1 | //Inserisco i dati nel DB | |
2 | $nome = $_GET['nome']; | |
3 | $cognome = $_GET['cognome']; | |
4 | $email = $_GET['email']; | |
5 | $username = $_GET['username']; | |
6 | $password = $_GET['password']; | |
7 | $hash = password_hash($password, PASSWORD_BCRYPT); | |
8 | $sql = "INSERT INTO clienti (nome, cognome, email, username, password) | |
9 | VALUES (:nome, :cognome, :email, :username, :password)"; | |
10 | $req = $dbh->prepare($sql); | |
11 | $req->execute( | |
12 | array( | |
13 | ":nome" => $nome, | |
14 | ":cognome" => $cognome, | |
15 | ":email" => $email, | |
16 | ":username" => $username, | |
17 | ":password" => $hash, | |
18 | ) | |
19 | ); | |
20 | ||
21 | ||
22 | ||
23 | //login | |
24 | ||
25 | require_once 'includes/connect-db.php'; | |
26 | ||
27 | session_start(); | |
28 | $_SESSION['loggato'] = false; | |
29 | ||
30 | - | $username = $_REQUEST['username']; |
30 | + | // non utilizzare mai $_REQUEST |
31 | - | $password = $_REQUEST['password']; |
31 | + | $username = $_POST['username']; |
32 | $password = $_POST['password']; | |
33 | - | $sql = "SELECT * FROM clienti WHERE username = :username AND password = :password"; |
33 | + | |
34 | $sql = "SELECT password FROM clienti WHERE username = :username"; | |
35 | $req = $dbh->prepare($sql); | |
36 | ||
37 | $req->execute( | |
38 | - | ":username" => $_REQUEST['username'], |
38 | + | |
39 | - | ":password" => $_REQUEST['password'] |
39 | + | ":username" => $username |
40 | ) | |
41 | ); | |
42 | ||
43 | $utente = $req->fetch(PDO::FETCH_ASSOC); | |
44 | ||
45 | - | if($utente != null) { |
45 | + | if(isset($utente['password']) && password_verify($password, $utente['password'])) { |
46 | $_SESSION['loggato'] = true; | |
47 | - | $_SESSION['utente'] = $utente; |
47 | + | $_SESSION['utente'] = $username; // inserisci solo la username e non la password in sessione |
48 | Header('Location: index.php'); | |
49 | } else { | |
50 | Header('Location: login.php?error=true'); | |
51 | } |
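Review bot: The successful-login branch at `$_SESSION['loggato'] = true;` keeps whatever session id the client arrived with, so an id planted before authentication (session fixation) stays valid afterwards; make `session_regenerate_id(true);` the first statement of that branch. Both `Header('Location: …')` calls should be followed by `exit;`, otherwise any code after this snippet keeps executing for the unauthenticated request. When the username does not exist, `password_verify` is skipped entirely, so the response time differs from the wrong-password case and can be used to enumerate valid usernames; verifying against a fixed dummy bcrypt hash in that branch closes the gap. The registration code at the top, untouched by this diff, still reads the password from `$_GET`, which puts it in the URL, browser history and server logs, so it should move to `$_POST` as well.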