User Login Script

a guest
Jul 4th, 2016
147
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.60 KB | None | 0 0
  1. <?php
  2. if(isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response'])):
  3. //your site secret key
  4. $secret = '6LfqLSMTAAAAABFcgM8H4ViMHT2WKsKegH8A8bkB';
  5. //get verify response data
  6. $verifyResponse = file_get_contents('https://www.google.com/recaptcha/api/siteverify?secret='.$secret.'&response='.$_POST['g-recaptcha-response']);
  7. $responseData = json_decode($verifyResponse);
  8. if($responseData->success):
  9.  
  10. // First we execute our common code to connection to the database and start the session
  11. require("common.php");
  12.  
  13. if(isset($_SESSION['user']))
  14. {
  15. // If they are not, we redirect them to the login page.
  16. header("Location: ../dashboard");
  17.  
  18. // Remember that this die statement is absolutely critical. Without it,
  19. // people can view your members-only content without logging in.
  20. die("You are already logged in! Redirecting to Dashboard...");
  21. }
  22.  
  23. // This variable will be used to re-display the user's username to them in the
  24. // login form if they fail to enter the correct password. It is initialized here
  25. // to an empty value, which will be shown if the user has not submitted the form.
  26. $submitted_username = '';
  27.  
  28. // This if statement checks to determine whether the login form has been submitted
  29. // If it has, then the login code is run, otherwise the form is displayed
  30. if(!empty($_POST))
  31. {
  32.  
  33. // This query retreives the user's information from the database using
  34. // their username.
  35. $query = "
  36. SELECT
  37. id,
  38. username,
  39. password,
  40. salt,
  41. email
  42. FROM users
  43. WHERE
  44. username = :username
  45. ";
  46.  
  47. // The parameter values
  48. $query_params = array(
  49. ':username' => $_POST['username']
  50. );
  51.  
  52. try
  53. {
  54. // Execute the query against the database
  55. $stmt = $db->prepare($query);
  56. $result = $stmt->execute($query_params);
  57. }
  58. catch(PDOException $ex)
  59. {
  60. // Note: On a production website, you should not output $ex->getMessage().
  61. // It may provide an attacker with helpful information about your code.
  62. die("Failed to run query: " . $ex->getMessage());
  63. }
  64.  
  65. // This variable tells us whether the user has successfully logged in or not.
  66. // We initialize it to false, assuming they have not.
  67. // If we determine that they have entered the right details, then we switch it to true.
  68. $login_ok = false;
  69.  
  70. // Retrieve the user data from the database. If $row is false, then the username
  71. // they entered is not registered.
  72. $row = $stmt->fetch();
  73. if($row)
  74. {
  75. // Using the password submitted by the user and the salt stored in the database,
  76. // we now check to see whether the passwords match by hashing the submitted password
  77. // and comparing it to the hashed version already stored in the database.
  78. $check_password = hash('sha256', $_POST['password'] . $row['salt']);
  79. for($round = 0; $round < 65536; $round++)
  80. {
  81. $check_password = hash('sha256', $check_password . $row['salt']);
  82. }
  83.  
  84. if($check_password === $row['password'])
  85. {
  86. // If they do, then we flip this to true
  87. $login_ok = true;
  88. }
  89. }
  90.  
  91. // If the user logged in successfully, then we send them to the private members-only page
  92. // Otherwise, we display a login failed message and show the login form again
  93. if($login_ok)
  94. {
  95. // Here I am preparing to store the $row array into the $_SESSION by
  96. // removing the salt and password values from it. Although $_SESSION is
  97. // stored on the server-side, there is no reason to store sensitive values
  98. // in it unless you have to. Thus, it is best practice to remove these
  99. // sensitive values first.
  100. unset($row['salt']);
  101. unset($row['password']);
  102.  
  103. // This stores the user's data into the session at the index 'user'.
  104. // We will check this index on the private members-only page to determine whether
  105. // or not the user is logged in. We can also use it to retrieve
  106. // the user's details.
  107. $_SESSION['user'] = $row;
  108.  
  109. // This creates a log of the login action.
  110.  
  111. $query = "
  112. INSERT INTO logs (
  113. type,
  114. user,
  115. ip
  116. ) VALUES (
  117. :type,
  118. :user,
  119. :ip
  120. )
  121. ";
  122.  
  123. // Here we prepare our tokens for insertion into the SQL query.
  124. $query_params = array(
  125. ':type' => "User Login",
  126. ':user' => $_POST['username'],
  127. ':ip' => $_SERVER['REMOTE_ADDR']
  128. );
  129.  
  130. try
  131. {
  132. // Execute the query to create the blog post
  133. $stmt = $db->prepare($query);
  134. $result = $stmt->execute($query_params);
  135. }
  136. catch(PDOException $ex)
  137. {
  138. // Note: On a production website, you should not output $ex->getMessage().
  139. // It may provide an attacker with helpful information about your code.
  140. die("Failed to run query: " . $ex->getMessage());
  141. }
  142.  
  143. // Redirect the user to the Dashboard page.
  144. header("Location: ../dashboard");
  145. die("Redirecting to Dashboard...");
  146. }
  147. else
  148. {
  149. // Tell the user they failed
  150. header("Location: ../login.php?badlogin");
  151. die("Login Failed - Please try again...");
  152.  
  153. // Show them their username again so all they have to do is enter a new
  154. // password. The use of htmlentities prevents XSS attacks. You should
  155. // always use htmlentities on user submitted values before displaying them
  156. // to any users (including the user that submitted them). For more information:
  157. // http://en.wikipedia.org/wiki/XSS_attack
  158. $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
  159. }
  160. }
  161. endif;
  162. endif;
  163.  
  164. header("Location: ../login.php?badlogin");
  165. die("The Recaptcha was entered incorrectly.");
  166. ?>