
Untitled

a guest Aug 14th, 2016 27 Never
  1. require("common.php");
  2.      
  3.     // This variable will be used to re-display the user's username to them in the
  4.     // login form if they fail to enter the correct password.  It is initialized here
  5.     // to an empty value, which will be shown if the user has not submitted the form.
  6.     $submitted_username = '';
  7.      
  8.     // This if statement checks to determine whether the login form has been submitted
  9.     // If it has, then the login code is run, otherwise the form is displayed
  10.     if(!empty($_GET))
  11.     {
  12.         // This query retreives the user's information from the database using
  13.         // their username.
  14.         $query = "
  15.             SELECT  
  16.                 id,
  17.                 username,
  18.                 password,
  19.                 salt,
  20.                 email
  21.             FROM users
  22.             WHERE
  23.                 username = :username
  24.         ";
  25.          
  26.         // The parameter values
  27.         $query_params = array(
  28.             ':username' => $_GET['username']
  29.         );
  30.          
  31.         try
  32.         {
  33.             // Execute the query against the database
  34.             $stmt = $db->prepare($query);
  35.             $result = $stmt->execute($query_params);
  36.         }
  37.         catch(PDOException $ex)
  38.         {
  39.             // Note: On a production website, you should not output $ex->getMessage().
  40.             // It may provide an attacker with helpful information about your code.  
  41.             die("Failed to run query: " . $ex->getMessage());
  42.         }
  43.          
  44.         // This variable tells us whether the user has successfully logged in or not.
  45.         // We initialize it to false, assuming they have not.
  46.         // If we determine that they have entered the right details, then we switch it to true.
  47.         $login_ok = false;
  48.          
  49.         // Retrieve the user data from the database.  If $row is false, then the username
  50.         // they entered is not registered.
  51.         $row = $stmt->fetch();
  52.         if($row)
  53.         {
  54.             // Using the password submitted by the user and the salt stored in the database,
  55.             // we now check to see whether the passwords match by hashing the submitted password
  56.             // and comparing it to the hashed version already stored in the database.
  57.             $check_password = hash('sha256', $_GET['password'] . $row['salt']);
  58.             for($round = 0; $round < 65536; $round++)
  59.             {
  60.                 $check_password = hash('sha256', $check_password . $row['salt']);
  61.             }
  62.              
  63.             if($check_password === $row['password'])
  64.             {
  65.                 // If they do, then we flip this to true
  66.                 $login_ok = true;
  67.             }
  68.         }
  69.          
  70.         // If the user logged in successfully, then we send them to the private members-only page
  71.         // Otherwise, we display a login failed message and show the login form again
  72.         if($login_ok)
  73.         {
  74.             // Here I am preparing to store the $row array into the $_SESSION by
  75.             // removing the salt and password values from it.  Although $_SESSION is
  76.             // stored on the server-side, there is no reason to store sensitive values
  77.             // in it unless you have to.  Thus, it is best practice to remove these
  78.             // sensitive values first.
  79.             unset($row['salt']);
  80.             unset($row['password']);
  81.              
  82.             // This stores the user's data into the session at the index 'user'.
  83.             // We will check this index on the private members-only page to determine whether
  84.             // or not the user is logged in.  We can also use it to retrieve
  85.             // the user's details.
  86.             $_SESSION['user'] = $row;
  87.              
  88.             // Redirect the user to the private members-only page.
  89.  
  90.             $query = "
  91.             INSERT  
  92.             INTO
  93.              'users' ('time')
  94.             VALUES
  95.                 date('Y-m-d')
  96.         ";
  97.             die("1");      
  98.         }
  99.         else
  100.         {
  101.             // Tell the user they failed
  102.             print("2");
  103.              
  104.             // Show them their username again so all they have to do is enter a new
  105.             // password.  The use of htmlentities prevents XSS attacks.  You should
  106.             // always use htmlentities on user submitted values before displaying them
  107.             // to any users (including the user that submitted them).  For more information:
  108.             // http://en.wikipedia.org/wiki/XSS_attack
  109.             $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
  110.         }
  111.     }