From 472e170f408e3d8d1db2eb066d445153aad55d73 Mon Sep 17 00:00:00 2001
From: adam <adam@>
Date: Fri, 29 Jan 2021 03:26:28 +0200
Subject: register and login looks ok

---
 php/database.php | 25 +++++++++++++------------
 php/login.php    | 25 +++++++++++++++++++++++++
 php/register.php | 27 +++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 12 deletions(-)
 create mode 100644 php/login.php
 create mode 100644 php/register.php

(limited to 'php')

diff --git a/php/database.php b/php/database.php
index 934aafa..ef2b825 100644
--- a/php/database.php
+++ b/php/database.php
@@ -26,7 +26,7 @@ require_once "misc.php";
 			}
 		}
 
-		/*returns false if this isn't a user, otherwise returns the userid*/
+		/*returns false if this isn't a user, otherwise returns the user*/
 		function get_user(string $user) 
 		{
 			$ret=new User;
@@ -53,24 +53,25 @@ require_once "misc.php";
 		function authenticate(string $user, string $password) 
 		{
 			$ret=new User;
-			global $password_hash_algo;
-			
-
 
-			$hashed_pass=password_hash($password,$password_hash_algo);
-			$prep=$this->pdo->prepare("select user_id,username,email from users where username=:username and password=:password");
+			$prep=$this->pdo->prepare("select user_id,username,email,password from users where username=:username");
 			$prep->bindParam(':username',$user);
-			$prep->bindParam(':password',$hashed_pass);
-
 			$prep->execute();
 
 			$hold=$prep->fetch(PDO::FETCH_ASSOC);
+
 			if($hold)
 			{
-				$ret->user_id=hold["user_id"];
-				$ret->username=hold["username"];
-				$ret->email_address["email"];
-				return $ret;
+				if(password_verify($password,$hold["password"]))
+				{
+					$ret->user_id=$hold["user_id"];
+					$ret->username=$hold["username"];
+					$ret->email_address=$hold["email"];
+					return $ret;
+				}else
+				{
+					return false;
+				}
 			}else
 			{
 				return false;
diff --git a/php/login.php b/php/login.php
new file mode 100644
index 0000000..e6d44dc
--- /dev/null
+++ b/php/login.php
@@ -0,0 +1,25 @@
+<?php
+require_once "user.php";
+require_once "database.php";
+require_once "misc.php";
+
+$username=$_POST["username"];
+$password=$_POST["password"];
+/*server side verification*/
+if(gettype($username)!="string" || gettype($password)!="string")
+{
+	die("You didn't specify the pass or the username");
+}
+
+$database=new Database();
+$user=$database->authenticate($username,$password);
+if(!$user)
+{
+	die("Password or username is incorrect");
+}
+
+echo "Username: {$user->username}\n";
+echo "Email: {$user->email_address}";
+
+
+?>
diff --git a/php/register.php b/php/register.php
new file mode 100644
index 0000000..b6b164c
--- /dev/null
+++ b/php/register.php
@@ -0,0 +1,27 @@
+<?php
+require_once "database.php";
+require_once "misc.php";
+require_once "configuration.php";
+
+$username=$_POST["username"];
+$password=$_POST["password"];
+$password2=$_POST["password2"];
+$email=$_POST["email"];
+
+/*check if we are given shady credentials*/
+if(!validate_credentials($username,$email,$password,$password2))
+{
+	error_log("Invalid registration that has probbably bypassed client side verification. This could be an attack!");
+	die();
+}
+$database= new Database;
+
+if($database->register_user($username,$password,$email))
+{
+	echo "registered";
+}else
+{
+	echo "didn't register";
+}
+
+?>
-- 
cgit v1.2.3