From 5967ee13e0baf304863a672ea45c6a14560302f8 Mon Sep 17 00:00:00 2001
From: WilliamMiceli
Date: Wed, 4 Dec 2019 17:19:32 -0500
Subject: [PATCH] Login fields now only allow alphanumeric characters
---
 var/www/login.php | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/var/www/login.php b/var/www/login.php
index 7d1d6f5..3da2443 100644
--- a/var/www/login.php
+++ b/var/www/login.php
@@ -3,22 +3,24 @@ try{
 if($_POST['login_username'] != '' && $_POST['login_password'] != ''){
- unset($_SESSION['loggedInUser']);
- $db_statement = $db_connection->prepare("SELECT COUNT(*) FROM login WHERE username = '".$_POST["login_username"]."' and pword = '".$_POST["login_password"]."'");
- $db_statement->execute();
- $db_statement->setFetchMode(PDO::FETCH_ASSOC);
- $db_returned = $db_statement->fetchAll();
- $matchingUsers = $db_returned[0]['COUNT(*)'];
- if($matchingUsers > 0){
- // User has been authenticated; set user as logged in
- $_SESSION['loggedInUser'] = $_POST['login_username'];
- unset($_SESSION['loginError']);
- // Move onto landing page
- header('Location: /messages.php');
- }else{
- // No matching users found, send user an error message
- $_SESSION['loginError'] = 'Invalid Username or Password';
- }
+ if(ctype_alnum($_POST['login_username']) && ctype_alnum($_POST['login_password'])){
+ unset($_SESSION['loggedInUser']);
+ $db_statement = $db_connection->prepare("SELECT COUNT(*) FROM login WHERE username = '".$_POST["login_username"]."' and pword = '".$_POST["login_password"]."'");
+ $db_statement->execute();
+ $db_statement->setFetchMode(PDO::FETCH_ASSOC);
+ $db_returned = $db_statement->fetchAll();
+ $matchingUsers = $db_returned[0]['COUNT(*)'];
+ if($matchingUsers > 0){
+ // User has been authenticated; set user as logged in
+ $_SESSION['loggedInUser'] = $_POST['login_username'];
+ unset($_SESSION['loginError']);
+ // Move onto landing page
+ header('Location: /messages.php');
+ }else{
+ // No matching users found, send user an error message
+ $_SESSION['loginError'] = 'Invalid Username or Password';
+ }
+ }else{$_SESSION["loginError"] = "Invalid characters found, please try again";}
 }else{
 // If user submitted login form wihout actually filling it out completely, send user an error message
 if(!empty($_POST)){
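Review bot: The character whitelist added on the first `+` line does not remove the injection risk in the `prepare()` call that follows it, because the query is still assembled by concatenating `$_POST` values into the SQL string; the filter is a second line of defence at best and should not stand in for the real fix. Bind the values instead: `$db_statement = $db_connection->prepare('SELECT COUNT(*) FROM login WHERE username = :u AND pword = :p');` followed by `$db_statement->execute([':u' => $_POST['login_username'], ':p' => $_POST['login_password']]);`, which also makes the `ctype_alnum` guard on the password unnecessary, since it currently rejects any password containing a symbol or space. Comparing the submitted password inside the SQL `WHERE` clause suggests the `pword` column holds passwords in clear text; the usual remedy is to fetch the stored hash for the username and check it with `password_verify()`, which is a schema change outside this hunk. The `try` block opened at the top of the hunk closes outside it, and the redirect `header('Location: /messages.php');` is not followed by `exit;`, so the remainder of the script still executes after a successful login.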