Diffstat (limited to 'php')
-rw-r--r-- | php/database.php | 25 | ||||
-rw-r--r-- | php/login.php | 25 | ||||
-rw-r--r-- | php/register.php | 27 |
3 files changed, 65 insertions, 12 deletions
diff --git a/php/database.php b/php/database.php
index 934aafa..ef2b825 100644
--- a/php/database.php
+++ b/php/database.php
@@ -26,7 +26,7 @@ require_once "misc.php"; } } - /*returns false if this isn't a user, otherwise returns the userid*/ + /*returns false if this isn't a user, otherwise returns the user*/ function get_user(string $user) { $ret=new User;
@@ -53,24 +53,25 @@ require_once "misc.php"; function authenticate(string $user, string $password) { $ret=new User; - global $password_hash_algo; - - - $hashed_pass=password_hash($password,$password_hash_algo); - $prep=$this->pdo->prepare("select user_id,username,email from users where username=:username and password=:password"); + $prep=$this->pdo->prepare("select user_id,username,email,password from users where username=:username"); $prep->bindParam(':username',$user); - $prep->bindParam(':password',$hashed_pass); - $prep->execute(); $hold=$prep->fetch(PDO::FETCH_ASSOC); + if($hold) { - $ret->user_id=hold["user_id"]; - $ret->username=hold["username"]; - $ret->email_address["email"]; - return $ret; + if(password_verify($password,$hold["password"])) + { + $ret->user_id=$hold["user_id"]; + $ret->username=$hold["username"]; + $ret->email_address=$hold["email"]; + return $ret; + }else + { + return false; + } }else { return false;
diff --git a/php/login.php b/php/login.php
new file mode 100644
index 0000000..e6d44dc
--- /dev/null
+++ b/php/login.php
@@ -0,0 +1,25 @@
+<?php
+require_once "user.php";
+require_once "database.php";
+require_once "misc.php";
+
+$username=$_POST["username"];
+$password=$_POST["password"];
+/*server side verification*/
+if(gettype($username)!="string" || gettype($password)!="string")
+{
+ die("You didn't specify the pass or the username");
+}
+
+$database=new Database();
+$user=$database->authenticate($username,$password);
+if(!$user)
+{
+ die("Password or username is incorrect");
+}
+
+echo "Username: {$user->username}\n";
+echo "Email: {$user->email_address}";
+
+
+?> 
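Review bot: In the new `authenticate` body, a username that does not exist returns `false` before `password_verify` is ever called, while a wrong password for an existing user pays the full hash cost, so the two failure paths are distinguishable by response time and the function should cost the same in both. The usual fix is to call `password_verify($password, $dummyHash)` against a constant, pre-computed hash in the no-row branch before returning `false` (the dummy hash would be a project constant, not shown here). The return value of `$prep->execute()` is also never checked, so a failed query is reported as a wrong password; consider setting `PDO::ERRMODE_EXCEPTION` on the connection or checking the result. The `else` branch that closes `authenticate` continues past the end of the hunk.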
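Review bot: `$_POST["username"]` and `$_POST["password"]` are read without checking that the keys exist, so a request missing either field raises an "Undefined array key" warning (PHP 8) before the `gettype` comparison rejects the resulting null; read them as `$username = $_POST['username'] ?? null;` and test with `if (!is_string($username) || !is_string($password))` rather than comparing `gettype` output. The same unguarded `$_POST` reads appear in `register.php`. The two `echo` lines print the username and e-mail straight from the database; if this script serves HTML they should pass through `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` on the way out. The trailing `?>` followed by whitespace is unnecessary in a PHP-only file and can emit stray output.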
diff --git a/php/register.php b/php/register.php
new file mode 100644
index 0000000..b6b164c
--- /dev/null
+++ b/php/register.php
@@ -0,0 +1,27 @@
+<?php
+require_once "database.php";
+require_once "misc.php";
+require_once "configuration.php";
+
+$username=$_POST["username"];
+$password=$_POST["password"];
+$password2=$_POST["password2"];
+$email=$_POST["email"];
+
+/*check if we are given shady credentials*/
+if(!validate_credentials($username,$email,$password,$password2))
+{
+ error_log("Invalid registration that has probbably bypassed client side verification. This could be an attack!");
+ die();
+}
+$database= new Database;
+
+if($database->register_user($username,$password,$email))
+{
+ echo "registered";
+}else
+{
+ echo "didn't register";
+}
+
+?>
|
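Review bot: When `validate_credentials` rejects the input the script calls `die()` with no body and no status code, so the client receives an HTTP 200 with empty content that reads as success and is hard to alert on from access logs; send an explicit status first, e.g. `http_response_code(400); die();`. The `error_log` message also misspells "probbably". Whether `validate_credentials` tolerates a `null` argument (which `$_POST["password2"]` yields when the field is absent) cannot be seen here; if its parameters are declared `string`, a missing field becomes an uncaught `TypeError` instead of the logged rejection, so the `$_POST` reads should default with `?? ''` or be validated with `is_string` before the call.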