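<?php
declare(strict_types=1);

# Bounce direct navigations back to the index page. The Referer header is
# client-controlled, so this is only a convenience redirect, not an access
# control: authentication below must not rely on it.
if (!isset($_SERVER['HTTP_REFERER'])) {
    header('location: /index.php');
    exit;
}

session_start();

$root = realpath($_SERVER['DOCUMENT_ROOT']);
include "$root/php/db.php";

# Entry point: on a form POST, open the database connection and run the
# username / password checks. Any other method does nothing.
function connect(): void
{
    # POST via HTML form (strict comparison: REQUEST_METHOD is always a string)
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        # Connect using root, user will have a "session"
        $db = Database::get_connection();

        verify_user($db);
    }
}

# Read a POST field as a string, or null when it is absent or not a scalar
# string (e.g. user[]=x). Callers treat null as "invalid input" rather than
# letting a non-string reach the query or password_verify().
function post_string(string $key): ?string
{
    $value = $_POST[$key] ?? null;
    return is_string($value) ? $value : null;
}

# See if user even exists in database.
# The username is bound as a parameter, never interpolated into the SQL.
# NOTE(review): the distinct 'User not found' / 'Password incorrect' replies
# disclose which usernames exist; a single generic failure message would be
# preferable, kept here only to preserve the existing responses.
function verify_user(mysqli $db): void
{
    $user = post_string('user');
    if ($user === null) {
        echo 'User not found';
        return;
    }

    # Fetch user from Users table via a prepared statement
    $stmt = mysqli_prepare($db, 'SELECT Username FROM Users WHERE UserName = ?');
    if ($stmt === false) {
        throw new RuntimeException('Failed to prepare user lookup');
    }
    mysqli_stmt_bind_param($stmt, 's', $user);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    # User exists if row returned
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);

    if ($found) {
        verify_pass($db);
    } else {
        echo 'User not found';
    }
}

# Verify the password stored using BCRYPT hash algorithm.
# On success the session is marked as logged in. The cleartext password is
# deliberately NOT stored in the session: it is only needed for this one
# password_verify() call, and keeping it would expose it to any code (or
# session-store compromise) that can read the session. Pages that still read
# $_SESSION['pwd'] must be changed to rely on $_SESSION['is_logged_in'].
function verify_pass(mysqli $db): void
{
    $user = post_string('user');
    $pwd = post_string('pwd');
    if ($user === null || $pwd === null) {
        echo 'Password incorrect';
        return;
    }

    # Get password hash associated with the user
    # Stored as CHAR(61) in the database and is generated when somebody with
    # administrator privileges creates user
    $stmt = mysqli_prepare($db, 'SELECT Password FROM Users WHERE UserName = ?');
    if ($stmt === false) {
        throw new RuntimeException('Failed to prepare password lookup');
    }
    mysqli_stmt_bind_param($stmt, 's', $user);
    mysqli_stmt_execute($stmt);
    $hash = null;
    mysqli_stmt_bind_result($stmt, $hash);
    $hasRow = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    # Verify the hash using password_verify (constant-time, hash-format aware)
    if ($hasRow && is_string($hash) && password_verify($pwd, $hash)) {
        # Issue a fresh session id on privilege change so a session id fixed
        # before login cannot be reused as an authenticated one
        session_regenerate_id(true);

        # Remember who logged in; only the username is needed later
        $_SESSION['user'] = $user;

        # User is now logged in
        # Keep this in session variable so we can skip login page if already logged in
        $_SESSION['is_logged_in'] = 1;
    } else {
        echo 'Password incorrect';
    }
}

connect();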