2024-04-27 21:09:42 +02:00
|
|
|
<?php
|
|
|
|
$COMMONS = $_SERVER['DOCUMENT_ROOT'] . "/../common";
|
|
|
|
|
|
|
|
include_once($COMMONS."/header.php");
|
2024-04-28 17:37:00 +02:00
|
|
|
|
2024-04-28 15:21:09 +02:00
|
|
|
display_header("Login");
|
2024-04-27 21:09:42 +02:00
|
|
|
|
|
|
|
// Define previous attempt and error variables and set to empty values.
|
2024-05-04 23:02:24 +02:00
|
|
|
$usernameOld = $passwordOld = "";
|
|
|
|
$usernameErr = $passwordErr = "";
|
2024-04-27 21:09:42 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Process the information, and if there are no errors, log the user in.
|
|
|
|
*/
|
2024-05-04 23:02:24 +02:00
|
|
|
function attempt_login($conn, $username, $password) {
|
2024-04-27 21:09:42 +02:00
|
|
|
// Access global variables
|
2024-05-04 23:02:24 +02:00
|
|
|
global $usernameOld;
|
2024-04-27 21:09:42 +02:00
|
|
|
global $passwordOld;
|
2024-05-04 23:02:24 +02:00
|
|
|
global $usernameErr;
|
2024-04-27 21:09:42 +02:00
|
|
|
global $passwordErr;
|
|
|
|
|
|
|
|
// Check DB connection
|
|
|
|
if($conn == null){
|
|
|
|
printf("
|
|
|
|
<article>
|
|
|
|
<h1>Failed DB connection, cannot proceed!</h1>
|
|
|
|
If you see this error in production,
|
|
|
|
please shoot me an email with helpful details.
|
|
|
|
</article>");
|
|
|
|
include_once($GLOBALS['COMMONS']."/footer.php");
|
|
|
|
die();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sanitize inputs
|
2024-05-04 23:02:24 +02:00
|
|
|
$username = sanitize_input($username);
|
2024-04-27 21:09:42 +02:00
|
|
|
$password = sanitize_input($password);
|
|
|
|
|
|
|
|
// Check if both fields are filled, if not, set appropriate error messages.
|
2024-05-04 23:02:24 +02:00
|
|
|
if (empty($username))
|
2024-05-05 20:25:40 +02:00
|
|
|
$usernameErr = "Please enter your username.";
|
2024-04-27 21:09:42 +02:00
|
|
|
if (empty($password))
|
2024-05-05 20:25:40 +02:00
|
|
|
$passwordErr = "Please enter your password.";
|
2024-04-27 21:09:42 +02:00
|
|
|
|
|
|
|
// If either of the fields were empty,
|
|
|
|
// set old values for prefill and return.
|
2024-05-04 23:02:24 +02:00
|
|
|
if(!empty($usernameErr) || !empty($passwordErr)) {
|
|
|
|
$usernameOld = $username;
|
2024-04-27 21:09:42 +02:00
|
|
|
$passwordOld = $password;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Prepare and bind the sql statement
|
2024-05-05 20:25:40 +02:00
|
|
|
$stmt = $conn->prepare("SELECT user_id, password,
|
2024-05-04 23:02:24 +02:00
|
|
|
created_at, permissions FROM users WHERE username = :username;");
|
|
|
|
$stmt->bindParam(":username", $username);
|
2024-04-27 21:09:42 +02:00
|
|
|
|
|
|
|
// Execute the statement
|
|
|
|
$stmt->execute();
|
|
|
|
|
|
|
|
// Fetch the values
|
|
|
|
$result = $stmt->fetch(PDO::FETCH_ASSOC);
|
|
|
|
|
|
|
|
// If the user isn't in the database, set errors, old values, and return.
