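function verifyLogin()
{
    // Force the login exchange onto HTTPS before any credential is read.
    redirectToHTTPS();
    // Already authenticated: hand back the stored user id.
    if (isset($_SESSION['username'])) {
        return $_SESSION['userID'];
    }
    // Error message the failed_login view may display (kept for the view).
    $message = '';
    // Credentials were submitted; verify them against the Users table.
    // NOTE(review): $_REQUEST also accepts credentials from the query string
    // and cookies; the login form should POST and this should read $_POST.
    if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) {
        $username = $_REQUEST['username'];
        $password = $_REQUEST['password'];
        try {
            // NOTE(review): hard-coded root credentials in source; move them to
            // a config file outside the web root and use a least-privilege
            // database account that can only read Users.
            $db = new PDO("mysql:host=localhost;dbname=Island_Cars;charset=utf8", "root", "200337226");
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            // Look the user up through a bound parameter so the submitted
            // name can never change the query.  The row carries the
            // crypt()-style hash, which is prefixed with its own salt.
            $statement = $db->prepare("SELECT * FROM Users where UserName = :username");
            $statement->execute(array(':username' => $username));
            $row = $statement->fetch();
            // Unknown user and wrong password must be indistinguishable to
            // the client, so neither branch prints anything (the previous
            // code echoed the stored hash and "No username found", which
            // leaked the hash and allowed username enumeration).
            $authenticated = false;
            if ($row !== false) {
                $hashword = (string) $row['Password'];
                // Re-hash the candidate with the stored salt and compare in
                // constant time (hash_equals, PHP >= 5.6).  The plain
                // "$hashword == $password" this replaces compared the hash
                // with the cleartext, and "==" on two numeric-looking
                // strings would also have matched unequal values.  An empty
                // stored hash never matches.
                if ($hashword !== '' && hash_equals($hashword, crypt($password, $hashword))) {
                    $authenticated = true;
                }
            }
            if (!$authenticated) {
                require 'Login/View/failed_login.php';
                exit;
            }
            $_SESSION['username'] = $row['UserName'];
            $_SESSION['userID'] = htmlspecialchars($row['userID']);
        } catch (PDOException $exception) {
            // Record the failure server-side; never surface driver details
            // to the client.
            error_log('verifyLogin: ' . $exception->getMessage());
            require "Login/View/failed_login.php";
            exit;
        }
        // Rotate the session id on this privilege change: an id captured
        // before the switch to HTTPS is useless afterwards (fixation defence).
        changeSessionID();
        // Return the id on a fresh login too, matching the already-logged-in
        // path above (the old code returned nothing here).
        return $_SESSION['userID'];
    }
    // No session and no credentials: show the main/login page.
    require 'Login/View/mainpage.php';
    exit;
}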
*/
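// Start the session once (guarded so this include is safe to load twice).
// Hardening that must be set before session_start() to take effect:
//  - use_strict_mode: reject session ids the server did not issue, which
//    blocks fixation through an attacker-supplied cookie (the login code
//    below rotates the id for the same reason, but only after login);
//  - cookie_httponly: keep the session cookie out of reach of page scripts.
// NOTE(review): cookie_secure is deliberately not forced here because this
// script also runs on localhost without TLS (see the redirectToHTTPS()
// guard below); set session.cookie_secure=1 in the production ini.
if (session_id() == '') {
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ob_start();
    session_start();
}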

/*
*
*	REQUIRED FILES
*
*/
require_once 'inc/functions.php';
require_once 'inc/globalVars.php';

// Outside local development refuse plain HTTP: redirectToHTTPS() (from
// inc/functions.php) sends the client to the TLS endpoint.
if ($domain != 'localhost') {
    redirectToHTTPS();
}

/*
*
*	DEFINE SQL
*
*/
// Open the legacy mysql_* connection with the credentials from
// inc/globalVars.php and select the application database.
// NOTE(review): the mysql extension was removed in PHP 7 (mysqli/PDO are the
// replacements); the die() messages are static text, so no driver error
// reaches the client.
$connection = mysql_connect($sqlHost, $sqlUsername, $sqlPassword);
if (!$connection) {
    die("Error connecting to database server");
}
if (!mysql_select_db($sqlDatabase, $connection)) {
    die("Error selecting database.");
}

/*
*
*	PAGE/METHOD VARIABLES
*
*/
#remove the directory path we don't want 
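function verifyLogin($role)
{
    // Force the login exchange onto HTTPS before any credential is read.
    redirectToHTTPS();
    // Roles live in the session as a list.  Normalise it to an array of
    // strings so the membership test can be strict: a loose in_array() would
    // let an integer 0 role match any role name on PHP < 8, and a missing or
    // non-array key would be a TypeError on PHP 8.
    $sessionRoles = array();
    if (isset($_SESSION['roles']) && is_array($_SESSION['roles'])) {
        $sessionRoles = array_map('strval', $_SESSION['roles']);
    }
    // Already authenticated: only the requested role still has to be checked.
    if (isset($_SESSION['username'])) {
        if ($role == '' || in_array((string) $role, $sessionRoles, true)) {
            return $_SESSION['uid'];
        }
        // Logged in, but not in the requested role.
        /*require 'views/badRole.php';*/
        exit;
    }
    // Error message the failed_login view may display (kept for the view).
    $message = '';
    // Credentials were submitted; verify them against the users table.
    // NOTE(review): $_REQUEST also accepts credentials from the query string
    // and cookies; the login form should POST and this should read $_POST.
    if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) {
        $username = $_REQUEST['username'];
        $password = $_REQUEST['password'];
        try {
            // NOTE(review): hard-coded root credentials in source; move them to
            // a config file outside the web root and use a least-privilege
            // database account that can only read users.
            $db = new PDO("mysql:host=localhost;dbname=Grad_Prog_V5;charset=utf8", "root", "200337226");
            $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            // Look the user up through a bound parameter so the submitted
            // name can never change the query.  The row carries the
            // crypt()-style hash, which is prefixed with its own salt.
            $statement = $db->prepare("SELECT uid, username, hashword, role FROM users where username = :username");
            $statement->execute(array(':username' => $username));
            $row = $statement->fetch();
            // Unknown user and wrong password lead to the same page with no
            // extra output, so the response cannot be used to enumerate users.
            $authenticated = false;
            if ($row !== false) {
                $hashword = (string) $row['hashword'];
                // Re-hash the candidate with the stored salt and compare in
                // constant time (hash_equals, PHP >= 5.6) instead of "==",
                // which leaks timing and treats numeric-looking strings as
                // numbers.  An empty stored hash never matches.
                if ($hashword !== '' && hash_equals($hashword, crypt($password, $hashword))) {
                    $authenticated = true;
                }
            }
            if (!$authenticated) {
                require 'View/failed_login.php';
                exit;
            }
            $_SESSION['username'] = $row['username'];
            $_SESSION['uid'] = htmlspecialchars($row['uid']);
            $_SESSION['role'] = $row['role'];
            // Both role checks in this function read $_SESSION['roles'] as a
            // list, but only the scalar 'role' was ever stored, so a freshly
            // logged-in user could never satisfy a role check.  Keep 'role'
            // for existing readers and add the list form.
            // NOTE(review): assumes one role per users row — confirm schema.
            $sessionRoles = array((string) $row['role']);
            $_SESSION['roles'] = $sessionRoles;
        } catch (PDOException $exception) {
            // Record the failure server-side; never surface driver details
            // to the client.
            error_log('verifyLogin: ' . $exception->getMessage());
            require "View/failed_login.php";
            exit;
        }
        // Rotate the session id on this privilege change: an id captured
        // before the switch to HTTPS is useless afterwards (fixation defence).
        changeSessionID();
        if ($role == '' || in_array((string) $role, $sessionRoles, true)) {
            // Right role: return the id, matching the already-logged-in path
            // above (the old code returned nothing here).
            return $_SESSION['uid'];
        }
        // Logged in, wrong role.
        require 'View/mainpage.php';
        exit;
    }
    // No session and no credentials: show the main/login page.
    require 'View/mainpage.php';
    exit;
}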