I'm still new to web development and I am trying to develop a website to provide my local community with a practitioner directory with an option for booking.
I want to get an opinion or recommendation from you experts whether the logic for my login functionality is correct.
Before I ask any question on this platform, please note that I have done extensive research and trials on web development.
Let me just explain the logic I implemented point by point.
- Call DB Connection file
- Start a new session
- Unset variables (To start a fresh login)
- Destroy open sessions
- Make a new DB Connection
- Read the username and password input from the form using the POST method
- Implement logic for login and display error messages (Check if user account is verified, check username and password)
- Direct the user to the next page once the username and password are validated
// File that contains the database connection details ($servername, $username, $password, $dbname)
require_once("dblogin.php");

// Initialize the session.
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session once you logout, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// Finally, destroy the session.
session_destroy();

// Connect to the database
$conn = new mysqli($servername, $username, $password, $dbname);

// Connection error to database
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Start a fresh session for this login attempt.
    session_start();

    // Get email from input form
    $email = mysqli_real_escape_string($conn, $_POST['email']);

    // The submitted password is neither escaped nor re-hashed here: bcrypt produces a
    // different hash on every call, so the only valid check is password_verify()
    // against the hash that was stored at registration.
    $submitted_password = $_POST['password'];

    // Retrieve the account row (including the stored password hash) for the check
    $user_check_query = "SELECT * FROM user_account WHERE username='$email' LIMIT 1";
    $result = mysqli_query($conn, $user_check_query);
    // mysqli_fetch_assoc() returns null when no row matched, so guard before indexing
    $user = $result ? mysqli_fetch_assoc($result) : null;

    // The credential check is done once; every branch below assumes it passed
    $credentials_ok = $user
        && $user['username'] === $email
        && password_verify($submitted_password, $user['password']);

    if ($credentials_ok && $user['account_verified'] === '0') {
        // Account exists and password is right, but it is not verified yet
        $error = "Your Account is not verified";
    } elseif ($credentials_ok && $user['user_type'] === "user" && $user['account_verified'] === '1') {
        // Stores username as a variable
        $_SESSION['username'] = $user['username'];
        // Directs to index.php page; exit so nothing after the redirect runs
        header('Location: index.php');
        exit;
    } elseif ($credentials_ok && $user['user_type'] === "doctor" && $user['account_verified'] === '1') {
        // Stores username as a variable
        $_SESSION['username'] = $user['username'];
        // Directs to doctor profile page
        header('Location: docbookings.php?docid=' . $user['doctor_profile_id']);
        exit;
    } else {
        // If it does not meet the above conditions, display invalid email or password
        $error = "Your Email Address or Password is invalid";
    }
}
My expectation from this platform is not to get someone to code for me but to get advice or a recommendation on my logic so that the final product works fine.
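The following is an added example, not the poster's code, showing how the same login flow (lookup by email, password check against the stored hash, verified/unverified branch, routing by user_type) looks with a prepared statement, a single generic failure message, and a session id regenerated after a successful login. It assumes the `user_account` table and columns named in the question, an open mysqli connection in `$conn` (with the mysqlnd driver, so `get_result()` is available), and that the `password` column holds a `password_hash()` result saved at registration; the function name `attempt_login` and the return-array shape are this example's own.

```php
<?php
// Added example (not the poster's code). Assumes $conn is an open mysqli connection
// and that user_account.password stores a password_hash() result from registration.

declare(strict_types=1);

// Outcome of a login attempt: 'ok' with a redirect target, or an error message.
// One generic message covers both "no such user" and "wrong password", so the
// response does not reveal which email addresses are registered.
function attempt_login(mysqli $conn, string $email, string $submitted_password): array
{
    $generic_error = "Your Email Address or Password is invalid";

    // Prepared statement: the email is bound as a parameter, so it never becomes
    // part of the SQL text and no escaping call is needed.
    $stmt = $conn->prepare(
        "SELECT username, password, account_verified, user_type, doctor_profile_id
           FROM user_account WHERE username = ? LIMIT 1"
    );
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();

    // When no row matched, verify against a dummy hash (computed once per process)
    // so a missing account takes roughly as long to reject as a wrong password.
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('placeholder-not-a-real-password', PASSWORD_BCRYPT);
    }
    $stored_hash = $user['password'] ?? $dummy_hash;

    // password_verify() is the only correct comparison: hashing the submitted
    // password again would yield a different bcrypt string every time.
    $password_ok = password_verify($submitted_password, $stored_hash);

    if ($user === null || !$password_ok) {
        return ['status' => 'error', 'message' => $generic_error];
    }

    if ((string) $user['account_verified'] !== '1') {
        return ['status' => 'error', 'message' => "Your Account is not verified"];
    }

    // Route by account type; an unknown type is treated as a failed login,
    // matching the final else-branch in the question.
    switch ($user['user_type']) {
        case 'user':
            $target = 'index.php';
            break;
        case 'doctor':
            $target = 'docbookings.php?docid=' . urlencode((string) $user['doctor_profile_id']);
            break;
        default:
            return ['status' => 'error', 'message' => $generic_error];
    }

    return ['status' => 'ok', 'username' => $user['username'], 'redirect' => $target];
}

// Request handling: a single session_start(), and the id is regenerated on success
// so the authenticated session does not keep the id the browser had before login.
session_start();
$error = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $outcome = attempt_login(
        $conn,
        (string) ($_POST['email'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );

    if ($outcome['status'] === 'ok') {
        session_regenerate_id(true);
        $_SESSION['username'] = $outcome['username'];
        header('Location: ' . $outcome['redirect']);
        exit;   // nothing after a redirect should run
    }
    $error = $outcome['message'];
}
```

Keeping the decision in a function that returns a result, rather than calling `header()` from inside the branches, makes the three outcomes (unverified, routed by type, rejected) easy to read and to test without a browser; the caller is the only place that touches the session and the response.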