Upload files to "website"

website/login.php

@@ -0,0 +1,68 @@
+<?php
+
+require($_SERVER['DOCUMENT_ROOT'].'/include.php');
+
+$nick = $_POST['nick'];
+$pass = $_POST['pass'];
+$hash = md5($pass);
+
+$sql = "SELECT * FROM player WHERE 
+	nick = '$nick' AND
+	pass = '$hash'";
+
+$result = mysqli_query($mysqli, $sql) or die($gameerror . "L-Q01");
+
+$num = mysqli_num_rows($result);
+
+if ($num == 1) { // username and password match
+
+    $row = mysqli_fetch_assoc($result);
+
+    $id = $row['id'];
+
+    // create session with userid
+    session_start();
+    $_SESSION['id'] = $id;
+    session_write_close();
+
+    // update the last login field, clear failure counter
+    $date = date('Y-m-d H:i');
+    $sql = "UPDATE player SET last_date = '$date',
+	failed_num = '0' WHERE id = '$id'";
+    mysqli_query($mysqli, $sql) or die($gameerror . "L-Q02");
+
+    header("Location: $gameroot/playuser.php");
+
+} else { // either no username or password was bad
+
+    $sql = "SELECT * FROM player WHERE nick = '$nick'";
+    $result = mysqli_query($mysqli, $sql) or die($gameerror . "L-Q03");
+    $num = mysqli_num_rows($result);
+
+    if ($num == 1) { // username good (must have been bad password)
+
+	$row = mysqli_fetch_assoc($result);
+
+	$id = $row['id'];
+
+	// update the failure fields and increment failure counter
+	$date = date('Y-m-d H:i');
+	$ip = $_SERVER['REMOTE_ADDR'];
+	$count = $row['failed_num'] + 1;
+	$sql = "UPDATE player SET failed_num = '$count',
+	    failed_date = '$date', failed_ip = '$ip'
+	    WHERE id = '$id'";
+	mysqli_query($mysqli, $sql) or die($gameerror . "L-Q04");
+
+    }
+
+    // If they messed up the username, we ignore it completely.
+
+    // redirect back to the main page so they can log in again.
+    header("Location: $gameroot/index.html");
+
+}
+
+mysqli_close($mysqli);
+
+?>