personal-website/docs/www/login.php

<?php
$COMMONS = $_SERVER['DOCUMENT_ROOT'] . "/../common";

include_once($COMMONS."/header.php");
include_once($COMMONS."/utils.php");

display_header("Login");

// Define previous attempt and error variables and set to empty values.
$emailOld = $passwordOld = "";
$emailErr = $passwordErr = "";

/**
 * Process the information, and if there are no errors, log the user in.
 */
function attempt_login($email, $password) {
	// Access global variables
	global $emailOld;
	global $passwordOld;
	global $emailErr;
	global $passwordErr;
	global $conn;

	// Check DB connection
	if($conn == null){
		printf("
			<article>
				<h1>Failed DB connection, cannot proceed!</h1>
				If you see this error in production,
				please shoot me an email with helpful details.
			</article>");
		include_once($GLOBALS['COMMONS']."/footer.php");
		die();
	}

	// Sanitize inputs
	$email = sanitize_input($email);
	$password = sanitize_input($password);

	// Check if both fields are filled, if not, set appropriate error messages.
	if (empty($email))
		$emailErr = "Please enter your email";
	if (empty($password))
		$passwordErr = "Please enter your password";

	// If either of the fields were empty,
	// set old values for prefill and return.
	if(!empty($emailErr) || !empty($passwordErr)) {
		$emailOld = $email;
		$passwordOld = $password;
		return;
	}

	// Prepare and bind the sql statement
	$stmt = $conn->prepare("SELECT user_id, username, email, password
		FROM users WHERE email = :email;");
	$stmt->bindParam(":email", $email);

	// Execute the statement
	$stmt->execute();

	// Fetch the values
	$result = $stmt->fetch(PDO::FETCH_ASSOC);

	// If the user isn't in the database, set errors, old values, and return.
	if(!$result) {
		$emailOld = $email;
		$passwordOld = $password;
		$emailErr = "This user either doesn't exist,
					or has a different password.";
		return;
	}

	// Load results to variables
	$db_id = $result["user_id"];
	$db_username = $result["username"];
	$db_email = $result["email"];
	$db_password = $result["password"];

	// If user entered incorrect password, set errors, old values, and return.
	// Keep the error string the same as non-existing so that an attacker
	// cannot asses whether a given user has an account.
	if(!password_verify($password, $db_password)){
		$emailOld = $email;
		$passwordOld = $password;
		$emailErr = "This user either doesn't exist,
					or has a different password.";
		return;
	}

	$_SESSION["user_id"] = $db_id;
	$_SESSION["user_name"] = $db_username;
	$_SESSION["user_email"] = $db_email;
}

/**
 * If user sent the form, process it.
 * Either login user or set error message variables.
 */
if ($_SERVER["REQUEST_METHOD"] == "POST") {
	attempt_login($_POST["email"], $_POST["password"]);
}
?>

<article>
	<form method="post" action="<?php
		echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
		<h2> Login: </h2>
		<table class="noborder-table"><tr>
			<td> Email: </td>
			<td>
				<input type="text" name="email" tabindex="1"
				autofocus="autofocus" value="<?php echo $emailOld;?>">
			</td>
			<td>
				<?php echo $emailErr; ?>
			</td>
		</tr><tr>
			<td> Password: </td>
			<td>
				<input type="password" name="password" tabindex="2"
				value="<?php echo $passwordOld?>">
			</td><td>
				<?php echo $passwordErr; ?>
			</td>
		</tr></table>
		<input type="submit" tabindex="3" value="Send">
	</form>
</article>

<?php
include_once($COMMONS."/footer.php");
?>
Added logging in 2024-04-27 21:09:42 +02:00			`<?php`
			`$COMMONS = $_SERVER['DOCUMENT_ROOT'] . "/../common";`

			`include_once($COMMONS."/header.php");`
more object-oriented approach 2024-04-28 17:37:00 +02:00			`include_once($COMMONS."/utils.php");`

dynamic blogs and delayed header display 2024-04-28 15:21:09 +02:00			`display_header("Login");`
Added logging in 2024-04-27 21:09:42 +02:00
			`// Define previous attempt and error variables and set to empty values.`
			`$emailOld = $passwordOld = "";`
			`$emailErr = $passwordErr = "";`

