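// Updated, correct version of the login function
/**
 * Authenticate a user against the `users` table and record the session in `login`.
 *
 * @param string $username Username as submitted by the client (untrusted input).
 * @param string $password Plaintext password as submitted (untrusted); trimmed before hashing.
 * @param mysqli $mysqli   Open database connection.
 * @return bool true on a successful login; false when the user does not exist, the
 *              account is locked (see checkbrute), the password does not match, or
 *              the lookup statement could not be prepared.
 */
function login($username, $password, $mysqli)
{
    date_default_timezone_set('Europe/Bucharest');

    // Bind the username as a parameter. The original interpolated it into the query
    // string, so prepare() gave no protection against SQL injection at all.
    // The unused `privilages` column is no longer selected.
    $lookup = $mysqli->prepare('SELECT user_id, password, salt FROM users WHERE username = ?');
    if ($lookup === false) {
        // The original fell off the end here (returned null); false is equivalent to callers.
        return false;
    }
    $lookup->bind_param('s', $username);
    $lookup->execute();
    $lookup->store_result();

    if ($lookup->num_rows != 1) {
        // No user exists (or the username is ambiguous).
        $lookup->close();
        return false;
    }

    // Get variables from result only once we know a row is there.
    $lookup->bind_result($user_id, $db_password, $salt);
    $lookup->fetch();
    $lookup->close();

    // Hash the password with the unique salt. The scheme (sha512 over password . salt)
    // is kept because the stored hashes depend on it; moving to password_hash()/
    // password_verify() would need a rehash-on-login migration.
    $password = hash('sha512', trim($password) . $salt);

    // If the user exists we check if the account is locked from too many login attempts.
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked.
        // TODO: send an email to the user saying their account is locked.
        return false;
    }

    // Constant-time comparison: `==` on hex digests is loosely typed (numeric-looking
    // strings such as "0e..." compare numerically) and leaks timing information.
    if (!hash_equals($db_password, $password)) {
        // Password is not correct. Recording the attempt in login_attempts was left
        // disabled in the original; if it is enabled, use a prepared INSERT.
        return false;
    }

    $date = date('Y-m-d H:i:s', time());
    $ip = $_SERVER['REMOTE_ADDR'];

    // If that user is not logged in already, log him; otherwise update the ip.
    $check = $mysqli->prepare('SELECT ip FROM login WHERE username = ?');
    $check->bind_param('s', $username);
    $check->execute();
    $check->store_result();
    $alreadyLoggedIn = $check->num_rows != 0;
    $check->close();

    if ($alreadyLoggedIn) {
        // The user is already logged on another pc: update the ip.
        $write = $mysqli->prepare('UPDATE login SET ip = ?, date = ? WHERE username = ?');
        $write->bind_param('sss', $ip, $date, $username);
    } else {
        $write = $mysqli->prepare('INSERT INTO login(ip, username, date) VALUES (?, ?, ?)');
        $write->bind_param('sss', $ip, $username, $date);
    }
    $write->execute();
    $write->close();

    // Login successful.
    return true;
}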