/employers/login.php

<?php
session_start();

// Include the config file which connects to database and bbcode array
include "./../includes/config.php";

// Checks if there is an existing login cookie
// if cookie does not exist, continue
// this is specifically needed here because we will be creating a cookie here and also to avoid a possible infinite loop
if (isset($_COOKIE['ID_my_site']))
{
    $username = $_COOKIE['ID_my_site'];
    $password = $_COOKIE['Key_my_site'];
    $statement = $db->prepare("SELECT * FROM account WHERE username = ? AND type = 1");
    $statement->execute(array($username));

    $info = $statement->fetch();
    // if cookie has wrong stored password, expire it and take them back to login page
    if ($password != $info['password'])
    {
        $past = time() - 3600;
        //destroy the cookie
        setcookie('ID_my_site', '', $past, "/");
        setcookie('Key_my_site', '', $past, "/");
        unset($_COOKIE['ID_my_site']);
        unset($_COOKIE['Key_my_site']);
        session_destroy();
    }
    else
        ("Location: index.php");
}
else
    ("Location: index.php");

// check if the login form is submitted
if (isset($_POST['submit']))
{
    //Image Verification Start -- Check if string entered matches the md5 hash by the generated string
    $number = $_POST['number'];
    if (md5($number) != $_SESSION['image_random_value'])
        die ('Validation string not valid! Please try again! Click <a href=login.php>here</a> to go back.');
    else
    {
        // if form has been submitted
        // makes sure they filled it in
        if (!$_POST['username'] | !$_POST['password'])
            die('You did not fill in a required field.');

        // checks it against the database
        $statement = $db->prepare("SELECT * FROM account WHERE username= ? AND type = 1");
        $statement->execute(array($_POST['username']));

        //Gives error if user dosen't exist
        $check2 = $statement->rowCount();
        if ($check2 == 0)
            die('That user does not exist in our database. <a href=registration.php>Click Here to Register</a>');

        $info = $statement->fetch();
        $username = $_POST['username'];
        $pass = $_POST['password'];
        $password = sha1(strtoupper($username) . ":" . strtoupper($pass));

        //gives error if the password is wrong
        if ($password != $info['password'])
            die('Incorrect password, please try again. Click <a href="login.php">here</a> to go back.');
        else
        {
            // if login is ok then we add a cookie, allow it for all subfolders and update online status
            $hour = time() + 3600;
            setcookie('ID_my_site', $username, $hour, "/");
            setcookie('Key_my_site', $password, $hour, "/");

            $statement = $db->prepare("UPDATE account SET online = 1 WHERE username = ? AND type = 1");
            $statement->execute(array($username));

            //then redirect them to the main page
            header("Location: index.php");
        }
   }
}

// Reset Password
if (empty($_GET['action']))
    $_GET['action'] = "";

if (empty($_GET['reset']))
    $_GET['reset'] = 0;

// Reset Form Start
if (isset($_POST['submit']) && ($_GET['action'] == "resetpass"))
{
    // if form has been submitted
    // makes sure they filled it in
    if(!$_POST['question'] | !$_POST['answer'] | !$_POST['username'])
        die('You did not fill in a required field.');

    // checks it against the database
    $check = $db->prepare("SELECT * FROM users u INNER JOIN account a WHERE u.account = a.id AND a.username= ? AND a.type = 1");
    $db->execute(array($_POST['username']));

    // Gives error if user dosen't exist
    $check2 = $check->rowcount();
    if ($check2 == 0)
        die
        ('
            That user does not exist in our database.
            <a href=registration.php>Click Here to Register</a> or
            <a href="login.php?action=resetpass> Click here to try again.</a>
        ');

    $info = $check->fetch();
    //gives error if the question/answer is wrong
    if ($_POST['question'] != $info['secQues'])
        die
        ('
            The question does not match the one in the database, please try again.
            Click <a href="login.php?action=resetpass">here</a> to go back.
        ');
    else if ($_POST['answer'] != $info['secAns'])
        die
        ('
            The answer does not match the one in the database, please try again.
            Click <a href="login.php?action=resetpass">here</a> to go back.
        ');
    else
    {
        $account = $info['id'];
        // if everything is ok then we allow to reset password via redirect to new page!
        header("Location: login.php?action=resetpass&reset=$account&cond=1");
    }
}
else if (isset($_POST['submit']) && ($_GET['action'] == "resetpass") && ($_GET['cond'] == 2))
{
    // if form has been submitted
    // makes sure they filled it in
    if(!$_POST['pass'] | !$_POST['pass2'])
        die('You did not fill in a required field.');

    // this makes sure both passwords entered match
    if ($_POST['pass'] != $_POST['pass2'])
        die('Your passwords did not match. ');

    // here we encrypt the password and add slashes if needed
    if (!get_magic_quotes_gpc())
        $_POST['pass'] = addslashes($_POST['pass']);

    $sha_pass_hash = sha1(strtoupper($_POST['username']) . ":" . strtoupper($_POST['pass']));

