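<?php
// Sign-in page.
//
// What this script does:
// - if $_SESSION['loggedInSkeleton'] is already set, it tells the visitor so and points them at sign_out.php
// - if the sign-in form was submitted, it looks the credentials up in the `users` table using a prepared
//   statement (the submitted values are bound as data, never spliced into the SQL text) and, on a match,
//   sets $_SESSION['loggedInSkeleton'] = true and $_SESSION['username']; the other scripts check that flag
// - otherwise it shows the sign-in form
//
// Other notes:
// - client-side validation uses "password"/"text" inputs with "required"/"maxlength" (it cannot be relied on)
// - sanitise() and validateString() come from helper.php (included via header.php); validateString() returns
//   an empty string when the value is valid, otherwise a help message that is shown next to the field
// - $dbhost, $dbuser, $dbpass and $dbname are expected to be defined by header.php, as in the original script
//
// NOTE(review): the `users` table is assumed to hold the password in clear text (the original comments mention
// VARCHAR(16)), so the query compares it directly; a hashed column checked with password_verify() would be the
// safer schema, but that needs a table change this script cannot make on its own.
require_once "header.php";

// default values we show in the form:
$username = "";
$password = "";
// validation help messages (empty when the field is valid):
$username_errors = "";
$password_errors = "";
// should we show the sign-in form:
$show_signin_form = false;
// message to output to the user:
$message = "";

if (isset($_SESSION['loggedInSkeleton'])) {
    // already signed in: nothing to do but offer the sign-out link
    echo <<<_END
<div class="loginDialog"><fieldset><legend><h2>Already Logged In</h2></legend>
<table align="center" border="2" cellpadding="2"><tr><td>
<br>You are already logged in, please <a href="sign_out.php">log out</a> first.<br><br><br>
</td></tr></table></fieldset></div>
_END;
    echo "<br>";
} elseif (isset($_POST['username'])) {
    // the form was submitted: check the credentials against the database
    $connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
    if (!$connection) {
        // the original read the undefined variable $mysqli_connect_error here; the detail now goes to the
        // server log and the visitor only sees a generic message
        error_log("sign_in.php: connection failed: " . mysqli_connect_error());
        die("Connection failed");
    }
    // raw submissions: these are what get bound to the query below, so no SQL escaping is applied to them.
    // The default keeps the script working if the password field is missing from the POST body.
    $raw_username = (string) ($_POST['username'] ?? '');
    $raw_password = (string) ($_POST['password'] ?? '');
    // SANITISATION (see helper.php): the sanitised copies are what we validate, display and store in the
    // session, as before. They are NOT used in the query: if sanitise() escapes for SQL (its connection
    // argument suggests it does), passing its output to a bound parameter would double-escape the value.
    $username = sanitise($raw_username, $connection);
    $password = sanitise($raw_password, $connection);
    // VALIDATION (see helper.php): both strings must be 1..16 characters long
    // (no empty credentials, and the table column is VARCHAR(16))
    $username_errors = validateString($username, 1, 16);
    $password_errors = validateString($password, 1, 16);
    // only go to the database when every field validated:
    if ($username_errors . $password_errors === "") {
        $n = 0;
        $statement = mysqli_prepare(
            $connection,
            "SELECT username FROM users WHERE username = ? AND password = ?"
        );
        if ($statement === false) {
            // a failed prepare/execute is treated as "no match" for the visitor; the reason is logged
            error_log("sign_in.php: prepare failed: " . mysqli_error($connection));
        } else {
            mysqli_stmt_bind_param($statement, "ss", $raw_username, $raw_password);
            if (mysqli_stmt_execute($statement)) {
                mysqli_stmt_store_result($statement);
                $n = mysqli_stmt_num_rows($statement);
            } else {
                error_log("sign_in.php: execute failed: " . mysqli_stmt_error($statement));
            }
            mysqli_stmt_close($statement);
        }
        // NOTE: the hard-coded admin/secret branch that used to fake a match at this point has been removed;
        // every sign-in now has to match a row in the users table
        if ($n > 0) {
            // issue a fresh session id on sign-in so an id handed out before login cannot be reused;
            // header.php is assumed to have started the session, hence the status check
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            // record the successful login and the username for the other scripts:
            $_SESSION['loggedInSkeleton'] = true;
            $_SESSION['username'] = $username;
            // the username is user-controlled, so HTML-escape it before it goes into the page:
            $safe_username = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $message = "Hi, $safe_username, you have successfully logged in, please <a href='account.php'>click here</a><br>";
        } else {
            // no matching credentials: redisplay the form with a failure message
            $show_signin_form = true;
            $message = "Sign in failed, please try again<br>";
        }
    } else {
        // validation failed: show the form again with the help messages
        $show_signin_form = true;
        $message = "Sign in failed, please check the errors shown above and try again<br>";
    }
    // finished with the database:
    mysqli_close($connection);
} else {
    // first visit: just show the form
    $show_signin_form = true;
}

if ($show_signin_form) {
    // POST is used so the password does not appear in the URL.
    // The username is HTML-escaped before being placed inside a value="" attribute; the submitted password is
    // deliberately not echoed back into the page (it would otherwise sit in the HTML source and any cache of it).
    $username_html = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo <<<_END
<form action="sign_in.php" method="post">
Please enter your username and password:<br>
Username: <input type="text" name="username" maxlength="16" value="$username_html" required> $username_errors
<br>
Password: <input type="password" name="password" maxlength="16" value="" required> $password_errors
<br>
<input type="submit" value="Submit">
</form>
_END;
}
// display our message to the user:
echo $message;
// finish off the HTML for this page:
require_once "footer.php";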