User login (#1)

* Bare login form

* Empty homepage with login link

* Simple user table schema

* Added registration page

* Registration with salted+hashed passwords

* Added non-null requirements to user schema

* Require unique usernames

* Register and login prototype working

Author: peppermintpatty5

.gitignore

@@ -0,0 +1 @@
+web/db-login.php

schema/user.sql

@@ -0,0 +1,8 @@
+CREATE TABLE `user` (
+    `user_id`       int NOT NULL AUTO_INCREMENT,
+    `username`      varchar(64) NOT NULL,
+    `password_hash` binary(32) NOT NULL, -- SHA-256 produces a 32-byte digest
+    `salt`          binary(16) NOT NULL,
+    PRIMARY KEY (`user_id`),
+    UNIQUE KEY `username` (`username`)
+) ENGINE=InnoDB DEFAULT CHARSET=ascii COLLATE=ascii_bin;

web/index.php

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <title>Document</title>
+</head>
+
+<body>
+    <h1>Home</h1>
+    <p>
+        <a href="login.php">Login</a>
+    </p>
+    <p>
+        <a href="register.php">Register</a>
+    </p>
+</body>
+
+</html>

web/login.php

@@ -0,0 +1,58 @@
+<?php
+require_once "db-login.php";
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+    $username = $_POST["username"];
+    $password = $_POST["password"];
+
+    $query = $mysql->prepare(
+        "SELECT
+            user_id,
+            username,
+            password_hash,
+            salt
+        FROM
+            user
+        WHERE
+            username=?
+        "
+    );
+    $query->bind_param("s", $username);
+    $query->execute();
+    $result = $query->get_result();
+
+    if (
+        $result
+        && ($user = $result->fetch_object())
+        && hash("sha256", $user->salt . $password, true) === $user->password_hash
+    ) {
+        echo "Welcome {$user->username}!";
+    } else {
+        echo "Incorrect username or password";
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <title>Login</title>
+</head>
+
+<body>
+    <h1>Login</h1>
+    <form action="login.php" method="post">
+        <label for="input-username">
+            Username
+            <input type="text" name="username" id="input-username">
+        </label>
+        <label for="input-password">
+            Password
+            <input type="password" name="password" id="input-password">
+        </label>
+        <input type="submit" value="Login">
+    </form>
+</body>
+
+</html>

web/register.php

@@ -0,0 +1,50 @@
+<?php
+require_once "db-login.php";
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+    $username = $_POST["username"];
+    $password = $_POST["password"];
+
+    $salt = random_bytes(16);
+    $password_hash = hash("sha256", $salt . $password, true);
+
+    $query = $mysql->prepare(
+        "INSERT INTO user(
+            username,
+            password_hash,
+            salt
+        ) VALUES (
+            ?, ?, ?
+        )"
+    );
+    $query->bind_param("sss", $username, $password_hash, $salt);
+    if ($query->execute())
+        echo "Success";
+    else
+        echo "Failure";
+}
+?>
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <title>Register</title>
+</head>
+
+<body>
+    <h1>Register</h1>
+    <form action="register.php" method="post">
+        <label for="input-username">
+            Username
+            <input type="text" name="username" id="input-username">
+        </label>
+        <label for="input-password">
+            Password
+            <input type="password" name="password" id="input-password">
+        </label>
+        <input type="submit" value="Login">
+    </form>
+</body>
+
+</html>