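/**
 * Sign-in controller: renders the login form or processes a submitted one.
 *
 * Every branch terminates the request with exit:
 *  - already authenticated          -> redirect to Path::admin()
 *  - locked out (!canLogin())        -> "in jail" error page
 *  - POST with token and credentials -> on success regenerate the session and
 *                                       redirect to an allow-listed target;
 *                                       on failure record the attempt and show
 *                                       an error page
 *  - anything else                   -> render the sign-in form with a token
 *
 * Uses the globals $tpl (template engine) and $_CONFIG (settings), and the
 * project functions isLogged(), canLogin(), acceptToken(), check_auth(),
 * loginSucceeded(), loginFailed(), errorPage(), targetIsAllowed(), getToken()
 * and the Path class, all declared elsewhere.
 */
function signin()
{
    global $tpl;
    global $_CONFIG;

    // Already authenticated: nothing to do on this page.
    if (isLogged()) {
        header('Location: ' . Path::admin());
        exit;
    }

    // Lockout check (presumably the failed-attempt counter behind loginFailed()).
    if (!canLogin()) {
        $tpl->assign('page_title', 'Error');
        $tpl->assign('menu_links', Path::menu('error'));
        $tpl->assign('error_title', 'You’re in jail');
        $tpl->assign('error_content', 'You have been banned after too many bad attemps. <div class="espace-top">Please try later.</div>');
        $tpl->draw('error');
        exit;
    }

    // isset()/!== '' instead of !empty(): empty('0') is true in PHP, so a login
    // or password of "0" would otherwise be silently treated as "not submitted".
    $hasCredentials = isset($_POST['login'], $_POST['password'])
        && $_POST['login'] !== ''
        && $_POST['password'] !== '';

    if ($hasCredentials) {
        // The form token must be present and accepted before credentials are checked.
        if (!empty($_POST['token']) && acceptToken($_POST['token'])) {
            // NOTE: the login is HTML-escaped before authentication, so a login
            // containing <, >, & or quotes is compared in escaped form. This has
            // to match how check_auth() stores it — do not remove casually.
            if (check_auth(htmlspecialchars($_POST['login']), $_POST['password'])) {
                loginSucceeded();

                // Scope the session cookie to the application's directory.
                $cookiedir = '';
                if (dirname($_SERVER['SCRIPT_NAME']) != '/') {
                    $cookiedir = dirname($_SERVER['SCRIPT_NAME']) . '/';
                }
                // NOTE(review): the cookie domain comes from the Host header; a Host
                // value carrying a port (host:8080) is not a valid cookie domain —
                // confirm for the deployment. No secure/httponly flags are passed.
                session_set_cookie_params(0, $cookiedir, $_SERVER['HTTP_HOST']);
                // New session id after the privilege change (session fixation defence).
                session_regenerate_id(TRUE);

                // Post-login redirect. The target names a Path:: static method and
                // is only honoured when targetIsAllowed() allow-lists it. The name
                // is copied into a local first: `Path::$_GET['target']()` parses
                // differently in PHP 5 and PHP 7+ (uniform variable syntax reads it
                // as `(Path::$_GET)['target']()`), whereas `Path::$method()` is
                // unambiguous in both.
                $target = './';
                if (isset($_GET['target']) && targetIsAllowed($_GET['target'])) {
                    $method = $_GET['target'];
                    $target = Path::$method();
                }
                header('Location: ' . $target);
                exit;
            }

            loginFailed();
            errorPage('The given username or password was wrong. <br />If you do not remberer your login informations, just delete the file <code>' . basename($_CONFIG['settings']) . '</code>.', 'Invalid username or password');
            // errorPage() is expected to terminate the request; the explicit exit
            // guarantees the token-error branch below cannot also run (which
            // would count the same failed attempt twice).
            exit;
        }

        loginFailed();
        errorPage('The received token was empty or invalid.', 'Invalid security token');
        exit;
    }

    // GET or incomplete POST: render the form.
    $tpl->assign('page_title', 'Sign in');
    $tpl->assign('menu_links', Path::menu('signin'));
    // Only an allow-listed target is echoed back into the form, HTML-escaped.
    $tpl->assign('target', isset($_GET['target']) && targetIsAllowed($_GET['target']) ? htmlspecialchars($_GET['target']) : NULL);
    $tpl->assign('token', getToken());
    $tpl->draw('form.signin');
    exit;
}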
<?php
// Login-check endpoint: validates the posted user_id/password against the
// database and redirects to the matching result page.
// connectDb() and isLogined() are expected to come from functions.php
// (presumably — confirm); canLogin() is declared at the bottom of this file.
require_once "../util/functions.php";

$pdo = connectDb();
// NOTE(review): read without isset()/??; a request missing either field
// raises an undefined-index warning and continues with null.
$userId = $_POST["user_id"];
$password = $_POST["password"];
session_start();

if (isset($_SESSION['user_id']) && isLogined($userId, $_SESSION['user_id']) && canLogin($userId, $password, $pdo)) {
    // A user id is already set in the session (and still checks out): treat as logged in.
    header('location: logined.php');
    exit;
} else {
    // No usable session entry: decide whether this login is allowed.
    if (canLogin($userId, $password, $pdo)) {
        // A row matched the user_id (and password): log the user in.
        $_SESSION['user_id'] = $userId;
        header('location: auth_check_complete.php');
        exit;
    } else {
        // No row matched: unregistered user.
        header('location: auth_check_error.php');
        exit;
    }
}

/**
 * Runs a lookup for a user row matching the given user_id AND password.
 *
 * The statement is parameterised (bindValue), so the inputs are not
 * interpolated into the SQL.
 *
 * SECURITY NOTE(review): the password from the form is bound straight into
 * the WHERE clause, so this only matches if the user table stores passwords
 * in plaintext. Passwords should be stored with password_hash() and checked
 * with password_verify() after fetching the row by user_id alone.
 *
 * The function body continues beyond this listing.
 */
function canLogin($userId, $password, $pdo) {
    $sql = "SELECT * FROM user where user_id = :user_id and password = :password";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':user_id', $userId);
    $stmt->bindValue(':password', $password);
    $stmt->execute();