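preparedQueryArray($sql, $queryData);
        if(count($userData) == 0 || count($userData) > 1) {
            //injection attack or user not found
            return false;
        }
        $user = $userData[0];
        $sql = "SELECT a.rowid, a.subdomain, a.display_name FROM user_accounts ua JOIN accounts a ON ua.account_id = a.rowid WHERE ua.user_id = :user_id";
        $queryData = array();
        $queryData['user_id'] = $user['user_id'];
        $domains = $database->preparedQueryArray($sql, $queryData);
        foreach($domains as $domain) {
            if(DOMAIN == $domain['subdomain']) {
                $response = array("authorized" => true);
                $response['display_name'] = $user['display_name'];
                $response['user_id'] = $user['user_id'];
                $response['domain'] = $domain['subdomain'];
                $response['client_id'] = $domain['rowid'];
                $_SESSION = $response;
                $loggerData = array();
                $loggerData['display_name'] = $user['display_name'];
                $loggerData['user_id'] = $user['user_id'];
                SecurityLogger::action("login", $loggerData, time());
                return $response;
            }
        }
        $loggerData = array();
        $loggerData['attempted_username'] = $username;
        $loggerData['ip_address'] = $_SERVER['REMOTE_ADDR'];
        SecurityLogger::action("login-failed", $loggerData, time());
        return false;
    }

    /**
     * Whether the current session may perform admin-only actions.
     *
     * All three conditions must hold: the session is marked authorized,
     * the session was established for the "admin" domain, and the request
     * itself is being served on the "admin" domain (DOMAIN is defined
     * outside this chunk — presumably the request's subdomain).
     *
     * @return bool
     */
    public static function hasPermission()
    {
        // A session created on a non-admin domain must not be honoured here,
        // and an admin session must not grant anything on other domains.
        $sessionAuthorized = isset($_SESSION['authorized']) && $_SESSION['authorized'];
        // Strict comparison: the value is session data, so do not let PHP's
        // loose ==/type-juggling rules decide an authorization check.
        $sessionIsAdmin = isset($_SESSION['domain']) && $_SESSION['domain'] === "admin";
        $requestIsAdmin = DOMAIN === "admin";

        return $sessionAuthorized && $sessionIsAdmin && $requestIsAdmin;
    }

    /**
     * Hex-encoded SHA-256 digest of $value (no salt, single round).
     *
     * NOTE(review): this chunk does not show what the digest is used for.
     * If it is used to store or verify credentials, a fast unsalted digest
     * is not appropriate — password_hash()/password_verify() would be the
     * fix — but changing the algorithm here would invalidate every digest
     * already stored, so the migration has to be coordinated with the
     * verification path rather than done in this method alone.
     *
     * @param string $value
     * @return string 64 lowercase hex characters
     */
    public static function hash($value)
    {
        return hash("sha256", $value);
    }

    /**
     * Whether the session carries a truthy "authorized" flag.
     *
     * This says nothing about which domain the session was created for;
     * see hasPermission() for the admin check.
     *
     * @return bool
     */
    public static function isLoggedIn()
    {
        if (!isset($_SESSION['authorized'])) {
            return false;
        }

        return (bool) $_SESSION['authorized'];
    }
}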