Chapter 2
Administrators, Users, and Guests

    .');
    $my = null;
    $mambothandler = aliroMambotHandler::getInstance();
    $database = aliroDatabase::getInstance();
    $username = $database->getEscaped($username);
    $escpasswd = $database->getEscaped($passwd);
    $remember = $remember ? true : false;
    $loginfo = new aliroLoginDetails($username, $escpasswd, $remember);
    $checkuser = true;
    $logresults = $mambothandler->trigger('requiredLogin', array($loginfo));
    }

Aliro has retained within the code the clever play on words of mambot that was invented to describe plug-ins used in the Mambo CMS. Architecturally, plug-ins are an implementation of the observer pattern, as discussed in the opening chapter. The class aliroMambotHandler is the singleton handler for all plug-ins currently available in the system. It will soon be needed.

The general database is accessed via its own singleton class, initially only to provide for escaping the text data for login. This is a critical step since, along with handling special characters that might legitimately arise, it is the protection against SQL injection. It is done using the database interface, which is preferable to escaping the data with PHP alone, since the whole objective is to prevent the submission of data that will subvert SQL statements.

Login details are bundled together into an instance of aliroLoginDetails, which has no significant functionality, but is used to provide a defined interface for the authentication plug-ins. Now, it's time to actually check the user information, and this is handled by one or more plug-ins. All the plug-ins that are installed to monitor the event requiredLogin are invoked by the trigger method of the handler. What then happens is that every relevant plug-in executes the event, each one returning a result. The results are formed into an array, and returned to the point at which the plug-ins were triggered.

In the case of requiredLogin, the plug-ins must return a message if there is something wrong; they may return user objects if the login has been successful, otherwise null. If any of the plug-ins returns a message, then all such messages are passed back to the browser and the login fails. If at least one plug-in returns a user object and none returns a message, the login is successful.

If the default user processing suite for Aliro is installed, there is a single plug-in for login, and it calls a method in the authenticator to check the username and password against the user table in the database. But this plug-in can be either supplemented or replaced with alternative plug-ins to carry out user authentication in different ways, such as by reference to an LDAP system or anything else that may be suitable. The default authentication method is:

    function authenticate (&$message, &$my, $username, $passwd, $remember=null)
    {
        $message = '';
        $database = aliroDatabase::getInstance();
        $my = new mosUser();
        $database->setQuery("SELECT id, gid, block, name, username, email, sendEmail, usertype FROM #__users WHERE username='$username'");
        if ($database->loadObject($my))
        {
            if ($my->block > 10)
            {
                $message = T_('Your login has been blocked. Please contact the administrator.');
                return false;
            }
            $database = aliroCoreDatabase::getInstance();
            $database->setQuery("SELECT COUNT(*) FROM #__core_users WHERE id=$my->id AND password=MD5(CONCAT(salt,'$passwd'))");
            if ($database->loadResult())
            {
                unset($my->block);
                return true;
            }
        }
        $message = T_('Incorrect username or password. Please try again.');
        return false;
    }

The first step is to look up the general users table on the $username key, including a check against the user being blocked, either because they are not authenticated yet or as a result of administrator action. Provided the first check is successful, the password check is carried out on the core users table, using the ID obtained from the general user table as key. The given password is combined with the user's salt, and then MD5 hashed before checking against the stored hashed password. According to the result, either an error message is set or a good return is made.

Supposing the Remember me box has been ticked, the action this provokes depends on whether login succeeds. If it does, then the name and password used are stored in a long-lived cookie. At present, Aliro stores the password in plain text, but if it is safe to assume that the PHP mcrypt range of functions is generally available, it would be better to use two-way encryption using the individual salt allocated to the user as a key. Whenever a request is made that is not recognized as a continuation of an existing session, a check is made to see whether there is such a cookie, and if so its details are used for an immediate login. If that login fails, then any such cookie is deleted as invalid.

Where a user object is returned by one of the plug-ins, it must have an ID property, which is used as a key to update the user table in the database with a time stamp for the latest visit by that user.
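As an added example, not Aliro's own code, the following PHP 8 script reduces the requiredLogin flow above to its essentials: a stand-in for the aliroMambotHandler observer that triggers every registered plug-in and collects the results, a default plug-in that checks a password against a stored MD5(CONCAT(salt, password)) value the way the authenticate method's query does, and the decision rule that any message fails the login while at least one user object is needed for success. The class names, the in-memory user record in place of the #__users and #__core_users tables, and the salt and password values are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not Aliro's code: stand-ins for aliroLoginDetails and the
// aliroMambotHandler observer, plus the requiredLogin decision rule from the text.
class LoginDetails {
    public function __construct(public string $username, public string $passwd) {}
}

class MambotHandler {
    private array $observers = [];
    public function register(string $event, callable $plugin): void {
        $this->observers[$event][] = $plugin;
    }
    // Every plug-in monitoring $event runs; each result is collected into an array.
    public function trigger(string $event, array $args): array {
        $results = [];
        foreach ($this->observers[$event] ?? [] as $plugin) {
            $results[] = $plugin(...$args);
        }
        return $results;
    }
}
// Constructed user record (assumption, standing in for #__users / #__core_users);
// the stored hash is MD5(CONCAT(salt, password)), as in the book's query.
$salt  = 'k3Qp9';
$users = ['alice' => ['id' => 7, 'block' => 0, 'salt' => $salt, 'hash' => md5($salt . 'secret')]];

// Default login plug-in: a string message on failure, a user object on success.
$defaultLogin = function (LoginDetails $login) use ($users) {
    $row = $users[$login->username] ?? null;
    if ($row && $row['block'] > 10) return 'Your login has been blocked. Please contact the administrator.';
    // hash_equals compares in constant time; md5 over salt.password only mirrors the book's scheme.
    if ($row && hash_equals($row['hash'], md5($row['salt'] . $login->passwd))) {
        return (object) ['id' => $row['id'], 'username' => $login->username];
    }
    return 'Incorrect username or password. Please try again.';
};
// The rule from the text: any message fails the login and every message goes back
// to the browser; otherwise at least one user object is required for success.
function decideLogin(array $results): array {
    $messages = array_values(array_filter($results, 'is_string'));
    if ($messages) return ['ok' => false, 'messages' => $messages, 'user' => null];
    $found = array_values(array_filter($results, 'is_object'));
    return ['ok' => $found !== [], 'messages' => [], 'user' => $found[0] ?? null];
}
$handler = new MambotHandler();
$handler->register('requiredLogin', $defaultLogin);
$good = decideLogin($handler->trigger('requiredLogin', [new LoginDetails('alice', 'secret')]));
$bad  = decideLogin($handler->trigger('requiredLogin', [new LoginDetails('alice', 'wrong')]));
var_dump($good['ok'], $bad['ok'], $bad['messages']);
```

Registering a second plug-in (for example an LDAP check) with the same handler shows the aggregation behaviour directly: a message from either plug-in fails the login even when the other returned a user object.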