$ErrCode = $_GET['ErrCode']; $Field = $_GET['Field']; $getError = $Mysql->query("SELECT * FROM errorcodes WHERE ErrorString='{$ErrCode}'"); $rsError = $getError->fetch_assoc(); $RetVal = $rsError[$Field]; echo $RetVal; break; case "signIn": $Username = $_GET['Username']; $Password = md5($_GET['Password']); $getUser = $Mysql->query("SELECT * FROM users WHERE EmailAddress='{$Username}' AND Password='******'"); if ($getUser->num_rows == 0) { echo "<ERR>System.InternalTarget.signIn.AccessDenied"; } else { $rsSession = $getUser->fetch_assoc(); $newSession = createUserSession($rsSession['Id']); $_SESSION['CLICKA_currentSessionId'] = $newSession; $_SESSION['CLICKA_currentUserId'] = $rsSession['Id']; setcookie("CLICKA_currentSessionId", $newSession, time() + 604800); echo $newSession; } break; case "setSessionVar": $SessionId = $_GET['SessionId']; $VarName = $_GET['VarName']; $VarVal = $_GET['VarVal']; $getExisting = $Mysql->query("SELECT * FROM users_sessions_vars WHERE SessionId='{$SessionId}' AND VarName='{$VarName}'"); if ($getExisting->num_rows == 0) { $addVar = $Mysql->query("INSERT INTO users_sessions_vars (SessionId,VarName,VarVal) VALUES ('{$SessionId}','{$VarName}','{$VarVal}')"); } else { $updateVar = $Mysql->query("UPDATE users_sessions_vars SET VarVal='{$VarVal}' WHERE SessionId='{$SessionId}' AND VarName='{$VarName}'");
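/**
 * Authenticate a username/password pair against the users table.
 *
 * The stored password hash is sha256($password . "{" . $salt . "}"); the
 * "remember me" cookie reuses that stored hash (hashed again with the salt),
 * so the verifier that reads the cookie must compute the same value.
 * A wrong password increments users.failed_logins and disables the account
 * once the counter exceeds 9; a correct password resets the counter and
 * starts a session through createUserSession().
 *
 * @param string $username login name as submitted
 * @param string $password plaintext password as submitted
 * @return array{success: bool, msgId: int} msgId is 2 when the account is
 *         disabled and 1 otherwise (what 1 means is defined by the caller's
 *         message table, not here).
 */
function doLogin($username, $password) {
    $correctLogin = false;
    $errMsgId = 1;
    $level = null;
    $userId = null;

    //Look for username row
    $result = preparedStmt("SELECT id, username, level, enabled, failed_logins, password, salt FROM users WHERE username=?", array("s", "{$username}"));
    $userData = $result ? $result[0] : 0;

    //If username exists
    if ($userData) {
        $userId = (int) $userData['id'];
        $pwHash = hash('sha256', $password . "{" . $userData['salt'] . "}");

        if (!$userData['enabled']) {
            //Account is disabled - report that instead of checking the password
            $errMsgId = 2;
        } elseif (hash_equals((string) $userData['password'], $pwHash)) {
            // hash_equals() replaces the loose == comparison: == treats hex
            // strings such as "0e..." as numbers, and it is not constant-time.
            $correctLogin = true;
            $level = $userData['level'];

            //'Remember me' checkbox - http://tycoontalk.freelancer.com/php-forum/47470-tip-passwords-security-remember-me.html
            if (!empty($_POST['rememberme'])) {
                // NOTE(review): the cookie value is a deterministic hash of the
                // stored password hash + salt, so it stays valid until the
                // password changes and cannot be revoked per device. A random,
                // server-stored per-login token would fix that but needs a
                // schema change, so it is not done here.
                $cookieHash = hash('sha256', $userData['password'] . "{" . $userData['salt'] . "}"); //Hash of pw hash+salt
                $expire = time() + 7776000; //90 days
                setcookie('sg_timesheetUN', $userData['username'], $expire, "/"); //Make available from root
                setcookie('sg_timesheetPW', $cookieHash, $expire, "/");
            }
        }

        //Log failed attempts & disable account after 10 wrong tries
        if (!$correctLogin && $userData['enabled']) {
            // Cast to int: the counter comes from the database, not the user,
            // but it is interpolated into SQL below, so make that provably
            // numeric. Binding it like the other statements would be cleaner
            // if preparedStmt() accepts more than one bound value.
            $failedLogins = (int) $userData['failed_logins'] + 1;
            if ($failedLogins > 9) {
                preparedStmt("UPDATE users SET enabled=0 WHERE id=?", array("i", $userId));
            }
            preparedStmt("UPDATE users SET failed_logins={$failedLogins} WHERE id=?", array("i", $userId));
        }
    }

    // Successful - Flatten incorrect logins and start session
    if ($correctLogin) {
        // id is bound as "i" here to match the other UPDATE statements above.
        preparedStmt("UPDATE users SET failed_logins=0 WHERE id=?", array("i", $userId));
        createUserSession($userData['username'], $level);
    }

    return array("success" => $correctLogin, "msgId" => $errMsgId);
}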
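<?php
session_start();

// Gate for authenticated pages. A visitor without a session is either logged
// in from the persistent "remember me" cookies or redirected to the login
// page, with the requested URL kept in $_SESSION["deniedURL"].
if (!isset($_SESSION["username"])) {
    $isRememberedLogin = false;

    //Test for remember me cookie
    if (isset($_COOKIE['sg_timesheetUN'], $_COOKIE['sg_timesheetPW'])) {
        // Cast both cookies: a cookie sent as an array (name[]=...) would
        // otherwise reach the query helper and hash() as a non-string.
        $username = (string) $_COOKIE['sg_timesheetUN'];
        $presentedHash = (string) $_COOKIE['sg_timesheetPW'];

        //Look for username row
        $result = preparedStmt("SELECT username, password, level, enabled, salt FROM users WHERE username=?", array("s", $username));
        $userData = $result ? $result[0] : 0;

        if ($userData && $userData['enabled']) {
            // Expected cookie value: sha256 of the stored password hash + salt,
            // the same value the login code sets. hash_equals() replaces the
            // loose == comparison, which treats hex strings like "0e..." as
            // numeric and would accept a forged "0"; it is also constant-time.
            $cookieHash = hash('sha256', $userData['password'] . "{" . $userData['salt'] . "}"); //Hash of pw hash+salt
            if (hash_equals($cookieHash, $presentedHash)) {
                $isRememberedLogin = true;
                // Use the canonical username from the row rather than the
                // cookie's spelling.
                // NOTE(review): createUserSession() is assumed to regenerate
                // the session id on login — confirm, since this runs with a
                // session id the client already holds.
                createUserSession($userData['username'], $userData['level']);
            }
        }
    }

    if (!$isRememberedLogin) {
        $_SESSION["deniedURL"] = getPageURL();
        header("Location:login_page.php");
        exit;
    }
}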