Geizkragen/login.php

<?php
// login.php

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

session_start();

// 1) DB-Verbindung (einmal)
$servername = "localhost";
$port = 3306;
$username = "FSST";
$password = "L9wUNZZ9Qkbt";
$db = "FSST";

$conn = mysqli_connect($servername, $username, $password, $db, $port);
if (!$conn) {
    http_response_code(500);
    die("Datenbankfehler");
}

// 2) POST-Verarbeitung VOR jeglicher Ausgabe
$loginError = null;
$loginInfo = null;

if (isset($_GET['registered']) && $_GET['registered'] === '1') {
    $loginInfo = 'Registrierung erfolgreich. Du kannst dich jetzt einloggen.';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uname = trim(isset($_POST['uname']) ? $_POST['uname'] : '');
    $pw    = isset($_POST['pw']) ? $_POST['pw'] : '';

    // Basic Validierung
    if ($uname === '' || $pw === '') {
        $loginError = "Bitte Username und Passwort eingeben.";
    } else {
        // Login ist SELECT, mit Prepared Statement (sicher) und ?-Platzhalter
        $stmt = mysqli_prepare(
            $conn,
            "SELECT userID, displayName, passwordHash FROM users WHERE displayName = ? LIMIT 1"
        );

        if (!$stmt) {
            $loginError = "Datenbankfehler.";
        } else {
            mysqli_stmt_bind_param($stmt, "s", $uname);
            mysqli_stmt_execute($stmt);

            $result = mysqli_stmt_get_result($stmt);
            $user = $result ? mysqli_fetch_assoc($result) : null;

            // Passwort prüfen: Eingabe gegen gespeicherten Hash (password_hash/password_verify)
            if ($user && password_verify($pw, $user['passwordHash'])) {
                // Optional: Rehash, falls Algorithmus/Cost geändert wurde
                if (password_needs_rehash($user['passwordHash'], PASSWORD_DEFAULT)) {
                    $newHash = password_hash($pw, PASSWORD_DEFAULT);
                    $upd = mysqli_prepare($conn, "UPDATE users SET passwordHash = ? WHERE userID = ?");
                    if ($upd) {
                        $userID = (int)$user['userID'];
                        mysqli_stmt_bind_param($upd, "si", $newHash, $userID);
                        mysqli_stmt_execute($upd);
                        mysqli_stmt_close($upd);
                    }
                }

                $_SESSION['user_id']     = (int)$user['userID'];
                $_SESSION['displayName'] = $user['displayName'];

                mysqli_stmt_close($stmt);
                mysqli_close($conn);

                header("Location: index.php");
                exit;
            }

            $loginError = "Ungültige Zugangsdaten.";
            mysqli_stmt_close($stmt);
        }
    }
}

include 'header.php';
?>
<link rel="stylesheet" href="assets/css/login.css">

<main class="auth" role="main">
    <section class="auth__grid" aria-label="Login Bereich">
        <div class="auth__card">
            <header class="auth__header">
                <h2 class="auth__title">Login</h2>
                <p class="auth__subtitle">Melde dich an, um deine Wunschliste zu verwalten und Deals schneller zu speichern.</p>
            </header>

            <?php if ($loginInfo): ?>
                <p class="auth__alert" role="status"><?php echo htmlspecialchars($loginInfo, ENT_QUOTES, 'UTF-8'); ?></p>
            <?php endif; ?>

            <?php if ($loginError): ?>
                <p class="auth__alert" role="alert"><?php echo htmlspecialchars($loginError, ENT_QUOTES, 'UTF-8'); ?></p>
            <?php endif; ?>

            <form class="auth__form" action="login.php" method="POST" autocomplete="on">
                <div class="auth__field">
                    <label for="uname">Username</label>
                    <input type="text" id="uname" name="uname" inputmode="text" autocomplete="username" required>
                </div>

                <div class="auth__field">
                    <label for="pw">Passwort</label>
                    <input type="password" id="pw" name="pw" autocomplete="current-password" required>
                </div>

                <div class="auth__actions">
                    <input class="auth__submit" type="submit" value="Einloggen">
                </div>
            </form>

            <div class="auth__links">
                <p class="auth__muted">Neu hier? <a href="register.php">Account erstellen</a></p>
                <p class="auth__muted"><a href="index.php">Zurück zur Startseite</a></p>
            </div>
        </div>
    </section>
</main>

<?php
mysqli_close($conn);
include 'footer.php';
?>