<?php require 'required-security.php'; ?>
<?php require 'required-database.php'; ?>
<?php

//RETRIEVE request variables

$form_userpassword = $_POST['form_userpassword'];
$form_username = filter_input(INPUT_POST, 'form_username', FILTER_SANITIZE_SPECIAL_CHARS); 
if ( is_null($form_userpassword)  == true || is_null($form_username)  == true) {
	die('invalid access - click back');
}

//RETRIEVE PASSWORD FROM DB
$stmt = $db->prepare("select * from accounts where username=?;");
$stmt->bindValue(1, $form_username, SQLITE3_TEXT);
$executed = $stmt->execute();
$results = $executed->fetchArray(SQLITE3_ASSOC); //fetches only one

//Alternately will return false if there are no more rows. 
if ( $results) 
{
	$database_hashpassword = $results["userpassword"];
	//HASHPASSWORD is salted so not the same, need to call password_verify, order important
	if(password_verify($form_userpassword, $database_hashpassword )) {
    // If the password inputs matched the hashed password in the database
    // Do something, you know... log them in.
		//my_session_regenerate_id();
		$_SESSION['user_id'] = $results["user_id"]; //secure from injections

		//Redirect to a different page in the current directory that was requested 
		$host  = $_SERVER['HTTP_HOST'];
		$uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
		$extra = 'index.php';
		//header location will automatically kill the code below it
		header("Location: http://$host$uri/$extra");

	} 
	else
	{
		die('wrong password ');
	}
} 
else
{
	die('incorrect username ');
}


ob_end_flush();
?>