<?php
function login($db){

        /*___Database Query: Login___*/
	$username = $_POST["username"];
        $password = $_POST["password"];
        $safe_username = SQLite3::escapeString("$username");

	$pepper = file_get_contents("../database/pepper.txt");
	$password = $password . $pepper;

	$real_password = "";

        $real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
        while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
        	foreach($real_password_array as $secondelement){
                	$real_password=$secondelement;
                }   
	}   

        /*___Login___*/
        if (!password_verify($password, $real_password)) {
		return LOGIN_PASSWORD;
	}

        if($db->exec("
        	BEGIN TRANSACTION;
                INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT strftime('%s', 'now')) );
                COMMIT;
	")){

		$id = user_id($db, $username);

                $_SESSION["login"] = true;
                $_SESSION["username"] = $username;
		$_SESSION["userid"] = $id;

		return LOGIN_SUCCESSFULL; 

	} else {
		return LOGIN_DATABASE;
	}   
}

function logout(){
        
	if(session_destroy()){
                return LOGOUT_SUCCESSFULL;
        } else {
                return LOGOUT_FAILURE;
        }   
}

function brutforce_protection($db){
	$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;

	$remote_ip = $_SERVER["REMOTE_ADDR"];
	$session_id = session_id();
	$time = $_SERVER["REQUEST_TIME"];

	if($_SESSION["login_attempts"] <= 0){

		$db->exec("
			BEGIN TRANSACTION;
			INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
			COMMIT;
		");
		banned();

	} else {
		 if($db->exec("
		 	BEGIN TRANSACTION;
			INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)    ."', '".$time."');
			COMMIT;
		 ")){
		 	return true;
		 } else {
		 	return false;
		 }
	}
}

function check_if_banned($db){

	$remote_ip = $_SERVER["REMOTE_ADDR"];
	$session_id = session_id();
	$check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
	$check_ar = $check_db->fetchArray(SQLITE3_NUM);

	$log_at = $check_ar[1];
	if($log_at){
		$_SESSION["login_attempts"] = $log_at;
	}

	$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; 	// == 6h
	$db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");

	if($log_at <= 0){
		if ($check_ar[0] >= $accepted_time){
			return true;					// still banned
		}
	}

	return false; 					// not longer banned
}

function banned(){
	header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
	exit;
}