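 /**
  * Authenticate a user by username/password and, on success, establish the
  * logged-in session and redirect to the wallet dashboard.
  *
  * @param string $username Raw username from the login form.
  * @param string $password Raw password from the login form.
  * @return void  On any failure a Message(12) ("invalid credentials") is raised
  *               and the function returns. The same message is used whether the
  *               account does not exist or the password is wrong, so nothing
  *               about the nature of the failure is disclosed.
  */
 public static function login($username, $password)
 {
     /* The shared mysqli connection lives in a global set up by the connection bootstrap. */
     global $dbConn;
     /*
      * Look up the salt and stored hash with a prepared statement. The username is
      * bound as a parameter, so it never becomes part of the SQL text and cannot
      * inject regardless of its contents. Only the two columns we need are selected.
      */
     $stmt = $dbConn->prepare("SELECT `salt`, `password` FROM `accounts` WHERE `username`=? LIMIT 1");
     if ($stmt === false) {
         /* The statement could not be prepared: fail closed with the generic error. */
         new Message(12);
         return;
     }
     $stmt->bind_param("s", $username);
     $salt = "";
     $storedHash = "";
     $found = false;
     if ($stmt->execute()) {
         /* bind_result()/fetch() keeps this working without the mysqlnd get_result() API. */
         $stmt->bind_result($salt, $storedHash);
         $found = ($stmt->fetch() === true);
     }
     $stmt->close();
     if (!$found) {
         /* Unknown username (or a failed query): same generic message as a wrong password. */
         new Message(12);
         return;
     }
     /*
      * Rebuild the hash exactly as registration did. Registration is not visible
      * here, but this function previously hashed the mysqli-escaped password, so
      * that transformation is kept to stay compatible with already-stored hashes.
      * NOTE(review): the password never reaches SQL, so once registration stops
      * escaping it, hash the raw $password here too — and prefer
      * password_hash()/password_verify() over salted SHA-256 for new accounts.
      */
     $hashInput = $dbConn->real_escape_string($password);
     $hashedPassword = hash("sha256", $salt . $hashInput . $salt);
     /*
      * Constant-time comparison. A plain `!=` is timing-dependent and, because
      * both operands are hex strings, subject to PHP's loose numeric-string
      * comparison (two digests of the form "0e<digits>" compare equal).
      */
     if (!hash_equals((string) $storedHash, $hashedPassword)) {
         new Message(12);
         return;
     }
     /* Establish the logged-in session. The username passed on is the raw value
      * that matched the `accounts` row, not an escaped copy of it. */
     User::logInUser($username);
     /* Send the user to the wallet dashboard. */
     Redirect::phpRedirect("wallet");
 }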
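<?php

require_once './src/connection.php';

/*
 * Login page: on POST, check the submitted credentials through User::logInUser
 * (project helper; returns false on failure) and bind the account to the
 * session, otherwise render the login form below.
 */
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    /* Missing fields become empty strings rather than undefined-index warnings. */
    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    $user = User::logInUser($email, $password);
    if ($user !== false) {
        /* Rotate the session id when the privilege level changes so a session id
         * planted before login (session fixation) does not survive it.
         * Assumes the session was already started by connection.php — confirm. */
        session_regenerate_id(true);
        $_SESSION['userId'] = $user->getId();
        header('Location: showUser.php');
        /* Stop here: without exit the rest of this page (including the login
         * form) would still be rendered and sent along with the redirect. */
        exit;
    }
    echo 'Błędne dane logowania';
}
?>

<form action="login.php" method="POST">
    <label>
        Email:
        <input type="email" name="email">
    </label>
    <br>
    <label>
        Password:
        <input type="password" name="password">
    </label>
    <input type="submit">
</form>
<br>
<a href="register.php">Zarejestruj sie</a><br>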
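 if (isset($_POST["login"])) {
     /* Reset the per-field errors so neither an undefined variable nor a stale
      * value can let the login attempt below proceed without validation. */
     $email_error = "";
     $password_error = "";
     if (empty($_POST["email"])) {
         $email_error = "Ei saa olla tühi";
     } else {
         // sanitise the raw field (project helper; exact transformation not visible here)
         $email = cleanInput($_POST["email"]);
     }
     if (empty($_POST["password"])) {
         $password_error = "Ei saa olla tühi";
     } else {
         $password = cleanInput($_POST["password"]);
     }
     // Attempt the login only when both fields passed validation.
     if ($password_error === "" && $email_error === "") {
         /* NOTE(review): an unsalted SHA-512 digest of the password is handed to
          * logInUser. It is kept because logInUser (not visible here) expects that
          * digest; the stored credentials should move to password_hash()/
          * password_verify() inside logInUser, at which point the raw $password
          * should be passed instead. */
         $hash = hash("sha512", $password);
         $login_response = $User->logInUser($email, $hash);
         if (isset($login_response->success)) {
             /* Rotate the session id on login so a session id fixed by an attacker
              * beforehand is not carried over (assumes the session was started
              * earlier in this file — confirm). */
             session_regenerate_id(true);
             $_SESSION["user_id"] = $login_response->success->user->id;
             $_SESSION["user_email"] = $login_response->success->user->email;
             $_SESSION["login_message"] = $login_response->success->message;
         }
     }
 }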
 if (isset($_POST["create"])) {
     if (empty($_POST["firstname"])) {
         $firstname_error = "Kohustuslik väli";
     } else {
         $firstname = cleanInput($_POST["firstname"]);
     }
     if (empty($_POST["lastname"])) {
         $lastname_error = "Kohustuslik väli";