| « For The Love Of God, Use Keys! | Attention Developers: The Problem Isn’t Technical » |
Have you ever written code like this?
<?php
class VerifyLogin extends UserObject
{
function verifyCredentials()
{
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$passwordhash = MD5($username . $password); // Salt our PW Hash
$sql = 'SELECT id FROM userTable WHERE username = ' . $username . ' AND password = ' . $passwordhash . ' LIMIT 1';
$resource = mysql_query($sql);
if(mysql_numrows($resource) > 0)
{
$array = mysql_fetch_row($resource);
$this->userID = $array[0];
$this->loggedIn = true;
return true;
}
else
return false;
}
}
?>
The problem here ought to be clear: we’re using a class exactly like we would in some procedural code. This is a problem.
Let’s ignore the security implications of the above code for just a moment, and focus on just the use of the superglobal. By using the $_POST superglobal array, we’re effectively doing two things:
This isn’t what objects are for. Objects are designed to take data and hold it, then act on that data. For example, our user object should information about that user. You might have methods that can act on that user, like promoting them to administrator or verifying their login credentials. In the latter case, you would need to take $_POST data but it would be much better to pass it in directly than to rely on the superglobal inside the object itself.
A better code snippet from a user object would look something like this:
<?php
class VerifyLogin extends UserObject
{
function verifyCredentials($username,$password)
{
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$passwordhash = MD5($username . $password); // Salt our PW Hash
$sql = 'SELECT id FROM userTable WHERE username = ' . $username . ' AND password = ' . $passwordhash . ' LIMIT 1';
$resource = mysql_query($sql);
if(mysql_numrows($resource) > 0)
{
$array = mysql_fetch_row($resource);
$this->userID = $array[0];
$this->loggedIn = true;
return true;
}
else
return false;
}
}
?>
In this example, we get to select where the $username and $password variables come from. Likely they’ll come from a posted form, but we have the ability to determine that for ourselves. This class is much better, because it is a true blueprint of an object.
There are some legitimate uses of superglobals in classes. One example is the use of the $_SESSION superglobal, which is often used for things like a user object. But I urge you to do so sparingly, when appropriate, rather than relying heavily on superglobals which are subject to change and may not give you the data you expect.
Brandon Savage is the author of Mastering Object Oriented PHP and Practical Design Patterns in PHP
Posted on 12/15/2008 at 1:41 pm
There are currently no comments.
| « For The Love Of God, Use Keys! | Attention Developers: The Problem Isn’t Technical » |