debug = false; $resendActivation = false; if($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['login']) && $_POST['login'] == 'loginnow') { $errors = array(); $username = trim($_POST["username"]); $password = trim($_POST["password"]); $remember_choice = trim($_POST["remember_me"]); if($username == "") { $errors[] = lang("ACCOUNT_SPECIFY_USERNAME"); } if($password == "") { $errors[] = lang("ACCOUNT_SPECIFY_PASSWORD"); } if(count($errors) == 0) { //A security note here, never tell the user which credential was incorrect if(!usernameExists($username)) { $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID"); } else { $userdetails = fetchUserDetails($username); //See if the user's account is activation if($userdetails["active"]==0) { $resendActivation = true; $errors[] = lang("ACCOUNT_INACTIVE"); } else { //Hash the password and use the salt from the database to compare the password. $entered_pass = generateHash($password,$userdetails["password"]); if($entered_pass != $userdetails["password"]) { //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID"); } else { //passwords match! we're good to go' //Construct a new logged in user object //Transfer some DBI data to the session object $loggedInUser = new loggedInUser(); $loggedInUser->email = $userdetails["email"]; $loggedInUser->hash_pw = $userdetails["password"]; //Update last sign in $loggedInUser->updatelast_sign_in(); $_SESSION["userPieUser"] = $loggedInUser; header("Location: $returnurl"); die(); } } } } } include "header.php"; include "menu.php"; ?>
Home / Login