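/**
 * Decide whether the current session belongs to a confirmed user of at least
 * the given level.
 *
 * The session carries a "second password" token; the stored bcrypt hash and
 * salt are fetched from the Users table, re-hashed with that salt, and the
 * result must match the token. Any missing piece fails closed.
 *
 * @param mysqli $connection open database handle (used for escaping and by DoQuery())
 * @param mixed  $level      minimum Level the user row must have
 * @return bool true only when a matching row exists and the token verifies
 */
function CheckLogin($connection, $level)
{
    // Start the session via the project's hardened session helper before
    // reading anything from $_SESSION.
    sec_session_start();
    // Both the username and the "second password" token must be present.
    if (isset($_SESSION['username'], $_SESSION['secondpw'])) {
        $username = $_SESSION['username'];
        $secondpw = $_SESSION['secondpw'];
        $username = $connection->escape_string($username);
        // NOTE(review): the username value in this query ('******') appears to
        // be redacted in the listing; $username is escaped above but is not
        // visibly used. $level is still concatenated unescaped — DoQuery()'s
        // signature offers no way to bind parameters from here, so callers
        // must only pass trusted values (the comparison suggests an integer).
        $sql = "SELECT HashPassword,Salt from Users WHERE UserName = '******' AND Confirmed = '1' AND Level >= '" . $level . "' AND idUsers > 0;";
        // DoQuery() returns the result handle and a success flag as a pair.
        list($result, $valid) = DoQuery($sql, $connection);
        if ($result && $valid) {
            $row = mysqli_fetch_array($result);
            if (!$row) {
                // No row matched the filter: previously this fell through and
                // hashed a null password instead of rejecting outright.
                return false;
            }
            $password = $row['HashPassword'];
            $salt = $row['Salt'];
            // Derive the token from the stored hash so the hash itself is never
            // placed in the session.
            // NOTE: the 'salt' option of password_hash() is deprecated since
            // PHP 7.0 and ignored (with a warning) since 8.0, so this derivation
            // only behaves as intended on older runtimes.
            $options = ['cost' => 11, 'salt' => $salt];
            $newhash = password_hash($password, PASSWORD_BCRYPT, $options);
            // Constant-time comparison of the two strings. A failed
            // password_hash() (false) becomes '' and can no longer loosely
            // equal an empty session token, as the old == comparison allowed.
            return hash_equals((string) $newhash, (string) $secondpw);
        }
    }
    return false;
}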
/**
 * Resolve the session user against the database that belongs to their type.
 *
 * Readers are checked against the 'marketplace' database, authors against
 * 'workbench'; any other (or missing) type yields no connection and therefore
 * no login. The username and type are also published into $GLOBALS for the
 * calling page.
 *
 * @return mixed whatever DBCalls::loginCheck() returns, or false when no
 *               connection could be chosen
 */
function login()
{
    require_once 'DBConnect.php';
    require_once 'DBCalls.php';
    require_once 'secSession.php';
    sec_session_start();
    // Pull identity from the session; false stands for "not present".
    $username = isset($_SESSION['username']) ? $_SESSION['username'] : false;
    $userType = isset($_SESSION['userType']) ? $_SESSION['userType'] : false;
    // Each user type is served by its own database.
    if ($userType == "reader") {
        $con = new DBConnect('marketplace');
    } elseif ($userType == "author") {
        $con = new DBConnect('workbench');
    } else {
        $con = false;
    }
    $loggedIn = false;
    if ($con) {
        $calls = new DBCalls();
        $loggedIn = $calls->loginCheck($con);
    }
    // Legacy convention: expose the identity as globals for the caller.
    $GLOBALS['username'] = $username;
    $GLOBALS['userType'] = $userType;
    return $loggedIn;
}
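/**
 * End the current session completely and redirect back to the same script.
 *
 * Clears the server-side session data, expires the session cookie on the
 * client with the attributes it was issued with, and destroys the session.
 *
 * @return void
 */
function logout()
{
    sec_session_start();
    // Drop all session data server-side.
    $_SESSION = [];
    // Expire the session cookie on the client using the same path/domain/
    // secure/httponly attributes, otherwise the browser keeps the old cookie.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    session_destroy();
    unset($_SESSION);
    // The original session_regenerate_id(true) call sat here, after
    // session_destroy(); with no active session it can only fail with a
    // warning, so it is dropped. The next sec_session_start() issues a new id.
    header('Location: ' . htmlspecialchars($_SERVER['PHP_SELF']));
    // NOTE(review): no exit after the redirect header — the caller must stop
    // output itself or the remainder of the page still executes.
}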
/**
 * Log the user out by removing the login-related keys from the session.
 *
 * Only 'user' and 'timeout' are removed; other session data is kept and the
 * session itself is not destroyed.
 *
 * @return void
 */
function logout()
{
    // Make sure a session is active before touching $_SESSION.
    if (session_status() == PHP_SESSION_NONE) {
        sec_session_start();
    }
    // Remove each login key only when it is actually present.
    foreach (['user', 'timeout'] as $key) {
        if (isset($_SESSION[$key])) {
            unset($_SESSION[$key]);
        }
    }
}
/**
 * Store a president id in the session and redirect to another page in the
 * current script's directory.
 *
 * @param string $page target file name, appended to the script's directory
 * @param int    $pid  president id handed to the target page via $_SESSION['pid']
 * @return never exits after sending the Location header
 */
function load($page = 'admins.php', $pid = -1)
{
    # Scheme + host + directory of the running script, without trailing slashes.
    # NOTE(review): HTTP_HOST is taken from the request's Host header, so the
    # redirect target is client-influenced unless the web server validates it.
    $base = rtrim('http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']), '/\\');
    $target = $base . '/' . $page;
    # Hand the id over through the session, then redirect and stop.
    sec_session_start();
    $_SESSION['pid'] = $pid;
    header('Location: ' . $target);
    exit;
}
<!--

Copyright (c) 2015 Blink
All Rights Reserved

This product is protected by copyright and distributed under
licenses restricting copying, distribution, and decompilation.

Gerardo López | Iván Nolasco | Renato Andres

-->
<?php
include_once '../assets/includes/db_conexion.php';
include_once '../assets/includes/funciones.php';
sec_session_start();
// Identity of the logged-in user as left in the session by the login flow.
// NOTE(review): there is no isset() guard, so an unauthenticated visitor hits
// undefined-index notices here — confirm the includes redirect them earlier.
$user = $_SESSION['username'];
$idusr = $_SESSION['user_id'];
$elidespecial = $idusr;
$avatar = '';
// Load the profile and its display configuration in one prepared query; the
// bound variables are consumed by the templates included below.
$stmt = $mysqli->prepare("SELECT usuarios_tb.avatar, usuarios_tb.nombres, usuarios_tb.apellidos, usuarios_tb.nacimiento, usuarios_tb.descripcion, usuarios_tb.correo, usuarios_tb.tipo, usuarios_tb.lang, usuarios_tb.idusuario, user_config.banner, user_config.iduser FROM usuarios_tb INNER JOIN user_config ON usuarios_tb.idusuario = user_config.iduser WHERE usuarios_tb.idusuario = ?");
if ($stmt) {
    $stmt->bind_param('s', $elidespecial);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($avatar, $nombres, $apellidos, $nacimiento, $descripcion, $correo, $tipo, $lang, $idusuario, $bannero, $iduserconf);
    $stmt->fetch();
}
include "auto.php";
include "../assets/includes/lang.php";
// PROFILE LAYOUT
$super = "";
$cambe = "";
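 /**
  * Resolve the Member for the current request from the session cookie.
  *
  * Unauthenticated requests (login_check() not true) and sessions without a
  * memberID resolve to Member(1); an authenticated request with an empty or
  * missing cookie yields false.
  *
  * @return Member|false
  */
 private function getMemberFromCookie()
 {
     global $db;
     // Start the session only if nothing has done so yet.
     if (!isset($_SESSION)) {
         sec_session_start();
     }
     // Unauthenticated requests always resolve to the default member.
     if (login_check($db) !== true) {
         return new Member(1);
     }
     // Guard the cookie read: an absent cookie previously raised an
     // undefined-index notice before reaching the empty-string check.
     $cookieId = isset($_COOKIE["sec_session_id_weedo"]) ? $_COOKIE["sec_session_id_weedo"] : "";
     if ($cookieId == "") {
         return false;
     }
     // NOTE(review): session_id()/session_name() run after the session is
     // already active, so they cannot affect the current session. Adopting an
     // id straight from a client cookie is the pattern session fixation relies
     // on — confirm sec_session_start() enables session.use_strict_mode.
     session_id($cookieId);
     session_name("sec_session_id_weedo");
     // NOTE(review): Member(1) is the fallback when no memberID is stored —
     // confirm that account is not a privileged one.
     if (isset($_SESSION["memberID"])) {
         return new Member($_SESSION["memberID"]);
     }
     return new Member(1);
 }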
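/**
 * Validate the posted login form and start the secure session on success.
 *
 * Outcomes are signalled through $GLOBALS flags ('emptyFields',
 * 'emailNotValid', 'wrongCredentials'); on success the request is redirected
 * to temp.php and the script exits.
 *
 * @return void
 */
function check_login()
{
    // Read the inputs once; a missing field counts as empty instead of
    // raising an undefined-index notice.
    $rawEmail = isset($_POST["InputEmail"]) ? $_POST["InputEmail"] : "";
    $rawPw = isset($_POST["InputPW1"]) ? $_POST["InputPW1"] : "";
    if ($rawEmail == "" || $rawPw == "") {
        $GLOBALS['emptyFields'] = true;
        return;
    }
    // FILTER_SANITIZE_EMAIL strips disallowed characters; any difference means
    // the submitted address was not clean.
    $email = filter_var($rawEmail, FILTER_SANITIZE_EMAIL);
    if ($rawEmail != $email) {
        $GLOBALS['emailNotValid'] = true;
        return;
    }
    // Look the user up with a bound parameter. The sanitised address may still
    // contain a single quote, which the former string-built query did not
    // escape, so the value never goes into the SQL text.
    $connection = connect_to_mysql();
    $hash = null;
    $stmt = mysqli_prepare($connection, "SELECT password FROM users WHERE email = ?");
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, 's', $email);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $hash);
        if (!mysqli_stmt_fetch($stmt)) {
            // No such user: previously $row was false and was indexed anyway.
            $hash = null;
        }
        mysqli_stmt_close($stmt);
    }
    // Unknown address and wrong password are reported identically.
    if ($hash === null || !password_verify($rawPw, $hash)) {
        $GLOBALS['wrongCredentials'] = true;
        return;
    }
    sec_session_start($email);
    header("Location: temp.php");
    exit;
}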
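<?php
include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

// Both form fields must be present; anything else is rejected below.
if (isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p']; // The hashed password (per the author; presumably hashed client-side).
    // NOTE(review): whatever arrives in $_POST['p'] is the credential as far
    // as this server is concerned — login() is expected to hash and compare
    // it server-side, never to match it against the stored value directly.

    if (login($email, $password, $mysqli)) {
        // Login success
        header('Location: ../protected_page.php');
    } else {
        // Login failed
        header('Location: ../index.php?error=1');
    }
    // Stop here so nothing runs after the redirect header has been sent.
    exit;
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
// No closing ?> tag: trailing whitespace after it would be emitted before the
// Location header and break the redirect.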