This is a safe method, oop

    // Looks up the user's salt, hashes the submitted password the same way it
    // was stored, and returns the matching row (or FALSE).
    public function login($username, $password)
    {
        $salt = $this->get_salt($username);

        // Unknown user: no salt stored, so fail early.
        if (is_null($salt)) {
            return FALSE;
        }

        // Site-wide key + password + per-user salt, hashed with SHA-1.
        $password = sha1(SITE_KEY . $password . $salt);
        $sth = $this->db->prepare("SELECT id, username, active FROM user WHERE username = ? AND password = ?");
        $sth->setFetchMode(PDO::FETCH_OBJ);
        $sth->execute(array($username, $password));

        // A row came back: the credentials matched.
        if (($result = $sth->fetch()) !== FALSE) {
            return $result;
        }

        return FALSE;
    }

Here's what bothers me:

I misunderstood the login method. I just don't think this should return this object. I may be mistaken, and what you are doing is perfectly fine, but I doubt it. You return the full user object from the database, password and all, to a potentially unsafe script. Someone could potentially create a new file and then do something like var_dump($userObject); and have all this information


    $user = $auth->login('username', 'password');

    if ($user) {
        // do some additional checks... set session variables
    }
+3
2


PHPASS, PHP-PasswordLib...


One Time Pad:

    encrypted = plaintext XOR key


+8

bcrypt.

PDO placeholders (:placeholder, not ?).

User (!).

+1
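The same login() rewritten along the lines the answers suggest (bcrypt via password_hash(), PDO named placeholders, no password hash in the returned object), as an added example that is neither the asker's code nor taken from any answer; it assumes a `user` table with columns id, username, password, active, and uses an in-memory SQLite PDO connection with constructed rows so it runs offline.

```php
<?php
// Added example, not code from the question or the answers. Assumes a PDO
// handle in $this->db and a `user` table (id, username, password, active).
class Auth
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Store only a bcrypt hash; password_hash() generates the salt itself,
    // so no per-user salt column and no SITE_KEY concatenation are needed.
    public function register(string $username, string $password): void
    {
        $sth = $this->db->prepare(
            'INSERT INTO user (username, password, active) VALUES (:u, :p, 1)'
        );
        $sth->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_BCRYPT)]);
    }

    // Returns an object with id, username and active on success, or false.
    // The hash is fetched only to verify it and is never part of the result.
    public function login(string $username, string $password)
    {
        $sth = $this->db->prepare(
            'SELECT id, username, active, password FROM user WHERE username = :username'
        );
        $sth->execute([':username' => $username]);
        $row = $sth->fetch(PDO::FETCH_ASSOC);

        // password_verify() compares in constant time; an unknown user and a
        // wrong password both end up as false, so the caller cannot tell them apart.
        if ($row === false || !password_verify($password, $row['password'])) {
            return false;
        }
        unset($row['password']);
        return (object) $row;
    }
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, active INTEGER)');
$auth = new Auth($db);
$auth->register('alice', 'correct horse battery staple');
var_dump($auth->login('alice', 'correct horse battery staple')); // object with id, username, active
var_dump($auth->login('alice', 'wrong'));                        // bool(false)
```

The caller still has to check `$user->active` before starting a session, exactly as in the original code; the method only answers whether the credentials matched.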
