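", print_r($_POST, true), "";
// NOTE(review): the statement above dumps the raw $_POST array into the
// response body.  On a login page that means the submitted password is echoed
// back in the HTML source.  It is debugging output; remove it before deploying.

#------------------------
# Already logged in?  A non-empty sessionID cookie sends the visitor straight
# to the menu.  Only the cookie's presence is checked here; validating it
# against the stored session is left to menu.php.
#------------------------
$tempID     = isset($_COOKIE['sessionID'])  ? $_COOKIE['sessionID']  : null;
$first_name = isset($_COOKIE['first_name']) ? $_COOKIE['first_name'] : null;
if (!empty($tempID)) {
    redirect_user("menu.php");
    exit();
}

#------------------------
# Log existing user into system
#------------------------
// $match becomes 1 only after the submitted email/password pair has been
// verified against the users table; it stays 0 otherwise.
$match = 0;

// Error messages collected along the way; the form below prints them.
$error = array();

// Presence checks.  They are skipped on the very first page load (nothing
// submitted yet, $submittedForm == 0) so the visitor is not scolded before
// typing anything.
// Note: empty() also treats the string "0" as missing; kept as-is so the
// behaviour matches the rest of the page.
if (empty($e) AND $submittedForm != 0) {
    $error[] = "Please enter your email address to login.";
    $match = 0;
}
if (empty($p) AND $submittedForm != 0) {
    $error[] = "Please enter your password.";
    $match = 0;
}

// Both fields present: look the email up and check the password.
if (!empty($e) AND !empty($p) AND $submittedForm != 0) {

    // Database access details.
    // NOTE(review): credentials are hard-coded in the page source.  Move them
    // to a config file outside the web root (or to the environment) so a
    // source-disclosure bug or a stray backup copy of this file cannot leak them.
    define('DB_USER', 'rcfraley');
    define('DB_PASSWORD', '*PASSWORD*');
    define('DB_HOST', 'yourpersonality.netfirmsmysql.com');
    define('DB_NAME', 'ullman');

    // Connect; a failed connection aborts the page, as before.
    $dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
        OR die('Could not connect to MySQL: ' . mysqli_connect_error());

    // Surrounding whitespace in the email is not significant.  The value is
    // bound as a query parameter below, so it is no longer escaped here;
    // anything downstream that prints $e must escape it for its own context
    // (htmlspecialchars for HTML).
    $e = trim($e);

    // Fetch the stored password hash, id and first name for this email.
    // A prepared statement keeps the user-supplied email out of the SQL text
    // entirely, instead of relying on mysqli_real_escape_string (which is only
    // reliable once the connection charset has been set explicitly).
    $q    = "SELECT pass, user_id, first_name FROM users WHERE email=?";
    $stmt = mysqli_prepare($dbc, $q);

    // 1 once at least one row came back for the email.
    $does_email_exist = 0;

    if ($stmt === false
        || !mysqli_stmt_bind_param($stmt, 's', $e)
        || !mysqli_stmt_execute($stmt)
        || !mysqli_stmt_store_result($stmt)) {
        // The original fell through to mysqli_num_rows() on a failed query
        // result; the lookup is skipped entirely on failure now.
        $error[] = "Error querring the database. Please contact the site administrator.";
    } else {
        $num = mysqli_stmt_num_rows($stmt);

        if ($num > 0) {
            $does_email_exist = 1;

            mysqli_stmt_bind_result($stmt, $storedHash, $rowId, $rowFirstName);

            // Loop in case more than one row comes back, although only one should.
            while (mysqli_stmt_fetch($stmt)) {
                // users.pass holds SHA1(password) as a hex string.
                // hash_equals() compares the two digests byte-for-byte in
                // constant time.  The original `==` was a loose comparison:
                // two different hex digests of the form "0e<digits>" are both
                // numeric strings equal to 0, so a crafted password whose SHA1
                // has that shape would be accepted against an unrelated stored
                // hash of the same shape.
                // NOTE(review): unsalted SHA1 is not a suitable password hash.
                // Moving to password_hash()/password_verify() changes the stored
                // format and is out of scope for this page alone.
                $candidate = sha1($p);
                if (hash_equals((string) $storedHash, $candidate)) {
                    $pp    = $candidate;
                    $match = 1;
                    $id    = $rowId;
                    $fn    = $rowFirstName;
                } else {
                    $error[] = "The password is not correct. Please make sure you have typed it correctly.";
                    $match = 0;
                }
            }
        }

        mysqli_stmt_close($stmt);

        // NOTE(review): separate "no such email" / "wrong password" messages let
        // an attacker enumerate registered addresses; a single generic message
        // is the usual recommendation.  The wording is left unchanged here.
        if ($does_email_exist == 0) {
            $error[] = "The email you entered does not exist in our database. Please check to see that you entered your email correctly. 
If you would like to create a new account, please choose the Create new account option.";
        }
    }
}

if ($match == 0) {
    // Include external style sheet
    print " ";
    // Create a form to collect email (email) and password (password) from user.
    print "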
"; print ""; print ""; print "
"; print "
Welcome to our class webpage!

My e-mail address is:

My password is:
"; // Print any error messages that we have from previous submits and database queries if(!empty($error)){ print "

The following errors occurred:
"; foreach($error as $msg){ print "
    $msg
"; } print "
"; } // Let's keep a counter for the numebr of submits. // We might want to use this in the future to limit the number of times // a person can submit the form before being turned away for security // purposes. For now, however, we will simply use it to make sure // we're not giving "you didn't enter your email" errors the first time // the user loads the page. $submittedForm = $submittedForm + 1; print "
"; print "

"; print "Create an account         "; print "Forgot password"; print "
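"; } // end match == 0

/* ---------------------------------------------------------
   Successful login ($match == 1): mint a fresh session token, record it
   against the user's row in the database, hand it to the browser as
   cookies, and send the user on to the menu page.
   --------------------------------------------------------- */
if ($match == 1) {

    /**
     * Build a random string of $length characters drawn from $charset.
     *
     * The result is used as the login session token, i.e. a bearer
     * credential, so characters are chosen with random_int() (CSPRNG,
     * PHP 7+) instead of mt_rand(): Mersenne Twister output can be
     * predicted after observing a handful of values, which would let an
     * attacker forge another user's session cookie.
     *
     * @param int    $length  number of characters to produce
     * @param string $charset alphabet to draw from (default: [A-Za-z0-9])
     * @return string
     */
    function randString($length, $charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789') {
        $str   = '';
        $count = strlen($charset);
        while ($length--) {
            $str .= $charset[random_int(0, $count - 1)];
        }
        return $str;
    }

    // 20 characters from a 62-symbol alphabet: about 119 bits of entropy.
    $sessionID = randString(20);

    // Store the token on the user's row.  Both values are bound rather than
    // interpolated; $id comes from the database, but binding costs nothing
    // and keeps the SQL text free of variables.
    $q    = "UPDATE users SET session=? WHERE user_id=? LIMIT 1";
    $stmt = mysqli_prepare($dbc, $q);
    $r    = false;
    if ($stmt !== false) {
        $uid = (int) $id;
        $r = mysqli_stmt_bind_param($stmt, 'si', $sessionID, $uid)
            && mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }

    if ($r) {
        // Send the Secure flag only when this request itself arrived over TLS;
        // otherwise the browser would discard the cookie and the login would
        // never "stick" on a plain-HTTP deployment.
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

        // user_id and sessionID are presumably what menu.php checks, so both
        // are marked HttpOnly (unreadable from script, which blunts session
        // theft through XSS).  first_name is display-only and is left readable
        // in case client-side code uses it.  No expiry: session cookies, as before.
        setcookie('user_id', $id, 0, '', '', $secure, true);
        setcookie('first_name', $fn, 0, '', '', $secure, false);
        setcookie('sessionID', $sessionID, 0, '', '', $secure, true);

        // NOTE(review): whether redirect_user() exits is not visible here; the
        // cookie-check branch at the top of the page calls exit() after it.
        redirect_user("menu.php");
    } else {
        print "Error querring database. Please contact the site administrator.
";
    }

    mysqli_close($dbc); // Close the database connection.
} # end if match == 1
?>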