FSST/Geizkragen
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor login logic to use prepared statements and password hashing

Browse Source
This commit is contained in:
Fabian Schieder 2026-01-23 08:46:55 +01:00
parent 09be0057da
commit 423ed1d3e2
1 changed files with 43 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
login.php
View File

@ -24,48 +24,67 @@ if (!$conn) {
$loginError = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$uname = isset($_POST['uname']) ? $_POST['uname'] : '';
$uname = trim(isset($_POST['uname']) ? $_POST['uname'] : '');
$pw = isset($_POST['pw']) ? $_POST['pw'] : '';
// Basic Validierung
if ($uname === '' || $pw === '') {
$loginError = "Bitte Username und Passwort eingeben.";
}
else {
// Login ist SELECT, nicht INSERT
$stmt = mysqli_prepare($conn, "SELECT id, pw FROM user WHERE un = ?");
mysqli_stmt_bind_param($stmt, "s", $uname);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
} else {
// Login ist SELECT, mit Prepared Statement (sicher) und ?-Platzhalter
$stmt = mysqli_prepare(
$conn,
"SELECT displayName, passwordHash FROM users WHERE displayName = ? LIMIT 1"
);
$user = $result ? mysqli_fetch_assoc($result) : null;
if (!$stmt) {
$loginError = "Datenbankfehler.";
} else {
mysqli_stmt_bind_param($stmt, "s", $uname);
mysqli_stmt_execute($stmt);
// Falls du Passwörter gehasht speicherst: password_verify($pw, $user['pw'])
// Wenn aktuell Klartext (nicht empfohlen): $pw === $user['pw']
if ($user && $pw === $user['pw']) {
$_SESSION['user_id'] = (int)$user['id'];
$_SESSION['username'] = $uname;
$result = mysqli_stmt_get_result($stmt);
$user = $result ? mysqli_fetch_assoc($result) : null;
mysqli_close($conn);
header("Location: index.php");
exit;
// Passwort prüfen: Eingabe gegen gespeicherten Hash (password_hash/password_verify)
if ($user && password_verify($pw, $user['passwordHash'])) {
// Optional: Rehash, falls Algorithmus/Cost geändert wurde
if (password_needs_rehash($user['passwordHash'], PASSWORD_DEFAULT)) {
$newHash = password_hash($pw, PASSWORD_DEFAULT);
$upd = mysqli_prepare($conn, "UPDATE user SET passwordHash = ? WHERE id = ?");
if ($upd) {
$id = (int)$user['id'];
mysqli_stmt_bind_param($upd, "si", $newHash, $id);
mysqli_stmt_execute($upd);
mysqli_stmt_close($upd);
}
}
$_SESSION['user_id'] = (int)$user['id'];
$_SESSION['username'] = $user['un'];
$_SESSION['displayName'] = $user['displayName'];
mysqli_stmt_close($stmt);
mysqli_close($conn);
header("Location: index.php");
exit;
}
$loginError = "Ungültige Zugangsdaten.";
mysqli_stmt_close($stmt);
}
$loginError = "Ungültige Zugangsdaten.";
}
}
include 'header.php';
?>
<?php include 'header.php'; ?>
<!-- Hinweis: header.php öffnet bereits <!DOCTYPE html>, <html>, <head> und <body>. -->
<link rel="stylesheet" href="assets/css/login.css">
<main class="auth" role="main">
<section class="auth__grid" aria-label="Login Bereich">
<div class="auth__card">
<header class="auth__header">
<h2 class="auth__title">Login</h2>
<p class="auth__subtitle">Melde dich an, um deine Wunschliste zu verwalten und Deals schneller zu speichern.</p>
</header>
@ -95,7 +114,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
<p class="auth__muted"><a href="index.php">Zurück zur Startseite</a></p>
</div>
</div>
</section>
</main>
@ -103,5 +121,3 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
mysqli_close($conn);
include 'footer.php';
?>
<!-- footer.php schließt </body> und </html> -->