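/**
 * Authenticates a user by username and password. On success the user is
 * marked as logged in and redirected to the wallet dashboard.
 *
 * Every failure path (unknown username, wrong password, query error) shows
 * the same generic message (Message code 12) so the response does not reveal
 * whether the username exists or why the attempt failed.
 *
 * @param string $username Username as entered at the login form.
 * @param string $password Plain-text password as entered at the login form.
 */
public static function login($username, $password): void
{
    /* The database handle is a global; the methods used on it are mysqli's. */
    global $dbConn;

    /* A prepared statement binds the username as data, so its content can
     * never be interpreted as SQL. Only the two columns the check needs are
     * selected. */
    $stmt = $dbConn->prepare("SELECT `salt`, `password` FROM `accounts` WHERE `username`=? LIMIT 1;");
    if ($stmt === false) {
        /* Same generic failure as for bad credentials: a query error must
         * not leak details to the visitor. */
        new Message(12);
        return;
    }

    $salt = "";
    $storedHash = "";
    $stmt->bind_param("s", $username);
    if (!$stmt->execute()) {
        $stmt->close();
        new Message(12);
        return;
    }
    /* bind_result()/fetch() works without mysqlnd, unlike get_result(). */
    $stmt->bind_result($salt, $storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if (!$found) {
        /* Unknown username: deliberately the same message as a wrong
         * password, so the form cannot be used to enumerate accounts. */
        new Message(12);
        return;
    }

    $salt = (string) $salt;
    $storedHash = (string) $storedHash;

    /* NOTE(review): the original code ran the password through
     * real_escape_string() before hashing, and the comment there says the
     * stored hash was produced by the same process at registration. The
     * escaping is kept so existing accounts still verify; drop it only
     * together with a matching change on the registration side. */
    $password = $dbConn->real_escape_string($password);

    /* Rebuild the hash exactly as registration did: sha256 over
     * salt + password + salt.
     * NOTE(review): password_hash()/password_verify() would be the preferred
     * scheme; migrating requires re-hashing at registration and on the next
     * successful login of each account. */
    $hashedPassword = hash("sha256", $salt . $password . $salt);

    /* hash_equals() is a strict, constant-time comparison. The original
     * `!=` is a loose comparison: two numeric-looking hex strings (e.g. ones
     * of the form "0e<digits>") compare numerically and can be reported
     * equal although they differ. */
    if (!hash_equals($storedHash, $hashedPassword)) {
        new Message(12);
        return;
    }

    /* Record the authenticated user so the rest of the system knows who is
     * online ... */
    User::logInUser($username);

    /* ... and send them to the wallet dashboard. */
    Redirect::phpRedirect("wallet");
}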
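<?php
declare(strict_types=1);

require_once './src/connection.php';

/* A POST is a submitted login form; any other method just renders the form. */
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    /* Missing fields become empty strings instead of undefined-index notices;
     * an empty value fails authentication the same way a missing one did. */
    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    /* User::logInUser (defined elsewhere) returns the user on success and
     * false on failure, as the original comparison shows. */
    $user = User::logInUser($email, $password);
    if ($user !== false) {
        /* Issue a fresh session id at the moment privilege changes, so an id
         * that existed before authentication cannot be reused afterwards
         * (session fixation). Assumes the session was already started by
         * connection.php, as the $_SESSION writes below require — confirm. */
        session_regenerate_id(true);
        $_SESSION['userId'] = $user->getId();
        header('Location: showUser.php');
        /* Stop here: without exit the login form below is still sent along
         * with the redirect and any later code runs for a request that has
         * already been answered. */
        exit;
    }

    /* One generic message for every failure; it does not distinguish an
     * unknown email from a wrong password. */
    echo 'Błędne dane logowania';
}
?>
<form action="login.php" method="POST">
    <label>
        Email: <input type="email" name="email">
    </label>
    <br>
    <label>
        Password: <input type="password" name="password">
    </label>
    <input type="submit">
</form>
<br>
<a href="register.php">Zarejestruj sie</a><br>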
if (isset($_POST["login"])) { if (empty($_POST["email"])) { $email_error = "Ei saa olla tühi"; } else { //muutuja puhastamine $email = cleanInput($_POST["email"]); } if (empty($_POST["password"])) { $password_error = "Ei saa olla tühi"; } else { $password = cleanInput($_POST["password"]); } //Login sisse if ($password_error == "" && $email_error == "") { $hash = hash("sha512", $password); $login_response = $User->logInUser($email, $hash); if (isset($login_response->success)) { $_SESSION["user_id"] = $login_response->success->user->id; $_SESSION["user_email"] = $login_response->success->user->email; $_SESSION["login_message"] = $login_response->success->message; } } } if (isset($_POST["create"])) { if (empty($_POST["firstname"])) { $firstname_error = "Kohustuslik väli"; } else { $firstname = cleanInput($_POST["firstname"]); } if (empty($_POST["lastname"])) { $lastname_error = "Kohustuslik väli";