Login

08-30-2014, 09:28 AM

[eluser]CroNiX[/eluser]
because if the session variable doesn't exist, session returns boolean false, and trim(false) is an empty string. So you should be using === comparisons when checking session to see if value exists so it checks the variables data TYPE in addition to its value.

Code:
if ($this->CI->session->userdata('user_id')) {

would not pass your check if the user id is 0, even though the user exists in session, so that's not a good check. It might not matter here with this example, but it will with others.

Code:
if ($this->CI->session->userdata('user_id') !== FALSE) {

is much more accurate to see if the value is set in session or not. There are plenty of instances where 0 is a valid value in session but it wouldn't work the way you are checking.

Also, if you allow

Code:
$this->CI->db->escape(md5($password))

then its next to useless. md5 should NOT be allowed on its own. There are plenty of rainbow tables out there that will bypass that in NO TIME. You better hope none of your users, or the public who can access your app, are hackers. Your site, or more likely your clients site, would become theirs. I guess you haven't been paying attention to the news lately of all of the hacking going on. It's because of stuff like you're doing using md5(), which is totally insecure.
https://crackstation.net/
https://www.freerainbowtables.com/tables/
http://project-rainbowcrack.com/table.htm