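<?php
/**
 * admin_validate.php validation page for access to administrative area
 *
 * Processes form data from admin_login.php to process administrator login requests.
 * Forwards user to admin_dashboard.php, upon successful login.
 *
 * Security notes (review):
 *  - Both queries are prepared statements; the submitted email/password are bound,
 *    never interpolated into the SQL text, so dbIn() escaping is not applied here.
 *  - Stored passwords are still compared with MySQL SHA() (unsalted SHA-1). That is
 *    a schema-level weakness this page cannot fix on its own: migrate AdminPW to
 *    password_hash()/password_verify() and drop the SHA() comparison.
 *  - The session id is regenerated once the user is authenticated so that an id an
 *    attacker planted before login (session fixation) does not become an admin session.
 *  - $_SESSION['red'] is set somewhere outside this file and is treated as untrusted:
 *    it is only honoured as a redirect target when it stays on this host.
 *  - Nothing in this file throttles failed attempts; brute-force protection must come
 *    from elsewhere if it is required.
 *
 * @package nmAdmin
 * @author Bill Newman <williamnewman@gmail.com>
 * @version 2.21 2015/12/07
 * @link http://www.newmanix.com/
 * @license http://www.apache.org/licenses/LICENSE-2.0
 * @see admin_login.php
 * @see admin_dashboard.php
 * @todo migrate AdminPW from SHA() to password_hash()
 */
require 'includes/config.php'; #provides configuration, pathing, error handling, db credentials

if (!isset($_POST['em']) || !isset($_POST['pw']))
{//post data not sent
    feedback("Required data not sent. (error code #" . createErrorCode(THIS_PAGE,__LINE__) . ")","error");
    header('Location:' . ADMIN_PATH . 'admin_login.php');
    die;
}

# PHP turns "pw[]=x" into an array; reject anything that is not a plain string before
# it reaches ctype_graph()/onlyEmail(), which are not defined for arrays.
if (!is_string($_POST['em']) || !is_string($_POST['pw']) || !ctype_graph($_POST['pw']))
{//password must be printable, non-space characters only
    feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE,__LINE__) . ")","error");
    header('Location:' . ADMIN_PATH . 'admin_login.php');
    die;
}
if (!onlyEmail($_POST['em']))
{//login must be a legal email address only
    feedback("Illegal characters were entered. (error code #" . createErrorCode(THIS_PAGE,__LINE__) . ")","error");
    header('Location:' . ADMIN_PATH . 'admin_login.php');
    die;
}

$Email  = $_POST['em'];
$MyPass = $_POST['pw'];

$iConn = @mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME) or die(myerror(__FILE__,__LINE__,mysqli_connect_error()));

# Bound parameters replace the previous sprintf/dbIn() string building.
# NOTE(review): if dbIn() also normalises input (trim, strip_tags) rather than only
# escaping it, confirm that stored credentials created via other pages still match.
$sql = "SELECT AdminID,FirstName,Privilege,NumLogins FROM " . PREFIX . "Admin WHERE Email=? AND AdminPW=SHA(?)";
$stmt = mysqli_prepare($iConn, $sql) or die(myerror(__FILE__,__LINE__,mysqli_error($iConn)));
mysqli_stmt_bind_param($stmt, 'ss', $Email, $MyPass);
mysqli_stmt_execute($stmt) or die(myerror(__FILE__,__LINE__,mysqli_stmt_error($stmt)));
mysqli_stmt_bind_result($stmt, $AdminID, $FirstName, $Privilege, $NumLogins);
# fetch() returns true for a row, null when there is none, false on error; only true is a login
$matched = (mysqli_stmt_fetch($stmt) === true); # should be at most a single record
mysqli_stmt_close($stmt);

if (!$matched)
{# failed login, redirect (same message for unknown email and wrong password)
    feedback("Login and/or Password are incorrect.","warning");
    @mysqli_close($iConn);
    header('Location:' . ADMIN_PATH . 'admin_login.php');
    die;
}

# valid user, create session vars, redirect!
startSession(); #wrapper for session_start()
# Privilege level changes here (anonymous -> admin): issue a fresh id so a pre-set
# cookie value cannot be used to ride this session (session fixation).
session_regenerate_id(true);
$AdminID = (int)$AdminID; # use (int) cast to force conversion to integer
$_SESSION["AdminID"] = $AdminID; # create session variables to identify admin
$_SESSION["FirstName"] = dbOut($FirstName); #use dbOut() to clean strings, replace escaped quotes
$_SESSION["Privilege"] = dbOut($Privilege);
$NumLogins = (int)$NumLogins + 1; # increment number of logins, then prepare to update record!

# update Admin record, recording new number of logins, and new LastLogin date/time
$sql = "UPDATE " . PREFIX . "Admin SET NumLogins=?, LastLogin=NOW() WHERE AdminID=?";
$upd = mysqli_prepare($iConn, $sql) or die(myerror(__FILE__,__LINE__,mysqli_error($iConn)));
mysqli_stmt_bind_param($upd, 'ii', $NumLogins, $AdminID);
mysqli_stmt_execute($upd) or die(myerror(__FILE__,__LINE__,mysqli_stmt_error($upd)));
mysqli_stmt_close($upd);
@mysqli_close($iConn);

# Default destination; may be replaced by a requesting page stored in the session.
$target = ADMIN_PATH . 'admin_dashboard.php';
if (isset($_SESSION['red']) && $_SESSION['red'] != "")
{#check to see if we'll be redirecting to a requesting page
    $red = $_SESSION['red'];
    unset($_SESSION['red']); # the original wrote `== ''` here, so the value was never cleared
    # Only follow the stored path if it stays on this host: no scheme, no foreign host,
    # no protocol-relative "//host" form and no backslashes (browsers treat "\" as "/").
    $scheme = parse_url($red, PHP_URL_SCHEME);
    $host   = parse_url($red, PHP_URL_HOST);
    $isRelative = ($scheme === null && $host === null
        && substr($red, 0, 2) !== '//' && strpos($red, '\\') === false);
    $isSameHost = (is_string($host) && isset($_SERVER['HTTP_HOST'])
        && strcasecmp($host, $_SERVER['HTTP_HOST']) === 0);
    if ($isRelative || $isSameHost)
    {
        $target = $red; #redirect back to original page
    }
}

# successful login! Redirect to admin page (or the validated requesting page)
feedback("Login Successful!", "notice");
header('Location:' . $target);
die;
?>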