    // now we insert it into the database
    $errors = "";
    if (!isset($_POST['pass']))
        $errors .= "Please provide a password in the first field. <br/>";

    if (!isset($_POST['pass2']))
        $errors .= "Please provide a password in the second field. <br/>";

    if ($errors == "")
    {
        $account = $_GET['reset'];
        $statement = $db->prepare("UPDATE account a INNER JOIN users u SET a.password= ? WHERE u.account = a.id AND u.account =  AND a.id = ? AND a.username = ? AND a.type = 1");
        $statement->execute(array($sha_pass_hash, $account, $_POST['username']));
        $_GET['reset'] = 2;
        header("Location: login.php?action=resetpass&reset=2");
    }
    else
        echo $errors."Please go back and try again.";
}
// Reset Form End
?>
<html>
<head>
<title>
JobIsland for Businesses
</title>
<!-- CSS START -->
  <link rel="stylesheet" type="text/css" href="./../includes/invi.css" media="screen"/>
<!-- CSS END -->

<script language="javascript">
<!-- redirect script -->
function redirectPage()
{
    document.location.href= "login.php"
}
</script>
</head>

<body>
<!-- Left and Right Side Backgrounds -->
<div class="leftbg">
<div class="rightbg">

<!-- Header Start -->
<?php
    include "./../includes/head.php";
?>
<!-- Header End -->

<!-- Left Side Article Start -->
<div id="left">
<div class="left_articles">
<?php
if ($_GET['action'] == "resetpass")
{
    echo '<center><b><p style="font-size: 16;"><a> Password Reset </a></p></b></center>';
    echo '<br><p> Please enter your username along with the secret question and your answer to it.';
    echo '<br> Once the question and answer has been verified you will be allowed to reset your password.</p>';
    echo '<form method="post" action="login.php?action=resetpass">';
    echo '<tr>
            <td>
                <p style="font-size: 14;">Your Username:</p>
                </td><td>

                <input type="text" name="username" maxlength="60" size="40"/>
                </td></tr><br><br>

                <tr><td>
                <p style="font-size: 14;">Your Secret Question:</p>
                </td><td>

                <input type="text" name="question" maxlength="60" size="40" />
                </td></tr><br><br>

                <tr><td>
                <p style="font-size: 14;">Your Secret Answer:</p>
                </td><td>

                <input type="text" name="answer" maxlength="60" size="40" />
                </td></tr><br><br>

                <tr><th colspan=2>

                <input type="submit" name="submit" value="Reset Password" />
                <input type="button" value="Back" onClick="redirectPage()">

		</th></tr>
		</table>
		</form><br>
   		';
}
else if (($_GET['action'] == "resetpass") && ($_GET['reset'] > 0) && ($_GET['cond'] == 1))
{
    $user = $_GET['reset'];
    echo '<center><b><p style="font-size: 16;"><a> Password Reset </a></p></b></center>';
    echo '<p> Please enter your new password. </p>';
    echo '<p> The current password will now be overwritten with the new one.</p><br>';
    echo '<form method="post" action="login.php?action=resetpass&reset='.$user.'&cond=2">';
    echo '<tr>
          <td>
          <p style="font-size: 14;">Your New Password:</p>
          </td>
          <td>
          <input type="password" name="pass" maxlength="60" size="40" />
          </td>
          </tr>
          <br><br>
          <tr>
          <td>
          <p style="font-size: 14;">Your New Password Again:</p>
          </td>
          <td>
          <input type="password" name="pass2" maxlength="60" size="40" />
          </td>
          </tr>
          <br><br>
          <tr><th colspan=2>
          <input type="submit" name="submit" value="Reset Password">
          </th></tr>
          </table>
          </form>
          ';
}
else if (($_GET['action'] == "resetpass") && ($_GET['reset'] == 2) && ($_GET['cond'] == 3))
{
    echo '<center><b><p style="font-size: 16;"><a> Password Reset </a></p></b></center>';
    echo '<p>Your password has been successfully changed!</p>';
    echo '<p>You may now log in using your new password</p>';
    echo '<p> Click <a href="login.php">here</a> to login now!</p></center>';
    header("Location: logout.php");
}
else
{
?>
    <b><p style="font-size: medium" align="center">Business Parter, you are? Not? Register <a href="registration.php">here</a>, you may.</p></b>
<!-- 2 ways to pass form, using PHP_SELF or just putting in the location and file name. Both works fine. -->
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0" align="center">
<tr>
    <td>Username: </td>
    <td><input type="text" name="username" maxlength="40"></td>
</tr>
<tr>
    <td>Password: </td>
    <td><input type="password" name="password" maxlength="50"></td>
</tr>
<tr>
    <td>Image Verification:</td>
    <td><input name='number' type="text" id=\'number\''></td>
</tr>
<tr>
    <td colspan="2" align="center"><img alt=''  src='./../includes/random_image.php' /></td>
</tr>
</table>
<p style="font-size: small;" align="center">
Please enter the string shown in the image above.
</p>
<br>
<center>
<tr><td colspan="2" align="center">
<input type="submit" name="submit" value="Login">
</td></tr>
</center>
</form>
<p style="font-size: small;" align="center">Forgot your password? Click <b><a href="login.php?action=resetpass">here to retrieve it!</a></b>
<br/><br/>
<p style="font-weight: bold; font-size: 14;" align="center">Came here by mistake? Click <b><a href="./../login.php">here to go back to the home page!</a></b>
<?php
}
?>
</div>
</div>
<!-- Left Side Article End -->
<!-- Right Side Article Start -->
<div id="right">
    <br/>
    <center>
    <img src="http://static.tumblr.com/poxjlqi/qCCl52mnu/placeholder_ad.png">
    </center>
</div>
<!-- Right Side Article End -->

<!-- Footer Start -->
<?php
    include './../includes/footer.php';
?>
<!-- Footer End -->
</div>
</div>
</body>
</html>