Professional CodeIgniter, Thomas Myer
Chapter 9: Security and Performance
269
    function verifyUser($u, $pw){
        // Look up an active admin by the submitted credentials. Active Record's
        // where() escapes and quotes every value it is given, so the raw input
        // goes straight in: wrapping it in $this->db->escape() first would quote
        // and escape it a second time, and the lookup would never match.
        $this->db->select('id,username');
        $this->db->where('username', $u);
        $this->db->where('password', $pw);
        $this->db->where('status', 'active');
        $this->db->limit(1);
        $Q = $this->db->get('admins');
        if ($Q->num_rows() > 0){
            $row = $Q->row_array();
            $this->session->set_userdata('userid', $row['id']);
            $this->session->set_userdata('username', $row['username']);
        }else{
            // One message for both failure cases, so the form does not reveal which was wrong
            $this->session->set_flashdata('error', 'Sorry, your username or password is incorrect!');
        }
    }
getUser() needs the same treatment for the incoming $id. Because getwhere() hands the $options array to where(), which escapes every value it receives, the raw $id can be passed in as it is; calling $this->db->escape() on it first would quote it twice and break the lookup.

    function getUser($id){
        $data = array();
        // where() escapes the value, so $id is passed in unmodified
        $options = array('id' => $id);
        $Q = $this->db->getwhere('admins', $options, 1);
        if ($Q->num_rows() > 0){
            $data = $Q->row_array();
        }
        $Q->free_result();
        return $data;
    }
For addUser() and updateUser(), you're going to deploy a new function, xss_clean(), which is part of the Security helper (which you autoloaded back in Chapter 3). The xss_clean() function rewrites malicious-looking JavaScript and other suspicious character sequences into harmless entity references. Note that this is cross-site-scripting filtering, not SQL escaping: insert() and update() escape every value in $data for the query themselves, and where() escapes the id. Two caveats on the password field: xss_clean() alters any password that contains the characters it rewrites, and addUser() writes whatever it receives to the password column without transforming it.

    function addUser(){
        // xss_clean() neutralizes script in each field; insert() escapes the values for SQL
        $data = array(
            'username' => xss_clean($_POST['username']),
            'email'    => xss_clean($_POST['email']),
            'status'   => xss_clean($_POST['status']),
            'password' => xss_clean($_POST['password'])
        );
        $this->db->insert('admins', $data);
    }

    function updateUser(){
        $data = array(
            'username' => xss_clean($_POST['username']),
            'email'    => xss_clean($_POST['email']),
            'status'   => xss_clean($_POST['status']),
            'password' => xss_clean($_POST['password'])
        );
        // where() escapes the id itself; update() escapes the values in $data
        $this->db->where('id', $_POST['id']);
        $this->db->update('admins', $data);
    }
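The model above leaves two things to the reader: the password is compared and stored as submitted, and `status` is run through xss_clean() when it should only ever be one of a few known values. The following is an added example, not code from the book or from CodeIgniter, showing a hardened form of the same four methods. It assumes CodeIgniter 1.x's Active Record API (where(), get(), insert(), update(), and query() with `?` bindings), the Security helper's xss_clean(), PHP 5.5 or later for password_hash()/password_verify(), and an `admins.password` column wide enough for a hash (VARCHAR(255)). The class name `MAdminsHardened`, the `$allowed_status` list and the `_prepareRow()` helper are inventions for the example.

```php
<?php
// Added example (not the book's code): hardened admins model.
// Assumes CodeIgniter 1.x, PHP >= 5.5, admins.password VARCHAR(255).
class MAdminsHardened extends Model {

    // Statuses the admin form may set; anything else is rejected, not "cleaned"
    var $allowed_status = array('active', 'inactive');

    function MAdminsHardened(){
        parent::Model();
    }

    // Fetch by username only, then compare the submitted password against the
    // stored hash. where() escapes $u itself, so it is passed in raw.
    function verifyUser($u, $pw){
        $this->db->select('id,username,password');
        $this->db->where('username', $u);
        $this->db->where('status', 'active');
        $this->db->limit(1);
        $Q = $this->db->get('admins');
        $ok = FALSE;
        if ($Q->num_rows() > 0){
            $row = $Q->row_array();
            if (password_verify($pw, $row['password'])){
                $this->session->set_userdata('userid', $row['id']);
                $this->session->set_userdata('username', $row['username']);
                $ok = TRUE;
            }
        }
        $Q->free_result();
        if ( ! $ok){
            // Same message whether the username or the password was wrong
            $this->session->set_flashdata('error', 'Sorry, your username or password is incorrect!');
        }
        return $ok;
    }

    // The same lookup as a hand-written query: query() fills in and escapes the
    // ? placeholders itself, which is the route to take when Active Record does
    // not fit. Note there is still no escape() call around the values.
    function getUserByName($u){
        $sql = "SELECT id, username, email, status FROM admins WHERE username = ? AND status = ? LIMIT 1";
        $Q = $this->db->query($sql, array($u, 'active'));
        $data = ($Q->num_rows() > 0) ? $Q->row_array() : array();
        $Q->free_result();
        return $data;
    }

    // Build the row for insert/update: whitelist where one exists, xss_clean()
    // for free-text fields, and a hash instead of the raw password.
    // Returns FALSE on bad input so the controller can refuse the request.
    function _prepareRow($post, $require_password){
        foreach (array('username', 'email', 'status', 'password') as $f){
            if ( ! isset($post[$f])) $post[$f] = '';
        }
        if ( ! in_array($post['status'], $this->allowed_status, TRUE)){
            return FALSE;
        }
        $data = array(
            'username' => xss_clean($post['username']),
            'email'    => xss_clean($post['email']),
            'status'   => $post['status']
        );
        if ($post['password'] !== ''){
            $data['password'] = password_hash($post['password'], PASSWORD_DEFAULT);
        } elseif ($require_password){
            return FALSE;
        }
        return $data;
    }

    function addUser(){
        $data = $this->_prepareRow($_POST, TRUE);
        if ($data === FALSE) return FALSE;
        return $this->db->insert('admins', $data);
    }

    function updateUser(){
        // An empty password field means "leave the password alone"
        $data = $this->_prepareRow($_POST, FALSE);
        if ($data === FALSE) return FALSE;
        $this->db->where('id', (int) $_POST['id']);
        return $this->db->update('admins', $data);
    }
}
```

The two escaping routes shown, Active Record's automatic escaping in where()/insert()/update() and query() bindings for hand-written SQL, are the only places user input meets the query; $this->db->escape() is reserved for the rare case of concatenating a value into a SQL string yourself, and is never combined with either of them.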