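<?php
require_once 'includes.php';

// Tracks whether the login request failed (missing field, unknown user or wrong password).
// Every failure path renders the same 'LoginFailed' view, so the response does not reveal
// which part of the credentials was wrong.
$login_error = false;

# Turn on debug mode, and show all errors.
if (DEBUG_MODE) {
    error_reporting(E_ALL);
    ini_set("display_errors", 1);
}

$tpl = new Template('templates/' . TEMPALTE); // Creates the tpl object so we can reuse it (TEMPALTE is the constant name used by includes.php)
$intFunctions = new internalFunctions; // Shared page helpers (header / footer output)
$intFunctions->callHeader(); // Call for the header

// A POST request is a login attempt; anything else just shows the login form.
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Credentials are kept exactly as submitted. They only ever reach a bound query parameter
    // and password_verify(), so no SQL escaping is applied: escaping the password would alter
    // the string and make password_verify() fail for passwords containing quotes or backslashes.
    $username = isset($_POST['username']) ? (string) $_POST['username'] : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';

    // Both fields must contain something other than whitespace.
    if (trim($username) === '' || trim($password) === '') {
        $login_error = true;
    }

    if ($login_error) {
        print $tpl->render('login', array(
            'url_path' => SITE_URL,
            'LoginFailed' => true
        ));
    } else {
        // Parameterised lookup: the username is bound, never interpolated into the SQL text.
        $sql = "SELECT `id`, `username`, `password`, `displayname` FROM users WHERE username = ?";
        $row = null;
        $row_count = 0;

        $stmt = mysqli_prepare($dbcon, $sql);
        if ($stmt !== false) {
            mysqli_stmt_bind_param($stmt, 's', $username);
            if (mysqli_stmt_execute($stmt)) {
                // Buffer the result set so the row count is available before fetching.
                mysqli_stmt_store_result($stmt);
                $row_count = mysqli_stmt_num_rows($stmt);
                mysqli_stmt_bind_result($stmt, $id, $dbUsername, $passwordHash, $displayname);
                if (mysqli_stmt_fetch($stmt)) {
                    $row = array(
                        'id' => $id,
                        'username' => $dbUsername,
                        'password' => $passwordHash,
                        'displayname' => $displayname,
                    );
                }
            }
            mysqli_stmt_close($stmt);
        }
        // A failed prepare/execute leaves $row null and $row_count 0, which falls through to the
        // generic failure view instead of passing a boolean into mysqli_fetch_assoc().

        // Exactly one matching account AND a matching password hash are required.
        // The `password` column is expected to hold a password_hash() value.
        if ($row_count === 1 && $row !== null && password_verify($password, $row['password'])) {
            // Issue a fresh session id on this privilege change so an id fixed before login is not carried over.
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['displayname'] = $row['displayname'];
            $_SESSION['userid'] = $row['id'];
            $_SESSION['username'] = $row['username']; // the name as stored, not the submitted spelling
            $_SESSION["loggedin"] = true;

            // Redirect to the admin portal and stop: without exit the footer would still be rendered
            // and sent along with the redirect response.
            // NOTE(review): callHeader() has already run above; if it writes output and no output buffering
            // is active, header() cannot take effect here — confirm against includes.php.
            header("location: admin.php");
            exit;
        } else {
            print $tpl->render('login', array(
                'url_path' => SITE_URL,
                'LoginFailed' => true
            ));
        }
    }
} else {
    print $tpl->render('login', array(
        'url_path' => SITE_URL,
        'Login' => true
    ));
}

$intFunctions->callFooter();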