[kummu4help]

hi ,

i'm newly recruited in our company. i know a little bit of php. i've a requirement to design a class for maintaining users for a site. i just have to identify the suitable functions that the class may supposed to have in order to maintain user's who r coming to our site. i've identified the following functions till now. can u pls add any more additions or can suggest any modifications..

>a function that identifies whether user is a registered user or visitor.

>a function that validates whether user has permission to view the requested page.

>a function that allows us to store user information in log file. This function stores all the actions performed by user in his session.

>a function that allows creation of new user
>a function to update user information
>a function to remove a specified user from mailing list etc...

>A function that allows us to identify no.of failed login attempts by a user, so that we can block the user from logging in for a particular period of time.

This post has been edited by kummu4help: 13 August 2008 - 03:03 AM

[no2pencil]

Logging, & security. Check & verify all $_POST or $_GET values.

[kummu4help]

no2pencil, on 13 Aug, 2008 - 03:07 AM, said:

Logging, & security. Check & verify all $_POST or $_GET values.

i've functions for logging but tell me what type of security functions should i add to my class.. i don't know much about security

[pemcconnell]

Can you post the code you currently have?

[kummu4help]

hi pemcconnell,

my assignment is to identify the required functions. that's it. i haven't started anycoding . i have to submit documentation to my superior. i did that as in the forum. he is asking some more improvement.. so searching forums.
as i already told in the forum i am very new in this arena.. it is my 1st month with this language rather any real time development..

[pemcconnell]

Allo there

This will need a lot of work, and would be better if you broke it up into pages as a pose to keeping it all in one class:

>a function that identifies whether user is a registered user or visitor.

Assuming there is a login page - get that page to assign a SESSION to the user upon successful login.
(Standard sessions include username, userid, userlevel)
Then you can check if the session exists.
i.e.
if($_SESSION['username']){
$userstatus = 'user';
}else{
$userstatus = 'visitor';
}

>a function that validates whether user has permission to view the requested page.
Assuming there is a login page - get that page to assign a SESSION to the user upon successful login. - Assign a user level to the user database table
if((int)$_SESSION['userlevel']>1){
$userlevel = 'Admin';
}else{
$userlevel = 'Non-Admin';
}
>a function that allows us to store user information in log file. This function stores all the actions performed by user in his session.
It would probibly be easier / more secure to log this info into the database

E.g. When a user has posted a topic
$sql = "INSERT INTO tblstats (userId, action, time) VALUES (".$_SESSION['userid'].", 'postedtopic', NOW())";
mysql_query($sql);

>a function that allows creation of new user
This will need to be a page of its own - Simple MySQL INSERT statement to insert the users information into the database

>a function to update user information
This will need to be a page of its own - Simple MySQL UPDATE statement to insert the users information into the database
You can use the $_SESSION['userid'] in the WHERE statement

>a function to remove a specified user from mailing list etc...
$sql = 'DELETE FROM tbluser WHERE userid = '.$_SESSION['userid']; //removes user completely
$sql = 'DELETE FROM tblmailinglist WHERE userid = '.$_SESSION['userid']; //removes user from mailing list
mysql_query($sql);

>A function that allows us to identify no.of failed login attempts by a user, so that we can block the user from logging in for a particular period of time.
You can use a $_SESSION for this, and increment the value per failed login

e.g.
$_SESSION['failedlogin'] = (int)$_SESSION['failedlogin'] + 1;

This post has been edited by pemcconnell: 14 August 2008 - 04:26 AM

[pemcconnell]

As for security add a function that will clean your strings, and for any integers simply add a (int) before the variable to force hacker injection strings to a 0.