Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // Updated, correct version of the login function
- function login($username, $password, $mysqli) {
- date_default_timezone_set('Europe/Bucharest');
- // Using prepared statements means that SQL injection is not possible.
- if ($stmt = $mysqli->prepare("SELECT user_id, password, salt, privilages
- FROM users
- WHERE username = '$username'")) {
- // Execute the prepared query.
- $stmt->execute();
- $stmt->store_result();
- // Get variables from result.
- $stmt->bind_result($user_id, $db_password, $salt, $privilage);
- $stmt->fetch();
- // Hash the password with the unique salt.
- $password = trim($password);
- $password = hash('sha512', $password . $salt);
- if ($stmt->num_rows == 1) {
- // If the user exists we check if the account is locked
- // from too many login attempts
- if (checkbrute($user_id, $mysqli) == true) {
- // Account is locked
- // Send an email to user saying their account is locked
- return false;
- } else {
- // Check if the password in the database matches
- // the password the user submitted.
- if ($db_password == $password) {
- // Password is correct!
- // Get the user-agent string of the user.
- $user_browser = $_SERVER['HTTP_USER_AGENT'];
- // XSS protection as we might print this value
- $user_id = preg_replace("/[^0-9]+/", "", $user_id);
- $_SESSION['user_id'] = $user_id;
- // XSS protection as we might print this value
- $username = preg_replace("/[^a-zA-Z0-9_\-]+/",
- "",
- $username);
- $_SESSION['username'] = $username;
- $_SESSION['privilages'] = $privilages;
- $_SESSION['login_string'] = hash('sha512',
- $password . $user_browser);
- // Login successful.
- return true;
- } else {
- // Password is not correct
- // We record this attempt in the database
- $now = time();
- return false;
- }
- }
- } else {
- // No user exists.
- return false;
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
