author | Cflip <36554078+cflip@users.noreply.github.com> | 2021-01-23 11:24:05 -0700 |
---|---|---|
committer | Cflip <36554078+cflip@users.noreply.github.com> | 2021-01-23 11:24:05 -0700 |
commit | 19a3704acbf9801c0b1491a84828496ef46bc840 (patch) | |
tree | aff00dc7753eb9dff38d4e556f633fd17e0dff79 /signin.php | |
parent | 6a2867481359b185b32955be4de5c3bee4cdc269 (diff) |
Form cleanup and better password hashing
Diffstat (limited to 'signin.php')
-rw-r--r-- | signin.php | 68 |
1 files changed, 42 insertions, 26 deletions
@@ -1,29 +1,39 @@
-<?php
-
-include_once 'includes/db_inc.php';
-include_once 'header.php';
+<?php include_once 'header.php';?>
-echo '<section><h2>Sign in</h2>';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo '
- <form action="" method="post">
+<section>
+ <h2>Sign in</h2>
+ <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
 <label for="user_name">Username: </label><br>
 <input type="text" name="user_name"><br>
 <label for="user_pass">Password: </label><br>
 <input type="password" name="user_pass"><br>
 <input type="submit" name="submit">
 </form>
- ';
-} else {
- $errors = array();
- if (!isset($_POST['user_name'])) {
+<?php
+
+include_once 'includes/db_inc.php';
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
+ $errors = array();
+
+ if (empty($_POST['user_name'])) {
 $errors[] = 'Please provide a username.';
+ } else {
+ $user_name = validate($_POST['user_name']);
 }
- if (!isset($_POST['user_pass'])) {
+ if (empty($_POST['user_pass'])) {
 $errors[] = 'Please provide a password.';
+ } else {
+ $user_pass = $_POST['user_pass'];
 }
 if (!empty($errors)) {
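Review bot: `validate()` applies `htmlspecialchars` and `stripslashes` to the username before it becomes the lookup key of the query in the next hunk, which mixes output encoding with input handling: a stored name containing `&`, `<`, `>` or quotes is compared against its entity-encoded form and, depending on how register.php stored it, may never match, and `stripslashes` is a magic_quotes-era leftover that silently alters legitimate backslashes. Keep the trimmed raw value for the database lookup and HTML-escape only at output time, e.g. `$user_name = trim($_POST['user_name']);` here and `htmlspecialchars($_SESSION['user_name'])` wherever it is echoed; none of this is SQL escaping, which the query itself must provide. Minor: `empty($_POST['user_pass'])` rejects the password `"0"` that the old `!isset` check accepted; `!isset($_POST['user_pass']) || $_POST['user_pass'] === ''` preserves that. The `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block continues into the next hunk.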
@@ -33,28 +43,34 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
 }
 echo '</ul>';
 } else {
- $sql = "SELECT user_id, user_name FROM users WHERE user_name = '" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "' AND user_pass = '" . sha1($_POST['user_pass']) ."'";
+ $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+ $sql = "SELECT user_id, user_name, user_pass FROM users WHERE user_name = '" . $user_name . "';";
 $result = mysqli_query($dbc, $sql);
 if (!$result) {
- echo 'An error occurred while signing in.';
- echo mysqli_error($dbc);
+ echo 'An error occurred while signing in: ' . mysqli_error($dbc);
 } else {
 if (mysqli_num_rows($result) == 0) {
- echo 'There is no user with that username/password combination! Please try again';
+ echo 'There is no user with that name. Did you mean to <a href="register.php">create a new account?</a>';
 } else {
- $_SESSION['signed_in'] = true;
- while ($row = mysqli_fetch_assoc($result)) {
- $_SESSION['user_id'] = $row['user_id'];
- $_SESSION['user_name'] = $row['user_name'];
- }
+ if (!password_verify($user_pass, $row['user_pass'])) {
+ echo 'Password does not match!';
+ } else {
+ $_SESSION['signed_in'] = true;
+ $_SESSION['user_id'] = $row['user_id'];
+ $_SESSION['user_name'] = $row['user_name'];
- echo 'You are now signed in as ' . $_SESSION['user_name'];
+ header("Location: index.php");
+ }
+ }
 }
 }
 }
 }
+?>
+
+</section>
-echo '</section>';
-include_once 'footer.php';
\ No newline at end of file
+<?php include_once 'footer.php';?>
\ No newline at end of file |
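Review bot: `$row` is never assigned on the new side — `password_verify($user_pass, $row['user_pass'])` reads it, but the `while ($row = mysqli_fetch_assoc($result))` loop was removed and nothing fetches the row, so every sign-in attempt ends in "Password does not match!" (with an undefined-variable notice). The query also lost its `mysqli_real_escape_string` call: `$user_name` is concatenated into `$sql` after only `htmlspecialchars`, which is HTML output encoding rather than SQL escaping (its pre-8.1 default flags do not even encode single quotes), so the lookup should be a prepared statement with a bound parameter. `$pass_hash` is computed but never used — the hash to compare against is the stored `user_pass`, and `password_hash` belongs in register.php. After `header("Location: index.php")` add `exit;` so the rest of the page is not rendered after the redirect. The rewrite below fetches the row once, binds the parameter, and keeps the three user-facing messages unchanged.
```php
    } else {
        // Bind the username instead of concatenating it; the stored hash is checked with password_verify() below.
        $stmt = mysqli_prepare($dbc, 'SELECT user_id, user_name, user_pass FROM users WHERE user_name = ?');
        if (!$stmt || !mysqli_stmt_bind_param($stmt, 's', $user_name) || !mysqli_stmt_execute($stmt)) {
            echo 'An error occurred while signing in: ' . mysqli_error($dbc);
        } else {
            mysqli_stmt_bind_result($stmt, $user_id, $db_user_name, $db_user_pass);
            if (!mysqli_stmt_fetch($stmt)) {
                echo 'There is no user with that name. Did you mean to <a href="register.php">create a new account?</a>';
            } elseif (!password_verify($user_pass, $db_user_pass)) {
                echo 'Password does not match!';
            } else {
                $_SESSION['signed_in'] = true;
                $_SESSION['user_id'] = $user_id;
                $_SESSION['user_name'] = $db_user_name;
                header("Location: index.php");
                exit;
            }
        }
    }
    // … unchanged: closing braces of the POST branch, </section>, footer include …
```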