Diffstat (limited to 'php')
-rw-r--r--php/database.php25
-rw-r--r--php/login.php25
-rw-r--r--php/register.php27
3 files changed, 65 insertions, 12 deletions
diff --git a/php/database.php b/php/database.php
index 934aafa..ef2b825 100644
--- a/php/database.php
+++ b/php/database.php
@@ -26,7 +26,7 @@ require_once "misc.php";
}
}
- /*returns false if this isn't a user, otherwise returns the userid*/
+ /*returns false if this isn't a user, otherwise returns the user*/
function get_user(string $user)
{
$ret=new User;
@@ -53,24 +53,25 @@ require_once "misc.php";
function authenticate(string $user, string $password)
{
$ret=new User;
- global $password_hash_algo;
-
-
- $hashed_pass=password_hash($password,$password_hash_algo);
- $prep=$this->pdo->prepare("select user_id,username,email from users where username=:username and password=:password");
+ $prep=$this->pdo->prepare("select user_id,username,email,password from users where username=:username");
$prep->bindParam(':username',$user);
- $prep->bindParam(':password',$hashed_pass);
-
$prep->execute();
$hold=$prep->fetch(PDO::FETCH_ASSOC);
+
if($hold)
{
- $ret->user_id=hold["user_id"];
- $ret->username=hold["username"];
- $ret->email_address["email"];
- return $ret;
+ if(password_verify($password,$hold["password"]))
+ {
+ $ret->user_id=$hold["user_id"];
+ $ret->username=$hold["username"];
+ $ret->email_address=$hold["email"];
+ return $ret;
+ }else
+ {
+ return false;
+ }
}else
{
return false;
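Review bot: When no row matches the username, the `if($hold)` branch below `$hold=$prep->fetch(PDO::FETCH_ASSOC);` returns false without ever calling password_verify, so an unknown username answers measurably faster than a wrong password and that difference lets a client confirm which accounts exist. A constant-cost shape is to verify against a placeholder hash when the row is missing, e.g. `$stored = $hold ? $hold["password"] : $dummy_hash; // $dummy_hash: constructed once with password_hash(), not per request` followed by `if($hold && password_verify($password,$stored))`. The result of `$prep->execute()` is also unchecked, so with PDO in silent error mode a failed query falls through to fetch() and is reported to the caller as a wrong password. Since the lookup no longer uses `$password_hash_algo`, the successful-verify branch is the natural place for `password_needs_rehash($hold["password"], $password_hash_algo)` to migrate older hashes. The function's closing braces lie outside the hunk.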
diff --git a/php/login.php b/php/login.php
new file mode 100644
index 0000000..e6d44dc
--- /dev/null
+++ b/php/login.php
@@ -0,0 +1,25 @@
+<?php
+require_once "user.php";
+require_once "database.php";
+require_once "misc.php";
+
+$username=$_POST["username"];
+$password=$_POST["password"];
+/*server side verification*/
+if(gettype($username)!="string" || gettype($password)!="string")
+{
+ die("You didn't specify the pass or the username");
+}
+
+$database=new Database();
+$user=$database->authenticate($username,$password);
+if(!$user)
+{
+ die("Password or username is incorrect");
+}
+
+echo "Username: {$user->username}\n";
+echo "Email: {$user->email_address}";
+
+
+?>
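Review bot: The two `echo` lines at the end print `$user->username` and `$user->email_address` straight into the response, so any markup stored in those columns is rendered as HTML; wrap each value as `htmlspecialchars($user->username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `$_POST["username"]` and `$_POST["password"]` reads raise an "Undefined array key" warning on PHP 8 before the `gettype` check rejects the resulting null; `$username=$_POST["username"] ?? null;` together with `if(!is_string($username) || !is_string($password))` gives the same outcome without the warning. Nothing after a successful `authenticate` records the login (no `session_start()` or session value is set), so this page only confirms the credentials — presumably intended at this stage, but a comment saying so would help the next reader. The trailing `?>` can emit stray whitespace after the response and is conventionally omitted in PHP-only files.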
diff --git a/php/register.php b/php/register.php
new file mode 100644
index 0000000..b6b164c
--- /dev/null
+++ b/php/register.php
@@ -0,0 +1,27 @@
+<?php
+require_once "database.php";
+require_once "misc.php";
+require_once "configuration.php";
+
+$username=$_POST["username"];
+$password=$_POST["password"];
+$password2=$_POST["password2"];
+$email=$_POST["email"];
+
+/*check if we are given shady credentials*/
+if(!validate_credentials($username,$email,$password,$password2))
+{
+ error_log("Invalid registration that has probbably bypassed client side verification. This could be an attack!");
+ die();
+}
+$database= new Database;
+
+if($database->register_user($username,$password,$email))
+{
+ echo "registered";
+}else
+{
+ echo "didn't register";
+}
+
+?>
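Review bot: The four `$_POST[...]` reads at the top of the file dereference keys that may be absent, which on PHP 8 logs an "Undefined array key" warning and hands `null` to `validate_credentials`; if that function (in misc.php, not in this diff) declares `string` parameters, the call raises a TypeError before the "shady credentials" branch runs. Reading them as `$username=$_POST["username"] ?? '';` (and likewise for the other three) keeps the intended validation path. A false return from `register_user` is reported only as "didn't register" with no `error_log`, so database errors and duplicate usernames are indistinguishable in the logs; a log line in the else branch would help. Minor: "probbably" in the `error_log` message.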