From 6419201108e177b9547fda1fe9141989cf9db806 Mon Sep 17 00:00:00 2001
From: moehm
Date: Fri, 28 Mar 2014 22:39:47 +0100
Subject: Butforce protection, now banns malicious user.

---
 www/functions/func_login.php | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

(limited to 'www/functions')

diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index e5b7aab..0f9f3e6 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -51,6 +51,38 @@ function logout(){
 }
 }

-function brutforce_protection(){
- $_SESSION["login_attempts"] = $_SESSION["login_attempts"] + 1;
+function brutforce_protection($db){
+ $_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+
+ if($_SESSION["login_attempts"] <= 0){
+ $_SESSION["banned"] = true;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.";
+ COMMIT;
+ ")){
+ echo "You are banned. ;_;":
+ }
+ exit;
+ }
+}
+
+function check_if_banned($db){
+
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_ar = $check_db->fetchArray(SQLITE3_NUM)
+
+ $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+
+ if($check_ar[0] < $accepted_time){
+ return true; // not longer banned
+ } else {
+ return false; // still banned
+ }
 }
--
cgit v1.2.3
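Review bot: The added code does not parse, so the whole func_login.php file (and with it the protection this commit adds) stops loading: the INSERT string ends with `".$time.";` and never closes the VALUES list, the banned message is terminated with a colon instead of a semicolon, and the `fetchArray` assignment in check_if_banned has no semicolon; the lines should read `'".SQLite3::escapeString($session_id)."', ".$time.");`, `echo "You are banned. ;_;";` and `$check_ar = $check_db->fetchArray(SQLITE3_NUM);`. Both queries are built by string concatenation; escapeString is used on the two string values, but moving them to `$db->prepare(...)` with `bindValue` would remove the quoting burden entirely and also cover `$time`, which is currently spliced in unquoted. In check_if_banned the return value is inverted relative to the function name (true means "not banned"), and when no row matches, `fetchArray` returns false so `$check_ar[0]` is null and the comparison silently yields true; a comment such as `// returns true when the caller may proceed (no ban or ban older than 6h)` and an explicit `$check_ar === false` check would make the contract clear. Note that the ban only expires in the table: `$_SESSION["login_attempts"]` is never reset, so a session that has once reached 0 appears to be re-banned on its next failed attempt — worth confirming against the code that initialises the counter, which is outside this hunk.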