Used prepare for SQL statements for login (#138)

Put error message on top of login if password and username don't match or if level is not permitted. Reference exportExcelScript from js folder.
JustinLangshaw · Dec 1, 2017 · 7bff988 · 7bff988
1 parent 3d25f2c
commit 7bff988
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 50 deletions.
diff --git a/sacferals/authenticate.php b/sacferals/authenticate.php
@@ -10,28 +10,37 @@ function connectdb($host, $user, $pass, $db)
 return $link;
 }
 
-
 function authenticateUser()
 {
 	global $link;
 	$username = $_POST['username'];
-	//$email = $_POST['email'];
 	$pass = $_POST['pass'];
 
-	$query = "select * from SacFeralsUsers where (BINARY username = BINARY '$username' or email='$username') and BINARY password = BINARY '$pass'";
-	$result = mysqli_query($link, $query);
-	$row = mysqli_fetch_row($result);
+	$query = $link->prepare("select * from SacFeralsUsers where (BINARY username = BINARY ? or email=?) and BINARY password = BINARY ?");
+	$query->bind_param("sss", $username, $username, $pass);
+	$query->execute();
+	$query->bind_result($userid, $usern, $email, $password, $level);
+	$query->store_result();
+
+	if(!$query->fetch()){
+		$result = 0;
+	}else{		
+		$result = $query->num_rows;
+	}
+	$query->close();
 
-	if(mysqli_num_rows($result) == 0 || ($row[4]!=1 && $row[4]!=2)) //not valid if not activated
+	if($result == 0 || ($level!=1 && $level!=2)) //not valid if not activated
 	{
-		$_SESSION['authenticate234252432341'] = "Not Valid!!!";
+		$_SESSION['authenticate234252432341'] = "Not Valid!!!";	
+		if(($username != "") || ($pass != "")){
+			return "Invalid credentials ";
+		}		
 	}
 	else
 	{ 
-		list($userid, $username, $email, $password, $level) = $row;
 		$_SESSION['authenticate234252432341'] = "validuser09821";
 		$_SESSION['Ausername'] = $username;
-		//$_SESSION['Aemail'] = $email;
+		$_SESSION['Aemail'] = $email;
 		$_SESSION['level'] = $level;
 	}
 }

diff --git a/sacferals/exportExcelScript.js b/sacferals/exportExcelScript.js
diff --git a/sacferals/search.php b/sacferals/search.php
@@ -51,7 +51,7 @@
 		<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
 		<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>	
 
-		<script src="exportExcelScript.js?version=1.5"></script>
+		<script src="js/exportExcelScript.js?version=1.5"></script>
 		<script src="js/customquery.js"></script> 
 		<script src="js/searchScript.js"></script> 
   	</head>

diff --git a/sacferals/userprofile.php b/sacferals/userprofile.php
@@ -2,10 +2,9 @@
 	session_start();
 	include('authenticate.php');
 	$link = connectdb($host, $user, $pass, $db);
-
 	if($_SESSION['authenticate234252432341'] != 'validuser09821')
 	{
-		authenticateUser();
+		$loginmsg = authenticateUser();
 	}
 ?>
 
@@ -42,6 +41,7 @@
 					<h1 class='main_heading'>Log in</h1>
 					<form class='form' role='form' method='post' action='userprofile.php'>
 						<fieldset class='form_field'>
+							<font color="red" size=2.5><label id="error" name="error" ><?php echo $loginmsg?></label></font>
 							<label class='form_label required'>Username</label>
 							<input type='username' class='form_input' placeholder='Enter your username or email' 
 												required='required' name='username' value=''>