
  1. <?php
  2. require "app.php";
  3. if (isset($_POST['user'])) {
  4. $username = $_POST['user'];
  5. $query = $conn->query("SELECT * FROM Users WHERE User='$username'") or header("Location: ../?wronglogin");
  6. $row = $query->fetch_array();
  7. if (password_verify($_POST['pass'], $row['Password'])) {
  8. if (empty($row['Email'])) { // Unconfirmed E-mail
  9. $mess = new Message("You have not confirmed your e-mail address yet. Please do so before logging in.", "warning");
  10. queue_message($mess);
  11. } else {
  12. $ips = json_decode($row['Addresses'], true);
  13. if (in_array($_SERVER["REMOTE_ADDR"], $ips)) {
  14. // Everything is fine, log in
  15. $_SESSION['user'] = $row['User'];
  16. $_SESSION['permissions'] = $row['Permissions'];
  17. $_SESSION['userid'] = $row['UID'];
  18. queue_message(new Message("Successfully logged in.", "success"));
  19. } else { // New IP
  20. $mess = new_activation($username, "Addresses", $_SERVER["REMOTE_ADDR"]);
  21. queue_message($mess);
  22. }
  23. }
  24. } else { // Password incorrect
  25. $message = "Someone has failed to login to your account on " . Config::$sitename . ". They were using the password: " . htmlspecialchars($_POST['pass'] . "Their IP: " . $_SERVER['REMOTE_ADDR']);
  26. mail($row['Email'], "Failed login attempt", $message);
  27. queue_message(new Message("Incorrect password, the account owner has been notified.", "danger"));
  28. }
  29. if (isset($_POST['redirect'])) {
  30. $redirect = $_POST['redirect'];
  31. if (preg_match("/^https?:\/\/(\w*\.)?tankernn\.eu/i", $redirect) === 1 or preg_match("/^\.?\.?\//i", $redirect) === 1) {
  32. header("Location: $redirect");
  33. }
  34. echo "Invalid redirect URL: " . htmlspecialchars($redirect);
  35. } else {
  36. echo "Successfully logged in.";
  37. }
  38. }
  39. else {
  40. echo "No login data present.";
  41. }
  42. ?>