frontier/website/login.php


<?php
require($_SERVER['DOCUMENT_ROOT'].'/include.php');
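// Login handler: checks the posted nick/password against the player table,
// opens a session on success, and records failed attempts otherwise.
// $mysqli, $gameerror and $gameroot are expected to come from include.php.

// Credentials arrive from an untrusted POST body. A missing field or an
// array-valued field (nick[]=...) is treated as an empty string so it can
// never match a row and never reaches md5() as a non-string.
$nick = $_POST['nick'] ?? '';
$pass = $_POST['pass'] ?? '';
if (!is_string($nick)) {
    $nick = '';
}
if (!is_string($pass)) {
    $pass = '';
}

// NOTE(review): unsalted MD5 is unsuitable for password storage; it is kept
// here only because the pass column already holds MD5 digests. Migrating to
// password_hash()/password_verify() (rehashing on the next successful login)
// needs a schema change outside this file.
$hash = md5($pass);

// Bound parameters keep the posted values out of the SQL text; the original
// interpolated $nick directly, which allowed the WHERE clause to be altered.
$stmt = mysqli_prepare($mysqli, "SELECT id FROM player WHERE nick = ? AND pass = ?")
    or die($gameerror . "L-Q01");
mysqli_stmt_bind_param($stmt, 'ss', $nick, $hash);
mysqli_stmt_execute($stmt) or die($gameerror . "L-Q01");
mysqli_stmt_store_result($stmt);
$num = mysqli_stmt_num_rows($stmt);

if ($num == 1) { // username and password match
    mysqli_stmt_bind_result($stmt, $id);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // Create the session with the user id. The session id is regenerated
    // first so an id that was planted before login is not promoted to an
    // authenticated session (session fixation).
    session_start();
    session_regenerate_id(true);
    $_SESSION['id'] = $id;
    session_write_close();

    // Update the last login field and clear the failure counter.
    $date = date('Y-m-d H:i');
    $stmt = mysqli_prepare($mysqli, "UPDATE player SET last_date = ?, failed_num = '0' WHERE id = ?")
        or die($gameerror . "L-Q02");
    mysqli_stmt_bind_param($stmt, 'ss', $date, $id);
    mysqli_stmt_execute($stmt) or die($gameerror . "L-Q02");
    mysqli_stmt_close($stmt);

    header("Location: $gameroot/playuser.php");
} else { // either no such username or the password was bad
    mysqli_stmt_close($stmt);

    $stmt = mysqli_prepare($mysqli, "SELECT id FROM player WHERE nick = ?")
        or die($gameerror . "L-Q03");
    mysqli_stmt_bind_param($stmt, 's', $nick);
    mysqli_stmt_execute($stmt) or die($gameerror . "L-Q03");
    mysqli_stmt_store_result($stmt);
    $num = mysqli_stmt_num_rows($stmt);

    if ($num == 1) { // username good (must have been bad password)
        mysqli_stmt_bind_result($stmt, $id);
        mysqli_stmt_fetch($stmt);
        mysqli_stmt_close($stmt);

        // Record the failure. The counter is incremented inside the UPDATE
        // so concurrent bad attempts cannot overwrite each other's count;
        // COALESCE keeps a NULL counter behaving like 0.
        // NOTE(review): this script only records failed_num; it never checks
        // it before accepting a login. Confirm that throttling or lockout is
        // enforced somewhere else.
        $date = date('Y-m-d H:i');
        $ip = $_SERVER['REMOTE_ADDR'];
        $stmt = mysqli_prepare(
            $mysqli,
            "UPDATE player SET failed_num = COALESCE(failed_num, 0) + 1,
failed_date = ?, failed_ip = ?
WHERE id = ?"
        ) or die($gameerror . "L-Q04");
        mysqli_stmt_bind_param($stmt, 'sss', $date, $ip, $id);
        mysqli_stmt_execute($stmt) or die($gameerror . "L-Q04");
        mysqli_stmt_close($stmt);
    } else {
        mysqli_stmt_close($stmt);
    }

    // If they messed up the username, we ignore it completely.
    // Both failure cases redirect to the same page, so the response does not
    // reveal whether the nick exists.
    header("Location: $gameroot/index.html");
}
mysqli_close($mysqli);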
?>