Tạo mạng xã hội với PHP - part 12 pot

This is used to perform a basic form of user authentication, to allow them to reset the password: private function resetPassword $user, $key { $this->registry->getObject'template'->ge

Trang 1

Remember me

Our current implementation of an authentication system relies on SESSION data,

which expires at the end of a user's session (either a specific time-limit set by the

server, or when the user closes their browser, whichever occurs first) Many users

want to be remembered when they log in to certain sites they use on a regular basis,

to save the trouble of continually logging in every day, or even several times a day

This can be achieved by combining sessions with cookies However, as cookies last

for longer periods of time and are stored on the user's computer (whereas sessions

are stored on the server) cookie authentication will need to be more advanced One

option would be to store a random salted hash of the time the user logged in, within

the cookie If we simply relied on the user ID being stored in the cookie, it would be

easy for users to create fake cookies, and thus take control of other users accounts

Help! I've forgotten!

Some of our users will probably forget their login details, particularly if they haven't

used our site for a while If we don't have provisions for this, then we will lose users

There are three types of reminder we should include:

• Username reminder

• Password reminder

• Resend e-mail verification message

Let's look at implementing these features in our authentication controller

Username

If the user forgets his/her username, they simply supply their e-mail address, and

we e-mail them a reminder:

private function forgotUsername()

{

if( isset( $_POST['email'] ) && $_POST['email'] != '' )

{

$e = $this->registry->getObject('db')->sanitizeData( $_

POST['email'] );

$sql = "SELECT * FROM users WHERE email='{$e}'";

$this->registry->getObject('db')->executeQuery( $sql );

if( $this->registry->getObject('db')->numRows() == 1 )

{

$data = $this->registry->getObject('db')->getRows();

// email the user

$this->registry->getObject('mailout')->startFresh();

Trang 2

[ 93 ]

$this->registry->getObject('mailout')->setTo( $_

POST['email'] );

$this->registry->getObject('mailout')->setSender( $this-

>registry->getSetting('adminEmailAddress') );

$this->registry->getObject('mailout')->setFromName( $this-

>registry->getSetting('cms_name') );

$this->registry->getObject('mailout')->setSubject(

'Username details for ' $this->registry-

>getSetting('sitename') );

$this->registry->getObject('mailout')-

>buildFromTemplates('authenticate/username.tpl.php');

$tags = $this->values;

$tags[ 'sitename' ] = $this->registry-

>getSetting('sitename');

$tags['username'] = $data['username'];

$tags['siteurl'] = $this->registry->getSetting('site_

url');

>replaceTags( $tags );

>setMethod('sendmail');

$this->registry->getObject('mailout')->send();

// tell them that we emailed them

$this->registry->errorPage('Username reminder sent',

'We have sent you a reminder of your username, to the

email address we have on file');

}

else

{

// no user found

$this->registry->getObject('template')-

>buildFromTemplates( 'header.tpl.php', 'authenticate/

username/main.tpl.php', 'footer.tpl.php');

$this->registry->getObject('template')-

>addTemplateBit('error_message', 'authenticate/username/

error.tpl.php');

}

else

{

// form template

$this->registry->getObject('template')->buildFromTemplates(

'header.tpl.php', 'authenticate/username/main.tpl.php',

'footer.tpl.php');

$this->registry->getObject('template')->getPage()-

>addTag('error_message', '');

}

This material is copyright and is licensed for the sole use by RAYMOND ERAZO on 25th October 2010

3146 KERNAN LAKE CIRCLE, JACKSONVILLE, 32246

Download from www.eBookTM.com

Trang 3

If the user forgets his/her password, they enter their username, and we generate a

password reset key, and e-mail them a link to reset the password:

private function forgotPassword()

{

if( isset( $_POST['username'] ) && $_POST['username'] != '' )

{

$u = $this->registry->getObject('db')->sanitizeData( $_

POST['username'] );

$sql = "SELECT * FROM users WHERE username='{$u}'";

{

// have they requested a new password recently?

if( $data['reset_expires'] > date('Y-m-d h:i:s') )

{

// inform them

$this->registry->errorPage('Error sending password

request', 'You have recently requested a password

reset link, and as such you must wait a short while

before requesting one again This is for security

reasons.');

}

else

{

// update their row

$changes = array();

$rk = $this->generateKey();

$changes['reset_key'] = $rk;

$changes['reset_expires'] = date( 'Y-m-d h:i:s',

time()+86400 );

$this->registry->getObject('db')->updateRecords(

'users', $changes, 'ID=' $data['ID'] );

