5) { $timeout = 300; // 5 minutes timeout if (time() - $_SESSION['last_attempt'] < $timeout) { header("Location: /Sign&Log.php?error=TOO_MANY_ATTEMPTS"); exit(); } else { $_SESSION['login_attempts'] = 0; } } // Input validation if (empty($_POST['username']) || empty($_POST['password'])) { header("Location: /Sign&Log.php?error=INVALID_CREDENTIALS"); exit(); } require 'connect.php'; try { $conn->beginTransaction(); $username = trim(htmlspecialchars($_POST['username'])); // Using stored procedure instead of direct query $sql = "SELECT * FROM validate_login(:username)"; $stmt = $conn->prepare($sql); $stmt->bindParam(':username', $username, PDO::PARAM_STR); $stmt->execute(); if ($stmt->rowCount() <= 0) { $_SESSION['login_attempts'] = isset($_SESSION['login_attempts']) ? $_SESSION['login_attempts'] + 1 : 1; $_SESSION['last_attempt'] = time(); $conn->rollBack(); header("Location: /Sign&Log.php?error=INVALID_CREDENTIALS"); exit(); } $res = $stmt->fetch(PDO::FETCH_ASSOC); if (!password_verify($_POST['password'], $res['password'])) { $_SESSION['login_attempts'] = isset($_SESSION['login_attempts']) ? $_SESSION['login_attempts'] + 1 : 1; $_SESSION['last_attempt'] = time(); $conn->rollBack(); header("Location: /Sign&Log.php?error=INVALID_CREDENTIALS"); exit(); } $conn->commit(); // Session setup $_SESSION['username'] = $username; $_SESSION['userid'] = $res['userid']; $_SESSION['role'] = $res['role']; $_SESSION['last_activity'] = time(); $_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR']; $_SESSION['login_attempts'] = 0; // Redirect based on role if ($res['role'] == 'Admin') { header("Location: ./Admin.php"); } else { header("Location: ./HomePage.php"); } } catch (PDOException $e) { $conn->rollBack(); error_log("Login error: " . $e->getMessage()); header("Location: /Sign&Log.php?error=SERVER_ERROR"); exit(); } ?>