  1. require("common.php");
  2.  
  3. // This variable will be used to re-display the user's username to them in the
  4. // login form if they fail to enter the correct password. It is initialized here
  5. // to an empty value, which will be shown if the user has not submitted the form.
  6. $submitted_username = '';
  7.  
  8. // This if statement checks to determine whether the login form has been submitted
  9. // If it has, then the login code is run, otherwise the form is displayed
  10. if(!empty($_GET))
  11. {
  12. // This query retreives the user's information from the database using
  13. // their username.
  14. $query = "
  15. SELECT
  16. id,
  17. username,
  18. password,
  19. salt,
  20. email
  21. FROM users
  22. WHERE
  23. username = :username
  24. ";
  25.  
  26. // The parameter values
  27. $query_params = array(
  28. ':username' => $_GET['username']
  29. );
  30.  
  31. try
  32. {
  33. // Execute the query against the database
  34. $stmt = $db->prepare($query);
  35. $result = $stmt->execute($query_params);
  36. }
  37. catch(PDOException $ex)
  38. {
  39. // Note: On a production website, you should not output $ex->getMessage().
  40. // It may provide an attacker with helpful information about your code.
  41. die("Failed to run query: " . $ex->getMessage());
  42. }
  43.  
  44. // This variable tells us whether the user has successfully logged in or not.
  45. // We initialize it to false, assuming they have not.
  46. // If we determine that they have entered the right details, then we switch it to true.
  47. $login_ok = false;
  48.  
  49. // Retrieve the user data from the database. If $row is false, then the username
  50. // they entered is not registered.
  51. $row = $stmt->fetch();
  52. if($row)
  53. {
  54. // Using the password submitted by the user and the salt stored in the database,
  55. // we now check to see whether the passwords match by hashing the submitted password
  56. // and comparing it to the hashed version already stored in the database.
  57. $check_password = hash('sha256', $_GET['password'] . $row['salt']);
  58. for($round = 0; $round < 65536; $round++)
  59. {
  60. $check_password = hash('sha256', $check_password . $row['salt']);
  61. }
  62.  
  63. if($check_password === $row['password'])
  64. {
  65. // If they do, then we flip this to true
  66. $login_ok = true;
  67. }
  68. }
  69.  
  70. // If the user logged in successfully, then we send them to the private members-only page
  71. // Otherwise, we display a login failed message and show the login form again
  72. if($login_ok)
  73. {
  74. // Here I am preparing to store the $row array into the $_SESSION by
  75. // removing the salt and password values from it. Although $_SESSION is
  76. // stored on the server-side, there is no reason to store sensitive values
  77. // in it unless you have to. Thus, it is best practice to remove these
  78. // sensitive values first.
  79. unset($row['salt']);
  80. unset($row['password']);
  81.  
  82. // This stores the user's data into the session at the index 'user'.
  83. // We will check this index on the private members-only page to determine whether
  84. // or not the user is logged in. We can also use it to retrieve
  85. // the user's details.
  86. $_SESSION['user'] = $row;
  87.  
  88. // Redirect the user to the private members-only page.
  89.  
  90. $query = "
  91. INSERT
  92. INTO
  93. 'users' ('time')
  94. VALUES
  95. date('Y-m-d')
  96. ";
  97. die("1");
  98. }
  99. else
  100. {
  101. // Tell the user they failed
  102. print("2");
  103.  
  104. // Show them their username again so all they have to do is enter a new
  105. // password. The use of htmlentities prevents XSS attacks. You should
  106. // always use htmlentities on user submitted values before displaying them
  107. // to any users (including the user that submitted them). For more information:
  108. // http://en.wikipedia.org/wiki/XSS_attack
  109. $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
  110. }
  111. }