<?PHP
//Filename : do_authuser.php
//Description : script to verify a user is allowed to view authenticated pages and set session variables.
//Author : darc
//Last modified : 2006.01.03
include '../includes/db.php';
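// Check for required fields: bounce to the login page when either credential
// is missing or falsy ('' and '0' included, exactly as before).
// empty() is used instead of a bare !$_POST[...] read so an absent field does
// not raise an undefined-index notice, and the keys are quoted: bare-word keys
// (username / password) relied on an undefined constant being downgraded to a
// string, which is a notice on old PHP and a fatal error on PHP 8.
if (empty($_POST['username']) || empty($_POST['password']))
{
    header("Location:../index.php");
    exit;
}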
// TODO: move sql_quote() into a shared include so the other scripts reuse one copy instead of duplicating it.
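/**
 * Quote a value for interpolation inside a single-quoted SQL string literal.
 *
 * This exists for the legacy mysql_* code in this file. Escaping is weaker than
 * a parameterised query (mysqli/PDO prepared statements), which should replace
 * string-built SQL when the database layer is modernised.
 *
 * @param string        $value raw value, typically straight from $_POST
 * @param resource|null $link  optional mysql link; when null the extension's
 *                             last-opened connection is used (the old behaviour)
 * @return string the escaped value, without surrounding quotes
 */
function sql_quote( $value, $link = null )
{
    // Undo the automatic escaping added by magic_quotes_gpc. The function is
    // gone on PHP 8, so it must be guarded: the original called it
    // unconditionally and was a fatal "undefined function" error there.
    if( function_exists( 'get_magic_quotes_gpc' ) && get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    if( function_exists( 'mysql_real_escape_string' ) )
    {
        // Connection-charset-aware escaping; pass the link explicitly when given.
        $escaped = ( $link === null )
            ? mysql_real_escape_string( $value )
            : mysql_real_escape_string( $value, $link );
        // mysql_real_escape_string() returns false when no connection is
        // available. Fall through to addslashes() rather than returning false,
        // which the caller would interpolate as an empty literal.
        if( $escaped !== false )
        {
            return $escaped;
        }
    }
    // Fallback: not charset-aware, so only adequate for single-byte charsets.
    return addslashes( $value );
}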
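// Authenticate the posted credentials against $table_name over the legacy
// mysql_* link $connection (both are expected from ../includes/db.php) and,
// on success, populate the session variables the authenticated pages read.
//
// NOTE(review): the stored hash is MySQL's PASSWORD(): unsalted, no work
// factor, and the function was removed in MySQL 8.0, so this login breaks on a
// current server. Moving to password_hash()/password_verify() needs a column
// and data migration outside this file, so the query is kept as-is here.
$user = sql_quote( $_POST['username'] );
$pass = sql_quote( $_POST['password'] );
$sql = "SELECT * FROM $table_name WHERE username = '$user' AND password = password('$pass')";
$result = mysql_query($sql, $connection);
if ($result === false)
{
    // Log the driver error server-side. The raw mysql_error() text used to be
    // printed to the browser, which hands table/column names to an attacker.
    error_log('do_authuser.php: ' . mysql_error($connection));
    die('Database error');
}
// Exactly one matching row means the credentials checked out.
$num = mysql_num_rows($result);
$row = mysql_fetch_array($result);
// Make sure the account isn't pending or denied.
if ($num === 1 && $row['status'] !== "pending" && $row['status'] !== "denied")
{
    session_start();
    // Issue a fresh session id on privilege change, so a session id planted
    // before login (session fixation) is not promoted to an authenticated one.
    session_regenerate_id(true);
    // session_register() (removed in PHP 5.4) is not needed: assigning into
    // $_SESSION is what actually stores these values.
    $_SESSION['valid_login'] = "true";            // authenticated
    $_SESSION['current_user'] = $row['username']; // current username
    $_SESSION['auth'] = $row['auth'];             // authentication level
    $_SESSION['pin_num'] = $row['pin_num'];       // pin number
    // Redirect to brother home; exit so nothing else runs after the redirect.
    header("Location:/php/brother_home.php");
    exit;
}
// Otherwise the credentials were wrong or the account is not active: back to login.
header("Location:../index.php");
exit;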
?>