user login code
#1

[eluser]weetstraw[/eluser]
Hello,

I'm new to CodeIgniter and working on the user login / session aspect of my site. How does the model code below look? Am I missing anything?

Code:
function checkUserLogin()
{
    $this->load->library('validation');
    
    $rules['username']="trim|required";
    $rules['password']="trim|required|md5";
    
    $this->validation->set_rules($rules);
    
    if($this->validation->run()==FALSE){
        echo "you really screwed up...";
    } else {
        $query=$this->db->where("username",$_POST['username']);
        $query=$this->db->where("password",$_POST['password']);
        $query=$this->db->limit(1,0);
        $query=$this->db->get('users');
        
        if(!$query->num_rows()){
            //return NULL;
            echo "wrong login!<br />user:<strong>".$_POST['username']."</strong> Password: <strong>".$_POST['password']."</strong>";
        } else {
            // store the flag in the session (a bare == comparison stores nothing)
            $this->session->set_userdata('logged_in', TRUE);
        }
    }
}
#2

[eluser]weetstraw[/eluser]
Also, is there a way to directly access the model from view, instead of the controller?

Code:
<?php echo form_open('manage/loginAction'); ?>
#3

[eluser]jedd[/eluser]
Hi weetstraw and welcome to the CI forums.

Your first message - if that's your model code - then yes, much should be changed. Most of that should be in your controller. Database activities are in the model.

Quote:Also, is there a way to directly access the model from view, instead of the controller?

Don't go down this path. Views and controllers talk to each other. Models and controllers talk to each other.

Views and models talking to each other is like cousins marrying.
#4

[eluser]weetstraw[/eluser]
Should everything but the code below be in the controller?
Code:
$query=$this->db->where("username",$_POST['username']);
$query=$this->db->where("password",$_POST['password']);
$query=$this->db->limit(1,0);
$query=$this->db->get('users');
#5

[eluser]jedd[/eluser]
Pretty much, yes.

In your controller you'd probably call to a method in your model called check_credentials($user, $pass); and that'd return TRUE or FALSE (not much point returning anything else).

Your model would do the check using the lines you've already written.

The function in the controller might actually check for the existence of session->userdata('logged_in') before proceeding, but that depends on the logic wrapped around this function.

In general you should avoid talking to $_POST directly - use the [url="http://ellislab.com/codeigniter/user-guide/libraries/input.html"]input->post calls[/url].
#6

[eluser]weetstraw[/eluser]
Great! Here is my working code, better? Obviously the "echo" statements will be gone but I use them for mocking up.

Hopefully this is helpful for others.

model
Code:
function checkUserLogin()
{
    $query=$this->db->where("username",$this->input->post('username'));
    $query=$this->db->where("password",$this->input->post('password'));
    $query=$this->db->limit(1,0);
    $query=$this->db->get('users');
    
    if($query->num_rows()){
        return TRUE;
    }
}

controller
Code:
function loginAction()
{
    $rules['username']="trim|required";
    $rules['password']="trim|required|md5";
    
    $this->validation->set_rules($rules);
        
    if($this->validation->run() == FALSE){
        echo "you really screwed up...<br />";
        echo anchor('users/login','back');
    } else {
        if($this->User_model->checkUserLogin() == TRUE){
            echo "we're good";
        /*
            $this->session->set_userdata('logged_in', TRUE);
            redirect('manage');
        */
        } else {
            echo "wrong login!<br />User:<strong> ".$this->input->post('username')."</strong><br />Password: <strong>".$this->input->post('password')."</strong><br />";
            echo anchor('users/login','back');
        }
    }
}

view
Code:
<?php echo form_open('users/loginAction'); ?>
Username: <?php echo form_input('username'); ?>
Password: <?php echo form_password('password'); ?>
<input class="loginsubmit" type="submit" value="Login" />
<?php echo form_close(); ?>
#7

[eluser]jedd[/eluser]
Much nicer! ;)

In general, we try to avoid calling $post data from the model - the model should just get data, and send data, and not really have any idea about the origins of that data, or how it will be displayed, etc.

So, in your controller you could do this:
Code:
if  ( $this->User_model->checkUserLogin ($this->input->post('username') , $this->input->post('password')) ) {
...


And in your model:
Code:
function checkUserLogin ( $user = NULL , $pass = NULL )
{
    $query=$this->db->where("username", $user);
    $query=$this->db->where("password", $pass);
    $query=$this->db->limit(1,0);   // I'd drop this line
    $query=$this->db->get('users');
    
    if ($query->num_rows() == 1)
        return TRUE;
    else
        return FALSE;
}
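
The check_credentials($user, $pass) split suggested in this thread, as an added example that is not code from any poster or from CodeIgniter: plain PHP (5.5 or later) in which the model returns only TRUE or FALSE and the password is compared with password_hash()/password_verify() instead of an md5 value matched in the query. The $users array, $dummy_hash and login_action() are hypothetical names, and the account data is constructed for illustration.

```php
<?php
// Added example: stand-alone PHP, no CodeIgniter required.
// $users is a constructed stand-in for the `users` table.
$users = array(
    'weetstraw' => array('password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)),
);

// Verified against when the username is unknown, so that path also costs
// one password_verify() call (hypothetical helper value).
$dummy_hash = password_hash('placeholder', PASSWORD_DEFAULT);

// Model side: no knowledge of $_POST, returns TRUE or FALSE only.
function check_credentials(array $users, $dummy_hash, $user = NULL, $pass = NULL)
{
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return FALSE;
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user]['password_hash'] : $dummy_hash;

    // password_verify() reads the salt and cost from the stored hash,
    // so the password never appears in a WHERE clause.
    $ok = password_verify($pass, $hash);

    return $known && $ok;
}

// Controller side: reads the submitted values, passes them to the model,
// and answers every failure with the same message without echoing input.
function login_action(array $users, $dummy_hash, array $post)
{
    $user = (isset($post['username']) && is_string($post['username']))
        ? trim($post['username']) : NULL;
    $pass = isset($post['password']) ? $post['password'] : NULL;

    if (check_credentials($users, $dummy_hash, $user, $pass)) {
        return 'logged in';
    }
    return 'wrong login';
}

// Constructed requests: valid login, wrong password, unknown user.
echo login_action($users, $dummy_hash, array('username' => 'weetstraw', 'password' => 'correct horse')), "\n";
echo login_action($users, $dummy_hash, array('username' => 'weetstraw', 'password' => 'guess')), "\n";
echo login_action($users, $dummy_hash, array('username' => 'nobody', 'password' => 'guess')), "\n";
```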
#8

[eluser]Jay Logan[/eluser]
I thought validation class has been deprecated. Maybe you should use form_validation library instead. I think it is the new standard for CodeIgniter.
#9

[eluser]weetstraw[/eluser]
One more thing...

Can I have an entire controller protected with:
Code:
if($this->session->userdata('logged_in') == TRUE){...}

or do I have to have it in each function?
#10

[eluser]pistolPete[/eluser]
[quote author="weetstraw" date="1239151681"]Can I have an entire controller protected...[/quote]

Put the code in the class constructor:

Code:
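<?php
class Sample_controller extends Controller {

   function Sample_controller()
   {
      // Run the parent constructor first so $this->session is available
      // (assumes the session library is autoloaded)
      parent::Controller();

      if($this->session->userdata('logged_in') != TRUE)
      {
            // redirect to login form for example
      }
   }
   // ...
}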



