New to Code Igniter & $_SESSION?

[eluser]Unknown[/eluser]
Hi All,

I have only been using CI for two days and I am struggling to see any real advantages apart from a better code structure. Today I have developed a basic user login system and it took a lot longer than it would just to do it in PHP.

Another thing is, I normally use $_SESSION to store details of the logged in user however I can't seem to do this anymore? (Also is a bad from a security point of view to store these details there? if so, what way is better?)

Below I have also provided some of the code I have developed today for the registration part of the user login system. Any feedback on this would be great.

Register (Controller)

Code:

<?php

class Register extends CI_Controller {

    function index() {
    
        // Load Register Model
        $this->load->model('Register_model');
        
        // Load Form Validation Helper
        $this->load->library('form_validation');
        
        // Validate Form Fields
        $this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');
        $this->form_validation->set_rules('password', 'Password', 'trim|required|matches[passconf]|md5');
        $this->form_validation->set_rules('passconf', 'Password Confirmation', 'trim|required');
        $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
        $this->form_validation->set_rules('forename', 'First Name', 'trim|required');
        $this->form_validation->set_rules('surname', 'Last Name', 'trim|required');
        
        if ($this->form_validation->run() == FALSE)
        {
            $this->load->view('register');
        }
        else
        {
            // Check Username is Available
            if ($this->Register_model->check_username($this->input->post('username')))
            {
                // User Details Array (for passing to register function)
                $User['username'] = $this->input->post('username');
                $User['password'] = $this->input->post('password');
                $User['email'] = $this->input->post('email');
                $User['forename'] = $this->input->post('forename');
                $User['surname'] = $this->input->post('surname');
                
                // Register the User
                if ($this->Register_model->register_user($User['username'], $User['password'], $User['email'], $User['forename'], $User['surname']))
                {
                    $this->load->view('register_success');
                }
                else
                {
                    echo "Registration Failed, Please Try Again.";
                }
            }
            else
            {
                echo "Username in use.";
            }
        }
        
    }

}

Register (Model)

Code:

<?php

class Register_model extends CI_Model {

    function check_username($username) {
        $this->load->database();
        $check_username = $this->db->query("SELECT * FROM Users WHERE Username = '".$username."' LIMIT 1");
        if ($check_username->num_rows() == 1)
        {
            return FALSE;
        }
        else
        {
            return TRUE;
        }
    }
    
    function register_user($username, $password, $email, $forename, $surname) {
        $this->load->database();
        $sql = "INSERT INTO Users (Username, Password, Email, Forename, Surname)
                Values('".$username."', '".$password."', '".$email."', '".$forename."', '".$surname."')";
        $register_user = $this->db->query($sql);
        if ($register_user)
        {
            return TRUE;
        }
        else
        {
            return FALSE;
        }
    }

}

Register (View)

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
&lt;html&gt;
&lt;head&gt;
    &lt;title&gt;&lt;/title>
&lt;/head&gt;
&lt;body&gt;
    &lt;?php echo validation_errors(); ?&gt;
    &lt;form name="username" action="register" method="post"&gt;
        <label for="username">Username</label></br>&lt;input type="text" name="username" /&gt;&lt;/br>
        <label for="password">Password</label></br>&lt;input type="password" name="password" /&gt;&lt;/br>
        <label for="passconf">Password Confirmation</label></br>&lt;input type="password" name="passconf" /&gt;&lt;/br>
        <label for="email">Email</label></br>&lt;input type="email" name="email" /&gt;&lt;/br>
        <label for="forename">First Name</label></br>&lt;input type="text" name="forename" /&gt;&lt;/br>
        <label for="surname">Last Name</label></br>&lt;input type="text" name="surname" /&gt;&lt;/br>
        &lt;input type="submit" value="Register" /&gt;
    &lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;

[eluser]WanWizard[/eluser]
In CI you use the Sessions library instead of PHP's session management...

[eluser]Unknown[/eluser]
[quote author="WanWizard" date="1297297925"]In CI you use the Sessions library instead of PHP's session management...[/quote]

Whats the advantage of doing so?

[eluser]dark_lord[/eluser]
You can refer to the documentation to further understand the session class.

http://ellislab.com/codeigniter/user-gui...sions.html

[eluser]WanWizard[/eluser]
@Richie Jenkins,

There are several reasons for not using PHP's native sessions:
- they are not secure (the session id is a simple non-encrypted cookie without any checks)
- they are file based, and depending on the host config not always very secure (you can access other website's session files if not configured carefully)
- they are file based, so you can't query them (for example to get the number of logged-in users)
- they don't scale as well as a database does (not much of an issue in a single-server setup)
and probably lots more.

For me, the security issues alone are reason enough not to use them.

[eluser]InsiteFX[/eluser]
WanWizard, you can set the PHP Sessions to use a database.

But you would need to write code yourself.

InsiteFX