
Untitled

a guest
Aug 23rd, 2018
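  // Login handler (excerpt): checks username, password and secret code, then
  // fills the session and redirects. The enclosing block opens above this
  // excerpt; $db, $set_branch, LoginLogger() and loginFailed() are defined
  // outside it.

  // Accept only string fields; a missing or array-valued field becomes ''.
  $login_username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
  $login_password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
  $login_secret_code = (isset($_POST['secret_code']) && is_string($_POST['secret_code'])) ? $_POST['secret_code'] : '';
  $login_ip_addr = $_SERVER['REMOTE_ADDR'];

  // Reject illegal usernames before any query runs. The allow-list already
  // excludes '<', '\' and quotes, so the username needs no further filtering.
  if (preg_match('/[^a-z_\-0-9]/i', $login_username)) {
      header('Location: /auth/signin.php?loginFailed=true&reason=username');
      exit;
  }

  // NOTE(review): password and secret code keep the previous normalisation so
  // they still match values that were presumably stored through the same calls
  // at signup (not visible here). These calls change secrets containing '<',
  // '\' or quotes and add no protection; remove them here and at signup together.
  $login_password = mysqli_real_escape_string($db, stripslashes(strip_tags($login_password)));
  $login_secret_code = mysqli_real_escape_string($db, stripslashes(strip_tags($login_secret_code)));

  // Fetch one row by username through a bound parameter instead of SQL built
  // from input. mysqli_stmt_get_result() needs the mysqlnd driver.
  $fetch_row = function ($sql) use ($db, $login_username) {
      $stmt = mysqli_prepare($db, $sql);
      if ($stmt === false) {
          return null;
      }
      $row = null;
      mysqli_stmt_bind_param($stmt, 's', $login_username);
      if (mysqli_stmt_execute($stmt)) {
          $result = mysqli_stmt_get_result($stmt);
          if ($result !== false) {
              $row = mysqli_fetch_array($result);
          }
      }
      mysqli_stmt_close($stmt);
      if (!is_array($row)) {
          return null;
      }
      // Prepared statements return native ints; cast back to strings so the
      // values have the same types mysqli_query() produced before.
      return array_map(function ($value) {
          return $value === null ? null : (string) $value;
      }, $row);
  };

  // Null-safe column read: a missing row or column yields null.
  $field = function ($row, $key) {
      return (is_array($row) && isset($row[$key])) ? $row[$key] : null;
  };

  $user_data = $fetch_row('SELECT * FROM web_users WHERE username = ? LIMIT 1');
  $auth_data = $fetch_row('SELECT * FROM web_users_authenticater WHERE username = ? LIMIT 1');

  // auth_data
  $auth_code = $field($auth_data, 'auth_code');

  // user_data
  $id = $field($user_data, 'id');
  $user_username = $field($user_data, 'username');
  $user_password = $field($user_data, 'password');
  $user_admin = $field($user_data, 'is_admin');
  $user_mod = $field($user_data, 'mod');
  $is_user = $field($user_data, 'user');
  $user_email = $field($user_data, 'email');
  $tokenid = $field($user_data, 'tokenid');
  $is_auth = $field($user_data, 'is_auth');
  $confirmed = $field($user_data, 'is_confirmed');
  $banned = $field($user_data, 'is_banned');
  $check_secret_code = $field($user_data, 'secret_code');

  // password_verify() returns a boolean; it never recovers the plaintext.
  // NOTE(review): an unknown username skips the hash check, so the response
  // time differs from a wrong password for an existing user.
  $password_ok = is_string($user_password) && password_verify($login_password, $user_password);

  // A stored code must exist and match exactly. The loose `==` used before
  // treated a missing auth row (null) as equal to an empty submitted code and
  // compared numeric-looking strings by value. hash_equals() is constant-time.
  // NOTE(review): accounts without an auth_code can no longer pass this check;
  // confirm that every account is meant to have one.
  $stored_code = ($auth_code === null) ? '' : (string) $auth_code;
  $code_ok = $stored_code !== '' && hash_equals($stored_code, $login_secret_code);

  if ($password_ok && $code_ok) {
      // The original statement was INSERT ... WHERE with an unset $username,
      // which MySQL rejects, so the address was never stored.
      $ip_stmt = mysqli_prepare($db, 'UPDATE `web_users` SET `user_ip` = ? WHERE username = ?');
      if ($ip_stmt !== false) {
          mysqli_stmt_bind_param($ip_stmt, 'ss', $login_ip_addr, $login_username);
          mysqli_stmt_execute($ip_stmt);
          mysqli_stmt_close($ip_stmt);
      }
      LoginLogger($login_username, $tokenid, $set_branch, $user_email, $login_ip_addr, $user_admin);

      // Account-state checks run before any session data is written, and every
      // redirect is followed by exit so nothing below it executes.
      if ((int) $confirmed === 0) {
          session_destroy();
          header('Location: /auth/signin.php?loginFailed=true&reason=not_confirmed');
          exit;
      }
      if ((int) $banned === 1) {
          session_destroy();
          header('Location: /auth/signin.php?loginFailed=true&reason=blocked');
          exit;
      }

      // Issue a fresh session id at login (session fixation) and clear role
      // flags left over from an earlier login in the same session.
      if (session_status() === PHP_SESSION_ACTIVE) {
          session_regenerate_id(true);
      }
      unset($_SESSION['user'], $_SESSION['admin'], $_SESSION['is_mod'], $_SESSION['email']);

      $_SESSION['username'] = $login_username;
      $_SESSION['id'] = $id;

      if ((int) $is_user === 1) {
          $_SESSION['user'] = 1;
          $_SESSION['email'] = $user_email;
      }
      if ((int) $user_admin === 1) {
          $_SESSION['admin'] = 1;
          $_SESSION['email'] = $user_email;
      }
      if ((int) $user_mod === 1) {
          $_SESSION['is_mod'] = 1;
          $_SESSION['email'] = $user_email;
      }

      // NOTE(review): the session already carries the username and role flags
      // when the user is sent to handshake.php; confirm that protected pages
      // check is_auth themselves.
      if ((int) $is_auth === 0) {
          header('Location: /auth/handshake.php?tokenid=' . urlencode((string) $tokenid));
          exit;
      }
      if ((int) $is_auth === 1) {
          header('Location: /gebruikers/profiel.php');
          exit;
      }
  } else {
      loginFailed($login_username, $tokenid, $set_branch, $user_email, $login_ip_addr, $user_admin);
      // The reason depends only on whether a code was submitted, never on
      // whether the password was right.
      // NOTE(review): 'LoginFailed' is capitalised differently from the other
      // redirects; kept as-is because signin.php is not visible here.
      if ($login_secret_code === '') {
          header('Location: /auth/signin.php?LoginFailed=true&reason=secret_code');
      } else {
          header('Location: /auth/signin.php?loginFailed=true&reason=check');
      }
      exit;
  }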
  99. }