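-- Account table backing the login form. The PHP login code looks rows up by
-- username alone and checks the password with password_verify(), so the name
-- must be unique and the password column stores a hash, never cleartext.
CREATE TABLE users(
    id INT AUTO_INCREMENT,
    username VARCHAR(50) NOT NULL,
    -- password_hash() output (bcrypt today is 60 chars); 255 leaves room for
    -- the longer digests PASSWORD_DEFAULT may switch to in later PHP versions.
    password VARCHAR(255) NOT NULL,
    PRIMARY KEY(id),
    -- one account per name: without this, two rows could share a username and
    -- the single-row fetch at login would silently pick one of them.
    CONSTRAINT users_username_uq UNIQUE(username)
);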
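<?php
// connection.php: builds the shared $conn PDO handle used by the login code.
// The charset goes in the DSN rather than a SET NAMES init command so that PDO
// itself knows the connection encoding; utf8mb4 is MySQL's full-range UTF-8
// ("utf8" there is the 3-byte subset).
$dsn = 'mysql:host=localhost;dbname=educate;charset=utf8mb4'; //Data source Name
// Credentials: a dedicated, least-privilege account in a config file outside the
// web root is preferable to root with an empty password in source.
$username = 'root';
$password = '';
$options = array(
    // Throw on SQL errors instead of returning false from prepare()/execute(),
    // so a failed query cannot be mistaken for "no rows".
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements; the placeholders in the login
    // query are then bound by the driver rather than spliced in client-side.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
);
$conn = new PDO($dsn, $username, $password, $options);
// No closing ?> tag: trailing whitespace after it would be sent as output and
// break the header() redirects in the files that require this one.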
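<?php
// login.php: authenticates a POSTed username/password against the users table
// and starts a session on success. Sets $message for the form below on failure.
session_start();
// Already signed in: redirect. exit stops the rest of the script (and the HTML
// form after it) from being emitted behind the redirect header.
if(!empty($_SESSION['username'])) {
    header('location:plan.php');
    exit;
}
require 'connection.php';
if(isset($_POST['login'])) {
    // Only accept scalar strings; a crafted request can submit an array here,
    // which password_verify() would reject with an error rather than a false.
    $user = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
    $pass = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
    // Compare against '' rather than empty(): the username "0" is a valid field.
    if($user === '' || $pass === '') {
        $message = 'All field are required';
    } else {
        // Look the account up by username only. The stored value is a
        // password_hash() digest, so the check happens in PHP with
        // password_verify(); the password is never compared in SQL.
        $query = $conn->prepare("SELECT username, password FROM users WHERE username=?");
        $query->execute(array($user));
        // fetch() returns false when there is no row; that is the portable
        // "no match" signal (rowCount() on a SELECT is driver-dependent).
        $row = $query->fetch(PDO::FETCH_ASSOC);
        if($row !== false && password_verify($pass, $row['password'])) {
            // New session id on privilege change so a pre-login id handed to the
            // browser by a third party is not promoted to an authenticated one.
            session_regenerate_id(true);
            $_SESSION['username'] = $user;
            header('location:plan.php');
            exit;
        } else {
            $message = "Username/Password is wrong";
        }
    }
}
?>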
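<!DOCTYPE html>
<html>
<head>
<!-- declare the page encoding so the browser agrees with the database connection -->
<meta charset="utf-8">
</head>
<body>
<?php
if(isset($message)) {
    // $message holds fixed strings set by the login code, but escaping on output
    // keeps this safe if it is ever assigned from request data.
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
?>
<form action="#" method="post">
Username: <input type="text" name="username" placeholder="username">
<br/><br/>
Password: <input type="password" name="password" placeholder="password">
<br/><br/>
<input type="submit" name="login" value="Login">
</form>
<!-- the original omitted </body> -->
</body>
</html>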
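<?php
// logout.php: ends the session and returns the browser to the login page.
session_start();
// session_destroy() alone removes only the server-side record; the browser
// still holds the id cookie and $_SESSION keeps its values for the rest of this
// request. Clear both so the old id is fully retired.
$_SESSION = array();
if(ini_get('session.use_cookies')) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
session_destroy();
header('location: login.php');
// nothing below the redirect should run or be sent
exit;
?>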
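<?php
// plan.php: landing page for signed-in users; anyone else is sent to login.php.
session_start();
if(isset($_SESSION['username'])) {
    // The username was taken verbatim from a POST field at login, so it is
    // untrusted markup-wise: escape it before echoing into the page.
    echo "Welcome <strong>".htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')."</strong><br/>";
} else {
    header('location: login.php');
    // Without exit the Logout link (and anything else after this block) is
    // still sent to the unauthenticated client behind the redirect header.
    exit;
}
?>
<a href="logout.php">Logout</a>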
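session_start();
// Already signed in: send to the landing page and stop; a header() redirect
// without exit lets the rest of the script keep running and emitting output.
if(!empty($_SESSION['username'])) {
    header('location:plan.php');
    exit;
}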
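<!-- Make user send request to your site without knowing (illustration of a cross-site request) -->
<img src="http://yoursite.com/plan.php?do=evil">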
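// Login-success branch: establish the authenticated session state.
// Fresh id on privilege change so an id planted before login is not reused.
session_regenerate_id(true);
$_SESSION['username'] = $user;
$_SESSION['valid_until'] = time() + 60*60; //1hr from now
// 32 bytes from the CSPRNG, hex-encoded: unguessable and safe to put in a
// header. random_bytes() needs PHP >= 7.0.
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// Browsers do not echo response headers back on later requests: the client
// must resend this value in the X-CSRF *request* header (or a hidden form
// field) for the check on the protected page to pass.
header("X-CSRF: $_SESSION[csrf_token]");
header('location:plan.php');
exit;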
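// Gate for a protected page: the session must be unexpired and the request
// must carry the CSRF token that was issued at login.
session_start();
$logged_in = false;
if(isset($_SESSION['username'])){
    // The original wrote `!$_SESSION['valid_until'] >= time()`; `!` binds
    // tighter than `>=`, so the expiry was never enforced. Compare directly.
    $not_expired = isset($_SESSION['valid_until']) && $_SESSION['valid_until'] >= time();
    $request_headers = apache_request_headers();
    $csrf = isset($request_headers["X-CSRF"])? $request_headers["X-CSRF"] : null;
    // hash_equals() compares in constant time and requires two strings, hence
    // the is_string() guard for a missing header.
    $csrf_ok = is_string($csrf) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $csrf);
    // The original never set $logged_in to true, so every request was blocked.
    $logged_in = $not_expired && $csrf_ok;
}
if($logged_in){/*give access*/}
else{/*block access*/}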
// "Before" snippet: the query binds the submitted password as a value, so it is
// safe from SQL injection, but it only works if the users table stores
// passwords in cleartext, which exposes every account if the table leaks.
$user = $_POST['username'];
$pass = $_POST['password'];
...
// Matching the password inside SQL is what forces cleartext storage; the fix
// is to select by username only and verify a stored hash in PHP.
$query = $conn->prepare("SELECT username, password FROM users WHERE
username=? AND password=? ");
$query->execute(array($user,$pass));
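// Registration side: password_hash() salts and digests the cleartext; store
// this value in users.password. It is not needed at login, since each call
// produces a new salt and the result never equals the stored digest.
$password = password_hash($_POST['password'],PASSWORD_DEFAULT);
// Login side: select by username only; the stored digest is checked in PHP.
$query = $conn->prepare("SELECT username, password FROM users WHERE username=?");
$query->execute(array($_POST['username']));
// fetch() returns false for no match, which is more portable than rowCount()
// on a SELECT.
$row = $query->fetch(PDO::FETCH_ASSOC);
$db_pass = ($row !== false) ? $row['password'] : '';
if($row !== false && password_verify($_POST['password'],$db_pass)){
    //credentials are correct
}else{/*user unknown or password incorrect*/}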