-rwxr-xr-xwww/functions/func_login.php36
-rwxr-xr-xwww/index.php18
-rwxr-xr-xwww/setup.php1
3 files changed, 50 insertions, 5 deletions
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index e5b7aab..0f9f3e6 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -51,6 +51,38 @@ function logout(){
}
}
-function brutforce_protection(){
- $_SESSION["login_attempts"] = $_SESSION["login_attempts"] + 1;
+function brutforce_protection($db){
+ $_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+
+ if($_SESSION["login_attempts"] <= 0){
+ $_SESSION["banned"] = true;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.";
+ COMMIT;
+ ")){
+ echo "You are banned. ;_;":
+ }
+ exit;
+ }
+}
+
+function check_if_banned($db){
+
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_ar = $check_db->fetchArray(SQLITE3_NUM)
+
+ $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+
+ if($check_ar[0] < $accepted_time){
+ return true; // not longer banned
+ } else {
+ return false; // still banned
+ }
}
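Review bot: The ban row is never written because the INSERT inside the `$db->exec` call in brutforce_protection closes the VALUES list only with `;` — it needs `".$time.");` — and the hunk does not even parse: `echo "You are banned. ;_;":` ends in a colon and the `fetchArray(SQLITE3_NUM)` line in check_if_banned lacks its semicolon. check_if_banned also consults only the first matching row, so when a client has several ban rows an old one lifts a newer ban; `SELECT MAX(time) FROM banned_user WHERE ...` makes the 6 h comparison use the latest ban (a NULL result for no row still compares as "not banned"). When `exec` fails the function still `exit`s with an empty page; surfacing `$db->lastErrorMsg()` to the log instead would make the broken INSERT visible. The counter lives only in `$_SESSION`, so a fresh session starts again at the initial attempt count and only the IP row in banned_user persists; a comment on brutforce_protection stating that the session counter is what triggers the durable IP ban would help the next reader.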
diff --git a/www/index.php b/www/index.php
index d7adf38..be63506 100755
--- a/www/index.php
+++ b/www/index.php
@@ -14,8 +14,16 @@ if(!isset($_SESSION["banned"])){
}
if($_SESSION["banned"]){
- echo "You are banned.";
- exit;
+ if(check_if_banned($db)){
+ $_SESSION["banned"] = false;
+ } else {
+ echo "You are banned. ;_;";
+ exit;
+ }
+}
+
+if(!isset($_SESSION["login_attempts"])){
+ $_SESSION["login_attempts"] = 6;
}
if(empty($_GET)){
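Review bot: When check_if_banned lifts the ban, `$_SESSION["login_attempts"]` is left at the value that caused it (0 or below), so the next wrong password in the same session bans the client again after a single attempt; reset it next to the flag: `$_SESSION["banned"] = false; $_SESSION["login_attempts"] = 6;`. The initial value 6 is also written literally here and again on the success path in the next hunk, which is worth a single constant such as `define('LOGIN_ATTEMPTS', 6);` so the two cannot drift. Note that `$_SESSION["banned"]` is read before `login_attempts` is initialised, which is fine today but easy to break if the two blocks are reordered.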
@@ -40,8 +48,12 @@ if(empty($_GET)){
if($_SERVER['REQUEST_METHOD'] == 'POST'){
$var = login($db);
if($var == LOGIN_SUCCESSFULL){
+ $_SESSION["login_attempts"] = 6;
header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/".$_SESSION["username"]);
- //account($db);
+ } elseif ($var == LOGIN_PASSWORD){
+ brutforce_protection($db);
+ print_login($var);
+
} else {
print_login($var);
}
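Review bot: Only the `LOGIN_PASSWORD` outcome decrements the attempt counter, so failed logins that `login()` reports with any other non-success code (its definition and the `LOGIN_*` constants are outside the hunk) are not counted at all; unless those codes are meant to be exempt, the `brutforce_protection($db);` call belongs in the final `else` branch as well, or the condition should be `$var != LOGIN_SUCCESSFULL`. The comparisons use loose `==`; `===` avoids surprises if the constants and return values are ever mixed string/int. A short comment above the `elseif` naming which outcomes are rate-limited and why would document the decision either way.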
diff --git a/www/setup.php b/www/setup.php
index d2290c3..99c9034 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -57,6 +57,7 @@ if($bool){
CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id));
INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', '');
CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id));
+ CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
COMMIT;")
) {
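Review bot: The new banned_user table is looked up by `ip` or `session_id` in check_if_banned but carries no index on either column, and nothing ever removes rows older than the 6 h window, so the table grows without bound and each lookup scans it; `CREATE INDEX IF NOT EXISTS banned_user_ip ON banned_user (ip);` next to the CREATE TABLE, plus a periodic `DELETE FROM banned_user WHERE time < ...` with the same cut-off, keeps it bounded. The SQL string and the enclosing `exec` call begin before this hunk.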