-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathvalidate_users.php
49 lines (43 loc) · 1.29 KB
/
validate_users.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<?php
require "database.php";
session_start();
// Check to see whether the username exists.
if (isset($_POST['username']) and isset($_POST['password'])) {
// Use a prepared statement
$stmt = $mysqli->prepare("SELECT COUNT(*), id, crypted_password, administrator FROM users WHERE username=?");
if(!$stmt){
printf("Query Prep Failed: %s\n", $mysqli->error);
exit;
}
// Bind the parameter
$user = $_POST['username'];
$stmt->bind_param('s', $user);
$stmt->execute();
// Bind the results
$stmt->bind_result($cnt, $user_id, $pwd_hash, $administrator);
$stmt->fetch();
$pwd_guess = $_POST['password'];
// Compare the submitted password to the actual password hash
if( $cnt == 1 && crypt($pwd_guess, $pwd_hash)==$pwd_hash){
// Login succeeded!
$_SESSION['logged_in'] = true;
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $user;
$_SESSION['token'] = md5(uniqid(rand(), true));
$_SESSION['admin'] = $administrator;
header("Location: main.php");
exit;
}
elseif ($cnt == 0) {
header("Location: login.php?error=nousername&username=" . $_POST['username']);
exit;
}
else{
// Login failed; redirect back to the login screen
header("Location: login.php?error=badpassword&username=" . $_POST['username']);
exit;
}
}
header("Location: login.php?attempts=1");
exit;
?>