Version 0.9 released

Nikolas
Mon 29 October 2007, 10:35 am GMT +0100
Just wanted to let you know that a new version of php user class has just been released. The new version fixes one small bug, and adds a few features.

For more information check the class changelog.

ThaSniper
Wed 7 November 2007, 04:25 pm GMT +0100
I had good results testing the example files of the new version. :) You are doing a great job!

By the way, maybe you could do some little tutorial, so we can learn all the features that can be used with it. I understand that not all the features are covered on the example files.

Thank you!

Nikolas
Wed 7 November 2007, 09:55 pm GMT +0100
I am afraid I have no time for this at this point, as I am going to the army in 5 days :)

But I guess with a little experimenting and reading my comments in the class files you can see all the possibilities of the class.

Nikolas
Fri 9 November 2007, 10:13 am GMT +0100
I've just released version 0.91 which fixes a small bug in the user logout function.

If you are using 0.9 please update to the new version.

rdivilbiss
Fri 23 November 2007, 03:26 am GMT +0100
Overall I think you have a nice class which could be especially useful for newer programmers.  Your example pages however contain the often used flaw of setting a form action attribute (or a redirect) to $_SERVER['PHP_SELF'] which is a well documented XSS vulnerability.  As your class is for implementing security, leaving XSS in the examples is probably not wise, considering the general audience.

Simply Google for XSS $_SERVER['PHP_SELF']
http://xforce.iss.net/xforce/xfdb/26518

Similarly the lack of input validation in the examples and in the class could lead to various problems.

Also, I would remove the inline SQL in favor of parameterized SQL (for example: http://www.expertsrt.net/main/components/com_mambowiki/index.php?title=PHP_MySql_Prepared_Statements_Library) and the more secure mysqli functions.

While you take precautions to prevent common SQL injection, you might want to consider some unexpected injections which can occur, such as those published here:
http://mordred.niama.net/blog/?p=121

Again, pretty darn good start, but a few tweaks could lead to something bullet-proof and very useful to the newer developers. Possibly something like Reform. http://www.owasp.org/index.php/Category:OWASP_Encoding_Project

Best regards,
Rod
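As an added example (not code from the php user class, its example files, or the poster), the fixes Rod describes: an escaped or server-fixed form action instead of a raw $_SERVER['PHP_SELF'], a whitelist check on the username, and a mysqli prepared statement in place of inline SQL. The `users` table and its `id`, `username` and `password_hash` columns are assumed.

```php
<?php
// Added example, not code from the php user class or its bundled example files.
// Assumed: a mysqli connection $db and a table `users` with columns
// id, username and password_hash (all hypothetical).

// --- 1. The form action flaw from the post above -------------------------
// $_SERVER['PHP_SELF'] reflects the request path, and that path can carry
// characters that close the attribute. Echoing it raw into action="..."
// is the XSS the post refers to. Two fixes: escape it for the HTML
// attribute context, or, better, use a server-controlled value that never
// came from the request at all.
function safe_form_action(): string
{
    // ENT_QUOTES escapes both quote kinds so the attribute cannot be closed.
    return htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

function login_form(string $action = 'login.php'): string
{
    return '<form action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8')
        . '" method="post">'
        . '<input type="text" name="username"> '
        . '<input type="password" name="password"> '
        . '<input type="submit" value="Login"></form>';
}

// --- 2. Input validation before anything touches the database ------------
function valid_username(string $u): bool
{
    // Whitelist: 3-32 characters from a fixed alphabet; everything else rejected.
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $u);
}

// --- 3. Parameterized SQL with mysqli instead of inline query strings ------
// The username is bound as data, so it is never part of the SQL text and
// cannot change the statement's structure no matter what it contains.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Call `valid_username()` on the posted value before `find_user()`, and compare the stored hash with `password_verify()` rather than comparing plaintext.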

nstokes
Thu 29 November 2007, 12:39 am GMT +0100
Hello, thanks so much for this class! It's working brilliantly. I'm on version .91, but I still am experiencing the bug that you said you squashed, the logout with cookies. If I check the Remember Me? box, I cannot log out without manually removing the cookie... I'd appreciate any input you might have. Thanks!

Nikolas
Fri 7 December 2007, 09:41 am GMT +0100
Hi fellas, and thanks for your input. I will try to check those problems, but as I am in the army now I am short on time.

I would really appreciate it if someone could contribute some code to the project :)

nstokes
Fri 7 December 2007, 04:56 pm GMT +0100
Nikolas - I found the issue. I was testing this on a subdomain, and I had set the cookie domain to be sub.domain.com. When I reset the cookie domain to be www.sub.domain.com everything worked fine as it should. Thx for your code again, it's working great!
