User Class

anakadote · Apr 30, 2010

Newish to OOP, especially with PHP. Here's a class I wrote for handling users. Are there any red flags I should worry about?

<?php

class User
{
	protected $_userId;
	protected $_username;
	protected $_password;
	protected $_accessLevel;
	protected $_ipAddress;
	protected $_userAgent;
	protected $_dbLink;

public function __construct($username, $password)
{
	require_once('MysqlDBConnection.php');

	$this->_username = $username;
	$this->_password = $password;
	$this->_dbLink = MysqlDBConnection::getInstance(DB_HOST, DB_NAME, DB_USER, DB_PASS);
}

public function login()
{
	$query = "SELECT `user_id`, `salt`, `hash` FROM `users` WHERE `username`='{$this->_username}' LIMIT 1";
	$result = MysqlDBConnection::selectQuery($query);
	if($result > 0){
		if($result['hash'] === sha1($this->_username.$result['salt'].$this->_password)){
			$this->_userID = $result['user_id'];
			$this->_ipAddress = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_CALLBACK, array('options'=>"mysql_real_escape_string"));
			$this->_userAgent = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT', FILTER_CALLBACK, array('options'=>"mysql_real_escape_string"));
			$this->updateUserLoginInfo();
			return $this->_userID;
		} else {
			return false;
		}
	} else {
		return false;
	} 
}

public function updateUserLoginInfo()
{
	$query = "UPDATE `users` SET `date_last_login`=NOW(), `last_ip`='{$this->_ipAddress}', `last_user_agent`='{$this->_userAgent}' WHERE `user_id`={$this->_userId} LIMIT 1";
	return MysqlDBConnection::query($query);
}

public function changePassword($password)
{
	$pass = encrypt_password($this->_username, $password);
	$query = "UPDATE `users` SET `hash`='{$pass['hash']}', `salt`={$pass['salt']} WHERE `user_id`={$this->_userId} LIMIT 1";
	return MysqlDBConnection::query($query);
}

public function encryptPassword($username, $password)
{
	$salt = uniqid(time()+rand(1,99));
	$hash = sha1($username.$salt.$password);
	$result['salt'] = $seed;
	$result['hash'] = $hash;
	return $result;
}

public function getUserInfo()
{
	$query = "SELECT `user_id`, `username`, `access_level`, `date_registered`, `date_last_login` FROM `users` WHERE `user_id`={$this->_userID} LIMIT 1";
	return MysqlDBConnection::selectQuery($query);
}
}

?>

Thanks!

anakadote · Apr 30, 2010

After some consideration, I've changed the constructor to accept an optional $userId parameter, for if the user is already logged-in. I've then updated the login() method to accept the $username and $password for the purpose of logging-in.

<?php

class User
{
	protected $_userId;
	protected $_username;
	protected $_password;
	protected $_accessLevel;
	protected $_ipAddress;
	protected $_userAgent;
	protected $_dbLink;

public function __construct($userId = null)
{
	@session_start();

	require_once('MysqlDBConnection.php');
	$this->_dbLink = MysqlDBConnection::getInstance(DB_HOST, DB_NAME, DB_USER, DB_PASS);

	if($userId) $this->_userId = $userId;
}

public function login($username, $password)
{
	$this->_username = $username;
	$this->_password = $password;

	$query = "SELECT `user_id`, `salt`, `hash` FROM `users` WHERE `username`='{$this->_username}' LIMIT 1";
	$result = MysqlDBConnection::selectQuery($query);
	if($result > 0){
		if($result['hash'] === sha1($this->_username.$result['salt'].$this->_password)){
			$this->_userID = $result['user_id'];
			$this->_ipAddress = filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_CALLBACK, array('options'=>"mysql_real_escape_string"));
			$this->_userAgent = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT', FILTER_CALLBACK, array('options'=>"mysql_real_escape_string"));
			$this->updateUserLoginInfo();

			$userInfo = $user->getUserInfo();
			$_SESSION['user_id'] = $userInfo['user_id'];
			$_SESSION['username'] = $userInfo['username'];
			$_SESSION['access_level'] = $userInfo['access_level'];
			return $this->_userID;
		} else {
			return false;
		}
	} else {
		return false;
	} 
}

public function isLoggedIn()
{
	return (isset($_SESSION['user_id'])) ? true : false;
}

public function logOut()
{
	$_SESSION = array();
	@session_destroy();
	setcookie (session_name(), '', time()-300, '/', '', 0);
}

public function updateUserLoginInfo()
{
	$query = "UPDATE `users` SET `date_last_login`=NOW(), `last_ip`='{$this->_ipAddress}', `last_user_agent`='{$this->_userAgent}' WHERE `user_id`={$this->_userId} LIMIT 1";
	return MysqlDBConnection::query($query);
}

public function changePassword($password)
{
	$pass = encrypt_password($this->_username, $password);
	$query = "UPDATE `users` SET `hash`='{$pass['hash']}', `salt`={$pass['salt']} WHERE `user_id`={$this->_userId} LIMIT 1";
	return MysqlDBConnection::query($query);
}

public function encryptPassword($username, $password)
{
	$salt = uniqid(time()+rand(1,99));
	$hash = sha1($username.$salt.$password);
	$result['salt'] = $seed;
	$result['hash'] = $hash;
	return $result;
}

public function getUserInfo()
{
	$query = "SELECT `user_id`, `username`, `access_level`, `date_registered`, `date_last_login` FROM `users` WHERE `user_id`={$this->_userID} LIMIT 1";
	return MysqlDBConnection::selectQuery($query);
}
}

?>