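/**
 * Authenticates a user and, on success, opens an application session and redirects to the dashboard.
 *
 * @param string $username           Submitted username, looked up as-is (no normalisation is done here)
 * @param string $submitted_password Plain-text password from the login form
 * @param bool   $allow_login        false when the caller has already brute-banned $ip; no lookup happens then
 * @param string $ip                 Client address, recorded via User::bruteInsert() on every failed attempt
 * @param PDO    $db                 Open database handle
 *
 * Side effects: writes $_SESSION (and rotates the PHP session id on success when a session is active),
 * inserts into `sessions`, updates `user_accounts.last_login`, and sends a Location header. The redirect
 * does not exit; the caller must avoid emitting further output after a successful login.
 */
public static function doLogin($username, $submitted_password, $allow_login, $ip, $db)
{
    if (!$allow_login) {
        // Brute-banned IP: no credential check at all, so nothing is recorded either.
        setAlert('danger', 'IP Address Banned', 'The IP Address you are connecting from has been temporarily banned due to repeated failed login attempts. Please try again later.');
        return;
    }

    // Look the username up; the password is checked in PHP, never in the query.
    $stmt = $db->prepare('SELECT * FROM user_accounts WHERE username=? LIMIT 1');
    $stmt->execute([$username]);
    $loginInfo = $stmt->fetch(PDO::FETCH_ASSOC);

    // "Unknown user" and "wrong password" end up here with the same message and the same
    // brute-table entry, so the response does not distinguish the two cases.
    $rejectCredentials = static function () use ($ip, $username, $db) {
        User::bruteInsert($ip, $username, $db);
        $_SESSION['alert-subtext'] = "The username or password that you have entered is invalid.";
    };

    if (!isset($loginInfo['uid'])) {
        // Unknown username: still run one hash verification so this path costs roughly as much
        // time as a wrong password does, instead of returning noticeably faster.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('', PASSWORD_DEFAULT);
        }
        password_verify($submitted_password, $dummyHash);
        $rejectCredentials();
        return;
    }

    // Strict comparison on the stored flag; the column may come back as a string from PDO.
    if ((int) $loginInfo['lockdown'] === 1) {
        // A locked account is reported as such and is deliberately not counted as a brute attempt.
        setAlert('danger', 'Account Locked', 'This account has been locked by an Administrator, and cannot be used to log in.');
        return;
    }

    if (!password_verify($submitted_password, $loginInfo['password'])) {
        $rejectCredentials();
        return;
    }

    // Password is valid. Rotate the PHP session id first so an id fixed before login
    // is not carried into the authenticated session; $_SESSION contents survive the rotation.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }

    $random_string = generateRandom(32);
    $_SESSION['sid'] = $random_string;

    // NOTE(review): `expire` is written as the current time, not a future expiry — confirm against whatever reads it.
    $stmt = $db->prepare('INSERT INTO sessions (sid,uid,expire) VALUES (?,?,?)');
    $stmt->execute([$random_string, $loginInfo['uid'], time()]);

    // Record the most recent successful login.
    $stmt = $db->prepare('UPDATE user_accounts SET last_login = ? WHERE uid = ?');
    $stmt->execute([time(), $loginInfo['uid']]);

    header('Location: ' . SITE_ADDRESS . '/dashboard');
}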