// email the user

$this->registry->getObject('mailout')->startFresh();

$this->registry->getObject('mailout')->setTo( $_

POST['email'] );

$this->registry->getObject('mailout')->setSender(

$this->registry->getSetting('adminEmailAddress') );

$this->registry->getObject('mailout')->setFromName(

$this->registry->getSetting('cms_name') );

$this->registry->getObject('mailout')->setSubject(

'Password reset request for ' $this->registry-

>getSetting('sitename') );

Trang 4

[ 95 ]

>buildFromTemplates('authenticate/password.tpl.php');

$tags = $this->values;

$tags[ 'sitename' ] = $this->registry-

>getSetting('sitename');

$tags['username'] = $data['username'];

$url = $this->registry->buildURL( 'authenticate',

'reset-password', $data['ID'], $rk );

$tags['url'] = $url;

$tags['siteurl'] = $this->registry->getSetting('site_

url');

$this->registry->getObject('mailout')->replaceTags(

$tags );

>setMethod('sendmail');

$this->registry->getObject('mailout')->send();

// tell them that we emailed them

$this->registry->errorPage('Password reset link sent',

'We have sent you a link which will allow you to

reset your account password');

}

else

{

// no user found

$this->registry->getObject('template')-

>buildFromTemplates( 'header.tpl.php', 'authenticate/

password/main.tpl.php', 'footer.tpl.php');

$this->registry->getObject('template')-

>addTemplateBit('error_message', 'authenticate/password/

error.tpl.php');

}

else

{

// form template

$this->registry->getObject('template')->buildFromTemplates(

'header.tpl.php', 'authenticate/password/main.tpl.php',

'footer.tpl.php');

$this->registry->getObject('template')->getPage()-

>addTag('error_message', '');

}

The link is used to verify the user (as it is sent to their e-mail address) where they can

reset the password

Trang 5

Let them reset the password

The password is then reset by the user entering a new password, assuming their

reset key is correct Control is passed from the framework to our authentication

controller, which calls the resetPassword method This method takes two

parameters, the user's ID and the reset key This is used to perform a basic

form of user authentication, to allow them to reset the password:

private function resetPassword( $user, $key )

{

$this->registry->getObject('template')->getPage()->addTag(

'user', $user );

$this->registry->getObject('template')->getPage()->addTag('key',

$key );

$sql = "SELECT * FROM users WHERE ID={$user} AND reset_

key='{$key}'";

{

if( $data['reset_expiry'] > date('Y-m-d h:i:s') )

{

We can have a problem with either a user repeatedly requesting password reset

links maliciously for another user, as when the user tried to reset their password a

new key would be generated Similarly, a user could use trial and error (brute force

attacking) to try and guess a reset key and subsequently reset the user's password

To prevent these issues, only one key should be issued in a 24 hour period, and it

should expire after this time If the key they have supplied has expired, we need to

tell them that

$this->registry->errorPage('Reset link expired', 'Password

reset links are only valid for 24 hours This link is

out of date and has expired.');

}

else

{

If their key is valid, we then check to see whether they have completed the form and

submitted a new password:

if( isset( $_POST['password'] ) )

{

Trang 6

[ 97 ]

If they have completed the form, we need to check that the password is at least seven

characters long, and that it has been confirmed:

if( strlen( $_POST['password'] ) < 6 )

{

$this->registry->errorPage( 'Password too short', 'Sorry, your password was too short, passwords must be greater than 6 characters'); }

else {

if( $_POST['password'] != $_POST['password_confirm'] ) {

$this->registry->errorPage( 'Passwords do not match', 'Your password and password confirmation do not match, please try again.'); }

else {

We then hash the password, and update the user's database record: // reset the password $changes = array(); $changes['password_hash'] = md5( $_ POST['passowrd'] ); $this->registry->getObject('db')->updateRecords( 'users', $changes, 'ID=' $user ); $this->registry->errorPage('Password reset', 'Your password has been reset to the one you entered');

}

else {

If the key is valid, and the user hasn't submitted the new password form, we show them the form: // show the form $this->registry->getObject('template')- >buildFromTemplates( 'header.tpl.php', 'authenticate/ password/reset.tpl.php', 'footer.tpl.php');

Trang 7

}

else

{

Finally, if they key was invalid, we tell them that:

$this->registry->errorPage('Invalid details', 'The password

reset link was invalid');

}

I've lost my e-mail verification message

If we verify our users' e-mail addresses, we would also want to be able

to resend this verification message, in case they delete the original Why

not try and implement this feature in our authentication controller?

