HEX
Server: LiteSpeed
System: Linux s1049.use1.mysecurecloudhost.com 4.18.0-477.27.2.lve.el8.x86_64 #1 SMP Wed Oct 11 12:32:56 UTC 2023 x86_64
User: xedaptot (3356)
PHP: 8.3.31
Disabled: NONE
Upload Files
File: /home/xedaptot/360.naniguide.com/api/login.php
<?php
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");
header("Access-Control-Allow-Methods: POST");
header("Access-Control-Max-Age: 3600");
header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
error_reporting(E_ALL & ~E_WARNING & ~E_NOTICE & ~E_DEPRECATED);
ob_start();
session_start();
require_once("../db/connection.php");
require_once("../backend/functions.php");
require_once("api_functions.php");
require_once("vendor/autoload.php");

register_shutdown_function("fatal_handler");

$method = $_SERVER["REQUEST_METHOD"];
if($method!='POST') {
    ob_end_clean();
    http_response_code(405);
    echo json_encode(array("message"=>"invalid method $method"));
    exit;
}

if(!empty($_POST)) {
    $params = $_POST;
} else {
    $content = trim(file_get_contents("php://input"));
    $params = json_decode($content, true);
}

$mandatory_params = ['username','password'];
check_api_missing_params($params,$mandatory_params);

if (is_ssl()) { $protocol = 'https'; } else { $protocol = 'http'; }
$base_url = $protocol ."://". $_SERVER['SERVER_NAME'] . str_replace("api/login.php","",$_SERVER['SCRIPT_NAME']);

check_login($params['username'],$params['password']);
exit;

function check_login($username,$password) {
    global $mysqli,$base_url;
    $username = strip_tags($username);
    $password = strip_tags($password);
    $query = "SELECT id FROM svt_users WHERE (username=? OR email=?) LIMIT 1;";
    if($smt = $mysqli->prepare($query)) {
        $smt->bind_param('ss', $username, $username);
        $result = $smt->execute();
        if ($result) {
            $result = get_result($smt);
            if (count($result) == 1) {
                $row = array_shift($result);
                $id_user = $row['id'];
                $query = "SELECT * FROM svt_users WHERE id=? AND password=MD5(?) LIMIT 1;";
                if($smt = $mysqli->prepare($query)) {
                    $smt->bind_param('is', $id_user, $password);
                    $result = $smt->execute();
                    if ($result) {
                        $result = get_result($smt);
                        if (count($result) == 1) {
                            $row = array_shift($result);
                            if($row['active']) {
                                $signer = new MiladRahimi\Jwt\Cryptography\Algorithms\Hmac\HS256('12345678901234567890123456789012');
                                $generator = new MiladRahimi\Jwt\Generator($signer);
                                $expirationTime = time() + 86400;
                                $jwt = $generator->generate(['id_user' => $id_user,'exp'=>$expirationTime]);
                                $token_login = encrypt_decrypt('encrypt',$id_user,date('Ymd'));
                                $login_url = $base_url."backend/login.php?token=".$token_login;
                                ob_end_clean();
                                http_response_code(200);
                                echo json_encode(array("message"=>"ok","token"=>$jwt,"login_url"=>$login_url));
                                exit;
                            } else {
                                ob_end_clean();
                                http_response_code(201);
                                echo json_encode(array("message"=>"blocked"));
                                exit;
                            }
                        } else {
                            ob_end_clean();
                            http_response_code(202);
                            echo json_encode(array("message"=>"incorrect password"));
                            exit;
                        }
                    } else {
                        ob_end_clean();
                        http_response_code(500);
                        echo json_encode(array("message"=>"error"));
                        exit;
                    }
                } else {
                    ob_end_clean();
                    http_response_code(500);
                    echo json_encode(array("message"=>"error"));
                    exit;
                }
            } else {
                ob_end_clean();
                http_response_code(203);
                echo json_encode(array("message"=>"incorrect username"));
                exit;
            }
        } else {
            ob_end_clean();
            http_response_code(500);
            echo json_encode(array("message"=>"error"));
            exit;
        }
    } else {
        ob_end_clean();
        http_response_code(500);
        echo json_encode(array("message"=>"error"));
        exit;
    }
}