I have a login.php file which includes a file called class.login.php
When I type a wrong username and password such as "johndoe" "1234" I get the error message "Invalid Form Data"
When I click refresh on my browser, I get "Invalid Form Submission"
When I type in the correct username and password I get "Invalid Username/Password"
class.login.php:
Code: Select all
<?php
class Login
{
private $_userid;
private $_username;
private $_password;
private $_passmd5;
private $_errors;
private $_access;
private $_login;
private $_token;
public function __construct()
{
$this->_errors = array();
$this->_login = isset($_POST['login'])? 1 : 0;
$this->_access = 0;
$this->_token = $_POST['token'];
$this->_userid = 0;
$this->_username = ($this->_login)? $this->filter($_POST['username']) : $_SESSION['username'];
$this->_password = ($this->_login)? $this->filter($_POST['password']) : '';
$this->_passmd5 = ($this->_login)? md5($this->_password) : $_SESSION['password'];
}
public function isLoggedIn()
{
($this->_login)? $this->verifyPost() : $this->verifySession();
return $this->_access;
}
public function filter($var)
{
return preg_replace('/[^a-zA-Z0-9]/','',$var);
}
public function verifyPost()
{
try
{
if(!$this->isTokenValid())
throw new Exception('Invalid Form Submission');
if(!$this->isDataValid())
throw new Exception('Invalid Form Data');
if(!$this->verifyDatabase())
throw new Exception('Invalid Username/Password');
$this->_access = 1;
$this->registerSession();
}
catch(Exception $e)
{
$this->_errors[] = $e->getMessage();
}
}
public function verifySession()
{
if($this->sessionExist() && $this->verifyDatabase())
$this->_access = 1;
}
public function verifyDatabase()
{
//Database Connection Data
mysql_connect("host", "db", "pass") or die(mysql_error());
mysql_select_db("db") or die(mysql_error());
$data = mysql_query("SELECT userid FROM users WHERE username = '{$this->_username}' AND password = '{$this->_passmd5}'");
if(mysql_num_rows($data))
{
list($this->_id) = @array_values(mysql_fetch_assoc($data));
return true;
}
else
{ return false; }
}
public function isDataValid()
{
return (preg_match('/^[a-zA-Z0-9]{5,12}$/',$this->_username) && preg_match('/^[a-zA-Z0-9]{5,12}$/',$this->_password))? 1 : 0;
}
public function isTokenValid()
{
return (!isset($_SESSION['token']) || $this->_token != $_SESSION['token'])? 0 : 1;
}
public function registerSession()
{
$_SESSION['userid'] = $this->_userid;
$_SESSION['username'] = $this->_username;
$_SESSION['password'] = $this->_passmd5;
}
public function sessionExist()
{
return (isset($_SESSION['username']) && isset($_SESSION['password']))? 1 : 0;
}
public function showErrors()
{
echo "<h3>Errors</h3>";
foreach($this->_errors as $key=>$value)
echo $value."<br>";
}
}
?>Code: Select all
<?php
session_start();
if(isset($_POST['login']))
{
include('class.login.php');
$login = new Login();
if($login->isLoggedIn())
header('location: index.php');
else
$login->showErrors();
}
$token = $_SESSION['token'] = md5(uniqid(mt_rand(),true));
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF'];?>">
<table>
<tr><td>Username:</td><td><input type="text" name="username" /></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" /></td></tr>
</table>
<input type="hidden" name="token" value="<?php echo $token;?>" />
<input type="submit" name="login" value="Log In" />
</form>