| -rw-r--r-- | blob/database_schema | 9 | ||||
| -rwxr-xr-x | www/functions/func_login.php | 72 | ||||
| -rwxr-xr-x | www/setup.php | 2 |
3 files changed, 62 insertions, 21 deletions
diff --git a/blob/database_schema b/blob/database_schema
index e69de29..f83e2d9 100644
--- a/blob/database_schema
+++ b/blob/database_schema
@@ -0,0 +1,9 @@
+CREATE TABLE banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
+
+CREATE TABLE jg(id INTEGER PRIMARY KEY, name TEXT, adresse TEXT, telefonnummer INTEGER, handynummer INTEGER, email TEXT, geburtstag TEXT);
+
+CREATE TABLE log (id INTEGER PRIMARY KEY, user INTEGER, login INTEGER, FOREIGN KEY(user) REFERENCES user(id));
+
+CREATE TABLE sprueche(id INTEGER PRIMARY KEY, spruch TEXT);
+
+CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password TEXT, email TEXT UNIQUE, status INTEGER, register INTEGER);
diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index 3afb3d8..166c835 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -6,30 +6,53 @@ function login($db){
 $password = $_POST["password"];
 $safe_username = SQLite3::escapeString("$username");
- $pepper = file_get_contents("../database/pepper.txt");
- $password = $password . $pepper;
-
+ $log_in = false;
 $real_password = "";
- $real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
- while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
- foreach($real_password_array as $secondelement){
- $real_password=$secondelement;
- }
- }
+ if($username == "Guest"){
+ $real_password_db = $db->query("SELECT email FROM jg");
+ while($row = $real_passsword_db->fetchArray(SQLITE3_NUM)){
+ if($row[0] == $password){
+ $log_in = true;
+ break;
+ }
+ }
+ } else {
+ $pepper = file_get_contents("../database/pepper.txt");
+ $password = $password . $pepper;
+
+ $real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
+ while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
+ foreach($real_password_array as $secondelement){
+ $real_password=$secondelement;
+ }
+ }
+
+ if (!password_verify($password, $real_password)) {
+ $log_in = true;
+ }
+ }
 /*___Login___*/
- if (!password_verify($password, $real_password)) {
+ if(!$log_in){
 return LOGIN_PASSWORD;
 }
-
+
+ $id = user_id($db, $username);
+ $banned_db = $db->query("SELECT 1 FROM banned_user WHERE user=".$id);
+ $banned_ar = $banned_db->fetchArray(SQLITE3_NUM);
+
+ if($banned_ar[0] == 1){
+ echo "You are banned. ;_;";
+ exit;
+ }
+
 if($db->exec("
 BEGIN TRANSACTION;
 INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT strftime('%s', 'now')));
 COMMIT;
 ")){
- $id = user_id($db, $username);
 $_SESSION["login"] = true;
 $_SESSION["username"] = $username;
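Review bot: The non-Guest branch grants login when the password does not verify — `if (!password_verify($password, $real_password)) { $log_in = true; }` is inverted and must read `if (password_verify($password, $real_password)) {`; as written the correct password is rejected and any other value for a known account is accepted. The Guest branch reads `$real_passsword_db` (three s), which is never assigned, so `fetchArray()` is called on null and Guest login fails with an error; beyond the typo, matching the submitted password against every `jg.email` with `==` turns non-secret, loosely compared values into credentials, and at minimum the comparison should be strict (`$row[0] === $password`). The new ban lookup `SELECT 1 FROM banned_user WHERE user=".$id` only works if something writes `banned_user.user`, and no INSERT in this diff sets that column, so `fetchArray()` returns false here and `$banned_ar[0]` raises an offset-on-bool warning instead of enforcing a ban. The enclosing login() function continues past the end of the hunk.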
@@ -54,32 +77,41 @@ function logout(){
 function brutforce_protection($db){
 $_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
+ $session_id = session_id();
+ $time = $_SERVER["REQUEST_TIME"];
+
 if($_SESSION["login_attempts"] <= 0){
- $remote_ip = $_SERVER["REMOTE_ADDR"];
- $session_id = session_id();
- $time = $_SERVER["REQUEST_TIME"];
-
 if($db->exec("
 BEGIN TRANSACTION;
- INSERT INTO banned_user (id, ip, session_id, time) VALUES (NULL, '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
+ INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
 COMMIT;
 ")){
 echo "You are banned. ;_;";
 }
 exit;
+ } else {
+ if($db->exec("
+ BEGIN TRANSACTION;
+ INSERT INTO banned_user (id, login_attemps, ip, session_id) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)."');
+ COMMIT;
+ "))
 }
 }
 function check_if_banned($db){
- $remote_ip = $_SERVER["REMOTE_ADDR"];
 $session_id = session_id();
- $check_db = $db->query("SELECT time FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
 $check_ar = $check_db->fetchArray(SQLITE3_NUM);
+ $log_at = $check_ar[1];
+ $_SESSION["login_attempts"] = $log_at;
+
 $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
+
 $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($check_ar[0] < $accepted_time){
+ if($log_at == 0 && ($check_ar[0] < $accepted_time)){
 return false; // not longer banned
 } else {
 return true; // still banned
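Review bot: The new `else` branch in brutforce_protection has no statement after its condition — `if($db->exec(" … "))` is followed directly by `}` — which is a parse error for the whole file, and the INSERT inside it names a column `login_attemps` that does not exist in the schema this commit adds, writes the escaped IP without quotes, and omits `time`, so the row would never satisfy the `time<` expiry in check_if_banned. The minimal repair is a plain statement aligned with the ban INSERT above it: `$db->exec("` … `INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");` … `");`. In check_if_banned the line `$remote_ip = $_SERVER["REMOTE_ADDR"];` is removed while the new query still interpolates `$remote_ip`, so the `ip=` clause compares against an empty string and only the session id can match. Because `$_SESSION["login_attempts"] = $log_at` now runs unconditionally, a visitor with no banned_user row gets null there and the `- 1` in brutforce_protection yields -1 and a ban on the first failed attempt, unless the counter is re-initialised somewhere I cannot see in this hunk. Both functions continue past the end of the hunk.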
diff --git a/www/setup.php b/www/setup.php
index 3e8ca76..7b691df 100755
--- a/www/setup.php
+++ b/www/setup.php
@@ -55,7 +55,7 @@ if($bool){
 CREATE TABLE IF NOT EXISTS user (id INTEGER PRIMARY KEY, name TEXT UNIQUE, password TEXT, email TEXT UNIQUE, status INTEGER, register INTEGER);
 INSERT INTO user (id, name, status, password, email, register) VALUES (NULL, 'admin', 0, '" . $hash_password . "', '" . $email . "', (SELECT strftime('%s', 'now')));
 CREATE TABLE IF NOT EXISTS log (id INTEGER PRIMARY KEY, user INTEGER, login INTEGER, FOREIGN KEY(user) REFERENCES user(id));
- CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, ip TEXT, session_id TEXT, time INTEGER);
+ CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER);
 CREATE TABLE IF NOT EXISTS jg(id INTEGER PRIMARY KEY, name TEXT, adresse TEXT, telefonnummer INTEGER, handynummer INTEGER, email TEXT, geburtstag TEXT);
 CREATE TRIGGER IF NOT EXISTS delete_files AFTER DELETE ON user FOR EACH ROW BEGIN DELETE FROM files WHERE owner=OLD.id; END;
 COMMIT;") |
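Review bot: The new `banned_user` definition adds a `user INTEGER` column without the `FOREIGN KEY(user) REFERENCES user(id)` constraint that `log` declares on the line above, and the same omission is in the new blob/database_schema file. Since login() in this commit looks bans up by `user`, declaring the reference keeps the two tables consistent: `CREATE TABLE IF NOT EXISTS banned_user (id INTEGER PRIMARY KEY, login_attempts INTEGER, ip TEXT, session_id TEXT, time INTEGER, user INTEGER, FOREIGN KEY(user) REFERENCES user(id));` (SQLite enforces it only with `PRAGMA foreign_keys=ON`). Note that `IF NOT EXISTS` does not alter a banned_user table created by the previous schema, so existing installs keep the old column set and the new `login_attempts`/`user` queries in func_login.php fail against them until a migration or a fresh setup runs.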