|
|
|
|
if(!$result) {
|
2024-05-04 23:02:24 +02:00
|
|
|
$usernameOld = $username;
|
2024-04-27 21:09:42 +02:00
|
|
|
$passwordOld = $password;
|
2024-05-04 23:02:24 +02:00
|
|
|
$usernameErr = "This user either doesn't exist,
|
2024-04-27 21:09:42 +02:00
|
|
|
or has a different password.";
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Load results to variables
|
|
|
|
$db_id = $result["user_id"];
|
|
|
|
$db_password = $result["password"];
|
2024-05-04 23:02:24 +02:00
|
|
|
$db_permissions = $result["permissions"];
|
2024-04-27 21:09:42 +02:00
|
|
|
|
|
|
|
// If user entered incorrect password, set errors, old values, and return.
|
|
|
|
// Keep the error string the same as non-existing so that an attacker
|
|
|
|
// cannot asses whether a given user has an account.
|
|
|
|
if(!password_verify($password, $db_password)){
|
2024-05-04 23:02:24 +02:00
|
|
|
$usernameOld = $username;
|
2024-04-27 21:09:42 +02:00
|
|
|
$passwordOld = $password;
|
2024-05-04 23:02:24 +02:00
|
|
|
$usernameErr = "This user either doesn't exist,
|
2024-04-27 21:09:42 +02:00
|
|
|
or has a different password.";
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-05-04 23:02:24 +02:00
|
|
|
// Set the session logged in user.
|
2024-05-05 20:25:40 +02:00
|
|
|
$_SESSION["current_user"] = new User($db_id, $username, $db_permissions);
|
2024-04-27 21:09:42 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2024-05-04 23:08:47 +02:00
|
|
|
* If user sent the form, process it. This starts a session.
|
2024-05-04 23:02:24 +02:00
|
|
|
* Either login user and redirect to index or set error message variables.
|
2024-04-27 21:09:42 +02:00
|
|
|
*/
|
2024-05-04 23:02:24 +02:00
|
|
|
if (isset($_POST["submit"])) {
|
2024-05-04 23:08:47 +02:00
|
|
|
session_start();
|
2024-05-04 23:02:24 +02:00
|
|
|
// Log user out
|
|
|
|
$_SESSION["current_user"] = null;
|
|
|
|
// Attempt to log in
|
|
|
|
attempt_login($conn, $_POST["username"], $_POST["password"]);
|
|
|
|
// If login succeeded, go to index
|
|
|
|
if($_SESSION["current_user"] != null) {
|
|
|
|
header("Location: "."http://www.zdenekborovec-dev.cz");
|
|
|
|
}
|
2024-04-27 21:09:42 +02:00
|
|
|
}
|
|
|
|
?>
|
|
|
|
|
|
|
|
<article>
|
|
|
|
<form method="post" action="<?php
|
|
|
|
echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
|
|
|
|
<h2> Login: </h2>
|
|
|
|
<table class="noborder-table"><tr>
|
2024-05-05 20:34:28 +02:00
|
|
|
<td><label for="username">Username:</label></td>
|
2024-04-27 21:09:42 +02:00
|
|
|
<td>
|
2024-05-04 23:02:24 +02:00
|
|
|
<input type="text" name="username" tabindex="1"
|
|
|
|
autofocus="autofocus" value="<?php echo $usernameOld;?>">
|
2024-04-27 21:09:42 +02:00
|
|
|
</td>
|
|
|
|
<td>
|
2024-05-04 23:02:24 +02:00
|
|
|
<?php echo $usernameErr; ?>
|
2024-04-27 21:09:42 +02:00
|
|
|
</td>
|
|
|
|
</tr><tr>
|
2024-05-05 20:34:28 +02:00
|
|
|
<td><label for="password">Password:</label></td>
|
2024-04-27 21:09:42 +02:00
|
|
|
<td>
|
|
|
|
<input type="password" name="password" tabindex="2"
|
|
|
|
value="<?php echo $passwordOld?>">
|
|
|
|
</td><td>
|
|
|
|
<?php echo $passwordErr; ?>
|
|
|
|
</td>
|
|
|
|
</tr></table>
|
2024-05-04 23:02:24 +02:00
|
|
|
<input name="submit" type="submit" tabindex="3" value="Send">
|
2024-04-27 21:09:42 +02:00
|
|
|
</form>
|
|
|
|
</article>
|
|
|
|
|
|
|
|
<?php
|
|
|
|
include_once($COMMONS."/footer.php");
|
|
|
|
?>
|