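setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Native prepared statements: bound values are sent to the server
    // separately and are never spliced into the SQL text client-side.
    $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Get username and password out of the POST data. Both are untrusted;
    // a missing or non-string value degrades to '' instead of a warning.
    $username = is_string($_POST["username"] ?? null) ? $_POST["username"] : '';
    $password = is_string($_POST["password"] ?? null) ? $_POST["password"] : '';

    // Grab the password hash for the username (if available). The username is
    // a bound parameter, which closes the SQL injection that concatenating it
    // into the query string allowed. The table name cannot be bound; it comes
    // from the script's own configuration ($userTableName), not the request.
    $sqlGetData = $conn->prepare(
        "SELECT userID,password,isAdmin FROM " . $userTableName . " WHERE username = :username"
    );
    $sqlGetData->execute([':username' => $username]);
    // fetch() returns false when no row matched the username
    $result = $sqlGetData->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Failed connection or query. Log the driver message server-side rather
    // than echoing it (it can include the DSN or credentials), and stop here
    // instead of carrying on with $sqlGetData unset.
    error_log("Login database error: " . $e->getMessage());
    echo "Connection failed.";
    $conn = null;
    exit;
}

if (is_array($result)) {
    // Grab the hash from the fetched SQL data
    $passwordHash = (string) $result["password"];
    $userID = $result["userID"];
    $isAdmin = $result["isAdmin"];
} else {
    // Unknown username: verify against a throwaway hash so the response time
    // does not reveal whether the account exists.
    $passwordHash = password_hash("unknown-user", PASSWORD_DEFAULT);
    $userID = null;
    $isAdmin = null;
}

// Verify that the entered password matches the hashed one. The is_array check
// ensures a match against the throwaway hash can never count as a login.
$passwordOk = password_verify($password, $passwordHash);
if (is_array($result) && $passwordOk) {
    // HTML-escape request-derived values before echoing them into the page
    $safeUsername = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "

Welcome $safeUsername, please wait while we redirect you...

";
    // Rotate the session id on the privilege change so an id fixed before
    // login is not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION["userID"] = $userID;
    $_SESSION["username"] = $username;
    $_SESSION["isAdmin"] = $isAdmin;

    // Function from StackOverflow used to get the base URL, to which we append
    // the redirect (where the user came from). The redirect value comes from
    // the query string, so it is constrained to a local path: a non-string, a
    // value starting with "//" or a backslash, one containing "://", or one
    // carrying control characters (CR/LF etc.) falls back to the site root.
    function url(){
        $redirect = $_GET["redirect"] ?? '';
        if (
            !is_string($redirect)
            || preg_match('~^(?!//|\\\\|.*://)[^[:cntrl:]]*\z~', $redirect) !== 1
        ) {
            $redirect = '';
        }
        return sprintf(
            "%s://%s/%s",
            isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' ? 'https' : 'http',
            $_SERVER['SERVER_NAME'],
            $redirect
        );
    }
    $address = url();
    $safeAddress = htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "

Redirecting to $safeAddress...

";
    // NOTE(review): this echo is empty in the text as recovered; whatever
    // redirect markup it carried could not be reconstructed, so it is kept as-is.
    echo "";
} else {
    echo "

Invalid credentials

";
}
// Close the SQL connection
$conn = null;
?>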