Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- session_start();
- // To log into the database
- $dbuser = "t2015t16";
- $dbpass = "7Badeore";
- // For creating/using database
- $dbname = "t2015t16";
- $serverLoc = "homepages.cs.ncl.ac.uk:3306";
- // Connect to database with these parameters
- // If fail, display message
- $connect = mysql_connect("homepages.cs.ncl.ac.uk", $dbuser, $dbpass) or die("Connection to database failed");
- // Use database with name $dbname if fail display message.
- // period ( . ) is used for string concatenation(spelling?)
- mysql_select_db($dbname, $connect) or die($dbname . " database not found " . $dbuser);
- @$username="$_POST[userName]";
- @$password="$_POST[userPassword]";
- $sql = '
- SELECT
- U.userPassword
- FROM cf_users U
- WHERE U.userName = "' . mysql_real_escape_string($username) . '"
- LIMIT 1
- ;';
- $r = mysql_fetch_assoc(mysql_query($sql));
- $sql = '
- SELECT
- U.userSalt
- FROM cf_users U
- WHERE U.userName = "' . mysql_real_escape_string($username) . '"
- LIMIT 1
- ;';
- $r2 = mysql_fetch_assoc(mysql_query($sql));
- // Get salt
- $salt = $r2['userSalt'];
- $hash = $salt . $password; //Passwords are stored as a salt appended to the hash of the users password (it is hashed clientside before being sent, so no hashing of password is done here)
- // Hash the password as we did before
- $hash = hash('sha256', $hash);
- if ( $hash == $r['userPassword'] )
- {
- $_SESSION["username"]=$username;
- $sql = '
- SELECT
- U.userID, U.departmentID, U.position, U.accessLevel
- FROM cf_users U
- WHERE U.userName = "' . mysql_real_escape_string($username) . '"
- LIMIT 1
- ;';
- $r2 = mysql_fetch_assoc(mysql_query($sql));
- echo "userID=$r2[userID]&departmentID=$r2[departmentID]&position=$r2[position]&accessLevel=$r2[accessLevel]&sid=".session_id()."&questionnaireComp=".questionnaireCompleted();
- } else
- {
- echo "INVALID_LOGIN";
- }
- mysql_close($connect);
- function questionnaireCompleted()
- {
- $sql = '
- SELECT
- U.postCode
- FROM cf_users U
- WHERE U.userName = "' . mysql_real_escape_string($_POST['userName']) . '"
- LIMIT 1
- ;';
- $r1 = mysql_fetch_assoc(mysql_query($sql));
- if($r1['postCode']=="")
- {
- return "false";
- } else
- {
- return "true";
- }
- }
- ?>
Add Comment
Please, Sign In to add comment