patternphpMinor
Changing a user's password
Viewed 0 times
changinguserpassword
Problem
I wrote this class for the project I'm currently working on. It's basically used to change a user's password. I'd like to know your thoughts on the basic structure/design of this class and how it can be improved, or if you'd have written it differently.
```
class Recover_password{
//class by sami
private $conn;
private $password_one;
private $password_two;
function initialize_connection($conn){
if($conn instanceof PDO){
$this->conn = $conn;
}else{
echo "Connection problem accured";
}
}
function is_posted(){
if(isset($_POST["change_password"])){
$this->is_empty();
}else{
echo "nothing's being posted!";
}
}
private function is_empty(){
foreach($_POST as $post_value){
if(!empty($post_value)){
$is_empty = false;
}else{
echo "Field/s are empty";
break;
}
}
if(isset($is_empty)){
$this->set_values();
}
}
private function set_values(){
$this->password_one = strip_tags(stripslashes(trim($_POST["password_two"], '"')));
$this->password_two = strip_tags(stripslashes(trim($_POST["password_one"], '"')));
if($this->password_one == $this->password_two){
if( (strlen($this->password_one) > 10) or (strlen($this->password_two) > 10) ){
$this->password_one = md5($this->password_one);
$this->change_password_to_new();
}else{
$this->show_message("The password you provided is too weak");
}
}else{
$this->show_message("Please make sure the passwords match");
}
}
private function change_password_to_new(){
$insert_pass_query = $this->conn->prepare("update registered_users set user_password = :user_password where username = :username");
if( $insert_pass_query->execute
```
class Recover_password{
//class by sami
private $conn;
private $password_one;
private $password_two;
function initialize_connection($conn){
if($conn instanceof PDO){
$this->conn = $conn;
}else{
echo "Connection problem accured";
}
}
function is_posted(){
if(isset($_POST["change_password"])){
$this->is_empty();
}else{
echo "nothing's being posted!";
}
}
private function is_empty(){
foreach($_POST as $post_value){
if(!empty($post_value)){
$is_empty = false;
}else{
echo "Field/s are empty";
break;
}
}
if(isset($is_empty)){
$this->set_values();
}
}
private function set_values(){
$this->password_one = strip_tags(stripslashes(trim($_POST["password_two"], '"')));
$this->password_two = strip_tags(stripslashes(trim($_POST["password_one"], '"')));
if($this->password_one == $this->password_two){
if( (strlen($this->password_one) > 10) or (strlen($this->password_two) > 10) ){
$this->password_one = md5($this->password_one);
$this->change_password_to_new();
}else{
$this->show_message("The password you provided is too weak");
}
}else{
$this->show_message("Please make sure the passwords match");
}
}
private function change_password_to_new(){
$insert_pass_query = $this->conn->prepare("update registered_users set user_password = :user_password where username = :username");
if( $insert_pass_query->execute
Solution
basic structure/design
I would not echo in a class, but throw an exception instead. That way, the calling class can decide how to handle these problems, and your class will thus be more flexible.
Your class also does two things: It changes a password, and it redirects. I would leave the redirection to the calling class as well (but this is probably a matter of taste).
The
If only one of the two fields is filled in by the user,
In this case it doesn't really matter, because it will not do anything. But then your function could be simplified to:
An alternative way would be to move that check into
Note that I rearranged the if statements for more readability, and used the
Naming
Misc
\' why not let them? In addition to annoying users, this could also lead to real problems, because you have to use those exact filter functions everywhere where the user supplies a password, as otherwise some users will not be able to login.
I would not echo in a class, but throw an exception instead. That way, the calling class can decide how to handle these problems, and your class will thus be more flexible.
Your class also does two things: It changes a password, and it redirects. I would leave the redirection to the calling class as well (but this is probably a matter of taste).
is_emptyThe
is_empty function doesn't seem to be working correctly. If only one of the two fields is filled in by the user,
Field/s are empty is echoed, but set_values is called anyways. In this case it doesn't really matter, because it will not do anything. But then your function could be simplified to:
private function is_empty(){
foreach($_POST as $post_value){
if(empty($post_value)){
echo "Field/s are empty";
break;
}
}
$this->set_values();
}An alternative way would be to move that check into
set_values, where all the other checks also take place:if ($this->password_one == "" || $this->password_two == "") {
$this->show_message("Field/s are empty");
} else if($this->password_one != $this->password_two){
$this->show_message("Please make sure the passwords match");
}else if (strlen($this->password_one) show_message("The password you provided is too weak");
} else {
$this->password_one = md5($this->password_one);
$this->change_password_to_new();
}Note that I rearranged the if statements for more readability, and used the
shoe_message method for all messages, instead of using echo.Naming
is_posteddoesn't seem like an optimal name, although I have problems coming up with a better name.
- PHP class names should be in CamelCase
Misc
- I would not change a user password. If a user wants their password to be
"
\' why not let them? In addition to annoying users, this could also lead to real problems, because you have to use those exact filter functions everywhere where the user supplies a password, as otherwise some users will not be able to login.
- in
set_values, theor (strlen($this->password_two) > 10check is unnecessary, aspassword_oneandpassword_twoare equal andpassword_oneis already checked.
- security:
md5isn't really considered good enough anymore. If possible, you should use bcrypt (password_hashin PHP) or pbkdf2 instead.
Code Snippets
private function is_empty(){
foreach($_POST as $post_value){
if(empty($post_value)){
echo "Field/s are empty";
break;
}
}
$this->set_values();
}if ($this->password_one == "" || $this->password_two == "") {
$this->show_message("Field/s are empty");
} else if($this->password_one != $this->password_two){
$this->show_message("Please make sure the passwords match");
}else if (strlen($this->password_one) <= 10) {
$this->show_message("The password you provided is too weak");
} else {
$this->password_one = md5($this->password_one);
$this->change_password_to_new();
}Context
StackExchange Code Review Q#79973, answer score: 4
Revisions (0)
No revisions yet.