help on user authorization - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com)
Thread: help on user authorization (/showthread.php?tid=10117)

help on user authorization - El Forum - 07-18-2008
[eluser]Johnny Freeman[/eluser]
Hello, I am fairly new to CI and want to custom build a user authorization section for the backend section of a site that I am making. I already know that there are already plugins built for this task. However, I have chosen to do it myself. I am seeking feedback on the following code about how I could improve on security AND, most importantly, I want to make sure I am doing it properly according to CI standards. I have already tested the code so far and it works just fine. Also, keep in mind that this is far from being complete; I'm just curious to see what the community thinks and want to make sure I am on the right track.

This is the login controller function:
Code:
function login()

Code:
function doesexist($user)

help on user authorization - El Forum - 07-18-2008
[eluser]Colin Williams[/eluser]
Well, right away it is clear that you are running two identical queries, something you should never have to do. Consider caching results in a property of your model. This means you'll always check your cache property first, then run the query if you don't find it there. You'll also need to remember to update your cache when the data is manipulated (per request only.)

Prototype:
Code:
class User extends Model {

Also, I see no need to run two checks to do the login. You could simply have an authenticate() method that returns false on the conditions a) there is no such user in the database, or b) the password for the user is wrong.

help on user authorization - El Forum - 07-19-2008
[eluser]Bramme[/eluser]
Dunno if this is of any use for you, but I've always used a query like
Code:
if(num_rows(mysql_query(SELECT * FROM users WHERE username = $username AND password = $password)) == 1) {

Much faster if you ask me... (should do a benchmark though)

help on user authorization - El Forum - 07-19-2008
[eluser]Johnny Freeman[/eluser]
Colin: Thanks for the pointer about caching, although I have to admit that (slapping myself on the hand) I don't fully understand exactly how it's all done. I will do some research on it. Also, the reason that I created two separate functions for the check is so that I could also use them later. Example: when a user is registering for a new account I can use the $this->user->doesexist() function to see if the username is available or not. However, would it be bad practice to do something like this:
Code:
function isauthorized($user, $pass)

Bramme: Your suggestion would be perfect if I were coding with simplicity in mind. I'm not sure if it is faster as far as loading time goes, but it's definitely faster for typing the code. So thanks.

To All: Thank you again for your suggestions and I am excited to hear more from you.

help on user authorization - El Forum - 07-19-2008
[eluser]loathsome[/eluser]
Why would you check if the user exists AND if the password is correct at the same time? Just running "passwordiscorrect" would be sufficient enough.

help on user authorization - El Forum - 07-19-2008
[eluser]Johnny Freeman[/eluser]
You're absolutely correct. Thank you.

help on user authorization - El Forum - 06-02-2009
[eluser]Unknown[/eluser]
Hi All, I am new to CI and want to create a user login module. I will be using the code above. Now my question is: is this the right way, or are there other ways around also?

Thanks,
Nauman

help on user authorization - El Forum - 06-02-2009
[eluser]Johnny Freeman[/eluser]
I'm sure there are alternative ways of achieving this goal. But the code above will suffice. I used it for a while and eventually rewrote it into a library. Have fun!

Johnny
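
Added example (not code from any poster in this thread, and not CodeIgniter's own API): the per-request cache and single authenticate() method that Colin Williams describes, with the existence check kept reusable for registration as Johnny wanted. It is written as stand-alone PHP with PDO and an in-memory SQLite database; the table layout, the sample account, and the choice to store a password_hash() digest and use bound parameters are assumptions of this example.

```php
<?php
// Added example: constructed schema and sample data, stand-alone PHP (no CodeIgniter).
class UserModel
{
    private $db;
    private $cache = array(); // username => row or false; lives for this request only

    public function __construct(PDO $db) { $this->db = $db; }

    // One query per username per request; later calls are served from the cache.
    public function find($username)
    {
        if (!array_key_exists($username, $this->cache)) {
            // Bound parameter: the username never becomes part of the SQL text.
            $stmt = $this->db->prepare('SELECT username, pass_hash FROM users WHERE username = ?');
            $stmt->execute(array($username));
            $this->cache[$username] = $stmt->fetch(PDO::FETCH_ASSOC); // false when no row
        }
        return $this->cache[$username];
    }

    public function exists($username) { return $this->find($username) !== false; }

    // Single login check: false for an unknown user and for a wrong password alike.
    public function authenticate($username, $password)
    {
        $row = $this->find($username);
        return $row !== false && password_verify($password, $row['pass_hash']);
    }

    public function register($username, $password)
    {
        if ($this->exists($username)) {
            return false; // name already taken
        }
        $stmt = $this->db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
        $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
        unset($this->cache[$username]); // the cached "no such user" is now stale
        return true;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

$users = new UserModel($db);
var_dump($users->register('johnny', 'constructed-sample-pass')); // first registration
var_dump($users->register('johnny', 'another-pass'));            // duplicate username
var_dump($users->authenticate('johnny', 'constructed-sample-pass'));
var_dump($users->authenticate('johnny', 'wrong-pass'));
var_dump($users->authenticate('nobody', 'constructed-sample-pass'));
```

The unset() in register() is the cache update Colin mentions: without it, the "no such user" result cached by exists() would make a login in the same request fail for the account just created.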