Exemplo n.º 1
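     // Both values come straight from the query string and are untrusted.
     $ErrCode = isset($_GET['ErrCode']) ? $_GET['ErrCode'] : '';
     $Field = isset($_GET['Field']) ? $_GET['Field'] : '';
     // Parameterised lookup instead of interpolating $ErrCode into the SQL text.
     // $Mysql is treated as a mysqli connection (query()/fetch_assoc()/num_rows are used
     // on it elsewhere in this switch); get_result() needs the mysqlnd driver.
     $getError = $Mysql->prepare("SELECT * FROM errorcodes WHERE ErrorString=?");
     $getError->bind_param('s', $ErrCode);
     $getError->execute();
     $rsError = $getError->get_result()->fetch_assoc();
     $getError->close();
     // $Field is attacker-chosen: only return a column that actually exists on the fetched
     // row; otherwise emit an empty body (the original echoed null plus an "undefined index"
     // notice) rather than leaking anything.
     $RetVal = (is_array($rsError) && array_key_exists($Field, $rsError)) ? $rsError[$Field] : '';
     // NOTE(review): the value is echoed raw as a plain-text response; if the caller ever
     // renders it into HTML it must be escaped (htmlspecialchars) on that side.
     echo $RetVal;
     break;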
 case "signIn":
     $Username = $_GET['Username'];
     $Password = md5($_GET['Password']);
     $getUser = $Mysql->query("SELECT * FROM users WHERE EmailAddress='{$Username}' AND Password='******'");
     if ($getUser->num_rows == 0) {
         echo "<ERR>System.InternalTarget.signIn.AccessDenied";
     } else {
         $rsSession = $getUser->fetch_assoc();
         $newSession = createUserSession($rsSession['Id']);
         $_SESSION['CLICKA_currentSessionId'] = $newSession;
         $_SESSION['CLICKA_currentUserId'] = $rsSession['Id'];
         setcookie("CLICKA_currentSessionId", $newSession, time() + 604800);
         echo $newSession;
     }
     break;
 case "setSessionVar":
     $SessionId = $_GET['SessionId'];
     $VarName = $_GET['VarName'];
     $VarVal = $_GET['VarVal'];
     $getExisting = $Mysql->query("SELECT * FROM users_sessions_vars WHERE SessionId='{$SessionId}' AND VarName='{$VarName}'");
     if ($getExisting->num_rows == 0) {
         $addVar = $Mysql->query("INSERT INTO users_sessions_vars (SessionId,VarName,VarVal) VALUES ('{$SessionId}','{$VarName}','{$VarVal}')");
     } else {
         $updateVar = $Mysql->query("UPDATE users_sessions_vars SET VarVal='{$VarVal}' WHERE SessionId='{$SessionId}' AND VarName='{$VarName}'");
Exemplo n.º 2
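/**
 * Authenticate a user by username and password.
 *
 * Fetches the user row with a prepared statement, recomputes the salted SHA-256 hash and
 * compares it in constant time. A wrong password on an enabled account increments
 * failed_logins and disables the account once that counter exceeds 9; a correct password
 * resets the counter, starts a session and, when the "rememberme" form field was posted,
 * sets the 90-day remember-me cookies read back on page load.
 *
 * @param string $username Submitted username (untrusted).
 * @param string $password Submitted clear-text password (untrusted).
 * @return array{success: bool, msgId: int} msgId 1 = bad credentials / unknown user,
 *         2 = account disabled.
 */
function doLogin($username, $password)
{
    $correctLogin = false;
    $errMsgId = 1;
    $level = null;
    // Look for the username row (parameterised; never interpolate $username).
    $result = preparedStmt("SELECT id, username, level, enabled, failed_logins, password, salt FROM users WHERE username=?", array("s", "{$username}"));
    $userData = $result ? $result[0] : 0;
    if ($userData) {
        $userId = $userData['id'];
        // Legacy scheme: sha256(password . "{salt}"). A single fast hash; migrating to
        // password_hash()/password_verify() would require changing the stored format.
        $pwHash = hash('sha256', $password . "{" . $userData['salt'] . "}");
        if (!$userData['enabled']) {
            // Disabled accounts are reported as such regardless of the password.
            $errMsgId = 2;
        } elseif (hash_equals((string) $userData['password'], $pwHash)) {
            // hash_equals is constant-time and strict; == would treat two hex digests that
            // both start with "0e" followed by digits as equal numeric strings.
            $correctLogin = true;
            $level = $userData['level'];
            if (!empty($_POST['rememberme'])) {
                // Remember-me token = sha256(stored hash . "{salt}"). It is deterministic and
                // changes only with the password, so it cannot be revoked per device; kept
                // because the cookie check on page load recomputes exactly this value. A
                // random per-device token stored server-side would be the better design.
                $cookieHash = hash('sha256', $userData['password'] . "{" . $userData['salt'] . "}");
                $expire = time() + 7776000; // 90 days
                $secure = !empty($_SERVER['HTTPS']);
                // Available from the site root; HttpOnly keeps scripts from reading them.
                setcookie('sg_timesheetUN', $userData['username'], $expire, "/", "", $secure, true);
                setcookie('sg_timesheetPW', $cookieHash, $expire, "/", "", $secure, true);
            }
        }
        // Log failed attempts and disable the account after 10 wrong tries.
        if (!$correctLogin && $userData['enabled']) {
            $failedLogins = $userData['failed_logins'] + 1;
            if ($failedLogins > 9) {
                $result = preparedStmt("UPDATE users SET enabled=0 WHERE id=?", array("i", $userId));
            }
            // Bound as a parameter for consistency with the other statements in this function.
            $result = preparedStmt("UPDATE users SET failed_logins=? WHERE id=?", array("ii", $failedLogins, $userId));
        }
    }
    // Successful - reset the failure counter and start the session.
    if ($correctLogin) {
        $result = preparedStmt("UPDATE users SET failed_logins=0 WHERE id=?", array("i", $userId));
        createUserSession($userData['username'], $level);
    }
    return array("success" => $correctLogin, "msgId" => $errMsgId);
}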
<?php

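// Gate for every page that includes this file: require a logged-in session. Without one,
// try the 90-day remember-me cookies set by doLogin(); otherwise redirect to the login page.
session_start();
if (!isset($_SESSION["username"])) {
    $isRememberedLogin = false;
    // Both cookies must be present and must be plain strings: a crafted "name[]=" cookie
    // arrives as an array and would otherwise reach the query and the comparison below.
    if (isset($_COOKIE['sg_timesheetUN'], $_COOKIE['sg_timesheetPW'])
        && is_string($_COOKIE['sg_timesheetUN']) && is_string($_COOKIE['sg_timesheetPW'])) {
        $username = $_COOKIE['sg_timesheetUN'];
        // Look for the username row (parameterised; the cookie value is untrusted).
        $result = preparedStmt("SELECT username, password, level, enabled, salt FROM users WHERE username=?", array("s", $username));
        $userData = $result ? $result[0] : 0;
        if ($userData && $userData['enabled']) {
            // Expected token = sha256(stored hash . "{salt}"), mirroring doLogin(). Compared
            // in constant time and strictly; == would treat two "0e..." hex digests as equal.
            $cookieHash = hash('sha256', $userData['password'] . "{" . $userData['salt'] . "}");
            if (hash_equals($cookieHash, $_COOKIE['sg_timesheetPW'])) {
                $isRememberedLogin = true;
                // New session id before granting privileges so a pre-set id cannot be fixated.
                session_regenerate_id(true);
                createUserSession($username, $userData['level']);
            }
        }
    }
    if (!$isRememberedLogin) {
        // Remember the requested page so the login page can send the user back to it.
        $_SESSION["deniedURL"] = getPageURL();
        header("Location:login_page.php");
        exit;
    }
}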