Ezt a kódot át lehetne úgy alakítani, hogy amikor az URL-ben rákérdezek, hogy ?username=pistike, akkor kiírja, hogy létezik-e ez a felhasználó?
  4. require("common.php");
  5.      
  6.     // This variable will be used to re-display the user's username to them in the
  7.     // login form if they fail to enter the correct password.  It is initialized here
  8.     // to an empty value, which will be shown if the user has not submitted the form.
  9.     $submitted_username = '';
  10.      
  11.     // This if statement checks to determine whether the login form has been submitted
  12.     // If it has, then the login code is run, otherwise the form is displayed
  13.     if(!empty($_GET))
  14.     {
  15.         // This query retreives the user's information from the database using
  16.         // their username.
  17.         $query = "
  18.             SELECT  
  19.                 id,
  20.                 username,
  21.                 password,
  22.                 salt,
  23.                 email
  24.             FROM users
  25.             WHERE
  26.                 username = :username
  27.         ";
  28.          
  29.         // The parameter values
  30.         $query_params = array(
  31.             ':username' => $_GET['username']
  32.         );
  33.          
  34.         try
  35.         {
  36.             // Execute the query against the database
  37.             $stmt = $db->prepare($query);
  38.             $result = $stmt->execute($query_params);
  39.         }
  40.         catch(PDOException $ex)
  41.         {
  42.             // Note: On a production website, you should not output $ex->getMessage().
  43.             // It may provide an attacker with helpful information about your code.  
  44.             die("Failed to run query: " . $ex->getMessage());
  45.         }
  46.          
  47.         // This variable tells us whether the user has successfully logged in or not.
  48.         // We initialize it to false, assuming they have not.
  49.         // If we determine that they have entered the right details, then we switch it to true.
  50.         $login_ok = false;
  51.          
  52.         // Retrieve the user data from the database.  If $row is false, then the username
  53.         // they entered is not registered.
  54.         $row = $stmt->fetch();
  55.         if($row)
  56.         {
  57.             // Using the password submitted by the user and the salt stored in the database,
  58.             // we now check to see whether the passwords match by hashing the submitted password
  59.             // and comparing it to the hashed version already stored in the database.
  60.             $check_password = hash('sha256', $_GET['password'] . $row['salt']);
  61.             for($round = 0; $round < 65536; $round++)
  62.             {
  63.                 $check_password = hash('sha256', $check_password . $row['salt']);
  64.             }
  65.              
  66.             if($check_password === $row['password'])
  67.             {
  68.                 // If they do, then we flip this to true
  69.                 $login_ok = true;
  70.             }
  71.         }
  72.          
  73.         // If the user logged in successfully, then we send them to the private members-only page
  74.         // Otherwise, we display a login failed message and show the login form again
  75.         if($login_ok)
  76.         {
  77.             // Here I am preparing to store the $row array into the $_SESSION by
  78.             // removing the salt and password values from it.  Although $_SESSION is
  79.             // stored on the server-side, there is no reason to store sensitive values
  80.             // in it unless you have to.  Thus, it is best practice to remove these
  81.             // sensitive values first.
  82.             unset($row['salt']);
  83.             unset($row['password']);
  84.              
  85.             // This stores the user's data into the session at the index 'user'.
  86.             // We will check this index on the private members-only page to determine whether
  87.             // or not the user is logged in.  We can also use it to retrieve
  88.             // the user's details.
  89.             $_SESSION['user'] = $row;
  90.              
  91.             // Redirect the user to the private members-only page.
  92.  
  93.             $query = "
  94.             INSERT  
  95.             INTO
  96.              'users' ('time')
  97.             VALUES
  98.                 date('Y-m-d')
  99.         ";
  100.             die("1");      
  101.         }
  102.         else
  103.         {
  104.             // Tell the user they failed
  105.             print("2");
  106.              
  107.             // Show them their username again so all they have to do is enter a new
  108.             // password.  The use of htmlentities prevents XSS attacks.  You should
  109.             // always use htmlentities on user submitted values before displaying them
  110.             // to any users (including the user that submitted them).  For more information:
  111.             // http://en.wikipedia.org/wiki/XSS_attack
  112.             $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
  113.         }
  114.     }