From 34080a9121c4710610b2537175818aa1b9f4a6ce Mon Sep 17 00:00:00 2001
From: Horus3
Date: Tue, 15 Apr 2014 18:57:29 +0200
Subject: Security bugfix: Checks now the last login attempt, not the first.

---
 www/functions/func_login.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/www/functions/func_login.php b/www/functions/func_login.php
index 166c835..63c7e61 100755
--- a/www/functions/func_login.php
+++ b/www/functions/func_login.php
@@ -93,16 +93,21 @@ function brutforce_protection($db){
 }
 } else {
 if($db->exec("
 BEGIN TRANSACTION;
- INSERT INTO banned_user (id, login_attemps, ip, session_id) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)."');
+ INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)."', '".$time."');
 COMMIT;
- "))
+ ")){
+ return true;
+ } else {
+ return false;
+ }
 }
 }

 function check_if_banned($db){
+ $remote_ip = $_SERVER["REMOTE_ADDR"];
 $session_id = session_id();
- $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
+ $check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."' ORDER BY id DESC;");
 $check_ar = $check_db->fetchArray(SQLITE3_NUM);
 $log_at = $check_ar[1];

-- 
cgit v1.2.3
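Review bot: The new INSERT line in brutforce_protection writes a column named `login_attemps`, while the rewritten SELECT in check_if_banned reads `login_attempts`; unless the table really has both columns, one of the two statements fails and the ban is either never recorded or never read back, so the spelling should be made consistent with the schema. The same INSERT also concatenates `$db->escapeString($remote_ip)` without surrounding quotes, so the escaping gives no protection there and an address literal is not even a valid unquoted SQL token, and `$time` is interpolated with no escaping at all. Both statements should move to `$db->prepare()` with `bindValue()` so every runtime value is bound rather than spliced into the SQL, as sketched below for the INSERT (a single INSERT needs no BEGIN/COMMIT wrapper). brutforce_protection starts, and check_if_banned continues, outside the hunk, and `$remote_ip`/`$time` used by the INSERT are assumed to be set earlier in brutforce_protection.
```php
} else {
    // NOTE(review): the INSERT spells the column `login_attemps` but the SELECT reads `login_attempts`; use whichever the schema actually defines
    $stmt = $db->prepare('INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, :attempts, :ip, :session_id, :time)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bindValue(':attempts', (int) $_SESSION["login_attempts"], SQLITE3_INTEGER);
    $stmt->bindValue(':ip', $remote_ip, SQLITE3_TEXT);
    $stmt->bindValue(':session_id', $session_id, SQLITE3_TEXT);
    $stmt->bindValue(':time', $time, SQLITE3_TEXT);
    return $stmt->execute() !== false;
}
```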