Logging Users
Password verification was being bypassed therefor on line 160 i modified the password verification to match the databasepull/17/head
parent
c8583e0631
commit
41aa01579c
17
Script.php
17
Script.php
|
@ -10,7 +10,7 @@
|
||||||
session_start();
|
session_start();
|
||||||
date_default_timezone_set('Asia/Shanghai');
|
date_default_timezone_set('Asia/Shanghai');
|
||||||
// CONNeCTION
|
// CONNeCTION
|
||||||
$con=mysqli_connect("localhost","root","","lrr");
|
$con=mysqli_connect("localhost","Ashly","Teecloudy","lrr");
|
||||||
// Check connection
|
// Check connection
|
||||||
if (mysqli_connect_errno())
|
if (mysqli_connect_errno())
|
||||||
{
|
{
|
||||||
|
@ -113,7 +113,7 @@ if (!empty($_POST["frm_signup_1"])) {
|
||||||
header("Location: signup.php");
|
header("Location: signup.php");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// check if email is taken
|
// check if email is taked
|
||||||
$result = mysqli_query($con,
|
$result = mysqli_query($con,
|
||||||
"SELECT * FROM Users_Table WHERE email='$email'");
|
"SELECT * FROM Users_Table WHERE email='$email'");
|
||||||
if(mysqli_num_rows($result)!=0)
|
if(mysqli_num_rows($result)!=0)
|
||||||
|
@ -122,7 +122,7 @@ if (!empty($_POST["frm_signup_1"])) {
|
||||||
header("Location: signup.php");
|
header("Location: signup.php");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
//applying password_hash() (first_commit)
|
//applying password_hash()
|
||||||
$password_hash = password_hash($password, PASSWORD_DEFAULT);
|
$password_hash = password_hash($password, PASSWORD_DEFAULT);
|
||||||
$sql= "INSERT INTO `users_table`(`Email`, `Password`, `Full_Name`, `UserType`, `Student_ID`, `Passport_Number`) VALUES "
|
$sql= "INSERT INTO `users_table`(`Email`, `Password`, `Full_Name`, `UserType`, `Student_ID`, `Passport_Number`) VALUES "
|
||||||
. "('$email','$password_hash','$fullname','Student','$student_id','$passport')";
|
. "('$email','$password_hash','$fullname','Student','$student_id','$passport')";
|
||||||
|
@ -144,7 +144,7 @@ if (!empty($_POST["frm_login"])) {
|
||||||
$user=mysqli_real_escape_string($con,$_POST["user"]);
|
$user=mysqli_real_escape_string($con,$_POST["user"]);
|
||||||
$password=mysqli_real_escape_string($con,$_POST["password"]);
|
$password=mysqli_real_escape_string($con,$_POST["password"]);
|
||||||
// $hashed_password=hash('sha512', $password); Not necessary in the login
|
// $hashed_password=hash('sha512', $password); Not necessary in the login
|
||||||
$result = mysqli_query($con, "SELECT * FROM users_table WHERE (Email='$user' or Student_ID='$user')");
|
$result = mysqli_query($con, "SELECT * FROM users_table WHERE (Email='$user')");
|
||||||
if(mysqli_num_rows($result)==0)
|
if(mysqli_num_rows($result)==0)
|
||||||
{
|
{
|
||||||
$_SESSION["info_login"]="Inavlid login Information.";
|
$_SESSION["info_login"]="Inavlid login Information.";
|
||||||
|
@ -157,7 +157,7 @@ header("Location: index.php");
|
||||||
{
|
{
|
||||||
while($row = mysqli_fetch_assoc($result)) {
|
while($row = mysqli_fetch_assoc($result)) {
|
||||||
// verify the hashed password and unhashed password
|
// verify the hashed password and unhashed password
|
||||||
if(password_verify($password, $row["Password"]) or ($password = $row["Password"])){
|
if(password_verify($password, $row["Password"]) or $password == $row["Password"]){
|
||||||
$_SESSION['user_id']=$row['User_ID'];
|
$_SESSION['user_id']=$row['User_ID'];
|
||||||
$_SESSION['user_email']=$row['Email'];
|
$_SESSION['user_email']=$row['Email'];
|
||||||
$_SESSION['user_student_id']=$row['Student_ID'];
|
$_SESSION['user_student_id']=$row['Student_ID'];
|
||||||
|
@ -183,6 +183,13 @@ header("Location: index.php");
|
||||||
{
|
{
|
||||||
header("Location: Admin.php");
|
header("Location: Admin.php");
|
||||||
}
|
}
|
||||||
|
// report wrong pass if not correct
|
||||||
|
}else{
|
||||||
|
$_SESSION["wrong_pass"]="Wrong Password.";
|
||||||
|
|
||||||
|
echo $_SESSION["wrong_pass"];
|
||||||
|
|
||||||
|
header("Location: index.php");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -49,6 +49,11 @@ if(isset($_SESSION['info_login'])) {
|
||||||
echo '<hr><div class="alert alert-danger" role="alert">'.$_SESSION['info_login'].'</div>';
|
echo '<hr><div class="alert alert-danger" role="alert">'.$_SESSION['info_login'].'</div>';
|
||||||
$_SESSION['info_login']=null;
|
$_SESSION['info_login']=null;
|
||||||
}
|
}
|
||||||
|
// wrong pass
|
||||||
|
if(isset($_SESSION['wrong_pass'])) {
|
||||||
|
echo '<hr><div class="alert alert-danger" role="alert">'.$_SESSION['wrong_pass'].'</div>';
|
||||||
|
$_SESSION['wrong_pass']=null;
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
</form>
|
</form>
|
||||||
|
|
Loading…
Reference in New Issue