tildechan/login.php

<?php
$path = $_SERVER['DOCUMENT_ROOT'];
require_once($path . '/core/header.php');
require_once($path . '/core/footer.php');
require_once($path . '/core/database.php');

if($_SERVER['REQUEST_METHOD'] == 'POST') {

	// funtion to handle failed logins	
	function failed_login($msg = 'invalid username or password') {
		header("Location: /login.php?error=$msg");
		exit();
	}
	
	// assign the form contents to variables
	$username = strtolower($_POST['user'] ?? '');
	$password = strtolower($_POST['pass'] ?? '');

	if ($username == '' || $password == '') failed_login();

	$conn = get_database_conn();
	$login_sql = "SELECT id, username, password, admin FROM user WHERE username = ? LIMIT 1";
	$stmt = mysqli_prepare($conn, $login_sql);
	mysqli_stmt_bind_param($stmt, 's', $username);
	if (!mysqli_stmt_execute($stmt)) {
		failed_login('login select statement failed');
	}
	mysqli_stmt_store_result($stmt);
	if (mysqli_stmt_num_rows($stmt) != 1) {
		failed_login();
	}
	mysqli_stmt_bind_result($stmt, $id, $username, $password_hash, $admin);
	mysqli_stmt_fetch($stmt);
	if (!password_verify($password, $password_hash)) {
		failed_login();
	} 

	session_start();	
	$_SESSION['id'] = $id;
	$_SESSION['username'] = $username;
	$_SESSION['admin'] = $admin;

	//TODO: add some sort of message
	header('Location: /');	
}
	
display_header("~chan - login");
?>
<div style="
	margin: auto;
	width: 300px;
	padding-top: 100px;
">
	<h1>login</h1>
	<form action="login.php" method="post" class="input-form">
		<table>
			<tr>
				<td><b>username:</b></td>
				<td>
					<input name="user" type="text">
				</td>
			</tr>
			<tr>
				<td><b>password:</b></td>
				<td>
					<input name="pass" type="password">
				</td>
			</tr>
		</table>
		<br>
		<button type="Submit">submit</button>
<?php if (isset($_GET['error'])): ?>
		<br><br>
		<div class="error">
		<?php echo htmlspecialchars($_GET['error']); ?>
		</div>
<?php endif; ?>
	</form>
</div>
<?php
display_footer();
?>