view user/uk/checkLogin.php @ 51:e6976d92cfc9

refactor 503
author Charlie Root
date Thu, 06 Jun 2019 16:32:56 -0400
parents a67bf725e87b
children

<?php
require "PasswordHash.php";

include "db.php";  

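// Login check: looks the user up by e-mail, verifies the submitted password
// against the stored hash and, on success, starts a session and prints
// "<session id>:::<first name>:::<surname>:::<receiveEmail>:::<GRState>:::<UserID>".
// On any failure it prints the single generic message at the bottom.

// Credentials sent from the form.
// NOTE(review): the original read these from the query string only, which puts
// the password into access logs, proxy logs and browser history. POST is now
// preferred; GET is still accepted so existing callers keep working.
$rawEmail = isset($_POST['email']) ? $_POST['email'] : (isset($_GET['email']) ? $_GET['email'] : '');
$rawPassword = isset($_POST['pwd']) ? $_POST['pwd'] : (isset($_GET['pwd']) ? $_GET['pwd'] : '');

// "email[]=x" style parameters arrive as arrays; treat them as empty input.
if (!is_string($rawEmail))
	$rawEmail = '';
if (!is_string($rawPassword))
	$rawPassword = '';

// The e-mail is bound as a statement parameter below, so it is no longer
// SQL-escaped; the session and the response therefore carry the address as
// typed rather than a backslash-escaped copy. stripslashes() is kept so the
// lookup matches the same rows as before.
$email = stripslashes($rawEmail);

// NOTE(review): the password never reaches a SQL statement, so escaping it
// protects nothing and only changes the bytes that get verified. It is kept
// unchanged because stored hashes may have been computed over the same
// transformed value -- confirm against the registration code before removing.
$mypassword = mysqli_real_escape_string($link, stripslashes($rawPassword));

// Presumably the phpass hasher shipped in PasswordHash.php -- TODO confirm.
$t_hasher = new PasswordHash(8, FALSE);

// Defaults for the "no such user" / "query failed" paths.
$passHash = null;
$displayName = null;
$surname = null;
$id = null;

// Parameterised lookup instead of a string-built query.
$userStmt = mysqli_prepare($link, 'select Password, FirstName, Surname, UserID from user where Email = ?');
if ($userStmt)
{
	mysqli_stmt_bind_param($userStmt, 's', $email);
	if (mysqli_stmt_execute($userStmt))
	{
		mysqli_stmt_bind_result($userStmt, $rowHash, $rowFirstName, $rowSurname, $rowUserId);
		// As before, the last matching row wins if several share the address.
		while (mysqli_stmt_fetch($userStmt))
		{
			$passHash = $rowHash;
			$displayName = $rowFirstName;
			$surname = $rowSurname;
			$id = $rowUserId;
		}
	}
	mysqli_stmt_close($userStmt);
}

// Only consult the hasher when a stored hash was actually found; an unknown
// address or a failed query falls through to the generic failure message.
$check = is_string($passHash) && $passHash !== '' && $t_hasher->CheckPassword($mypassword, $passHash);
if ($check)
{
	// Preferences default to empty strings when the user has no userpref row.
	$receiveEmail = '';
	$GRState = '';

	// UserID was interpolated unquoted in the original query, so it is bound
	// as an integer here.
	$prefStmt = mysqli_prepare($link, 'select ReceiveEmail, GoodreadsState from userpref where UserID = ?');
	if ($prefStmt)
	{
		mysqli_stmt_bind_param($prefStmt, 'i', $id);
		if (mysqli_stmt_execute($prefStmt))
		{
			mysqli_stmt_bind_result($prefStmt, $rowReceiveEmail, $rowGRState);
			while (mysqli_stmt_fetch($prefStmt))
			{
				// Cast first: the columns may be NULL.
				$receiveEmail = trim((string) $rowReceiveEmail);
				$GRState = trim((string) $rowGRState);
			}
		}
		mysqli_stmt_close($prefStmt);
	}

	// Fall back to the e-mail address when no first name is stored.
	if ($displayName === null || $displayName === '')
		$displayName = $email;

	session_start();
	// Issue a fresh session id at the moment of authentication so that an id
	// set before login is never promoted to a logged-in session.
	session_regenerate_id(true);

	$_SESSION['displayName'] = $displayName;
	$_SESSION['email'] = $email;
	$_SESSION['surname'] = $surname;
	$_SESSION['UserID'] = $id;
	$_SESSION['receiveEmail'] = $receiveEmail;
	$_SESSION['GRState'] = $GRState;

	// NOTE(review): the session id is returned in the response body, and the
	// fields after it come from the database unescaped. If a browser ever
	// renders this response as HTML, stored markup in a name would be
	// interpreted; serving it as plain text or encoding the fields closes that.
	echo session_id();
	echo ":::" . $displayName . ":::" . $surname . ":::" . $receiveEmail . ":::" . $GRState . ":::" . $id;
}
else
{
	// Same message for unknown address and wrong password, so the response
	// text does not reveal which accounts exist.
	echo "Incorrect UserName or Password";
}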
?>