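<?php
// Login handler.
//
// Looks the posted user up, verifies the password hash and, when the e-mail
// address is confirmed and the client IP is already on the account's address
// list, starts the authenticated session.  Side effects: one DB read, session
// writes, mail() on a failed attempt, a Location header, and echo output.
//
// Everything not defined here comes from app.php: $conn (assumed to be SQLite3,
// since the original used query()/fetchArray() — confirm in app.php), Message,
// queue_message(), new_activation() and Config::$sitename.
require "app.php";

if (!isset($_POST['user'])) {
    echo "No login data present.";
} else {
    $username   = (string) $_POST['user'];
    $password   = (string) ($_POST['pass'] ?? '');
    $remoteAddr = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
    $loggedIn   = false;

    // Parameterised lookup.  The previous version interpolated $username into
    // the SQL string, so anything typed into the login form reached the query.
    // A failed prepare/execute redirects and stops here; the old "or header()"
    // form kept running with an unusable result.
    $stmt = $conn->prepare("SELECT * FROM Users WHERE User = :user");
    if ($stmt === false) {
        header("Location: ../?wronglogin");
        exit;
    }
    $stmt->bindValue(':user', $username, SQLITE3_TEXT);
    $result = $stmt->execute();
    if ($result === false) {
        header("Location: ../?wronglogin");
        exit;
    }
    $row = $result->fetchArray(SQLITE3_ASSOC); // array or false when no such user

    // Run password_verify() even when the user does not exist so that the
    // response time does not by itself reveal whether an account exists.  The
    // dummy hash is generated per request (costs about one extra hash on the
    // unknown-user path; acceptable for a login endpoint, tune if measured).
    $storedHash = is_array($row)
        ? (string) $row['Password']
        : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $verified = password_verify($password, $storedHash) && is_array($row);

    if (!$verified) {
        // One generic reply for "unknown user" and "wrong password": a distinct
        // message would let anyone enumerate accounts.  The owner is notified
        // only when the account exists and has an address.  The attempted
        // password is deliberately NOT put in the mail — it is frequently a
        // near-miss of the real one and e-mail is not a confidential channel.
        if (is_array($row) && !empty($row['Email'])) {
            $message = "Someone has failed to login to your account on " . Config::$sitename
                . ". Their IP: " . $remoteAddr;
            mail($row['Email'], "Failed login attempt", $message);
        }
        queue_message(new Message("Incorrect username or password. If the account exists, its owner has been notified.", "danger"));
    } elseif (empty($row['Email'])) { // Unconfirmed e-mail
        queue_message(new Message("You have not confirmed your e-mail address yet. Please do so before logging in.", "warning"));
    } else {
        $ips = json_decode((string) $row['Addresses'], true);
        if (!is_array($ips)) { // NULL column or invalid JSON would make in_array() throw on PHP 8
            $ips = [];
        }
        if (in_array($remoteAddr, $ips, true)) {
            // Known address: start the authenticated session.  A fresh session
            // id here stops session fixation (an id handed to the client before
            // login must not remain valid after it).
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            $_SESSION['user'] = $row['User'];
            $_SESSION['permissions'] = $row['Permissions'];
            $_SESSION['userid'] = $row['UID'];
            queue_message(new Message("Successfully logged in.", "success"));
            $loggedIn = true;
        } else { // New IP: the user has to confirm it before the login counts
            queue_message(new_activation($username, "Addresses", $remoteAddr));
        }
    }

    // Only same-site targets may be used as the post-login redirect.  The
    // previous patterns had no boundary after the host name and accepted
    // protocol-relative "//host" paths, so an attacker-controlled target could
    // be supplied; both are open-redirect conditions.
    $isSafeRedirect = static function (string $url): bool {
        // Absolute URL on tankernn.eu or one direct subdomain, optionally with a
        // port, followed by a path/query/fragment or nothing at all.
        if (preg_match('/^https?:\/\/(\w*\.)?tankernn\.eu(?::\d+)?(?:[\/?#]|$)/i', $url) === 1) {
            return true;
        }
        // Relative path: "/x", "./x" or "../x" — but never "//x" or "/\x",
        // which browsers treat as a different host.
        return preg_match('/^(?:\.\.?)?\/(?![\/\\\\])/', $url) === 1;
    };

    if (isset($_POST['redirect'])) {
        $redirect = (string) $_POST['redirect'];
        if ($isSafeRedirect($redirect)) {
            header("Location: $redirect");
            exit; // without this the "invalid" text below was emitted after a valid redirect
        }
        echo "Invalid redirect URL: " . htmlspecialchars($redirect, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    } else {
        // The old code reported success unconditionally, even after a wrong password.
        echo $loggedIn ? "Successfully logged in." : "Login not completed.";
    }
}
?>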