Firstly, the code that does the login. This is pre-production, hence the comments, the un-squashed mysqli statements and the odd mysqli_error() call.
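<?php
# rm comments when in use.
#
# Admin login handler (requires PHP >= 7.0 for random_bytes()).
#
# Reads the POST fields `user_name` and `pass_word`, looks the account up in
# admin_user and, on a match, starts a fresh session holding the account id
# (`access_key`) and a random per-login token (`fingerprint`) before
# redirecting to admin_index_page.php.  Every failure path redirects back to
# login_form.php and stops.
#
# Still open before production:
#   - Credentials are compared as unsalted sha256(sha256(addslashes(v)))
#     digests.  That scheme is kept here only so existing rows keep working;
#     migrate to password_hash()/password_verify() (re-hash on first login).
#   - No CSRF token on the form and no rate limiting / lockout on failures.
#   - `fingerprint` is a random token only; it is not bound to the client
#     (UA / IP), so it does not by itself detect a stolen session id.

# Buffer output so nothing reaches the client before the header() calls.
# (ob_flush() with no buffer open only raises a notice; ob_start() is the
# call that pairs with the ob_end_flush()/exit() at the end.)
ob_start();
session_start();

# Drop whatever session state the previous visitor left.
# `$_SESSION[] = array()` only appended an empty element; this clears it.
$_SESSION = array();

# HOST, USER, PASS, DB and ADDY come from here.
require('admin_details.php');

# Reject missing, blank or non-string fields.  empty() is deliberately not
# used: it would reject the legitimate password "0".  Arrays are rejected
# because hash() on an array is an error, not a failed login.
$user_name = isset($_POST['user_name']) ? $_POST['user_name'] : null;
$pass_word = isset($_POST['pass_word']) ? $_POST['pass_word'] : null;
if ( !is_string($user_name) || $user_name === '' || !is_string($pass_word) || $pass_word === '' ) {
    header('location: login_form.php');
    exit();
}

$connection_string = mysqli_connect(HOST, USER, PASS);
if ( !$connection_string ) {
    # Mail a heads-up (best effort) and log the driver error server-side;
    # never echo mysqli_connect_error() to the browser.
    error_log('admin login: mysqli_connect failed: ' . mysqli_connect_error());
    $err_date = date('Y-d-m H:i:s');
    $subj = 'Error while trying to login to the admin system.';
    $msg = "An error was encountered while connecting to the database at $err_date";
    # NOTE(review): "SITE" inside the quotes is a literal, not a constant —
    # if the SITE constant is meant, use 'From: ' . SITE.
    $headers = "From: SITE";
    @mail(ADDY, $subj, $msg, $headers);
    header('location: login_form.php');
    exit();
}

if ( !mysqli_select_db($connection_string, DB) ) {
    # The original echoed mysqli_error() with no link argument — a fatal
    # ArgumentCountError on PHP 7+ — and would have shown the DB error to the
    # user.  Log it instead and fail closed.
    error_log('admin login: mysqli_select_db failed: ' . mysqli_error($connection_string));
    mysqli_close($connection_string);
    header('location: login_form.php');
    exit();
}

# Legacy credential encoding, kept byte-compatible with the stored rows.
# addslashes() does nothing useful here (the value never reaches SQL
# verbatim) but removing it would change every digest.
$username_hash = hash('sha256', hash('sha256', addslashes($user_name)));
$password_hash = hash('sha256', hash('sha256', addslashes($pass_word)));

# Look the account up by username only and compare the password digest in
# PHP with hash_equals().  A prepared statement replaces the string-built
# query so the SQL shape can never depend on request data (the digests are
# hex today, but the next edit may not be).
$login_ok   = false;
$account_id = null;
$stmt = mysqli_prepare($connection_string, 'SELECT id, password_field FROM admin_user WHERE username_field = ?');
if ( $stmt ) {
    mysqli_stmt_bind_param($stmt, 's', $username_hash);
    if ( mysqli_stmt_execute($stmt) ) {
        mysqli_stmt_store_result($stmt);
        # Exactly one row, as before; a duplicated username is treated as no match.
        if ( mysqli_stmt_num_rows($stmt) === 1 ) {
            $stored_password_hash = null;
            mysqli_stmt_bind_result($stmt, $account_id, $stored_password_hash);
            mysqli_stmt_fetch($stmt);
            $login_ok = is_string($stored_password_hash)
                && hash_equals($stored_password_hash, $password_hash);
        }
    }
    else {
        error_log('admin login: query failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
}
else {
    error_log('admin login: prepare failed: ' . mysqli_error($connection_string));
}
mysqli_close($connection_string);

if ( !$login_ok ) {
    # Same response for unknown user, wrong password and query failure, so
    # the redirect reveals nothing about which one happened.
    header('location: login_form.php');
    exit();
}

# Successful login: notify (best effort), then build a brand-new session.
$login_date = date('Y-d-m H:i:s');
$subj = 'Administrator Login confirmed';
$msg = "A login was made at $login_date from IP ".$_SERVER['REMOTE_ADDR']."";
$headers = "From: SITE";
@mail(ADDY, $subj, $msg, $headers);

# true = also delete the old session data, so an id planted before login
# (session fixation) cannot be replayed as an authenticated one.
session_regenerate_id(true);
$_SESSION['access_key'] = $account_id;
# 32 CSPRNG bytes -> 64 hex chars, the length the guard page checks.
# mt_rand(0, 123456789) gave ~27 bits from a non-cryptographic generator.
$_SESSION['fingerprint'] = bin2hex(random_bytes(32));
session_write_close();
header("location: admin_index_page.php");
exit();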
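<?php
# Session guard, to be require()d at the very top of every admin page.
#
# A request passes only when the session carries the two values the login
# handler sets: a non-blank `access_key` (the admin_user id) and a
# 64-character `fingerprint`.  Anything else is wiped, given a new session
# id, and redirected to error.php.
#
# Note: `fingerprint` is only checked for length; nothing compares it to a
# value bound to the client, so it does not by itself detect a stolen
# session id.  For long-lived sessions consider also re-checking that
# access_key still names an existing admin_user row.
session_start();

$access_key  = isset($_SESSION['access_key'])  ? $_SESSION['access_key']  : null;
$fingerprint = isset($_SESSION['fingerprint']) ? $_SESSION['fingerprint'] : null;

# The original `trim($_SESSION['access_key'] == '')` trimmed the *boolean*
# result of the comparison (operator precedence), so a blank key passed.
# access_key may be an int (prepared-statement fetch) or a string.
$session_valid =
    ( is_string($access_key) || is_int($access_key) ) && trim((string) $access_key) !== ''
    && is_string($fingerprint) && strlen($fingerprint) === 64;

if ( !$session_valid ) {
    # Clear the session (`$_SESSION[] = array()` only appended an element),
    # discard the old id and its data, and STOP.  Without exit() the protected
    # page after this include is still rendered and sent to any client that
    # simply ignores the Location header — an authentication bypass.
    $_SESSION = array();
    session_regenerate_id(true);
    header("location: error.php");
    exit();
}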
?>

Thanks in advance.