<?php
require "DataBaseConfig.php";
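class DataBase
{
    /** @var \mysqli|null Live connection; null until dbConnect() succeeds. */
    public $connect;
    /** @var mixed Not read or written by this class; kept for callers that assign to it. */
    public $data;
    /** @var string|null Last SQL text handed to mysqli_prepare(). */
    private $sql;
    protected $servername;
    protected $username;
    protected $password;
    protected $databasename;
    // Whitelist of allowed table names. Identifiers cannot be bound as prepared-statement
    // parameters, so this list is the only thing keeping $table out of the SQL text.
    private $allowed_tables = ['users'];

    /**
     * Copies the connection settings from DataBaseConfig. Does not open a connection;
     * call dbConnect() before logIn() or signUp().
     */
    public function __construct()
    {
        $this->connect = null;
        $this->data = null;
        $this->sql = null;
        $dbc = new DataBaseConfig();
        $this->servername = $dbc->servername;
        $this->username = $dbc->username;
        $this->password = $dbc->password;
        $this->databasename = $dbc->databasename;
    }

    /**
     * Establish the DB connection and force the utf8mb4 charset.
     *
     * @return \mysqli|false The connection, or false when connecting or setting the charset fails.
     *                       Note that from PHP 8.1 mysqli reports errors as mysqli_sql_exception by
     *                       default, so a failed connect may throw instead of returning false.
     */
    public function dbConnect()
    {
        $this->connect = mysqli_connect($this->servername, $this->username, $this->password, $this->databasename);
        if (!$this->connect) {
            return false;
        }
        // The charset must be set on the connection (not via a SET NAMES query) so that
        // the driver's escaping and prepared-statement encoding agree with the server.
        if (!mysqli_set_charset($this->connect, 'utf8mb4')) {
            mysqli_close($this->connect);
            $this->connect = null;
            return false;
        }
        return $this->connect;
    }

    /**
     * Basic normalisation for display / storage: trims whitespace and strips ASCII control
     * characters. This is NOT an SQL-safety measure; prepared statements handle that.
     *
     * @param mixed $data Scalar input; null becomes ''.
     * @return string
     */
    public function prepareData($data)
    {
        // Cast first: trim(null) is deprecated on PHP 8.1+ and yields '' anyway.
        $data = trim((string) $data);
        return filter_var($data, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    }

    /**
     * Whitelist check for a table name (strict comparison against $allowed_tables).
     *
     * @param mixed $table
     * @return bool
     */
    private function validateTable($table)
    {
        return in_array($table, $this->allowed_tables, true);
    }

    /**
     * Hash used to keep logIn()'s cost roughly the same whether or not the username exists.
     * Computed once per process with the same algorithm/cost as signUp() uses; the result of
     * verifying against it is always discarded by the caller.
     *
     * @return string
     */
    private static function dummyHash()
    {
        static $hash = null;
        if ($hash === null) {
            $hash = password_hash('', PASSWORD_DEFAULT);
        }
        return $hash;
    }

    /**
     * Verify a username/password pair against the hashed password stored in $table.
     *
     * @param mixed $table    Must be in $allowed_tables.
     * @param mixed $username
     * @param mixed $password Plain-text password as entered by the user.
     * @return bool True only when the user exists and password_verify() succeeds.
     */
    public function logIn($table, $username, $password)
    {
        if (!$this->validateTable($table)) {
            return false;
        }
        if (!$this->connect instanceof \mysqli) {
            // dbConnect() was not called or failed; mysqli_prepare(null, …) would be a TypeError.
            return false;
        }
        // Same normalisation as signUp(). The two must stay identical, otherwise a password
        // that was trimmed/stripped at signup will never verify at login.
        $username = $this->prepareData($username);
        $password = $this->prepareData($password);

        // $table is whitelisted above; the only user-controlled value in the query is bound.
        $this->sql = "SELECT username, password FROM " . $table . " WHERE username = ? LIMIT 1";
        $stmt = mysqli_prepare($this->connect, $this->sql);
        if (!$stmt) {
            return false;
        }
        $row = null;
        if (mysqli_stmt_bind_param($stmt, "s", $username) && mysqli_stmt_execute($stmt)) {
            $result = mysqli_stmt_get_result($stmt);
            if ($result) {
                $row = mysqli_fetch_assoc($result);
                mysqli_free_result($result);
            }
        }
        mysqli_stmt_close($stmt);

        if (!$row) {
            // Unknown user (or query failure): still run one hash verification so the response
            // time does not reveal whether the username exists. The result is deliberately ignored.
            password_verify($password, self::dummyHash());
            return false;
        }
        // Column value is the password_hash() output written by signUp().
        return password_verify($password, (string) $row['password']);
    }

    /**
     * Create a user row with a password_hash()'d password.
     *
     * @param mixed $table    Must be in $allowed_tables.
     * @param mixed $fullname
     * @param mixed $email    Must pass FILTER_VALIDATE_EMAIL after normalisation.
     * @param mixed $username Must be non-empty after normalisation.
     * @param mixed $password Must be non-empty after normalisation; stored only as a hash.
     * @return bool True when the INSERT executed successfully.
     */
    public function signUp($table, $fullname, $email, $username, $password)
    {
        if (!$this->validateTable($table)) {
            return false;
        }
        $fullname = $this->prepareData($fullname);
        $username = $this->prepareData($username);
        $email = $this->prepareData($email);
        $password = $this->prepareData($password);
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            return false;
        }
        // Refuse empty credentials: an empty username cannot be looked up meaningfully and an
        // empty password would be accepted by logIn() for anyone who guesses the username.
        if ($username === '' || $password === '') {
            return false;
        }
        if (!$this->connect instanceof \mysqli) {
            return false;
        }
        // Hash before the query so the plain-text password never reaches the database.
        $passwordHash = password_hash($password, PASSWORD_DEFAULT);

        // $table is whitelisted above; all user-controlled values are bound.
        $this->sql = "INSERT INTO " . $table . " (fullname, username, password, email) VALUES (?, ?, ?, ?)";
        $stmt = mysqli_prepare($this->connect, $this->sql);
        if (!$stmt) {
            return false;
        }
        $ok = mysqli_stmt_bind_param($stmt, "ssss", $fullname, $username, $passwordHash, $email)
            && mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
        return $ok;
    }
}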
?>