authorCflip <36554078+cflip@users.noreply.github.com>2021-01-23 11:24:05 -0700
committerCflip <36554078+cflip@users.noreply.github.com>2021-01-23 11:24:05 -0700
commit19a3704acbf9801c0b1491a84828496ef46bc840 (patch)
treeaff00dc7753eb9dff38d4e556f633fd17e0dff79 /signin.php
parent6a2867481359b185b32955be4de5c3bee4cdc269 (diff)
Form cleanup and better password hashing
Diffstat (limited to 'signin.php')
-rw-r--r--signin.php68
1 files changed, 42 insertions, 26 deletions
diff --git a/signin.php b/signin.php
index 287eeda..4355afe 100644
--- a/signin.php
+++ b/signin.php
@@ -1,29 +1,39 @@
-<?php
-
-include_once 'includes/db_inc.php';
-include_once 'header.php';
+<?php include_once 'header.php';?>
-echo '<section><h2>Sign in</h2>';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo '
- <form action="" method="post">
+<section>
+ <h2>Sign in</h2>
+ <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
<label for="user_name">Username: </label><br>
<input type="text" name="user_name"><br>
<label for="user_pass">Password: </label><br>
<input type="password" name="user_pass"><br>
<input type="submit" name="submit">
</form>
- ';
-} else {
- $errors = array();
- if (!isset($_POST['user_name'])) {
+<?php
+
+include_once 'includes/db_inc.php';
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ $errors = array();
+
+ if (empty($_POST['user_name'])) {
$errors[] = 'Please provide a username.';
+ } else {
+ $user_name = validate($_POST['user_name']);
}
- if (!isset($_POST['user_pass'])) {
+ if (empty($_POST['user_pass'])) {
$errors[] = 'Please provide a password.';
+ } else {
+ $user_pass = $_POST['user_pass'];
}
if (!empty($errors)) {
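Review bot: `validate()` (new lines L48–L53) applies HTML output encoding and the legacy `stripslashes` to the submitted username before it is used for the database lookup, so a name containing `&`, `<` or `"` is rewritten (e.g. `&` → `&amp;`) and will no longer match the stored row. Encoding belongs at the point of output; at input the function should do no more than `return trim($data);`, with `htmlspecialchars` applied where the name is echoed into HTML. Note that this encoding is also not a substitute for SQL escaping — `$user_name` is concatenated into the query in the second hunk, and the commit drops the `mysqli_real_escape_string` the old code used. The enclosing `if (REQUEST_METHOD == 'POST')` block continues past this hunk.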
@@ -33,28 +43,34 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
}
echo '</ul>';
} else {
- $sql = "SELECT user_id, user_name FROM users WHERE user_name = '" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "' AND user_pass = '" . sha1($_POST['user_pass']) ."'";
+ $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+ $sql = "SELECT user_id, user_name, user_pass FROM users WHERE user_name = '" . $user_name . "';";
$result = mysqli_query($dbc, $sql);
if (!$result) {
- echo 'An error occurred while signing in.';
- echo mysqli_error($dbc);
+ echo 'An error occurred while signing in: ' . mysqli_error($dbc);
} else {
if (mysqli_num_rows($result) == 0) {
- echo 'There is no user with that username/password combination! Please try again';
+ echo 'There is no user with that name. Did you mean to <a href="register.php">create a new account?</a>';
} else {
- $_SESSION['signed_in'] = true;
-
while ($row = mysqli_fetch_assoc($result)) {
- $_SESSION['user_id'] = $row['user_id'];
- $_SESSION['user_name'] = $row['user_name'];
- }
+ if (!password_verify($user_pass, $row['user_pass'])) {
+ echo 'Password does not match!';
+ } else {
+ $_SESSION['signed_in'] = true;
+ $_SESSION['user_id'] = $row['user_id'];
+ $_SESSION['user_name'] = $row['user_name'];
- echo 'You are now signed in as ' . $_SESSION['user_name'];
+ header("Location: index.php");
+ }
+ }
}
}
}
}
+?>
+
+</section>
-echo '</section>';
-include_once 'footer.php'; \ No newline at end of file
+<?php include_once 'footer.php';?> \ No newline at end of file
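Review bot: The query on L77 concatenates `$user_name` straight into the SQL string, and since the old `mysqli_real_escape_string` call was removed in this commit there is no longer any escaping at all (the `htmlspecialchars` in `validate()` does not reliably neutralise `'` on PHP versions where `ENT_QUOTES` is not the default); the lookup should be a prepared statement with a bound parameter, as below. `$pass_hash` on L75 is computed and never used — `password_hash` is deliberately slow, so drop the line. L101 issues `header("Location: index.php")` after `header.php`, the `<section>` and the form have already been sent, so it will presumably fail with "headers already sent" (hedged: depends on output buffering in header.php); the redirect needs to run before any output and be followed by `exit;`. L82 echoes `mysqli_error($dbc)` to the visitor, which discloses schema details on failure — log it server-side and show a generic message, and consider using the same message for the "no such user" (L86) and "password does not match" (L95) branches to avoid username enumeration.
```php
$stmt = mysqli_prepare($dbc, 'SELECT user_id, user_name, user_pass FROM users WHERE user_name = ?');
if (!$stmt || !mysqli_stmt_bind_param($stmt, 's', $user_name) || !mysqli_stmt_execute($stmt)) {
    error_log('signin query failed: ' . mysqli_error($dbc));
    echo 'An error occurred while signing in.';
} else {
    $result = mysqli_stmt_get_result($stmt);
    // … unchanged: mysqli_num_rows check, password_verify loop, $_SESSION assignment …
}
```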