Diffstat (limited to 'www')
| -rwxr-xr-x | www/functions/func_login.php | 36 | ||||
| -rwxr-xr-x | www/index.php | 18 | ||||
| -rwxr-xr-x | www/setup.php | 1 |
3 files changed, 50 insertions, 5 deletions
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index e5b7aab..0f9f3e6 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -51,6 +51,38 @@ function logout(){
 }
 }
-function brutforce_protection(){
- $_SESSION["login_attempts"] = $_SESSION["login_attempts"] + 1;
+function brutforce_protection($db){
+ $_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+
+ if($_SESSION["login_attempts"] <= 0){
+ $_SESSION["banned"] = true;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.";
+ COMMIT;
+ ")){
+ echo "You are banned. ;_;":
+ }
+ exit;
+ }
+}
+
+function check_if_banned($db){
+
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_ar = $check_db->fetchArray(SQLITE3_NUM)
+
+ $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+
+ if($check_ar[0] < $accepted_time){
+ return true; // not longer banned
+ } else {
+ return false; // still banned
+ }
 }
diff --git a/www/index.php b/www/index.php
index d7adf38..be63506 100755
--- a/www/index.php
+++ b/www/index.php
@@ -14,8 +14,16 @@ if(!isset($_SESSION["banned"])){
 }
 if($_SESSION["banned"]){
- echo "You are banned.";
- exit;
+ if(check_if_banned($db)){
+ $_SESSION["banned"] = false;
+ } else {
+ echo "You are banned. ;_;";
+ exit;
+ }
+}
+
+if(!isset($_SESSION["login_attempts"])){
+ $_SESSION["login_attempts"] = 6;
 }
 if(empty($_GET)){
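Review bot: The INSERT in `brutforce_protection` never closes its VALUES list — `".$time.";` should read `".$time.");` — so as written the `exec` fails and no ban row is ever stored, leaving the IP/session ban to rest entirely on the in-memory `$_SESSION["banned"]` flag; as rendered here the `echo "You are banned. ;_;":` line and the `fetchArray(SQLITE3_NUM)` line also end without a `;`, which would be parse errors if that is what was committed. `check_if_banned` compares only the first row matching the IP or session id, so once a client has been banned twice the oldest, already-expired row is the one examined and a fresh ban is lifted on the next request; select the newest with `SELECT MAX(time) FROM banned_user WHERE ...` and handle a missing row explicitly (`fetchArray` returns `false`, and `false[0]` is `null`) instead of letting `null < $accepted_time` decide. The `SQLite3` class offers `prepare()`/`bindValue()`, so these string-built queries would be safer as prepared statements even though `escapeString` is applied to the string inputs. The raw `session_id()` is also written to the database in plaintext, so a copy of `banned_user` hands out live session tokens; storing `hash('sha256', session_id())` serves the lookup equally well.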
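Review bot: `check_if_banned($db)` is consulted only when the session already carries a truthy `$_SESSION["banned"]`, so a client that discards its cookie starts a fresh session (which the `if(!isset($_SESSION["banned"]))` block above the hunk presumably initialises to false), skips the database lookup entirely, and the IP-keyed `banned_user` row written by `brutforce_protection` is never enforced — change the outer test to `if($_SESSION["banned"] || !check_if_banned($db)){` so new sessions are matched against the ban table by `REMOTE_ADDR` too, at the cost of one extra query per request. When the ban is lifted, `$_SESSION["login_attempts"]` is left at the value that triggered it (0 or below) and the new `isset` guard keeps it there, so the very next wrong password re-bans the client; reset it together with the flag, `$_SESSION["banned"] = false; $_SESSION["login_attempts"] = 6;`. `check_if_banned` returns `true` when the client is no longer banned, which its name inverts; a comment at the call site such as `// check_if_banned() is true once the 6h ban has expired` would spare the next reader a trip to func_login.php. The enclosing `if(!isset($_SESSION["banned"]))` block begins before this hunk.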
@@ -40,8 +48,12 @@ if(empty($_GET)){ if($_SERVER['REQUEST_METHOD'] == 'POST'){ $var = login($db); if($var == LOGIN_SUCCESSFULL){ + $_SESSION["login_attempts"] = 6; header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/".$_SESSION["username"]); - //account($db); + } elseif ($var == LOGIN_PASSWORD){ + brutforce_protection($db); + print_login($var); + } else { print_login($var); } diff --git a/www/setup.php b/www/setup.php index d2290c3..99c9034 100755 --- a/www/setup.php +++ b/www/setup.php @@ -57,6 +57,7 @@ if($bool){ CREATE TABLE IF NOT EXISTS files (id INTEGER PRIMARY KEY, parent INTEGER, owner INTEGER, name TEXT, folder TEXT, mime TEXT, size INTEGER, share TEXT, hash TEXT, download_link TEXT, FOREIGN KEY(owner) REFERENCES user(id)); INSERT INTO files (id, parent, owner, name, folder, size, share, hash, download_link) VALUES (NULL, 0, 1, '/', 'DIRECTORY', 0, 'HIDDEN', '', ''); CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login TEXT, FOREIGN KEY(user) REFERENCES user(id)); + CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER); CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END; COMMIT;") ) { |
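Review bot: Only the `LOGIN_PASSWORD` outcome reaches `brutforce_protection($db)`; every other failure code from `login()` (presumably an unknown username, though `login()` is not part of this diff) lands in the `else` branch and is never counted, so usernames can be probed without limit and the lockout only begins once a valid account name has been found. Both branches call `print_login($var)`, so the counter should apply to any non-success result: `} else { brutforce_protection($db); print_login($var); }` in place of the `elseif`/`else` pair. Resetting `$_SESSION["login_attempts"]` to `6` on success is right, but the literal now appears twice in index.php; a single `define('MAX_LOGIN_ATTEMPTS', 6);` next to wherever `LOGIN_SUCCESSFULL` is declared would keep the two in step. This hunk sits inside the `if(empty($_GET))` block, which begins before it.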
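Review bot: `banned_user` is created without an index on `ip` or `session_id`, yet `check_if_banned` filters on exactly those two columns on every request from a flagged session, and nothing in this change ever removes rows once the six-hour window has passed, so the table grows without bound and each lookup is a full scan. Add `CREATE INDEX IF NOT EXISTS banned_user_ip ON banned_user(ip);` and `CREATE INDEX IF NOT EXISTS banned_user_session ON banned_user(session_id);` after the `CREATE TABLE`, and consider deleting rows with `time` older than the window whenever a new ban is inserted. A short comment on the table, `-- one row per lockout; time is the REQUEST_TIME the ban was imposed`, would also document the schema for whoever reads setup.php next.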
