie($u, $p, $r){
$username = $this->linEncryptO($u, "S5M337ll4Ma9");
$password = $this->linEncryptO($p, "d4NIl2An");
$remember = $this->linEncryptO($r, "En2r9t0");
if($r == "1"){
setcookie("sxuser", $username, time()+60*60*24*365*10);
setcookie("sxp", $password, time()+60*60*24*365*10);
setcookie("sxremember", $remember, time()+60*60*24*365*10);
}else{
setcookie("sxuser", $username);
setcookie("sxp", $password);
setcookie("sxremember", $remember);
}
@$this->_unsetVar(array($username, $password, $remember));
}
function _checkCookie($cookie){
if(!$cookie) return;
$username = $this->lindecryptO($_COOKIE['sxuser'], "S5M337ll4Ma9");
$password = $this->lindecryptO($_COOKIE['sxp'], "d4NIl2An");
$remember = $this->lindecryptO($_COOKIE['sxremember'], "En2r9t0");
$thiip = $this->db->quote($_SERVER['REMOTE_ADDR']);
$username = $this->db->quote($username);
$sql = "SELECT * FROM tbluser WHERE " .
"Username = $username AND Password = $password AND ip = $thiip";
@$result = $this->db->getRow($sql);
if(is_object($result)){
if($remember == "1" || $remember == "0"){
@$this->_setSession($result, $remember);
@$this->_unsetVar(array($username, $password, $cparts, $remember, $decryptc, $cookie, $sql, $result, $tableres));
}else{
@$this->_logout();
@$this->_unsetVar(array($username, $password, $cparts, $remember, $decryptc, $cookie, $sql, $result, $tableres));
}
}
}
function _destroyCookie(){
setcookie("sxuser", "", time() - 3600);
setcookie("sxp", "", time() - 3600);
setcookie("sxremember", "", time() - 3600);
unset($_COOKIE['sxuser']);
unset($_COOKIE['sxp']);
unset($_COOKIE['sxremember']);
}
function _checkSession() {
$username = $this->db->quote($_SESSION['username']);
$cookie = $this->db->quote($_SESSION['cookie']);
$session = $this->db->quote(session_id());
$thiip = $this->db->quote($_SERVER['REMOTE_ADDR']);
$sql = "SELECT * FROM tbluser WHERE " .
"Username = $username AND " .
"session = $session AND (ip = $thiip)";
@$result = $this->db->getRow($sql);
if (is_object($result) ) {
@$this->_setSession($result, $cookie, false);
} else {
@$this->_logout();
}
}
function _logout(){
$id = session_id();
session_regenerate_id();
$this->session_defaults();
$newid = $this->db->quote($id);
$sql = "DELETE FROM `sessions` WHERE `session_id` = $newid";
@$this->db->query($sql);
@$this->_destroyCookie();
session_unset();
return true;
}
function _registerUser($username, $password, $email, $c_Origin, $g_Sex, $b_yearBirth, $pub_prof, $pub_chan){
$unquotedpw = $password;
$unquotedusername = $username;
//quote the data so no injections
$country = $this->db->quote($c_Origin);
$gender = $this->db->quote($g_Sex);
$birthyear = $this->db->quote($b_yearBirth);
$username = $this->db->quote($username);
$password = $this->db->quote($password);
$email = $this->db->quote($email);
$pub_prof = $this->db->quote($pub_prof);
$pub_chan = $this->db->quote($pub_chan);
//privacy options
//encrypt pw
$encryptedpw = $this->db->quote($this->linEncrypt($password));
//write to db
$insertSql = "INSERT INTO tbluser(Username, Password, Email, Country, Gender, BirthYear, PublicProfile, PublicChannel) VALUES($username, $encryptedpw, $email, $country, $gender, $birthyear, $pub_prof, $pub_chan)";
@$this->db->query($insertSql);
//log user in
if($this->_checkLogin($unquotedusername,$unquotedpw,0)){
unset($password);
return true;
}else{
unset($password);
return false;
}
}
function _recoverDetails($userEmail){
//updates the table with a randomly generated pw and mails it to the user
$unquotePass = $this->generatePassword();
$newRandPass = $this->db->quote($unquotePass);
$newRandPass = $this->db->quote($this->linEncrypt($newRandPass));
$quotedEmail = $this->db->quote($userEmail);
$upsql = "UPDATE tbluser SET Password=$newRandPass WHERE Email = $quotedEmail";
//the quoted email must be used here too, otherwise the query is both broken and injectable
$sql = "SELECT Username FROM tbluser WHERE Email = $quotedEmail";
@$result = $this->db->getRow($sql);
if (is_object($result)){
//store the new password before telling the user about it
@$this->db->query($upsql);
$to = $userEmail;
$subject = 'Your StageX Account Details';
//double quotes so that \n becomes a real line break
$message = "Hello ".$result->Username."\n" .
"Shown below are your account details for the StageX video site.\n" .
"Username: ".$result->Username."\nPassword: ".$unquotePass."\n" .
"We would strongly recommend that you change your password as soon as you log in.\n" .
"Thank you\n" .
"StageX Team\n\n\n\n" .
"==================================================================================\n" .
"This message is confidential to the receiver and should not be viewed by others.\n" .
"The mail box from which this message originated is unmanaged and any emails sent to it will not be looked at.\n" .
"==================================================================================\n";
$headers = 'From: no-reply@stagex.co.uk';
mail($to,$subject,$message,$headers);
return true;
}else{
return false;
}
}
}
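As an added example (not the blog's code), here is the same login and "remember me" flow as the User class above written so that neither the database nor the cookie ever holds the password or anything that decrypts back to it: password_hash() replaces the reversible mcrypt call, prepared statements replace quoted string SQL, and the cookie carries a random selector:validator pair rather than an encrypted copy of the password. It assumes PHP 5.6 or later, a PDO handle, that session_start() has already been called (as in the bootstrap shown earlier), and a hypothetical schema of two tables named users and remember_tokens.

```php
<?php
// Added example, not the blog's code. Hypothetical schema:
//   users(id INT, username VARCHAR, password_hash VARCHAR)
//   remember_tokens(selector CHAR(24), validator_hash CHAR(64), user_id INT, expires INT)
class SafeUser
{
    private $db;
    public $id = 0;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Registration: store only a salted, slow hash. password_hash() picks the salt
    // and cost; nothing here needs a site-wide key like $myKey.
    public function register($username, $password)
    {
        $st = $this->db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
        return $st->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
    }

    // Login: prepared statement instead of string-built SQL, password_verify()
    // instead of comparing ciphertexts, and a fresh session id so a session id
    // handed to the browser before login is not carried over (the class above
    // only regenerates it on logout).
    public function login($username, $password, $remember = false)
    {
        $st = $this->db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $st->execute(array($username));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if (!$row || !password_verify($password, $row['password_hash'])) {
            return false;   // same answer for unknown user and wrong password
        }
        session_regenerate_id(true);
        $this->id = (int) $row['id'];
        $_SESSION['uid'] = $this->id;
        $_SESSION['logged'] = true;
        if ($remember) {
            $this->issueRememberCookie($this->id);
        }
        return true;
    }

    // "Remember me" as selector:validator. The table keeps the selector in clear
    // and only a SHA-256 of the validator, so a leaked table does not yield a
    // usable cookie, and the cookie never contains the password as sxp does.
    private function issueRememberCookie($userId)
    {
        $selector  = bin2hex(openssl_random_pseudo_bytes(12));
        $validator = bin2hex(openssl_random_pseudo_bytes(32));
        $expires   = time() + 60 * 60 * 24 * 30;
        $st = $this->db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
        $st->execute(array($selector, hash('sha256', $validator), $userId, $expires));
        // httponly keeps page scripts away from it; set the "secure" argument
        // (sixth) to true once the site is served over HTTPS.
        setcookie('remember', $selector . ':' . $validator, $expires, '/', '', false, true);
    }

    // For a request with no logged-in session: look the selector up, compare the
    // validator hash in constant time, then log the user in as above.
    public function loginFromCookie()
    {
        if (empty($_COOKIE['remember']) || strpos($_COOKIE['remember'], ':') === false) {
            return false;
        }
        list($selector, $validator) = explode(':', $_COOKIE['remember'], 2);
        $st = $this->db->prepare('SELECT user_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires > ?');
        $st->execute(array($selector, time()));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
            return false;
        }
        session_regenerate_id(true);
        $this->id = (int) $row['user_id'];
        $_SESSION['uid'] = $this->id;
        $_SESSION['logged'] = true;
        return true;
    }
}
```

Delete the matching remember_tokens row in your logout routine alongside the session, so a stolen cookie stops working when the user signs out.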
And the login.php to go with it all:
<?php
require_once('includes/header.php');
$tries = 0;
if(isset($_GET['nxt'])){
$smarty->assign("nexturl", $_GET['nxt']);
$nxt = $_GET['nxt'];
}else{
$nxt = "/";
}
if(isset($_POST['signIn'])){
$req_fields = array("username"=>"Username", "password"=>"Password");
$tries = $_POST['t'];
if(!$_SESSION['logged']){
if(check_empty_fields()){
if(isset($_POST['remember'])){
$remember = $_POST['remember'];
}else{
$remember = 0;
}
if($user->_checkLogin($_POST["username"], $_POST["password"], $remember)){
//$nxt comes straight from the query string; restrict it to local paths before trusting it here
header("Location: $nxt");
exit;
}else{
if($user->_isBanned($_POST["username"])){
$smarty->assign("logError", "Your account has been banned. If you wish to appeal to this banning you can do so in the help section.");
}elseif($user->_isLocked($_POST["username"])){
$smarty->assign("logError", "Your account has been locked. This could have been a result of some one attempting to gain unauthorized access to your account or you just forgetting the password. Please use <a href='/forgot_password' class='normalHyp'>the forgot password page</a> to retrieve your account.");
}elseif($user->_warnLock($tries)){
$smarty->assign("logError", "Warning: If you fail to provide the correct credentials one or more times your account will be locked");
}else{
$smarty->assign("logError", "Those are incorrect login credentials.");
}
$tries++;
$smarty->assign('t', $tries);
}
}else{
$smarty->assign("logError", $msg);
}
}else{
$smarty->assign("logError", "You are already logged in. You cannot login twice.");
}
}
if($_SESSION['logged']){
header("Location: /");
exit;
}else{
$smarty->display('login.htm');
}
?>
And the register.php
<?php
//assumed to mirror login.php: header.php provides $smarty and $user
require_once('includes/header.php');
if (isset($_POST['registerUser'])){
$smarty->assign('user', $_POST['username']);
$smarty->assign('email', $_POST['email']);
$smarty->assign('countryvalue', $_POST['country']);
$longDescCtry = translate_country_code($_POST['country']);
$smarty->assign('country', $longDescCtry);
$smarty->assign('publicProf', $_POST['publicProf']);
if(isset($_POST['publicProf'])){
$publicProf = $_POST['publicProf'];
}else{
$publicProf = 0;
}
$smarty->assign('publicChan', $_POST['publicChan']);
if(isset($_POST['publicChan'])){
$publicChan = $_POST['publicChan'];
}else{
$publicChan = 0;
}
$smarty->assign('gender', $_POST['gender']);
$req_fields = array("username"=>"Username", "passchk_pass"=>"Password", "email"=>"Email", "country"=>"Country", "gender"=>"Gender");
$formedDate = $_POST['birthday_day'].$_POST['birthday_mon'].$_POST['birthday_yr'];
$smarty->assign('DOBday', $_POST['birthday_day']);
$smarty->assign('DOBmonval', $_POST['birthday_mon']);
$longDescMonth = translate_month_value($_POST['birthday_mon']);
$smarty->assign('DOBmon', $longDescMonth);
$smarty->assign('DOByr', $_POST['birthday_yr']);
//strip tags first, then strip slashes from the already stripped value (not from $_POST again)
$username = @strip_tags($_POST['username']);
$username = @stripslashes($username);
$password = @strip_tags($_POST['passchk_pass']);
$password = @stripslashes($password);
$email = @strip_tags($_POST['email']);
$email = @stripslashes($email);
$username = @substr($username, 0, 20);
if($formedDate > 111901){
if(check_empty_fields()){
if (ereg("^[a-zA-Z0-9]*$",$username) ) {
if(ereg("^[a-zA-Z0-9_]*$", $password)){
if(ereg("^[a-zA-Z0-9._-]+@[a-zA-Z0-9-]+\.[a-zA-Z.]{2,5}$", $email)){
if(!$user->_userExist($username)){
if(!$user->Eexist($email)){
$resp = recaptcha_check_answer ("6LfX3QkAAAAAAA4o9cjigvCX-ZgILKNxY9DdyEh9",
$_SERVER["REMOTE_ADDR"],
$_POST["recaptcha_challenge_field"],
$_POST["recaptcha_response_field"]);
if (!$resp->is_valid) {
$smarty->assign('registerError', "The reCAPTCHA was entered incorrectly. Please enter the reCAPTCHA correctly.");
}else{
$completeDate = $_POST['birthday_day']."/".$_POST['birthday_mon']."/".$_POST['birthday_yr'];
if($user->_registerUser($username, $password, $email, $_POST['country'], $_POST['gender'], $completeDate, $publicProf, $publicChan)){
header("Location: /user");
exit;
}else{
$smarty->assign('registerError', "There was an unknown error. This error has been reported. Please try logging in. If you cannot log in please file a bug report.");
}
}
}else{
$smarty->assign('registerError', "That email already exists on the system. Please use <a href='/forgot_password'>account recovery</a> to retrieve your account details.");
}
}else{
$smarty->assign('registerError', "That username has already been used please choose another.");
}
}else{
$smarty->assign('registerError', "Please enter a valid Email (i.e. support@stagex.co.uk).");
}
}else{
$smarty->assign('registerError', "The only characters accepted within a password are alphabetical and numerical along with the underscore symbol (_).");
}
}else{
$smarty->assign('registerError', "The username must only contain numbers and letters. Please choose another username.");
}
}else{
$smarty->assign('registerError',$msg);
}
}else{
$smarty->assign('registerError', "Please enter a valid Date of Birth.");
}
}
if($_SESSION['logged']){
header("Location: /");
exit;
}else{
$smarty->display('register.htm');
}
Well, I have just found a site, a very interesting site. It's a freelancing site that allows me to earn some money over the net. Basically, employers put lots of projects on this site and say how much they will pay for you to complete the project, and you (along with others) bid for the chance to earn that money.
Hopefully (fingers crossed) this might earn me some money as well as experience to put on my CV for a job. Kind of ironic, really: everyone where I live says they can't get experienced IT professionals, but how do you expect to get any when there are no training jobs?
This tutorial will teach you how to use the Facebook platform to control user logins to your Facebook application.
//some more content
Here is an example class of what I created for some other random app. As you can see, I have created a class (acting much like a wrapper, really) around the Facebook login method facebook->require_login(). This particular app required the user to be registered in its own database after connecting through Facebook. The function _f_checkRegistered($fb_user) checks for first-time registration; this could act like a start screen for a new player of a Facebook game, for example.
<?php
class Facebook_User{
var $db = null;
var $msg = ' ';
var $date;
var $ip = '';
var $myKey = '';
var $facebook = null;
var $user_details = ' ';
function Facebook_User(&$db, &$facebook){
$this->db = $db;
$this->facebook = $facebook;
$this->date = $GLOBALS['date'];
$this->ip = $_SERVER['REMOTE_ADDR'];
$this->myKey = "54M_i1lM4N";
$expires = $facebook->session_expires;
$time = time();
if($expires < $time){
//$facebook->expire_session();
}
//only re-check the Facebook session when no normal session is logged in
if(!$_SESSION['logged'] && $_SESSION['F_LOG']){
$this->_f_checkSession();
}
}
function generatePassword() {
$length=9;
$strength=8;
$vowels = 'aeuy';
$consonants = 'bdghjmnpqrstvz';
if ($strength & 1) {
$consonants .= 'BDGHJLMNPQRSTVWXZ';
}
if ($strength & 2) {
$vowels .= "AEUY";
}
if ($strength & 4) {
$consonants .= '23456789';
}
if ($strength & 8) {
$consonants .= '@#$%';
}
$password = '';
$alt = time() % 2;
for ($i = 0; $i < $length; $i++) {
if ($alt == 1) {
$password .= $consonants[(rand() % strlen($consonants))];
$alt = 0;
} else {
$password .= $vowels[(rand() % strlen($vowels))];
$alt = 1;
}
}
return $password;
}
function linEncrypt($pass) {
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); //Creating the vector
//property is $myKey (case matters); ECB ignores the IV, it is created only because mcrypt expects one
$cryptedpass = mcrypt_encrypt (MCRYPT_RIJNDAEL_256, $this->myKey, $pass, MCRYPT_MODE_ECB, $iv);
return $cryptedpass;
}
function _f_sessionDefaults(){
$_SESSION['uid'] = 0;
$_SESSION['name'] = '';
$_SESSION['FP_TEMP'] = '';
$_SESSION['F_LOG'] = false;
}
function _f_checkSession(){
$facebook_uid = $this->db->quote($_SESSION['uid']);
$fullName = $this->db->quote($_SESSION['name']);
$sql = "SELECT * FROM facebook_User WHERE UID = $facebook_uid AND Name = $fullName";
$result = $this->db->getRow($sql);
if(is_object($result)){
//column name must match the one written in _f_assignCred
if($_SESSION['FP_TEMP'] == md5($result->TEMP_PW)){
$this->_f_login();
}else{
$this->_f_sessionDefaults();
return false;
}
}else{
$this->_f_sessionDefaults();
return false;
}
}
function _f_login(){
$fb_user = $this->facebook->require_login();
$this->_f_checkRegistered($fb_user);
}
function _f_Logout(){
$this->facebook->expire_session();
$this->facebook->clear_cookie_state();
}
function _f_assignCred($facebook_uid, $fullName){
$TMP_PW = $this->linEncrypt($this->generatePassword());
$F_PWTMP = $this->db->quote($TMP_PW);
//raw values go in the session, quoted copies go in the SQL
$_SESSION['uid'] = $facebook_uid;
$_SESSION['name'] = $fullName;
$_SESSION['FP_TEMP'] = md5($TMP_PW);
$_SESSION['F_LOG'] = true;
$quotedUid = $this->db->quote($facebook_uid);
$quotedName = $this->db->quote($fullName);
$sql = "UPDATE facebook_User SET TEMP_PW = $F_PWTMP WHERE UID = $quotedUid AND Name = $quotedName";
$this->db->query($sql);
}
function _f_checkRegistered($fb_user){
$user_details = $this->facebook->api_client->users_getInfo($fb_user, array('name'));
$fullName = $user_details[0]['name'];
$facebook_uid = $this->db->quote($fb_user);
$quotedName = $this->db->quote($fullName);
$sql = "SELECT * FROM facebook_User WHERE UID = $facebook_uid AND Name = $quotedName";
$result = $this->db->getRow($sql);
if(is_object($result)){
//pass the unquoted values; _f_checkSession quotes them again on the next request
$this->_f_assignCred($fb_user, $fullName);
return true;
}else{
return false;
}
}
function _f_URegister($fb_user){
//XXX @todo: make registration script
}
}
?>
I should just mention this class is incomplete, so don't blame me if not all of it works. But this is the basic structure I use for Facebook apps.
Hello and welcome. I have been away recently working on something new for my video site.
I thought I would produce some sort of tutorial here so others can understand how to customize their JQuery galleries. I will start talking you through the process of producing the end product in a couple of days, but I thought I would post the initial screenshot now so you can all see what the end product will look like:
What we are looking at is the big grey strip across the middle of the page; ignore the header and footer. There are three parts to the gallery: "hot" (popular) videos, default spotlight videos and editors' picks. The JQuery gallery will scroll between each part when one of the links is clicked, and the links will change accordingly (I could have done it all with plain AJAX, but I wanted the scroll effect, so meh).
The sections themselves are broken down into videos. There is one main highlight video with information about it (length and rating) and four smaller images representing other videos. When the user hovers over one of the images, a tooltip shows the title of the video.
In this tutorial I will be using HTML, CSS, JQuery (Scroll and AJAX), PHP and MySQL, and I will be checking this product in IE7 (IE8 is emulated as IE7) and Firefox (just the two browsers I have at hand; no, IE is not running under Wine, it's in a VM).
One last tip before I say bye for a couple of days whilst I get the finishing touches done: this tutorial is really only for professionals. I would recommend newer users stick to the JQuery gallery post I uploaded some time ago. This tutorial will be using the full Monty.
I know this hack is old, but I thought I'd repost it here since I forgot how to do this today and it took ages to find it again. This hack stops buttons from expanding their widths in IE to stupid levels and is standards-mode compliant.
/* IE6 */
* html input {
overflow: visible;
width: 1px;
}
/* IE7 */
*+html input {
overflow: visible;
}
As requested I have written this tutorial so that readers understand exactly how to produce AJAX forms with JQuery. Now, let’s dive into the weird and wonderful world of JQuery!
Now as always you need to import your JQuery with this in your head tag:
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.1/jquery.min.js" type="text/javascript"></script>
Now we need to make our form so within the body tag we add our form:
<form name="thisform"> <input type="text" id="myfirstname"> <input type="text" id="mylastname"> <input type="submit" value=" Submit " id="submit_AJAX"> </form>
Now comes the difficult part: making the JQuery function and binding it to the form. You will want to put this within your head tag as well, inside a script tag:
$(document).ready(function() {
$("#submit_AJAX").click(function () {
//get our values (the selector must match the input id, myfirstname)
var first = $("#myfirstname").val();
var last = $("#mylastname").val();
var dataString = 'first='+ first + '&last=' + last;
//shows you what's being sent
alert (dataString);
$.ajax({
type: "POST",
url: "somepage.php",
data: dataString,
success: function(callback) {
if(!callback) return;
//alerts the user of the echo in the php
alert(callback);
}
});
//stop the browser submitting the form normally, which would reload the page before the AJAX call finishes
return false;
});
});
And lastly we need to make a simple PHP (server-side) page to handle the AJAX request:
<?php
if(isset($_COOKIE['AJAXFORM'])){
//setcookie() sends a new Set-Cookie header; assigning to $_COOKIE would only change the local copy
setcookie("AJAXFORM", $_POST['first']." ".$_POST['last']);
echo "cookie updated";
}else{
setcookie("AJAXFORM", $_POST['first']." ".$_POST['last']);
echo "cookie made";
}
?>
And that should do it.
You will now have an AJAX form. I should explain that in this example I have bound the function via the onclick of the submit button; however, to have many forms, simply turn the AJAX function into its own separate function and, on the form submit, point to that function (returning its value so that a false return still stops the normal submit):
<form name="thisform" onsubmit="return AJAXFUNCTION()">
Enjoy
I have created this tutorial as a mid-way point between my Simple PHP Upload post and the Multiple Files with Progress Bar Upload post. This is designed to give all visitors of my site a chance to understand the more complex version.
OK, we are building upon the material described within a previous post. The previous post is basically a simple uploader, and what I am going to explain here is how to improve the code so that the page does not need to refresh in order to upload the file.
All I did was rewrite the HTML to look more like:
<html> <head> <title>Upload Dat File!!</title> </head> <body> <form action="upload.php" method="post" target="uploadFrame" enctype="multipart/form-data"> <input type="file" name="userfile" size="30"/> <input type="submit" value=" Upload "> </form> <iframe name="uploadFrame" style="display:none;"></iframe> </body> </html>
So this HTML shows a new iframe named uploadFrame, and the form target pointing to this iframe. The reason this form will not need to refresh is that you are in fact making the form point to the iframe, meaning the upload now takes place in the iframe instead of on a new page; kool, huh?
So as the file uploads it sends all data to the iframe, which then opens upload.php and runs the script we had before. That means uploading without refresh is now covered, enjoy.