personal-website/docs/www/login.php

134 lines
3.3 KiB
PHP
Raw Normal View History

2024-04-27 21:09:42 +02:00
<?php
$COMMONS = $_SERVER['DOCUMENT_ROOT'] . "/../common";
include_once($COMMONS."/header.php");
2024-04-28 17:37:00 +02:00
include_once($COMMONS."/utils.php");
display_header("Login");
2024-04-27 21:09:42 +02:00
// Define previous attempt and error variables and set to empty values.
$emailOld = $passwordOld = "";
$emailErr = $passwordErr = "";
/**
* Process the information, and if there are no errors, log the user in.
*/
function attempt_login($email, $password) {
// Access global variables
global $emailOld;
global $passwordOld;
global $emailErr;
global $passwordErr;
global $conn;
// Check DB connection
if($conn == null){
printf("
<article>
<h1>Failed DB connection, cannot proceed!</h1>
If you see this error in production,
please shoot me an email with helpful details.
</article>");
include_once($GLOBALS['COMMONS']."/footer.php");
die();
}
// Sanitize inputs
$email = sanitize_input($email);
$password = sanitize_input($password);
// Check if both fields are filled, if not, set appropriate error messages.
if (empty($email))
$emailErr = "Please enter your email";
if (empty($password))
$passwordErr = "Please enter your password";
// If either of the fields were empty,
// set old values for prefill and return.
if(!empty($emailErr) || !empty($passwordErr)) {
$emailOld = $email;
$passwordOld = $password;
return;
}
// Prepare and bind the sql statement
$stmt = $conn->prepare("SELECT user_id, username, email, password
FROM users WHERE email = :email;");
$stmt->bindParam(":email", $email);
// Execute the statement
$stmt->execute();
// Fetch the values
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// If the user isn't in the database, set errors, old values, and return.
if(!$result) {
$emailOld = $email;
$passwordOld = $password;
$emailErr = "This user either doesn't exist,
or has a different password.";
return;
}
// Load results to variables
$db_id = $result["user_id"];
$db_username = $result["username"];
$db_email = $result["email"];
$db_password = $result["password"];
// If user entered incorrect password, set errors, old values, and return.
// Keep the error string the same as non-existing so that an attacker
// cannot asses whether a given user has an account.
if(!password_verify($password, $db_password)){
$emailOld = $email;
$passwordOld = $password;
$emailErr = "This user either doesn't exist,
or has a different password.";
return;
}
$_SESSION["user_id"] = $db_id;
$_SESSION["user_name"] = $db_username;
$_SESSION["user_email"] = $db_email;
}
/**
* If user sent the form, process it.
* Either login user or set error message variables.
*/
if ($_SERVER["REQUEST_METHOD"] == "POST") {
attempt_login($_POST["email"], $_POST["password"]);
}
?>
<article>
<form method="post" action="<?php
echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<h2> Login: </h2>
<table class="noborder-table"><tr>
<td> Email: </td>
<td>
<input type="text" name="email" tabindex="1"
autofocus="autofocus" value="<?php echo $emailOld;?>">
</td>
<td>
<?php echo $emailErr; ?>
</td>
</tr><tr>
<td> Password: </td>
<td>
<input type="password" name="password" tabindex="2"
value="<?php echo $passwordOld?>">
</td><td>
<?php echo $passwordErr; ?>
</td>
</tr></table>
<input type="submit" tabindex="3" value="Send">
</form>
</article>
<?php
include_once($COMMONS."/footer.php");
?>