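<?php
// User tries to log in.
//
// Reads `email` and `password` from the request, looks the user up through the
// read_user_login stored procedure and, when the stored hash matches, binds the
// user id to the session and returns the user record as JSON with `hash` and
// `salt` withheld. Every failure (unknown user, wrong password, missing
// parameters) ends on the same 401 path at the bottom.
include 'db_config.php';
include 'include/query.php';
include 'include/password.php';
include 'include/output.php';

session_start();

// Interpret the Request.
// A missing parameter falls back to '' instead of raising an undefined-index
// notice; it still lands on the uniform failure path below.
// NOTE: the password is escaped *before* hashing, so the hash covers the
// escaped form. The admin password-change script on this page does the same
// when storing; any path that sets user passwords must match (not visible
// here) or existing credentials stop verifying.
$email = $LT_SQL->real_escape_string($_REQUEST['email'] ?? '');
$password = $LT_SQL->real_escape_string($_REQUEST['password'] ?? '');

// Query the Database and Generate Output
if ($rows = LT_call_silent('read_user_login', $email)) {
    $hash = LT_hash_password($password, $rows[0]['salt']);
    // hash_equals() runs in constant time, so response timing no longer
    // reveals how many leading bytes of the candidate hash were correct
    // (strcmp() returns at the first differing byte).
    if (hash_equals((string) $rows[0]['hash'], (string) $hash)) {
        // Issue a fresh session id on this privilege change so that an id
        // planted in the browser before login is not the one that becomes
        // authenticated (session fixation).
        session_regenerate_id(true);
        // the server associates the user with this session
        $_SESSION['user'] = $rows[0]['id'];
        // the database remembers that the user logged in
        LT_call('update_user_logged_in', $rows[0]['id'], 1);
        // return the user as a json object
        LT_output_object($rows[0], [
            'boolean' => ['subscribed'],
            'integer' => ['id'],
            'blocked' => ['hash', 'salt'],
        ]);
        exit;
    }
}

// We return same failure result regardless of the reason for failure so that
// we don't help password crackers figure out if they got the wrong password
// or the wrong username or the wrong argument names.
header('HTTP/1.1 401 Unauthorized', true, 401);
exit("Invalid username or password.");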
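<?php
// Admin changes his password.
//
// Requires an authenticated admin session. Reads the new `password` from the
// request, derives a fresh salt and hash and stores both through the
// update_admin_password stored procedure. Emits no body on success.
include 'db_config.php';
include 'include/query.php';
include 'include/password.php';

session_start();

if (!isset($_SESSION['admin'])) {
    header('HTTP/1.1 401 Unauthorized', true, 401);
    exit('You are not logged in.');
}

// Interpret the Request
$login = $LT_SQL->real_escape_string($_SESSION['admin']);

// A request without a password used to raise an undefined-index notice and
// then store the hash of '' as the admin's password; refuse it instead.
$password = $_REQUEST['password'] ?? '';
if ($password === '') {
    header('HTTP/1.1 400 Bad Request', true, 400);
    exit('A new password is required.');
}
// NOTE: the password is escaped *before* hashing, so the stored hash covers
// the escaped form. The user login handler on this page escapes the same way
// before verifying; the admin login path presumably does too — confirm before
// changing either side.
$password = $LT_SQL->real_escape_string($password);
// NOTE(review): $_REQUEST also accepts GET and cookie parameters, so this
// state change is reachable by a cross-site request; restricting it to POST
// and requiring a CSRF token is advisable.
$salt = LT_random_salt();
$hash = LT_hash_password($password, $salt);

// Query the Database
LT_call('update_admin_password', $login, $hash, $salt);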
// NOTE(review): this statement run begins before the visible span. $location,
// $username and $password used when writing db_config.php below are assigned
// earlier and are not shown here; from their position in the mysqli()
// constructor call they appear to be the database connection credentials, not
// the admin credentials — confirm.
$database = $LT_SQL->real_escape_string($_REQUEST['database']);
$admin_login = $LT_SQL->real_escape_string($_REQUEST['admin_login']);
// The admin password is escaped before hashing (the same convention the
// password-change script uses), so the stored hash covers the escaped form.
$admin_password = $LT_SQL->real_escape_string($_REQUEST['admin_password']);
// NOTE(review): real_escape_string() protects the contents of a quoted string
// literal; {$database} is interpolated as an unquoted identifier, where that
// escaping gives no protection. Validating the name against an allow-list
// pattern (letters, digits, underscore) before use would close this.
// DDL statements such as CREATE DATABASE commit implicitly in MySQL and are
// not undone by the rollback() calls below.
$LT_SQL->query("CREATE DATABASE IF NOT EXISTS {$database}") or die("Query failed: " . $LT_SQL->error);
$LT_SQL->query("USE {$database}") or die("Query failed: " . $LT_SQL->error);
// Create the Database Schema (tables and stored procedures)
// Run the whole schema file in one transaction; abort on the first statement
// that reports an error.
$LT_SQL->autocommit(FALSE);
if ($LT_SQL->multi_query(file_get_contents('include/schema.sql'))) {
    do {
        // $result is fetched only to advance through the result set; it is
        // never read and never freed.
        $result = $LT_SQL->store_result();
        if ($LT_SQL->errno != 0) {
            $LT_SQL->rollback();
            die("Query failed: " . $LT_SQL->error);
        }
    } while ($LT_SQL->more_results() && $LT_SQL->next_result());
    $LT_SQL->commit();
} else {
    $LT_SQL->rollback();
    die("Query failed: " . $LT_SQL->error);
}
// Create an Administrator Account
$salt = LT_random_salt();
$hash = LT_hash_password($admin_password, $salt);
// Values are interpolated into quoted SQL literals; $admin_login was escaped
// above, $hash and $salt come from the project's own password helpers.
$query = "CALL create_admin('{$admin_login}', '{$hash}', '{$salt}')";
$LT_SQL->query($query) or die('Query failed: ' . $LT_SQL->error);
$LT_SQL->commit();
// Create db_config.php
// NOTE(review): the generated PHP interpolates the raw values; a single quote
// or backslash in any of them breaks the file or changes its meaning, and the
// database password is written in plaintext into a file under the web root.
// Emitting each value with var_export() would at least produce a correctly
// quoted literal.
file_put_contents('db_config.php', "<?php\n" . "\t\$LT_SQL = new mysqli('{$location}', '{$username}', '{$password}', '{$database}');\n" . "?>\n");
?>