policies.authenticate

1. <?php
2. ini_set('display_errors',1);
3. include_once 'config.php';
4.  
5. $message = null;
6.  
7. $password_passed = 0;
8.  
9.  
10. if ($_POST['user'] && $_POST['password']) {
11.     $username = $_POST['user'];
12.     $userpassword = $_POST['password'];
13.    
14.     $sql = "SELECT * FROM users WHERE user = '" . $username . "' AND pass = '" . sha1($userpassword) . "'";
15.  
16.     $user = mysqli_query($_SESSION['dbconn'],$sql);
17.  
18.     if ($user) {
19.         $password_passed = 1;
20.         $record = mysqli_fetch_array($user);
21.     }
22.    
23.     if (!$password_passed) {
24.  
25.         $message = 'Wrong username and/or password.';
26.     } else {
27.         $_SESSION['user']['userid'] = $record['user'];
28.         $_SESSION['user']['admin'] = $record['admin'];
29.     }
30.  
31.     if ($password_passed) {
32.  
33.         $sql2 = "UPDATE users SET last_login = '" . date('Y-m-d H:i') . "' WHERE user = '" . $username . "'";
34.         mysqli_query($_SESSION['dbconn'],$sql2);
35.         $_SESSION['message'] = array('info',"Welcome, " . $_SESSION['user']['userid']);
36.         $_SESSION['loggedin'] = 1;
37.      
38.         header("Location: " . SITEHOME);
39.     } else {
40.         $_SESSION['message'] = array('warning',$message);
41.         header("Location: " . SITEHOME);
42.     }
43. } else {
44.     $_SESSION['message'] = array('warning',"Login failed. Please check your login data.");
45.     header("Location: " . SITEHOME);
46. }
47. ?>