Merge branch 'main' of https://gitea.bankerheide.de/whupfeld/melder

admin/login.php

@@ -4,9 +4,9 @@
  * Ideenmelder
  * Autor: Walter Hupfeld, Hamm
  * E-Mail: info@hupfeld-software.de
- * Version: 1.0
+ * Version: 3.0
  * Datum: 18.05.2021
- * zuletzt bearbeitet: 21.02.2024
+ * zuletzt bearbeitet: 15.03.2024
  ******************************** */
 
 // Starte die Session
@@ -24,15 +24,20 @@ $boolLogin=true;
     if (isset($_POST['login']) && isset($_POST['password'])) {
         $strUser         = trim($_POST['login']);
         $strPassword     = trim($_POST['password']);
-        $strSQL = "SELECT username,passwordhash,district,role FROM user WHERE username='$strUser'";
-        $result = $db->query($strSQL);
+        $strSQL = "SELECT username,passwordhash,district,role FROM user WHERE username=:user";
+        $stmt = $db->prepare($strSQL);
+        $stmt->bindValue(':user',$strUser);
+        $result=$stmt->execute();
         if ($row=$result->fetch(PDO::FETCH_ASSOC))  {
             $boolOk = $strDistrict==$row['district'] || $row['role']=="admin";
             if (password_verify($strPassword,$row['passwordhash']) && $boolOk) {
                 $_SESSION['user']=$strUser;
                 $_SESSION['csrf_token'] = uniqid('', true);
                 $_SESSION['superadmin'] = $row['role']=="admin";
-                $db->query("UPDATE `user` SET `lastlogin`= NOW() WHERE `username`='$strUser'");
+                $strSQL="UPDATE `user` SET `lastlogin`= NOW() WHERE `username`=:user";
+                $stmt = $db->prepare($strSQL);
+                $stmt->bindValue(':user',$strUser);
+                $stmt->execute();
                 header ("Location: index.php");
             } else {
                 $boolLogin=false;