Added logging in

assets/common/styles.css

@@ -72,6 +72,11 @@ code {
 	white-space: pre;
 }
 
+.noborder-table td, .noborder-table th {
+  border: none;
+  text-align: left;
+}
+
 #header {
 	border-bottom: double;
 }

docs/common/config.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * This file is for storing your personal information (such as database login).
+ * These constants will be most likely used in header.php
+ * for logging in to different internal services.
+ * It is critical that if you enter your details here,
+ * you do not commit the changes into any public repository.
+ * In the original repository [https://github.com/Zeftax/personal-homepage.git]
+ * this file is set to not track any changes, but it is better to check and
+ *  be safe, than leak your internal logins and have people screwing with
+ *  your database.
+ */
+
+// SQL database login info (Place your info here).
+define("SQL_HOSTNAME", "");
+define("SQL_USERNAME", "");
+define("SQL_PASSWORD", "");
+define("SQL_DATABASE", "");
+?>

docs/common/header.php

@@ -1,4 +1,41 @@
 <!DOCTYPE html>
+<?php
+// Include config file
+include_once("config.php");
+
+// Start session
+session_start();
+
+// PDO Mysql connection object
+$conn = "";
+
+/** Attempt to connect to sql database
+ */
+function attempt_sql_connect() {
+	// access global $conn
+	global $conn;
+
+	// Load the global login constants
+	$sql_hostname = SQL_HOSTNAME;
+	$sql_database = SQL_DATABASE;
+	$sql_username = SQL_USERNAME;
+	$sql_password = SQL_PASSWORD;
+
+	try {
+		//Try connecting to the SQL database
+		$conn = new PDO("mysql:host=$sql_hostname;dbname=$sql_database",
+			$sql_username, $sql_password);
+		// set the PDO error mode to exception
+		$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+	} catch(PDOException $e) {
+		$conn = null;
+		return;
+	}
+}
+
+attempt_sql_connect();
+
+?>
 
 <html lang="en">
 	<head>

docs/www/login.php

@@ -0,0 +1,146 @@
+
+<?php
+$PageTitle="Login";
+
+$COMMONS = $_SERVER['DOCUMENT_ROOT'] . "/../common";
+
+include_once($COMMONS."/header.php");
+
+// Define previous attempt and error variables and set to empty values.
+$emailOld = $passwordOld = "";
+$emailErr = $passwordErr = "";
+
+/**
+ * Sanitize a given input string to be safe to display and process.
+ */
+function sanitize_input($data) {
+	// Remove unnecessary whitespace characters
+	$data = trim($data);
+	// Remove backslashes
+	$data = stripslashes($data);
+	// Escape all special characters to HTML entities
+	$data = htmlspecialchars($data);
+	return $data;
+}
+
+/**
+ * Process the information, and if there are no errors, log the user in.
+ */
+function attempt_login($email, $password) {
+	// Access global variables
+	global $emailOld;
+	global $passwordOld;
+	global $emailErr;
+	global $passwordErr;
+	global $conn;
+
+	// Check DB connection
+	if($conn == null){
+		printf("
+			<article>
+				<h1>Failed DB connection, cannot proceed!</h1>
+				If you see this error in production,
+				please shoot me an email with helpful details.
+			</article>");
+		include_once($GLOBALS['COMMONS']."/footer.php");
+		die();
+	}
+
+	// Sanitize inputs
+	$email = sanitize_input($email);
+	$password = sanitize_input($password);
+
+	// Check if both fields are filled, if not, set appropriate error messages.
+	if (empty($email))
+		$emailErr = "Please enter your email";
+	if (empty($password))
+		$passwordErr = "Please enter your password";
+
+	// If either of the fields were empty,
+	// set old values for prefill and return.
+	if(!empty($emailErr) || !empty($passwordErr)) {
+		$emailOld = $email;
+		$passwordOld = $password;
+		return;
+	}
+
+	// Prepare and bind the sql statement
+	$stmt = $conn->prepare("SELECT user_id, username, email, password
+		FROM users WHERE email = :email;");
+	$stmt->bindParam(":email", $email);
+
+	// Execute the statement
+	$stmt->execute();
+
+	// Fetch the values
+	$result = $stmt->fetch(PDO::FETCH_ASSOC);
+
+	// If the user isn't in the database, set errors, old values, and return.
+	if(!$result) {
+		$emailOld = $email;
+		$passwordOld = $password;
+		$emailErr = "This user either doesn't exist,
+					or has a different password.";
+		return;
+	}
+
+	// Load results to variables
+	$db_id = $result["user_id"];
+	$db_username = $result["username"];
+	$db_email = $result["email"];
+	$db_password = $result["password"];
+
+	// If user entered incorrect password, set errors, old values, and return.
+	// Keep the error string the same as non-existing so that an attacker
+	// cannot asses whether a given user has an account.
+	if(!password_verify($password, $db_password)){
+		$emailOld = $email;
+		$passwordOld = $password;
+		$emailErr = "This user either doesn't exist,
+					or has a different password.";
+		return;
+	}
+
+	$_SESSION["user_id"] = $db_id;
+	$_SESSION["user_name"] = $db_username;
+	$_SESSION["user_email"] = $db_email;
+}
+
+/**
+ * If user sent the form, process it.
+ * Either login user or set error message variables.
+ */
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+	attempt_login($_POST["email"], $_POST["password"]);
+}
+?>
+
+<article>
+	<form method="post" action="<?php
+		echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
+		<h2> Login: </h2>
+		<table class="noborder-table"><tr>
+			<td> Email: </td>
+			<td>
+				<input type="text" name="email" tabindex="1"
+				autofocus="autofocus" value="<?php echo $emailOld;?>">
+			</td>
+			<td>
+				<?php echo $emailErr; ?>
+			</td>
+		</tr><tr>
+			<td> Password: </td>
+			<td>
+				<input type="password" name="password" tabindex="2"
+				value="<?php echo $passwordOld?>">
+			</td><td>
+				<?php echo $passwordErr; ?>
+			</td>
+		</tr></table>
+		<input type="submit" tabindex="3" value="Send">
+	</form>
+</article>
+
+<?php
+include_once($COMMONS."/footer.php");
+?>