			`/**`
			`* Process the information, and if there are no errors, log the user in.`
			`*/`
			`function attempt_login($email, $password) {`
			`// Access global variables`
			`global $emailOld;`
			`global $passwordOld;`
			`global $emailErr;`
			`global $passwordErr;`
			`global $conn;`

			`// Check DB connection`
			`if($conn == null){`
			`printf("`
			`<article>`
			`<h1>Failed DB connection, cannot proceed!</h1>`
			`If you see this error in production,`
			`please shoot me an email with helpful details.`
			`</article>");`
			`include_once($GLOBALS['COMMONS']."/footer.php");`
			`die();`
			`}`

			`// Sanitize inputs`
			`$email = sanitize_input($email);`
			`$password = sanitize_input($password);`

			`// Check if both fields are filled, if not, set appropriate error messages.`
			`if (empty($email))`
			`$emailErr = "Please enter your email";`
			`if (empty($password))`
			`$passwordErr = "Please enter your password";`

			`// If either of the fields were empty,`
			`// set old values for prefill and return.`
			`if(!empty($emailErr) \|\| !empty($passwordErr)) {`
			`$emailOld = $email;`
			`$passwordOld = $password;`
			`return;`
			`}`

			`// Prepare and bind the sql statement`
			`$stmt = $conn->prepare("SELECT user_id, username, email, password`
			`FROM users WHERE email = :email;");`
			`$stmt->bindParam(":email", $email);`

			`// Execute the statement`
			`$stmt->execute();`

			`// Fetch the values`
			`$result = $stmt->fetch(PDO::FETCH_ASSOC);`

			`// If the user isn't in the database, set errors, old values, and return.`
			`if(!$result) {`
			`$emailOld = $email;`
			`$passwordOld = $password;`
			`$emailErr = "This user either doesn't exist,`
			`or has a different password.";`
			`return;`
			`}`

			`// Load results to variables`
			`$db_id = $result["user_id"];`
			`$db_username = $result["username"];`
			`$db_email = $result["email"];`
			`$db_password = $result["password"];`

			`// If user entered incorrect password, set errors, old values, and return.`
			`// Keep the error string the same as non-existing so that an attacker`
			`// cannot asses whether a given user has an account.`
			`if(!password_verify($password, $db_password)){`
			`$emailOld = $email;`
			`$passwordOld = $password;`
			`$emailErr = "This user either doesn't exist,`
			`or has a different password.";`
			`return;`
			`}`

			`$_SESSION["user_id"] = $db_id;`
			`$_SESSION["user_name"] = $db_username;`
			`$_SESSION["user_email"] = $db_email;`
			`}`

			`/**`
			`* If user sent the form, process it.`
			`* Either login user or set error message variables.`
			`*/`
			`if ($_SERVER["REQUEST_METHOD"] == "POST") {`
			`attempt_login($_POST["email"], $_POST["password"]);`
			`}`
			`?>`

			`<article>`
			`<form method="post" action="<?php`
			`echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">`
			`<h2> Login: </h2>`
			`<table class="noborder-table"><tr>`
			`<td> Email: </td>`
			`<td>`
			`<input type="text" name="email" tabindex="1"`
			`autofocus="autofocus" value="<?php echo $emailOld;?>">`
			`</td>`
			`<td>`
			`<?php echo $emailErr; ?>`
			`</td>`
			`</tr><tr>`
			`<td> Password: </td>`
			`<td>`
			`<input type="password" name="password" tabindex="2"`
			`value="<?php echo $passwordOld?>">`
			`</td><td>`
			`<?php echo $passwordErr; ?>`
			`</td>`
			`</tr></table>`
			`<input type="submit" tabindex="3" value="Send">`
			`</form>`
			`</article>`

			`<?php`
			`include_once($COMMONS."/footer.php");`
			`?>`