<?php
function login($db){

        /*___Database Query: Login___*/
	$username = $_POST["username"];
        $password = $_POST["password"];
        $safe_username = SQLite3::escapeString(htmlentities($username));

	$log_in = false;
	$real_password = "";

	if($username == "Guest"){

		$real_password_db = $db->query("SELECT email FROM jg;");
		while($row = $real_password_db->fetchArray(SQLITE3_NUM)){
			if($row[0] == $password){
				$log_in = true;
				break;
			}		
		}
	} else {
		$pepper = file_get_contents("../database/pepper.txt");
		$password = $password . $pepper;

        	$real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
        	while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
        		foreach($real_password_array as $secondelement){
                		$real_password=$secondelement;
                	}   
		}   

        	if (password_verify($password, $real_password)) {
			$log_in = true;
		}
	}

        /*___Login___*/
	if(!$log_in){
		return LOGIN_PASSWORD;
	}

	
	$id = user_id($db, $username);
	$banned_db = $db->query("SELECT 1 FROM banned_user WHERE user=".$id);
	$banned_ar = $banned_db->fetchArray(SQLITE3_NUM);

	if($banned_ar[0] == 1){
		echo "You are banned. ;_;";
		exit;
	}

        if($db->exec("
        	BEGIN TRANSACTION;
                INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT strftime('%s', 'now')));
                COMMIT;
	")){


                $_SESSION["login"] = true;
                $_SESSION["username"] = $username;
		$_SESSION["userid"] = $id;

		return LOGIN_SUCCESSFULL; 

	} else {
		return LOGIN_DATABASE;
	}   
}

function logout(){
        
	if(session_destroy()){
                return LOGOUT_SUCCESSFULL;
        } else {
                return LOGOUT_FAILURE;
        }   
}

function brutforce_protection($db){
	$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;

	$remote_ip = $_SERVER["REMOTE_ADDR"];
	$session_id = session_id();
	$time = $_SERVER["REQUEST_TIME"];
	
	if($_SESSION["login_attempts"] <= 0){
		$db->exec("
			BEGIN TRANSACTION;
			INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
			COMMIT;
		");
		banned();

	} else {
		if($db->exec("
			BEGIN TRANSACTION;
			INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".$db->escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', '".$time."');
			COMMIT;
		")){
			return true;
		} else {
			return false;
		}
	}
}

function check_if_banned($db){

	$remote_ip = $_SERVER["REMOTE_ADDR"];
	$session_id = session_id();
	$check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
	$check_ar = $check_db->fetchArray(SQLITE3_NUM);

	$log_at = $check_ar[1];
	if($log_at){
		$_SESSION["login_attempts"] = $log_at;
	}

	$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; 	// == 6h
	$db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");	

	if($log_at <= 0){
		if($check_ar[0] >= $accepted_time){
			return true;					// still banned
		}
	}

	return false; 					// not longer banned
}

function banned(){
	header("Refresh: 0; ".$GLOBALS["scheme"].$_SERVER["HTTP_HOST"]."/banned");
	exit;
}