view user/checkLogin.php @ 26:55a76c257dad

author Robert Boland <robert@markup.co.uk>
date Fri, 04 Jan 2019 08:44:07 -0500
parents 077b0a0a3e6d
children 385ddd7c4b55 a67bf725e87b

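<?php
// checkLogin.php
//
// Verifies an email/password pair against the user table. On success it
// opens a session, stores the user's profile in $_SESSION and echoes
//   <session id>:::<displayName>:::<surname>:::<receiveEmail>:::<GRState>:::<LocID>:::<email>:::<UserID>
// On any failure (missing email, unknown email, wrong password) it echoes
// the single line "Incorrect UserName or Password".
//
// Credentials are accepted from POST and, for existing callers, from the
// query string. Query-string credentials are written to access logs and
// browser history, so callers should move to POST; the GET fallback is kept
// only for compatibility.

require "PasswordHash.php";

// db.php must define $link (an open mysqli connection). Nothing below can
// work without it, so a missing file is fatal rather than a warning.
require "../../private/db.php";

/**
 * Reads a form field from POST, falling back to GET for existing callers.
 *
 * @param string $name field name
 * @return string the raw value, or '' when the field is absent
 */
function readCredential($name)
{
    if (isset($_POST[$name])) {
        return (string) $_POST[$name];
    }
    if (isset($_GET[$name])) {
        return (string) $_GET[$name];
    }
    return '';
}

/**
 * Looks up a user by email using a bound parameter instead of string-built SQL.
 *
 * @param mysqli $link  open connection from db.php
 * @param string $email address exactly as the client sent it
 * @return array|null keys Password, FirstName, Surname, DisplayName, UserID
 *                    of the last matching row; null when there is no row or
 *                    the statement could not be prepared/executed
 */
function findUserByEmail($link, $email)
{
    $stmt = mysqli_prepare(
        $link,
        'select Password, FirstName, Surname, DisplayName, UserID from user where Email = ?'
    );
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $email);

    $user = null;
    if (mysqli_stmt_execute($stmt)) {
        mysqli_stmt_bind_result($stmt, $passHash, $firstName, $surname, $displayName, $id);
        // As in the original loop, the last row wins if Email is not unique.
        while (mysqli_stmt_fetch($stmt)) {
            $user = array(
                'Password'    => $passHash,
                'FirstName'   => $firstName,
                'Surname'     => $surname,
                'DisplayName' => $displayName,
                'UserID'      => $id,
            );
        }
    }
    mysqli_stmt_close($stmt);
    return $user;
}

/**
 * Loads the userpref row for a user.
 *
 * @param mysqli $link   open connection from db.php
 * @param int    $userId UserID from the user table
 * @return array keys receiveEmail, GRState, LocID (trimmed). Each is '' when
 *               the user has no userpref row, so the session and response
 *               never see undefined variables.
 */
function loadPreferences($link, $userId)
{
    $prefs = array('receiveEmail' => '', 'GRState' => '', 'LocID' => '');

    $stmt = mysqli_prepare(
        $link,
        'select ReceiveEmail, GoodreadsState, LocID from userpref where UserID = ?'
    );
    if ($stmt === false) {
        return $prefs;
    }
    mysqli_stmt_bind_param($stmt, 'i', $userId);

    if (mysqli_stmt_execute($stmt)) {
        mysqli_stmt_bind_result($stmt, $receiveEmail, $grState, $locId);
        while (mysqli_stmt_fetch($stmt)) {
            $prefs['receiveEmail'] = trim((string) $receiveEmail);
            $prefs['GRState']      = trim((string) $grState);
            $prefs['LocID']        = trim((string) $locId);
        }
    }
    mysqli_stmt_close($stmt);
    return $prefs;
}

$email      = readCredential('email');
$mypassword = readCredential('pwd');

// The password no longer reaches SQL, but the stripslashes + escape transform
// the original applied to it is kept: the stored phpass hashes were presumably
// computed from the same transformed string at registration, and dropping it
// only here would lock those users out. NOTE(review): confirm against the
// registration script and remove the transform from both sides together.
$mypassword = mysqli_real_escape_string($link, stripslashes($mypassword));

$loggedIn = false;
if ($email !== '') {
    $user = findUserByEmail($link, $email);
    if ($user !== null) {
        $t_hasher = new PasswordHash(8, FALSE);
        if ($t_hasher->CheckPassword($mypassword, $user['Password'])) {
            $displayName = $user['DisplayName'];
            if ((string) $displayName === '') {
                // Fall back to the first name, then to the email address.
                $displayName = ((string) $user['FirstName'] === '') ? $email : $user['FirstName'];
            }
            // UserID is compared unquoted in the original query, so it is numeric.
            $prefs = loadPreferences($link, (int) $user['UserID']);

            session_start();
            // Issue a fresh id at login so a session id chosen before
            // authentication is never promoted to an authenticated one.
            session_regenerate_id(true);
            $_SESSION['displayName']  = $displayName;
            $_SESSION['email']        = $email;
            $_SESSION['surname']      = $user['Surname'];
            $_SESSION['UserID']       = $user['UserID'];
            $_SESSION['receiveEmail'] = $prefs['receiveEmail'];
            $_SESSION['GRState']      = $prefs['GRState'];
            $_SESSION['Loc']          = $prefs['LocID'];

            // Response format expected by the client: session id, then the
            // ":::"-separated profile fields in this fixed order.
            echo session_id();
            echo ':::' . implode(':::', array(
                $displayName,
                $user['Surname'],
                $prefs['receiveEmail'],
                $prefs['GRState'],
                $prefs['LocID'],
                $email,
                $user['UserID'],
            ));
            $loggedIn = true;
        }
    }
}

if (!$loggedIn) {
    // One message for every failure. Previously a wrong password for a known
    // email produced an empty response, because the else branch was attached
    // to the "user exists" test rather than the password check.
    echo "Incorrect UserName or Password";
}
mysqli_close($link);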