The PHP Anthology Volume 2, Chapter 1 - Access Control
First, let's develop a class for sessions. All code will use this class to access sessions, rather than using the $_SESSION variable directly. This has the advantage that if we ever want to switch to an alternative session handling mechanism, such as one we've built ourselves, we simply need to modify the class, rather than rewriting a lot of code. We can provide an interface to the $_SESSION variable with a few simple methods:
Example 1.4. Session/Session.php (in SPLIB)
<?php
/**
 * A wrapper around PHP's session functions
 * <code>
 * $session = new Session();
 * $session->set('message', 'Hello World!');
 * echo $session->get('message'); // Displays 'Hello World!'
 * </code>
 * @package SPLIB
 * @access public
 */
class Session {
    /**
     * Session constructor<br />
     * Starts the session with session_start()
     * <b>Note:</b> that if the session has already started,
     * session_start() does nothing
     * @access public
     */
    function Session()   // PHP 4-style constructor (same name as the class); PHP 5+ uses __construct()
    {
        session_start();
    }

    /**
     * Sets a session variable
     * @param string name of variable
     * @param mixed value of variable
     * @return void
     * @access public
     */
    function set($name, $value)
    {
        $_SESSION[$name] = $value;
    }

    /**
     * Fetches a session variable
     * @param string name of variable
     * @return mixed value of session variable (false if it is not set)
     * @access public
     */
    function get($name)
    {
        if (isset($_SESSION[$name])) {
            return $_SESSION[$name];
        } else {
            return false;
        }
    }

    /**
     * Deletes a session variable
     * @param string name of variable
     * @return void
     * @access public
     */
    function del($name)
    {
        unset($_SESSION[$name]);
    }

    /**
     * Destroys the whole session
     * @return void
     * @access public
     */
    function destroy()
    {
        $_SESSION = array();   // clear the data held in memory for this request
        session_destroy();     // remove the server-side session data
    }
}
?>
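The class above clears the server-side session but leaves the session cookie in the browser, and it offers no way to change the session ID once a visitor has logged in. The following is an added example, not the book's SPLIB code: the same wrapper written for PHP 5.4 or later, with a regenerate() method to call after a successful login (so the ID issued before authentication is discarded) and a destroy() that also expires the cookie on the client. The usage at the bottom is hypothetical.

```php
<?php
// Added example (not from the book): a modern version of the Session wrapper
// with two defensive additions the original lacks.
class Session
{
    public function __construct()
    {
        // session_start() is only needed if no session is active yet
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    public function set($name, $value)
    {
        $_SESSION[$name] = $value;
    }

    // Returns $default when the key is absent, so a stored false is
    // distinguishable from "not set" (the original returns false for both)
    public function get($name, $default = null)
    {
        return array_key_exists($name, $_SESSION) ? $_SESSION[$name] : $default;
    }

    public function del($name)
    {
        unset($_SESSION[$name]);
    }

    // Issue a fresh session ID and delete the old server-side record; call
    // this right after credentials have been verified so an ID that was
    // fixed before login cannot be reused
    public function regenerate()
    {
        session_regenerate_id(true);
    }

    public function destroy()
    {
        $_SESSION = array();
        if (ini_get('session.use_cookies')) {
            // Expire the session cookie in the browser as well, using the
            // same parameters it was set with
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

// Hypothetical login script usage:
// $session = new Session();
// if ($credentialsOk) {          // result of checking the submitted form
//     $session->regenerate();    // new ID for the authenticated user
//     $session->set('login', $login);
// }
?>
```

Calling regenerate() only after a successful check keeps the cost to one ID change per login, and expiring the cookie in destroy() means a logged-out browser no longer presents an ID that a later session_start() would silently reuse.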
Next, we build an authentication class, called Auth, which will use the MySQL class we saw in earlier chapters, as well as the above Session class.
We begin by defining a few constants that will make it easy to customize this class for different environments:
Example 1.5. AccessControl/Auth.php (in SPLIB) (excerpt)
// Name to use for login variable e.g. $_POST['login']
@define('USER_LOGIN_VAR', 'login');
// Name to use for password variable e.g. $_POST['password']
@define('USER_PASSW_VAR', 'password');
# Modify these constants to match your user login table
// Name of users table
@define('USER_TABLE', 'user');
// Name of login column in table
@define('USER_TABLE_LOGIN', 'login');
// Name of password column in table
@define('USER_TABLE_PASSW', 'password');
The first two constants are for the names of the user name and password fields of the login form we'll build in a moment. The next three provide details of the table in which user information is stored.
Next come the properties and constructor for the class:
Example 1.6. AccessControl/Auth.php (in SPLIB) (excerpt)
/**
 * Authentication class<br />
 * Automatically authenticates users on construction<br />
 * <b>Note:</b> requires the Session/Session class be available
 * @access public
 * @package SPLIB
 */
class Auth {
    /**
     * Instance of database connection class
     * @access private
     * @var object
     */
    var $db;

    /**
     * Instance of Session class
     * @access private
     * @var Session
     */
    var $session;

    /**
     * URL to redirect to if not authenticated
     * @access private
     * @var string
     */
    var $redirect;

    /**
     * String to use when making hash of username and password
     * @access private
     * @var string
     */
    var $hashKey;

    /**
     * Are passwords stored as MD5 hashes
     * @access private
     * @var boolean
     */
    var $md5;

    /**
     * Auth constructor
     * Checks for valid user automatically
     * @param object database connection
     * @param string URL to redirect to on failed login
     * @param string key to use when making hash of user name and
     * password
     * @param boolean if passwords are stored as MD5 hashes in the database
     * (optional)
     * @access public
     */
    function Auth(&$db, $redirect, $hashKey, $md5 = true)   // PHP 4-style constructor
    {
        $this->db = &$db;
        $this->redirect = $redirect;
        $this->hashKey = $hashKey;
        $this->md5 = $md5;
        $this->session = &new Session();   // PHP 4 idiom: assign the new object by reference
        $this->login();
    }
The $db parameter accepts an instance of the MySQL class, which we created in Chapter 3, PHP and MySQL.
The $redirect parameter specifies a URL to which visitors will be redirected if they aren't logged in, or if their user name or password is incorrect. This might be a login form, for example.
The $hashKey parameter is a seed we provide to double check the user names and passwords of users who are already logged in. I'll explain this in more detail later.
The $md5 parameter tells the class whether the passwords in the database are stored as MD5 hashes rather than as plain text.
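To make the four constructor parameters concrete, here is an added example of a small authenticator built around them. It is not the book's Auth class (whose login() method is not shown in this excerpt) and makes its own design choices: PDO with an in-memory SQLite table stands in for the MySQL class, the session is passed in as an array reference so the code runs from the command line, and the $hashKey is used as the key of an HMAC over the login and the stored credential, which is kept in the session and re-checked against the database on later requests. The $md5 = false branch is assumed to mean a password_hash() column, since a plain-text column should not be used. The user row is constructed sample data.

```php
<?php
// Added example, not the book's SPLIB Auth class.
define('USER_TABLE', 'user');
define('USER_TABLE_LOGIN', 'login');
define('USER_TABLE_PASSW', 'password');

class Auth
{
    private $db;
    private $session;
    private $redirect;
    private $hashKey;
    private $md5;

    public function __construct(PDO $db, array &$session, $redirect, $hashKey, $md5 = true)
    {
        $this->db = $db;                 // assumption: PDO instead of the MySQL class
        $this->session = &$session;      // assumption: array reference instead of Session object
        $this->redirect = $redirect;
        $this->hashKey = $hashKey;
        $this->md5 = $md5;
    }

    // Fetch the stored password (or hash) for a login; null if the user is unknown
    private function storedPassword($login)
    {
        $sql = sprintf('SELECT %s FROM %s WHERE %s = :login',
                       USER_TABLE_PASSW, USER_TABLE, USER_TABLE_LOGIN);
        $stmt = $this->db->prepare($sql);
        $stmt->execute(array(':login' => $login));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row[USER_TABLE_PASSW] : null;
    }

    // Keyed fingerprint of login + stored credential, using $hashKey as the
    // HMAC key; stored in the session so later requests can re-verify the user
    private function fingerprint($login, $stored)
    {
        return hash_hmac('sha256', $login . "\0" . $stored, $this->hashKey);
    }

    // Verify submitted credentials. $md5 = true: legacy md5(password) column;
    // $md5 = false: column holds a password_hash() string (assumption)
    public function login($login, $password)
    {
        $stored = $this->storedPassword($login);
        if ($stored === null) {
            return false;
        }
        $ok = $this->md5
            ? hash_equals($stored, md5($password))   // constant-time comparison
            : password_verify($password, $stored);
        if (!$ok) {
            return false;
        }
        $this->session['login'] = $login;
        $this->session['fp'] = $this->fingerprint($login, $stored);
        return true;
    }

    // Re-check an existing session: the fingerprint must still match the current
    // database row, so a changed password or deleted user ends the session.
    // Returns the redirect URL when the check fails, null when the user is valid.
    public function check()
    {
        if (!isset($this->session['login'], $this->session['fp'])) {
            return $this->redirect;
        }
        $stored = $this->storedPassword($this->session['login']);
        if ($stored === null ||
            !hash_equals($this->fingerprint($this->session['login'], $stored), $this->session['fp'])) {
            unset($this->session['login'], $this->session['fp']);
            return $this->redirect;
        }
        return null;
    }
}

// Constructed sample data: one user whose password is stored as md5('secret'),
// matching the book's legacy $md5 = true scheme.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE user (login TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO user VALUES ('harry', '" . md5('secret') . "')");

$session = array();
$auth = new Auth($db, $session, '/login.php', 'example-hash-key', true);
var_dump($auth->login('harry', 'wrong'));   // rejected
var_dump($auth->login('harry', 'secret'));  // accepted, session populated
var_dump($auth->check());                   // session still valid
$db->exec("UPDATE user SET password = '" . md5('changed') . "'");
var_dump($auth->check());                   // password changed: redirect to login
?>
```

Keeping only a keyed fingerprint in the session, rather than the password itself, means a leaked session store does not reveal credentials, and re-deriving it from the database on each request is what lets a password change invalidate sessions that are already open.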