Jump to content
Larry Ullman's Book Forums

Recommended Posts

Going through and making sure every thing is secure, I think I found a flaw.


There is no need for:


for it's redudant and poises a security issue - never trust $_SERVER


All you have to do is this:

// Validate the form data:
if ($form->validate()) {

    // Check against the database:
    $query = 'SELECT id, userType, username, email, pass FROM users WHERE username=:username';
    $stmt = $pdo->prepare($query);
    $result = $stmt->execute(array(':username' => $username->getValue()));
    // Try to fetch the results:
    if ($result) {
        $stmt->setFetchMode(PDO::FETCH_CLASS, 'Member');
        $user = $stmt->fetch();
        $result = false;
    // Verify Stored Hashed Password:
    $result = password_verify($password->getValue(), $user->pass);
    // Store the user in the session and redirect:
    if ($result) {
        // Store in a session:
        $_SESSION['user'] = $user;
        // Redirect:
} // End of form validation IF.

I have been testing this thoroughly and it works ;)



Link to comment
Share on other sites


  • Create New...