serializes

User.php

@@ -11,6 +11,10 @@ class User
 
     protected $db;
 
+    public function __sleep(){
+        return array('is_connected','external_id','id','display_name','auth_method','groups');
+    }
+   
     public function get_id()
     {
         if($this->is_connected){
@@ -36,14 +40,12 @@ class User
     }
     
     public function set_db(PDO $db){
-        $this->$db = $db;
+        
+        $this->db = $db;
     }
 
     public function __construct(PDO $db){
         $this->db = $db;
     }
    
-
- 
-
 }

User_Manager.php

@@ -105,7 +105,7 @@ class User_Manager
             }
         }
 
-        $user = new User();
+        $user = new User($db);
 
         return $user;
     }

User_Sql.php

@@ -18,9 +18,11 @@ class User_Sql extends User {
             $stmt->bindParam(':admin', $adminInt);
             $stmt->bindParam(':active', $activeInt);
 
+        
             $hashed_password = password_hash($password, PASSWORD_BCRYPT);
+            
             $adminInt = $admin? 1 : 0;
-            $activeInt = $activeInt? 1 : 0;
+            $activeInt = $active? 1 : 0;
             $stmt->execute();
 
             return $db->lastInsertId(); 
@@ -29,30 +31,30 @@ class User_Sql extends User {
         public function authentificate($login,$password)
         {
             
-            $sql =  
-            "SELECT id,display_name,
+            $stmt = $this->db->prepare(
+                "SELECT id,display_name,password
                 FROM users 
-            WHERE login='". mysqli_real_escape_string($this->db,$login) . "'
-            AND password=SHA2('". mysqli_real_escape_string($this->db,$password) . "',512)
-            AND auth_method='local';";
+                WHERE login=:login 
+                AND active=1
+                AND auth_method='local'"
+            );
             
-            $rs = $this->db->query($sql);
+            $stmt->bindParam(':login', $login);
+            $stmt->execute();
+            if($r = $stmt->fetch()){
 
-            if($r = $rs->fetch_array(MYSQLI_ASSOC)){
+                    //check password
+                if(password_verify($password,$r["password"])){
                     $this->is_connected = true;
                     $this->display_name = $r["display_name"];
                     $this->id = $r['id'];
                     $this->auth_method = 'sql';
                     
                     return $this;
-    
-            }else{
+                }
+            }
             $this->is_connected = false;
-                return false;
-    
-            }
-
-            return false;
+            return $this;
         }
 
 }