Summary

In this chapter, we looked at allowing users to sign up to Dino Space, by developing

registration logic to create a user account and their custom social profile A user

account on its own isn't enough—our users need to be able to log in to the user

account, so that they can benefit from the site To facilitate this we also created

an authentication registry class

Because e-mail sending is going to be a task we need to do frequently, as illustrated

by the four use cases in this chapter, we also developed a simple e-mail sending

class, to make it easy for us to generate and send e-mails as and when we need to

Now that we can have users on our social network, and they can log in to access

our social network, let's start developing some social features for it!

Trang 8

Friends and Relationships

We now have a social networking site, where the only feature is that users can sign

up, log in, and log out This is, of course, the first step to any such site, as we need

users Now that we have users, we need some way for them to be able to connect to

one another For this to be possible, we need to be able to see the users on the site,

search the users on the site, and subsequently request to connect to them

In this chapter, you will learn:

• How to allow users to invite their friends to the site

• How to automatically invite a user's contacts to befriend them on the site,

by connecting to other websites

• How to list users on the site

• How to search for users on the site and display the resulting users

• How to allow users to connect with one another as friends or other types

of relationship (for example, as colleagues)

Let's get started

Inviting friends

Although users of Dino Space are going to sign up and connect with other users on

the site, to help them build up their profile on the site more quickly and to help us

increase our user base, we can allow our users to invite friends and contacts who

they know from outside of the social network to join and connect with them At the

same time, we can also see if these people have already signed up to the site, and

inform the user of this

Trang 9

There are two main ways we can do this:

• Asking our users to enter a friend's name and e-mail address

• Asking our users to enter their details for their webmail, connecting

to their address book, and obtaining a list of their contacts

Once we have a name and an e-mail address we can either:

• Send the user an e-mail inviting them to join Dino Space to connect with

their friend

• Inform the user that someone with that e-mail address has already signed

up and suggest they connect with them directly, or automatically connect

them (this is another reason e-mail verification from Chapter 3 is useful,

otherwise it could be any user with our friends e-mail address, and not

actually our friend)

A note on privacy

When a user gives us details of a friend who isn't on their site, their credentials or access to their online contacts, or a list of their contacts,

we shouldn't keep a copy of this without their explicit permission A suitable privacy policy should be clear on the website, indicating what happens with any data they enter into the website

Manually inviting friends

If John thinks his friend Bill, who keeps a pet pterodactyl, would benefit from using

Dino Space, he may want to recommend the site to him To allow users to invite

other users we need to:

1 Request John to enter Bill's name and e-mail address

2 Check to see if Bill's e-mail address exists in the website (that is, is Bill

already a member)

3 If Bill is already a member, we suggest that John connect with him and show

him Bill's profile

4 If Bill hasn't already joined Dino Space, we want to validate this data and

display a template message to John showing the invitation message, which

he can edit and personalise

5 We allow John to edit the message

6 Once John clicks on Send, we e-mail the invitation to Bill dynamically

inserting John's details so Bill knows who it was that invited him

Trang 10

[ 101 ]

Invitation controller

To manually invite friends, we need an invitation controller to take and process the

user's requests This controller would then present the user with an invitation form,

for the user to enter their friend's details On submitting the form, the controller

will check to see if the friend is already a member (by looking up the friend's e-mail

address in the user's table) If the friend isn't a member, the personalized invitation

message will have the friend's details inserted into it, and will then be e-mailed to

the friend

If you do implement this feature, you will also need a number of template files to

make up the view, and an e-mail template for sending the invitation to the friend

Automatically inviting friends

Most social networking websites offer the user the chance to enter their details for

their webmail login, to have the site automatically invite their contacts to use the site

In the past, this would be done by scripts that would connect to the various websites

using libraries such as cURL, pretending to be a user, to obtain the contacts list This

technique isn't ideal, as the code obviously needs to be updated each time the site

changes how it works

Thankfully, most e-mail providers realise this is a useful feature, and so they have

provided APIs that developers can interact with to obtain a list of contacts to e-mail

Of course, APIs change, but changes are generally announced in advance, and there

is normally a wealth of resources for developers

Google Friend Connect

Google has a service that aims to allow users to invite their friends from a number of

social networking sites (currently Orkut and Plaxo) as well as contacts from Google

Talk and friends with a known e-mail address

This service also provides a number of other "gadgets" that can add social

functionality to your site, including commenting and rating content, as well

as providing some interesting reporting tools

More information on this is available on the Google Friend Connect website:

Định dạng
Số trang	10
Dung lượng	3,41 MB