Difference between Controller and Model in MVC
I think the is_logged should be placed in the Model for User. Note that the User might be a customer in your case or any class that you have made to model a user of your service.
The valid_email and generate_random_string are more or less utility functions, which you can place in a Utility or Utilities model, so that these are reusable in various controllers in your application.
The hash_password, can be placed in either the User model or Utility model. I am more tempted to place it in Utility model, since its a hashing function and there is nothing the user cares about. However, I can imagine there can be argument(s) otherwise.
The following SO question (though for a different framework) can also serve as a rule of thumb:
generally controllers are used to determine how to handle the http requests made..
There's nothing wrong in creating some functions which directly respond to the http requests.
but if it has anything to do with the DB, its better to place those function in the model, and call them from the controller.
Controller should combine view with model, so every validation shoulde be placed in modelthis is my example from kohana
CONTROLLER
<?php/** * User Controller */class Controller_Admin_User extends Controller_Admin_Template { public function action_index() { $this->template->body = View::factory('admin/user/index') ->set('i', 0) ->bind('users', $users) ->bind('groups', $groups) ->bind('id_user_group', $id_user_group); $model_user = new Model_Admin_User; $users = $model_user->get_users(Arr::get($_GET, 'sort'), Arr::get($_GET, 'order')); $model_usergroup = new Model_Admin_Usergroup; $groups = $model_usergroup->get_user_group(); } public function action_add() { $this->template->body = View::factory('admin/user/form_add') ->bind('error', $error) ->bind('groups', $groups) ->bind('post', $post); $model_usergroup = new Model_Admin_Usergroup; $groups = $model_usergroup->get_user_group(); if($_POST) { $model_user = new Model_Admin_User; if($model_user->save($_POST) == false) { $error = $model_user->error; $post = $_POST; } else { $this->request->redirect('admin/user'); } } }MODEL
class Model_Back_User extends Model { private $qb; public $aliases = array( 'id'=> 'id_user' ); public $error = array( 'name' => null, 'surname' => null, 'login' => null, 'password' => null, 'id_user_group' => null, 'old_password' => null, 'new_password' => null, 'confirm' => null, 'email' => null, 'phone' => null, ); private $rules = array( 'name' => array('not_empty' => null, 'alpha' => null), 'surname' => array('not_empty' => null, 'alpha' => null), 'login' => array('not_empty' => null), 'password' => array('not_empty' => null), 'id_user_group' => array('not_empty' => null), 'email' => array('not_empty' => null, 'email' => null), 'phone' => array('not_empty' => null), 'old_password' => array('not_empty' => null), 'new_password' => array('not_empty' => null), 'confirm' => array('matches' => array('new_password')) ); public function __construct() { $this->qb = new Querybuilder; //parent::__construct(); } public function change_password($data) { $validate = Validate::factory($data) ->filter(true, 'trim') ->rules('old_password', $this->rules['old_password']) ->rules('new_password', $this->rules['new_password']) ->rules('confirm', $this->rules['confirm']) ->callback('old_password', array($this, 'password_exists'), array('id_user'=> $data['id_user'])); if($validate->check() == false) { $this->error = array_merge($this->error, $validate->errors('user')); return false; } $u = Session::instance()->get('user'); $this->edit(array('password'=> $this->password($data['new_password'])), array('id_user'=> $u['id_user'])); return true; } public function password_exists(Validate $valid, $field, $param) { if($this->user_exists(array('password'=> $this->password($valid[$field]), 'id_user'=> $param['id_user'])) == false) { $valid->error($field, 'old password is incorrect', array($valid[$field])); } } public function save($data) { $validate = Validate::factory($data) ->filter(true, 'trim') ->rules('name', $this->rules['name']) ->rules('surname', $this->rules['surname']) ->rules('user_group_id', $this->rules['id_user_group']) ->rules('email', $this->rules['email']) ->rules('phone', $this->rules['phone']); $edit = false; if(isset($data['id_user']) AND Validate::not_empty($data['id_user'])) { $edit = true; } else { $validate->rules('login', $this->rules['login']) ->rules('password', $this->rules['password']); } if($validate->check() == false) { $this->error = array_merge($this->error, $validate->errors('user')); return false; } if($edit == true) { $this->edit( array( 'name' => $data['name'], 'user_group_id' => $data['user_group_id'] ), array( 'id_user'=> $data['id_user'] ) ); return true; } return $this->add( array( 'name' => $data['name'], 'login' => $data['login'], 'password' => $data['password'], 'user_group_id' => $data['user_group_id'] ) ); } protected function add($data) { $data['password'] = $this->password($data['password']); return $this->_db->query(Database::INSERT, $this->qb->insert('user')->set($data)->build_query() ); }View is not so important thats why i dont put this here.