[eluser]Johnny Freeman[/eluser]
Hello, I am fairly new to CI and want to custom build a user authorization section for the backend section of a site that I am making. I already know that there are already plugins built for this task. However, I have chosen to do it myself.
I am seeking feedback on the following code about how I could improve on security AND, most importantly, I want to make sure I am doing it properly according to CI standards. I have already tested the code so far and it works just fine. Also, keep in mind that this is far from being complete; I am just curious to see what the community thinks and to make sure I am on the right track.
This is the login controller function:
Code:
    function login()
    {
        $this->load->model('user');

        // raw form fields from the POST request
        $user = $this->input->post('username');
        $pass = $this->input->post('password');
        $rmbr = $this->input->post('rememberme');   // not used yet

        if ( $this->user->doesexist($user) && $this->user->passwordiscorrect($user, $pass) ) :
            echo "true";
        else :
            echo "false";
        endif;
    }
And, this is the user model:
Code:
    function doesexist($user)
    {
        ############# This function checks ONLY to see if a user exists #############
        /*********************************
         * function to retrieve the user
         *********************************/
        $query = $this->db->get_where('users', array('username' => $user));
        /*********************************
         * if the user exists, return TRUE
         *********************************/
        if ( $query->num_rows() > 0 )
        {
            return TRUE;
        }
        /*********************************
         * if not, return FALSE
         *********************************/
        return FALSE;
    }
    #############################################################################################
    function passwordiscorrect($user, $pass)
    {
        ############# This function checks if the given password matches the given username #############
        /*********************************
         * function to retrieve the user's data
         *********************************/
        $query = $this->db->get_where('users', array('username' => $user));
        /*********************************
         * hash the given password so we can match it to the stored hash
         * (md5 is a hash, not encryption: it cannot be reversed to get the password back)
         *********************************/
        $pass = md5($pass);
        /*********************************
         * if the password matches, return TRUE
         * row_array() gives an empty result when no row matched, so check the
         * 'password' key exists before comparing, and compare strictly (===)
         * so two hex strings are never coerced to numbers
         *********************************/
        $row = $query->row_array();
        if ( isset($row['password']) && $pass === $row['password'] )
        {
            return TRUE;
        }
        /*********************************
         * if not, return FALSE
         *********************************/
        return FALSE;
    }
I appreciate all of your comments and I look forward to this new learning experience!
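As a worked illustration of the security feedback a reviewer would give on the post above, here is the same login/model pair rewritten to store salted, slow hashes via password_hash()/password_verify() instead of unsalted md5, to do one database lookup instead of two, and to keep both the timing and the error message the same whether or not the username exists. This is added example code, not Johnny's code and not part of CodeIgniter itself. It assumes CodeIgniter 3 (get_where(), row_array(), the session library and url helper) on PHP 7.0 or later, a `users` table with `id`, `username` and `password_hash` columns, and that the two classes live in application/models/User_model.php and application/controllers/Auth.php; the class names, the create() method and the redirect targets are illustrative.

```php
<?php
// application/models/User_model.php  (assumed location)
class User_model extends CI_Model
{
    // Hash of a random string, built once per request. It is verified against when
    // the username is unknown, so a failed lookup costs the same time as a real check
    // and an attacker cannot enumerate usernames by timing.
    private $dummy_hash;

    public function __construct()
    {
        parent::__construct();
        $this->dummy_hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    // Register a user. password_hash() picks a random salt and embeds it in the output,
    // so two users with the same password get different stored values.
    public function create($username, $password)
    {
        return $this->db->insert('users', array(
            'username'      => $username,
            'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        ));
    }

    // Returns the user row on success, FALSE otherwise. One query and one code path,
    // so the caller (and the client) cannot tell "no such user" from "wrong password".
    public function authenticate($username, $password)
    {
        $row = $this->db->get_where('users', array('username' => $username), 1)->row_array();

        // Always run password_verify() exactly once, even for unknown users.
        $stored = isset($row['password_hash']) ? $row['password_hash'] : $this->dummy_hash;
        $ok     = password_verify($password, $stored);

        if ( ! $ok || empty($row))
        {
            return FALSE;
        }

        // Transparent upgrade when the algorithm or cost has been raised since the hash was made.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT))
        {
            $this->db->where('id', $row['id'])
                     ->update('users', array('password_hash' => password_hash($password, PASSWORD_DEFAULT)));
        }

        return $row;
    }
}

// application/controllers/Auth.php  (assumed location)
class Auth extends CI_Controller
{
    public function login()
    {
        $this->load->model('user_model');
        $this->load->library('session');
        $this->load->helper('url');

        $username = (string) $this->input->post('username');
        $password = (string) $this->input->post('password');

        $user = $this->user_model->authenticate($username, $password);
        if ($user === FALSE)
        {
            // Same message for both failure cases: do not reveal which one occurred.
            $this->session->set_flashdata('error', 'Invalid username or password.');
            redirect('auth/login');
            return;
        }

        // Rotate the session id on login to defeat session fixation, then store only
        // the user id in the session, never the password or its hash.
        $this->session->sess_regenerate(TRUE);
        $this->session->set_userdata('user_id', (int) $user['id']);
        redirect('admin/dashboard');
    }
}
```

Two points the original code makes worth calling out. First, `$pass == $row['password']` compares two 32-character hex strings with PHP's loose `==`: if both happen to be of the form `0e` followed only by digits, PHP treats them as numeric strings and compares them as floats, so they compare equal even though they differ; on a legacy md5 column use `hash_equals($row['password'], md5($pass))` until the hashes are migrated. Second, echoing "true"/"false" is fine for testing, but the real login must establish server-side state (a regenerated session carrying the user id) rather than returning a flag the client could spoof.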