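<?php

declare(strict_types=1);

/*
 * Login handler: reads email/password from the POST body, looks the account up
 * by email, verifies the legacy salted+peppered hash and, on success, starts an
 * authenticated session and redirects to the page for the user's type.
 */

session_start();

// Change this to your connection info to respective server.
// NOTE(review): these credentials are committed in source; load them from the
// environment or a config file outside the web root, and rotate them.
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'u299197478_groupx';
$DATABASE_PASS = 'Coursework69';
$DATABASE_NAME = 'u299197478_groupx';

// Try and connect. A single connection serves the whole script; the original
// opened a second one inside the lookup and then closed a variable that was
// undefined when the account did not exist.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if (mysqli_connect_errno()) {
    // If there is an error with the connection, stop the script and display the error.
    // NOTE(review): mysqli_connect_error() can reveal host/user details to the client;
    // consider logging it server-side and showing a generic message instead.
    exit('Failed to connect to MySQL: ' . mysqli_connect_error());
}

// Now we check if the data from the login form was submitted. Both values must be
// plain strings: a nested form field (email[]=...) would otherwise reach bind_param.
if (!isset($_POST['email'], $_POST['password'])
    || !is_string($_POST['email'])
    || !is_string($_POST['password'])
) {
    // Could not get the data that should have been sent.
    exit('Please fill both the username and password fields!');
}
$name = $_POST['email'];
$pwd = $_POST['password'];

// Prepare our SQL, to prevent SQL injection. One statement fetches everything the
// verification needs, so the submitted email never becomes part of the SQL text
// (the previous version concatenated it into a second, unparameterised query).
$stmt = $con->prepare('SELECT password, salt, typeuser FROM usernames WHERE email = ?');
if ($stmt === false) {
    $con->close();
    // Do not echo $con->error to the client; it would expose schema details.
    exit('Login is temporarily unavailable.');
}
// Email is a string so we use "s".
$stmt->bind_param('s', $name);
$stmt->execute();
// Store the result so we can check if the account exists in the database.
$stmt->store_result();

if ($stmt->num_rows > 0) {
    $stmt->bind_result($storedHash, $salt, $typeUser);
    $stmt->fetch();
    $stmt->close();

    // pepper.php is expected to define the `pepper` constant used by the hash scheme.
    require "pepper.php";

    // Account exists, now we verify the password.
    // Stored format is md5(password . salt . pepper); it is kept here only so that
    // existing accounts keep working. md5 is not a password hash — migrate to
    // password_hash()/password_verify() (rehash on successful login). hash_equals()
    // makes the comparison constant-time; the boolean result is the same as ===.
    $candidate = md5($pwd . (string) $salt . pepper);
    if (hash_equals((string) $storedHash, $candidate)) {
        // New session id on privilege change, so a pre-login id cannot be fixated.
        session_regenerate_id();
        $_SESSION['loggedin'] = TRUE;
        $_SESSION['name'] = $name;
        // Students and staff land on different pages. The fallback refresh header
        // now targets the same page as the immediate redirect (it used to point
        // staff at home.php while the script/meta redirect sent them to staffhome.php).
        $URL = ($typeUser === 'student') ? 'home.php' : 'staffhome.php';
        header('refresh:10;url=' . $URL);
        echo 'LOGIN SUCCESFULL';
        echo "<script type='text/javascript'>document.location.href='{$URL}';</script>";
        echo '<META HTTP-EQUIV="refresh" content="0;URL=' . $URL . '">';
    } else {
        // Wrong password: bounce to the error page.
        $URL = 'wrongPasswordLogin.html';
        echo "<script type='text/javascript'>document.location.href='{$URL}';</script>";
        echo '<META HTTP-EQUIV="refresh" content="0;URL=' . $URL . '">';
    }
} else {
    $stmt->close();
    // Unknown email. NOTE(review): answering differently here than for a wrong
    // password lets a client tell registered emails from unregistered ones;
    // consider the same response for both cases.
    header('Location: redirectCREATE.html');
}

$con->close();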