<?php

/**

* admin_validate.php validation page for access to administrative area

*

* Processes form data from admin_login.php to process administrator login requests.

* Forwards user to admin_dashboard.php, upon successful login.

*

* @package nmAdmin

* @author Bill Newman <williamnewman@gmail.com>

* @version 2.21 2015/12/07

* @link http://www.newmanix.com/

* @license http://www.apache.org/licenses/LICENSE-2.0

* @see admin_login.php

* @see admin_dashboard.php

* @todo none

*/

require 'includes/config.php'; #provides configuration, pathing, error handling, db credentials

if (isset($_POST['em']) && isset($_POST['pw']))

{//if POST is set, prepare to process form data

//next check for specific issues with data

if(!ctype_graph($_POST['pw']))

{//data must be alphanumeric or punctuation only

feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE,__LINE__) . ")","error");

header('Location:' . ADMIN_PATH . 'admin_login.php');

die;

}

if(!onlyEmail($_POST['em']))

{//login must be a legal email address only

feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE,__LINE__) . ")","error");

header('Location:' . ADMIN_PATH . 'admin_login.php');

die;

}

$iConn = @mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME) or die(myerror(__FILE__,__LINE__,mysqli_connect_error()));

$Email = dbIn($_POST['em'],$iConn);

$MyPass = dbIn($_POST['pw'],$iConn);

$sql = sprintf("select AdminID,FirstName,Privilege,NumLogins from " . PREFIX . "Admin WHERE Email='%s' AND AdminPW=SHA('%s')",$Email,$MyPass);

$result = mysqli_query($iConn,$sql) or die(myerror(__FILE__,__LINE__,mysqli_error($iConn)));

if(mysqli_num_rows($result) > 0) # had to be a match

{# valid user, create session vars, redirect!

$row = mysqli_fetch_array($result); #no while statement, should be single record

startSession(); #wrapper for session_start()

$AdminID = (int)$row["AdminID"]; # use (int) cast to for conversion to integer

$_SESSION["AdminID"] = $AdminID; # create session variables to identify admin

$_SESSION["FirstName"] = dbOut($row["FirstName"]); #use dbOut() to clean strings, replace escaped quotes

$_SESSION["Privilege"] = dbOut($row["Privilege"]);

$NumLogins = (int)$row["NumLogins"];

$NumLogins+=1; # increment number of logins, then prepare to update record!

# update Admin record, recording new number of logins, and new LastLogin date/time

$sql = sprintf("UPDATE " . PREFIX . "Admin set NumLogins=%d, LastLogin=NOW() WHERE AdminID=%d",$NumLogins,$AdminID);

@mysqli_query($iConn,$sql) or die(myerror(__FILE__,__LINE__,mysqli_error($iConn)));

if(isset($_SESSION['red']) && $_SESSION['red'] != "")

{#check to see if we'll be redirecting to a requesting page

$red = $_SESSION['red']; #redirect back to original page

$_SESSION['red'] == ''; #clear session var

@mysqli_free_result($result);

@mysqli_close($iConn);

feedback("Login Successful!", "notice");

header('Location:' . $red);

die;

}else{

# successful login! Redirect to admin page

feedback("Login Successful!", "notice");

@mysqli_free_result($result);

@mysqli_close($iConn);

header('Location:' . ADMIN_PATH . 'admin_dashboard.php');

die;

}

}else{# failed login, redirect

feedback("Login and/or Password are incorrect.","warning");

@mysqli_free_result($result);

@mysqli_close($iConn);

header('Location:' . ADMIN_PATH . 'admin_login.php');

die;

}

}else{//post data not sent

feedback("Required data not sent. (error code #" . createErrorCode(THIS_PAGE,__LINE__) . ")","error");

header('Location:' . ADMIN_PATH . 'admin_login.php');

die;

}

?>