From 3b593a8490ff765c30bf7d49b906f59550999599 Mon Sep 17 00:00:00 2001
From: Gnieark
Date: Thu, 18 Apr 2019 23:40:05 +0200
Subject: [PATCH] serializes
---
 User.php | 10 ++++++----
 User_Manager.php | 2 +-
 User_Sql.php | 50 +++++++++++++++++++++++++-----------------------
 3 files changed, 33 insertions(+), 29 deletions(-)
diff --git a/User.php b/User.php
index 88de0ba..13c3914 100644
--- a/User.php
+++ b/User.php
@@ -11,6 +11,10 @@ class User
 protected $db;
+ public function __sleep(){
+ return array('is_connected','external_id','id','display_name','auth_method','groups');
+ }
+
 public function get_id() {
 if($this->is_connected){
@@ -36,14 +40,12 @@ class User
 }
 public function set_db(PDO $db){
- $this->$db = $db;
+
+ $this->db = $db;
 }
 public function __construct(PDO $db){
 $this->db = $db;
 }
-
-
-
 }
diff --git a/User_Manager.php b/User_Manager.php
index 3ce508c..520a42a 100644
--- a/User_Manager.php
+++ b/User_Manager.php
@@ -105,7 +105,7 @@ class User_Manager
 }
 }
- $user = new User();
+ $user = new User($db);
 return $user;
 }
diff --git a/User_Sql.php b/User_Sql.php
index c9cdf8c..3a8c41a 100644
--- a/User_Sql.php
+++ b/User_Sql.php
@@ -18,9 +18,11 @@ class User_Sql extends User {
 $stmt->bindParam(':admin', $adminInt);
 $stmt->bindParam(':active', $activeInt);
+ $hashed_password = password_hash($password, PASSWORD_BCRYPT);
+
 $adminInt = $admin? 1 : 0;
- $activeInt = $activeInt? 1 : 0;
+ $activeInt = $active? 1 : 0;
 $stmt->execute();
 return $db->lastInsertId();
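Review bot: `__sleep()` excludes `db` so the PDO handle is never serialized, but there is no matching `__wakeup()`, so an unserialized User comes back with `$this->db` unset and every method that touches the connection fails until `set_db()` (corrected in the next hunk) is called. That contract should be stated above the method, e.g. `// db is intentionally omitted: a PDO handle cannot be serialized; callers must invoke set_db() after unserialize()`, or enforced by a `__wakeup()` that makes the requirement explicit. `external_id` and `groups` are returned from `__sleep` but are not declared in the visible context; if they are not properties of User, PHP emits a notice and skips them, so please confirm they exist on the class. The closing brace of the class is the only part of `User` visible here, so the property list could not be checked against the declarations.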
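Review bot: `new User($db)` now depends on a `$db` variable that is not defined anywhere in this hunk; the enclosing function starts before line 105 and nothing visible shows `$db` as a parameter or local, so if it is not in scope the call passes `null` and the `PDO` type hint on `User::__construct` throws a `TypeError` at the first use. Please confirm where `$db` comes from and, if the manager holds the connection on the instance, use `$user = new User($this->db);` instead. It is also worth a comment on why the manager constructs the base `User` rather than `User_Sql` here, since only the subclass carries the `authentificate()` method changed in this patch.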
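Review bot: `$hashed_password` is assigned on the added line after the two `bindParam` calls, but nothing in this hunk binds it to the statement; the password binding must be above the hunk (the function starts before line 18), so verify that it reads `$stmt->bindParam(':password', $hashed_password);` and not a bind of the plaintext `$password`, otherwise the hash is computed and discarded and the row stores the clear-text value. Because `bindParam` binds by reference, assigning `$hashed_password` after the bind is fine only when the variable names match exactly. Prefer `password_hash($password, PASSWORD_DEFAULT)` so the algorithm can follow PHP's default over time; note that bcrypt also ignores input beyond 72 bytes, which is a reason to pair it with a length check at the boundary. The `$activeInt = $active? 1 : 0;` fix is correct: the removed line read the uninitialised `$activeInt` and always produced 0.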
@@ -28,31 +30,31 @@ class User_Sql extends User {
 public function authentificate($login,$password) {
-
- $sql =
- "SELECT id,display_name,
- FROM users
- WHERE login='". mysqli_real_escape_string($this->db,$login) . "'
- AND password=SHA2('". mysqli_real_escape_string($this->db,$password) . "',512)
- AND auth_method='local';";
-
- $rs = $this->db->query($sql);
- if($r = $rs->fetch_array(MYSQLI_ASSOC)){
- $this->is_connected = true;
- $this->display_name = $r["display_name"];
- $this->id = $r['id'];
- $this->auth_method = 'sql';
-
- return $this;
-
- }else{
- $this->is_connected = false;
- return false;
-
+ $stmt = $this->db->prepare(
+ "SELECT id,display_name,password
+ FROM users
+ WHERE login=:login
+ AND active=1
+ AND auth_method='local'"
+ );
+
+ $stmt->bindParam(':login', $login);
+ $stmt->execute();
+ if($r = $stmt->fetch()){
+
+ //check password
+ if(password_verify($password,$r["password"])){
+ $this->is_connected = true;
+ $this->display_name = $r["display_name"];
+ $this->id = $r['id'];
+ $this->auth_method = 'sql';
+
+ return $this;
+ }
 }
-
- return false;
+ $this->is_connected = false;
+ return $this;
 }
 }
\ No newline at end of file
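Review bot: The failure path at the end of the hunk now returns `$this` where the removed code returned `false`, so any caller that tests the result for truthiness (`if ($user->authentificate($login, $pw))`) will treat a failed login as a success; either keep `return false;` on that path or document above the method that callers must check `is_connected` rather than the return value. `$stmt->fetch()` without a fetch mode depends on the connection's `PDO::ATTR_DEFAULT_FETCH_MODE`, and `$r["password"]` only works for an associative row, so use `$stmt->fetch(PDO::FETCH_ASSOC)`. When no row matches, `password_verify` is skipped entirely, so an unknown login answers measurably faster than a wrong password; running `password_verify` against a fixed dummy hash in the no-row case evens out the response time. After a successful verify, `password_needs_rehash($r["password"], PASSWORD_DEFAULT)` would let stored hashes be upgraded transparently.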