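 /**
  * Logs the user in.
  *
  * Looks up the member row for $this->player_tag, verifies $this->password
  * against the stored hash with authUtil::verifyPass(), and on success
  * stores id, player_tag and the admin flag in $_SESSION.
  *
  * @return string|null NULL on success, or an error message on failure. The
  *                     same message is returned for "no such user" and "wrong
  *                     password" so the response does not reveal which
  *                     accounts exist.
  */
 public function login()
 {
     // Only start a session if the caller has not already opened one
     // (session_start() on an active session raises a notice).
     if (session_status() !== PHP_SESSION_ACTIVE) {
         session_start();
     }
     $sql = SqlConnect::getInstance();
     // SECURITY (review): player_tag is user-supplied form input concatenated
     // straight into SQL, so this query is injectable. It must be bound as a
     // parameter (prepared statement). SqlConnect::runQuery() is a project
     // wrapper whose API is not visible here, so the call shape is kept as-is;
     // confirm how the wrapper supports binding and switch this query to it.
     $result = $sql->runQuery("SELECT admin, member_id, pass_hash, salt FROM Member where player_tag = '" . $this->player_tag . "';");
     if ($result->num_rows === 0) {
         // Generic failure message: do not confirm whether the username exists.
         // NOTE(review): this path skips the hash computation, so response time
         // still differs from the wrong-password path; running verifyPass()
         // against a fixed dummy hash here would close that timing channel.
         return "Username and password did not match.";
     }
     $row = $result->fetch_assoc();
     $hash = $row["pass_hash"];
     $salt = $row["salt"];
     $admin = $row["admin"];
     // The debug `echo $admin;` that used to sit here is gone: it leaked the
     // admin flag before the password was verified and emitted output before
     // any headers could be sent.

     // Verify that the submitted password matches the stored hash.
     $success = authUtil::verifyPass(HASHALGO, $hash, $salt, $this->player_tag, $this->password);
     if (!$success) {
         return "Username and password did not match.";
     }

     // Expose the member id on the object only once the password checked out.
     $this->id = $row["member_id"];
     // Rotate the session id on authentication so a session id planted before
     // login (session fixation) is not promoted to an authenticated session.
     session_regenerate_id(true);
     $_SESSION["id"] = $this->id;
     $_SESSION["player_tag"] = $this->player_tag;
     $_SESSION["admin"] = $admin;
     return NULL;
 }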
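 /**
  * Checks a submitted password against a stored hash.
  *
  * Recomputes the hash for ($salt, $username, $password) with makePassHash()
  * and compares it with $hash in constant time, so the comparison's timing
  * does not depend on how many leading bytes of the two strings match.
  *
  * @param mixed  $algo     hash algorithm identifier, passed through to makePassHash()
  * @param string $hash     hash stored for the account
  * @param string $salt     salt stored for the account
  * @param string $username account name, mixed into the hash by makePassHash()
  * @param string $password password submitted by the user
  * @return bool true if the recomputed hash equals the stored hash
  */
 public static function verifyPass($algo, $hash, $salt, $username, $password): bool
 {
     $attempt = authUtil::makePassHash($algo, $salt, $username, $password);
     // hash_equals() is PHP's constant-time string comparison; it replaces the
     // hand-rolled XOR/OR loop, which an interpreter does not guarantee to run
     // in data-independent time. Same result: true only when lengths and every
     // byte agree. It is strict about types, so both sides are cast to string
     // (a NULL pass_hash from the database compares as "" and fails).
     // NOTE(review): the salt+username hashing scheme is bespoke; the standard
     // path is password_hash()/password_verify() with password_needs_rehash().
     return hash_equals((string) $hash, (string) $attempt);
 }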