Does anyone have any comments on this code? This is the login page.
pro.login.php
<?php
/* --------------------------------------------------
Login Page
By: Luke Shaheen
PRO. prefix - Process Only File
This is the general portal for users to login to
the site.
Feature List:
- "remember me" (sets cookies; the cookie-based login itself is not written yet)
- SHA-1 password authentication (the code hashes with sha1(), not MD5, and the hash is unsalted)
- Detailed logging of every attempt (success, bad password, jailed)
- Double form protection (car verification): the player's current car is shown before the password is asked for
This page only responds to login attempts; the actual form should live on the main page.
--------------------------------------------------- */
// Shared bootstrap (not shown here). It is expected to provide $system (db_connect())
// and $layout (footer()), and to start the session written to below — TODO confirm.
include('inc.include.php');
//$layout->header('Login','');
// Log Login Function
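// Log Login Function
// Records one login attempt in `login_attempts`.
//   $playername - username as submitted (untrusted; SQL-escaped here before use)
//   $status     - 'Success' or 'failed' (callers pass a constant)
//   $reason     - short reason text (callers pass a constant)
//   $system     - object providing db_connect()
// $ip and $date are expected to come from inc.include.php, which is re-included
// so they land in function scope — NOTE(review): verify that file sets them; the
// fallbacks below fill them from the request and the clock if it does not.
function log_login($playername, $status, $reason, $system) {
    include('inc.include.php');
    if (!isset($ip)) {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }
    if (!isset($date)) {
        // Assumes the `date` column accepts a DATETIME-style string — TODO confirm.
        $date = date('Y-m-d H:i:s');
    }
    // Connect to database.
    $system->db_connect();
    // Escape every value: $playername is user input, and the others are escaped
    // too so a future caller cannot slip an unescaped string into the query.
    // mysql_real_escape_string() needs the connection opened just above.
    $playername = mysql_real_escape_string($playername);
    $ip = mysql_real_escape_string($ip);
    $date = mysql_real_escape_string($date);
    $status = mysql_real_escape_string($status);
    $reason = mysql_real_escape_string($reason);
    // INSERT report.
    $query = mysql_query("INSERT INTO `login_attempts` (player, ip, date, status, reason)
        VALUES ('$playername', '$ip', '$date', '$status', '$reason')");
    if ($query === false) {
        // A silently lost audit record is worse than a noisy one.
        error_log('log_login: insert failed: ' . mysql_error());
    }
}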
// Check to see if a player was sent.
if (strip_tags($_POST[login_player])) {
// Login request was sent(username)
// Upload username as a variable and clean.
$login_player = strip_tags($_POST[login_player]);
$login_password = strip_tags($_POST['login_password']);
echo "<center><b>".$login_player."</b></center><br>";
// Login Steps:
// 1. Check if account exists
// 2. Check if a password was posted
// - If it was then goto step 4
// 3. Display users current car and ask for password
// - On SUBMIT send to step 2
// 4. Validate password
// - If invalid: Log event(IP, username, time)
// 5. Verify account status(jailed or banned?)
// 6. Check for "Remember Me"
// 7. Detailed Logging of login
// 8. Load the session
// 9. Redirrect User
// Pre-Login: Check if the account exists.
$system->db_connect();
// Count usernames matched.
$pre_login_sql = mysql_query("SELECT * FROM `users` WHERE `player` = '$login_player' LIMIT 1");
$pre_login = mysql_num_rows($pre_login_sql);
$pre_login_sel = mysql_fetch_array($pre_login_sql);
// Load the players ID number for later car identification
$login_car_id = $pre_login_sel['cur_car'];
// Close DB for security & speed
mysql_close();
// Compare results to 0
if ($pre_login == '0') {
// Username is NOT there.
echo "The player you specified does NOT exist.";
// Show footer and end page.
$layout->footer();
exit;
}
// Username does exist so continue.
// Step #2 - Check if a password was posted
if ($login_password) {
// The user has posted a password so continue.
// Step #4 - Validate Password
// Connect to database.
$system->db_connect();
// Database is connected. Select users info.
$player_sql = mysql_query("SELECT * FROM `users` WHERE `player` = '$login_player' LIMIT 1");
$player = mysql_fetch_array($player_sql);
$player_db_password = $player['password'];
$player_db_rank = $player['rank'];
$player_db_id = $player['id'];
// Close DB connection
mysql_close();
// Check if the passwords match.
if (sha1($login_password) == $player_db_password) {
// The passwords match! Continue...
// Step #5 - Verify account status(jailed[2] or banned[3]?)
if ($player_db_rank == '2') {
// The player's account is "jailed"
log_login($login_player, 'failed', 'Account Jailed', $system);
echo "<b>This account is 'Jailed' and cannot be used.</b><br><br> The reason it was 'Jailed'(or locked/closed):";
} else {
// The player is legit! Continue...
// Step #6 - Check for "Remember Me"
if ($_POST['remember_me']) {
// The user does want their info to be remembered.
// Upload cookie - to expire in 30 days
setcookie('player_id', $player_db_id, time()+60*60*24*30, '/www', 'theextremegarage.com');
setcookie('player_pass', $player_db_password, time()+60*60*24*30, '/www', 'theextremegarage.com');
echo "'Remember Me' feature used. You will be automatically logged in on this computer for the next 30 days.<br>";
}
// Step #7 - Detailed Logging of login
log_login($login_player, 'Success', 'none', $system);
// Step #8 - Load the session
$_SESSION['player'] = $login_player;
$_SESSION['player_id'] = $player_db_id;
$_SESSION['rank'] = $player_db_rank;
// Step #9 - Redirect the user and report succes!
echo "You have been logged in as, ".$login_player."(PID: ".$player_db_id.")<br>";
echo "You will be redirected to your garage in 3 seconds. If you don't wish to wait please <a href='./game/?welcome'>click here</a>";
}
} else {
// The passwords don't match. Tell the user. (remember to log attempt.
echo "The password you entered was incorrect. Attempt logged.";
log_login($login_player, 'failed', 'Bad Password', $system);
}
} else { // No login password was sent. Show car and ask for password.
// Step #3 - Display users car.
// load car as an image
$car_img = display_car($login_car_id, $system);
// Display car image
echo "<center><img src='".$car_img."' alt='Player Car'></center><br>";
// Check car warning.
echo "Please verify that the above car is yours. If it is continue by entering your password below.<br><br>
<center>
<form action='pro.login.php?LOGIN2' method='post'>
<b>Player:</b> ".$login_player."<br>
<b>Password:</b> <input type='password' size='10' name='login_password'><br>
<input type='hidden' name='login_player' value='".$login_player."' />
<input type='hidden' name='remember_me' value='".$_POST['rememberme']."'>
<input type='submit' value='Login'></form></center><br>";
}
} // End of loop (if POST[login_username])
//$layout->footer();
?>

Demo site: http://dev.theextremegarage.com/
Player: demo
Password: demo
Features yet to make:
- Cookie recognition for returning users (note: the remember-me cookie currently holds the stored password hash itself, so a stolen cookie is a reusable credential; a random per-device token stored server-side is the safer design for this step)
- Automatic redirect after login (what would you suggest here? Normally I use JS, I'm thinking header()) — header('Location: ...') followed by exit works, but only if nothing has been echoed first, so the success message would have to move to the landing page.
- Possible conversion to Feyd's Sha256 (an unsalted fast hash, whether SHA-1 or SHA-256, is still cheap to brute-force offline; a salted, iterated password hash is the real improvement)
Thanks,
Luke