I already made a site for a company that sells clothing and jewellery using an offsite PayPal basket. It has a very basic bespoke CMS that at the moment only allows the site owner himself to log in. Whilst logged in he is able to add/remove/edit products, and manage a basic news feed on the front page of the site.

I now want to expand the site to allow non-admin users to register, and for them to be able to do things like post comments on the news feed, and also to be able to post on a forum etc, but do not want them to have access to the stuff that the admins can do.

My initial thoughts were to use something like the following:

public function validate_user()
{
    $output = array();
    $username = trim($this->input->post('username'));
    $password = trim($this->input->post('password'));
    // hash the submitted password the same way the stored value was hashed (unsalted MD5)
    $password_md5 = md5($password);

    // query database searching for user
    $this->db->where('username', $username);
    $query = $this->db->get('users');

    // if user found in database, set session info
    if ($query->num_rows() == 1) {
        $result = $query->row();
        $output['username'] = TRUE;

        // check if password correct (strict comparison: the two hash strings must match exactly)
        if ($result->password === $password_md5) {
            $output['password'] = TRUE;
            $admin = (bool) $result->admin;

            // set session data for user including validated status
            $data = array(
                'id' => $result->id,
                'username' => $result->username,
                'fname' => $result->fname,
                'lname' => $result->lname,
                'admin' => $admin,
                'validated' => TRUE
            );
            $this->session->set_userdata($data);
        } else {
            $output['password'] = FALSE;
        }
    } else {
        $output['username'] = FALSE;
    }
    return $output;
}

I am conscious of the fact that storing a boolean administrator status value in the session data could be a bad idea for security reasons, and could be exploited. I would be grateful for some advice on whether I'm heading in the right direction with this, and for any suggestions on how I could accomplish a system like the one I've described above.

Thanks in advance.

  • Why didn't you just install one of the many fully developed e-commerce systems? Commented Nov 22, 2012 at 23:09
  • Have to agree that you're better off using one of the ready solutions. Storing values in session should not be an issue if you destroy those properly and in time, and there is no means for a user to hijack the session. Commented Nov 22, 2012 at 23:22
  • I'm happy with the way the site operates already in terms of the way the user can manage products; this question relates specifically to how I can best differentiate different kinds of users, and give them different levels of access to the site. The reason I am not using a ready-made solution is that I want to learn how to do this stuff myself. Commented Nov 22, 2012 at 23:26
  • Your method is fine. If you want to be safer you can encode the login information and fetch the data from the database again at every load or when attempting to access a restricted page. BTW, I suggest using a salt for the password encryption. Commented Nov 22, 2012 at 23:34
  • Using 'ready-made' does not stop you learning, and hopefully would stop you doing bad practice - such as how you are hashing the password. Commercially - it's suicide not using existing 3rd-party open-source software. Commented Nov 23, 2012 at 3:49

1 Answer

  • Use CodeIgniter form validation first - make sure you have correct data before sending it to the database.
  • I think it would be worth breaking out the username check into its own method. If that returns true, then call the password check, etc. This will also make it more flexible later on.
  • Try and get in the habit of XSS-cleaning the form input; just put TRUE after the field name:

    $username = trim($this->input->post('username', TRUE));
    
  • When you want to do things like reset a password via email, check out Ion Auth: https://github.com/benedmunds/CodeIgniter-Ion-Auth
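The following is an added example, not code from the question or from the answer, showing one way to build the two-level access the question asks for along the lines the answer suggests (validate first, split the checks into their own methods, XSS-clean the echoed input). It keeps only the user's id in the session and re-reads the role from the database on every protected request, so a stale or tampered session value cannot grant admin rights, and it replaces the unsalted MD5 with password_hash()/password_verify(). Assumptions not taken from the page: CodeIgniter 3 (for sess_regenerate()), PHP 5.5 or later, a users table with columns id, username, password_hash and role ('user' or 'admin'), and the controller and model names used below.

```php
<?php
// Added example: role-based access for a CodeIgniter 3 site. The session stores
// only user_id; the role comes from the database on each protected request.
// Assumed schema (not from the question): users(id, username, password_hash, role).

class User_model extends CI_Model
{
    // Return the user row for an id, or NULL. Called on every protected request,
    // so a role change in the database takes effect immediately.
    public function find_by_id($id)
    {
        $query = $this->db->get_where('users', array('id' => (int) $id), 1);
        return $query->num_rows() === 1 ? $query->row() : NULL;
    }

    // Return the user row when username and password match, otherwise NULL.
    // The caller cannot tell an unknown username from a wrong password.
    public function check_password($username, $password)
    {
        $query = $this->db->get_where('users', array('username' => $username), 1);
        if ($query->num_rows() !== 1) {
            return NULL;
        }
        $user = $query->row();
        return password_verify($password, $user->password_hash) ? $user : NULL;
    }

    // Store a new password; password_hash() generates and embeds the salt.
    public function set_password($id, $password)
    {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $this->db->update('users', array('password_hash' => $hash), array('id' => (int) $id));
    }
}

// Base controller for every controller that has protected actions.
class MY_Controller extends CI_Controller
{
    // Which stored roles satisfy each required role: admins may do user things too.
    private $allowed = array(
        'user'  => array('user', 'admin'),
        'admin' => array('admin'),
    );

    // Reload the logged-in user from the database; NULL when nobody is logged in.
    protected function current_user()
    {
        $id = $this->session->userdata('user_id');
        if (empty($id)) {
            return NULL;
        }
        $this->load->model('user_model');
        return $this->user_model->find_by_id($id);
    }

    // Stop the request with 403 unless the freshly loaded role is sufficient.
    protected function require_role($role)
    {
        $user = $this->current_user();
        if ($user === NULL || !in_array($user->role, $this->allowed[$role], TRUE)) {
            show_error('Access denied', 403);
        }
        return $user;
    }
}

class Auth extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model');
        $this->load->library('form_validation');
        $this->load->helper('url');
    }

    public function login()
    {
        // Validate the form before touching the database.
        $this->form_validation->set_rules('username', 'Username', 'required|trim|max_length[64]');
        $this->form_validation->set_rules('password', 'Password', 'required');
        if ($this->form_validation->run() === FALSE) {
            return $this->load->view('login', array('error' => validation_errors()));
        }

        // Username is XSS-cleaned because it may be echoed back; the password is
        // only ever hashed, so it is passed through untouched.
        $user = $this->user_model->check_password(
            $this->input->post('username', TRUE),
            $this->input->post('password')
        );
        if ($user === NULL) {
            return $this->load->view('login', array('error' => 'Invalid username or password'));
        }

        // Fresh session id on login so a pre-login id cannot be reused, and only
        // the user id is stored: no admin flag, no validated flag.
        $this->session->sess_regenerate(TRUE);
        $this->session->set_userdata('user_id', (int) $user->id);
        redirect('/');
    }

    public function logout()
    {
        $this->session->sess_destroy();
        redirect('/');
    }
}

class Admin extends MY_Controller
{
    public function products()
    {
        $this->require_role('admin');          // site owner only
        // ... add/remove/edit products here
    }
}

class Forum extends MY_Controller
{
    public function post_comment()
    {
        $user = $this->require_role('user');   // any registered user
        // ... save $this->input->post('body', TRUE) against $user->id
    }
}
```

The design choice is that the session is only a pointer to a user record, never a copy of its attributes: whatever the session contains, the only thing it can assert is "which user", and what that user may do is decided by the row in the database at the moment of the request. That also means demoting or banning a user takes effect on their next click rather than when their session expires.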