<?php session_start(); include 'db_config.php'; include 'include/query.php'; include 'include/users.php'; // Interpret the Request $username = $AD_SQL->real_escape_string($_REQUEST['username']); $password = $AD_SQL->real_escape_string($_REQUEST['password']); $salt = AD_random_salt(); $hash = AD_hash_password($password, $salt); // Query the Database and Log In AD_call('create_user', $username, $hash, $salt); $_SESSION['username'] = $username;
<?php session_start(); include 'db_config.php'; include 'include/query.php'; include 'include/users.php'; // Failure for any reason results in the message "incorrect username or password" // We return same failure result regardless of the reason for failure // so that we don't help password crackers figure out if they got the // wrong password, the wrong username or the wrong argument names. // Interpret the Request $username = $AD_SQL->real_escape_string($_REQUEST['username']); $password = $AD_SQL->real_escape_string($_REQUEST['password']); // Query the Database and Generate Output if ($rows = AD_call_silent('read_user', $username)) { $hash = AD_hash_password($password, $rows[0]['password_salt']); if (strcmp($hash, $rows[0]['password_hash']) == 0) { // Save session variables that only the server can modify. $_SESSION['username'] = $rows[0]['name']; } else { echo "incorrect username or password P"; } } else { echo "incorrect username or password U"; } ?>