lol
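<?php
/*
 * user.php — minimal registration / login / profile demo.
 *
 * Dispatches on ?action=:
 *   (none) | register  render the registration form
 *   do_register        POST handler for the registration form
 *   login              render the login form
 *   do_login           POST handler for the login form
 *   view&id=N          show a user's name (plus a logout link when signed in)
 *   logout             drop the session's user_id
 *
 * Expected schema:
 *
 * CREATE TABLE users (
 * id INT(9) AUTO_INCREMENT PRIMARY KEY,
 * username VARCHAR(30) UNIQUE KEY,
 * password TEXT);
 */

$db = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'root', '');
// Fail loudly on driver errors instead of silently continuing on a false
// return, and use server-side prepares so bound values are never spliced
// into the SQL text on the client side.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
session_start();

/**
 * Send a Location header and stop the script. Every target is an absolute
 * path (/user.php?...), so the redirect does not depend on the current URL.
 *
 * @param string $path
 */
function redirectTo($path)
{
    header('Location: ' . $path);
    die();
}

/**
 * Send the browser back to a form with a message in the query string; the
 * form pages print it through e().
 *
 * @param string $action  'register' or 'login'
 * @param string $message plain text; urlencoded here
 */
function redirectWithError($action, $message)
{
    redirectTo('/user.php?action=' . $action . '&error=' . urlencode($message));
}

/**
 * Escape a value for an HTML text or attribute context.
 *
 * @param mixed $value
 * @return string
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Read a POST field as a string; '' when absent or not a plain string
 * (e.g. name[]=x), so the handlers never see a notice or an array.
 *
 * @param string $key
 * @return string
 */
function postString($key)
{
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
}

// A missing action and action=register both show the registration form;
// the error redirects below send the browser to action=register, which the
// previous dispatch did not handle, so the message was never displayed.
$action = isset($_GET['action']) ? $_GET['action'] : 'register';

if ($action === 'register') {
?>
<h1>Register</h1>
<?php if (isset($_GET['error'])) { echo e($_GET['error']); } ?>
<form action='user.php?action=do_register' method='POST'>
<input type='text' name='username' placeholder='Username'>
<input type='password' name='password' placeholder='Password'>
<input type='password' name='password_re' placeholder='Password (again)'>
<input type='submit' value='Register'>
</form>
<?php
    die();
} elseif ($action === 'do_register') {
    $username = postString('username');
    $password = postString('password');
    if ($password !== postString('password_re')) {
        redirectWithError('register', 'Passwords do not match.');
    }
    if ($username === '' || $password === '') {
        redirectWithError('register', 'Username and password are required.');
    }
    // The column is VARCHAR(30) *characters*, so count characters, not bytes.
    if (mb_strlen($username, 'UTF-8') > 30) {
        redirectWithError('register', 'Username is too long.');
    }
    // Friendly pre-check; the UNIQUE KEY on username is what actually
    // guarantees uniqueness when two registrations race (handled below).
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->execute();
    if ($stmt->fetch(PDO::FETCH_ASSOC) !== false) {
        redirectWithError('register', 'That username is already taken.');
    }
    // bcrypt only uses the first 72 bytes of the password.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    try {
        $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
        $stmt->bindValue(1, $username, PDO::PARAM_STR);
        $stmt->bindValue(2, $hash, PDO::PARAM_STR);
        $stmt->execute();
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: lost the race on
        // the UNIQUE KEY between the pre-check and the insert.
        if ((string) $e->getCode() === '23000') {
            redirectWithError('register', 'That username is already taken.');
        }
        throw $e;
    }
    redirectTo('/user.php?action=login');
} elseif ($action === 'login') {
?>
<h1>Login</h1>
<?php if (isset($_GET['error'])) { echo e($_GET['error']); } ?>
<form action='user.php?action=do_login' method='POST'>
<input type='text' name='username' placeholder='Username'>
<input type='password' name='password' placeholder='Password'>
<input type='submit' value='Login'>
</form>
<?php
    die();
} elseif ($action === 'do_login') {
    $username = postString('username');
    $password = postString('password');
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->bindValue(1, $username, PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // One message for both "no such user" and "wrong password" so the
    // response body does not reveal which usernames exist.
    if ($user === false || !password_verify($password, $user['password'])) {
        redirectWithError('login', 'Invalid username or password.');
    }
    // Fresh session id on privilege change so an id fixed before login is
    // not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    redirectTo('/user.php?action=view&id=' . urlencode((string) $user['id']));
} elseif ($action === 'view') {
    $id = isset($_GET['id']) ? $_GET['id'] : '';
    // id is an INT column; reject anything that is not an integer up front
    // rather than letting the driver coerce arbitrary strings.
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        echo 'User not found.';
        die();
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        echo 'User not found.';
        die();
    }
?>
<h1><?php echo e($user['username']); ?></h1>
<?php
    if (isset($_SESSION['user_id'])) {
        echo '<p>User id: ' . e($_SESSION['user_id']) . '</p>';
?>
<a href='/user.php?action=logout'>Logout</a>
<?php
    }
    die();
} elseif ($action === 'logout') {
    unset($_SESSION['user_id']);
    // Rotate the id so the previous cookie value no longer maps to this session.
    session_regenerate_id(true);
    redirectTo('/user.php?action=login');
}
?>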