From b4e9313612dd341e43e5dc998469ec346adea8c6 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 15 Apr 2014 20:03:48 +0200 Subject: Added failure page and fixed brutforce protection. --- blob/nginx_rewrite_rules | 16 +++++----- www/failure.php | 75 ++++++++++++++++++++++++++++++++++++++++++++ www/functions/func_login.php | 19 ++++++----- www/functions/func_user.php | 6 +++- www/index.php | 11 ++++--- www/insert.php | 2 +- www/liste.php | 8 ++--- www/print_index.php | 5 +-- www/update.php | 2 +- 9 files changed, 116 insertions(+), 28 deletions(-) create mode 100644 www/failure.php diff --git a/blob/nginx_rewrite_rules b/blob/nginx_rewrite_rules index 571c3fe..a1323f7 100755 --- a/blob/nginx_rewrite_rules +++ b/blob/nginx_rewrite_rules @@ -1,10 +1,10 @@ -error_page 401 /httperror.php?e=401; -error_page 403 /httperror.php?e=403; -error_page 404 /httperror.php?e=404; +error_page 401 /failure.php?e=401; +error_page 403 /failure.php?e=403; +error_page 404 /failure.php?e=404; -error_page 500 /httperror.php?e=500; -error_page 502 /httperror.php?e=502; -error_page 504 /httperror.php?e=504; +error_page 500 /failure.php?e=500; +error_page 502 /failure.php?e=502; +error_page 504 /failure.php?e=504; location /robots.txt {} #stop rewriting the robots.txt @@ -12,8 +12,10 @@ location /favicon.ico {} location /static {} location ~* ^/liste { - rewrite ^/liste/?$ /index.php?task=liste; + rewrite ^/liste/?$ /index.php?task=liste&id=0; rewrite ^/liste/([0-9]+)/?$ /index.php?task=liste&id=$1; + rewrite ^/liste/updated?/?$ /index.php?task=update; + rewrite ^/liste/new_member/? /index.php?task=new_member; } rewrite ^/quote/?$ /index.php?task=quote; diff --git a/www/failure.php b/www/failure.php new file mode 100644 index 0000000..976e414 --- /dev/null +++ b/www/failure.php @@ -0,0 +1,75 @@ + + + + Failure :: Junge Gemeinde Adlershof + + + + + + +
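Review bot: None of the rewrite replacements in the `location ~* ^/liste` hunk ends with `?`, so nginx appends the client's original query string after the generated `task=...&id=...` arguments, and since PHP keeps the last value of a repeated key, a request like `/liste/0?task=update` reaches index.php with task=update instead of task=liste. Terminate each replacement with `?` to drop the incoming arguments, e.g. `rewrite ^/liste/?$ /index.php?task=liste&id=0?;`. The added `new_member` rule also lacks the trailing `$` its siblings carry, so it matches any path beginning with `/liste/new_member`; `rewrite ^/liste/new_member/?$ /index.php?task=new_member?;` is the consistent form. `updated?` makes the final d optional, so both `/liste/update` and `/liste/updated` map to task=update — fine if that is intended, otherwise drop the `?`.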

+
+

+ +

+

Upps, it seems to be something went wrong, sorry.

+

Have a random quote to bridge the time. Try to reload the site or check for typos in the URL.

+query("SELECT count(*) as count FROM sprueche;"); + $row = $rows->fetchArray(); + $numRows = $row["count"]; + + $zufall = mt_rand(1,$numRows); + $ergebnis = $db->query("SELECT * FROM sprueche where id=$zufall;"); +?> +
+
+


+ Zitat Nummer #

+fetchArray()){ + echo $row["spruch"]; + } +?>
+
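Review bot: `echo $row["spruch"];` near the end of the new failure.php writes the stored quote into the page unescaped; if that column is ever populated from user input this becomes a stored XSS sink on every error page, so output it as `echo htmlspecialchars($row["spruch"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. `mt_rand(1, $numRows)` additionally assumes ids run contiguously from 1 to the row count — a deleted row leaves a gap that selects nothing, and an empty table yields `mt_rand(1, 0)`, which is not a valid range; `SELECT spruch FROM sprueche ORDER BY RANDOM() LIMIT 1` sidesteps both. The HTML around the PHP fragments did not survive extraction, so the markup itself is not reviewed here.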
diff --git a/www/functions/func_login.php b/www/functions/func_login.php index 63c7e61..ccd99db 100755 --- a/www/functions/func_login.php +++ b/www/functions/func_login.php @@ -28,7 +28,7 @@ function login($db){ } } - if (!password_verify($password, $real_password)) { + if (password_verify($password, $real_password)) { $log_in = true; } } @@ -38,6 +38,7 @@ function login($db){ return LOGIN_PASSWORD; } + $id = user_id($db, $username); $banned_db = $db->query("SELECT 1 FROM banned_user WHERE user=".$id); $banned_ar = $banned_db->fetchArray(SQLITE3_NUM); @@ -93,7 +94,7 @@ function brutforce_protection($db){ } else { if($db->exec(" BEGIN TRANSACTION; - INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)."', '".$time."'); + INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".$db->escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', '".$time."'); COMMIT; ")){ return true; @@ -111,14 +112,18 @@ function check_if_banned($db){ $check_ar = $check_db->fetchArray(SQLITE3_NUM); $log_at = $check_ar[1]; - $_SESSION["login_attempts"] = $log_at; + if($log_at){ + $_SESSION["login_attempts"] = $log_at; + } $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'"); - if($log_at == 0 && ($check_ar[0] < $accepted_time)){ - return false; // not longer banned - } else { - return true; // still banned + if($log_at <= 0){ + if($check_ar[0] >= $accepted_time){ + return true; // still banned + } } + + return false; // not longer banned } diff --git a/www/functions/func_user.php b/www/functions/func_user.php index d9e202d..8efd104 100755 --- a/www/functions/func_user.php +++ b/www/functions/func_user.php 
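Review bot: The `$id` returned by user_id() on the added line is concatenated unquoted into the following `SELECT 1 FROM banned_user WHERE user=` query, and user_id() in this same commit (the func_user.php hunk) now returns false for an unknown user; false concatenates to an empty string, the statement becomes a syntax error, `$db->query()` returns false and the `fetchArray(SQLITE3_NUM)` on the next line fails. Bind the value and bail out when there is no user instead: `$stmt = $db->prepare("SELECT 1 FROM banned_user WHERE user = :id");` `$stmt->bindValue(':id', (int) $id, SQLITE3_INTEGER);` `$banned_db = $stmt->execute();` preceded by a check that `$id !== false`. The rest of login() lies outside the hunk, so which return value fits the missing-user case is for the author to choose.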
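Review bot: In check_if_banned, `$check_ar[1]` is read before anything confirms that `fetchArray(SQLITE3_NUM)` returned a row; for a visitor with no banned_user record the call returns false, `$log_at` becomes null through an array-offset-on-bool access, and the new `$log_at <= 0` branch then evaluates `null >= $accepted_time`. The function does end up returning false there, but only through loose comparison, so make it explicit with `if ($check_ar === false) { return false; }` directly after the fetch. Note also that `$_SESSION["login_attempts"]` is now restored only when `$log_at` is truthy, so a stored counter of 0 no longer overwrites the session value — if that is deliberate, a one-line comment saying so would help the next reader. The query that produces `$check_db` is above the hunk.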
@@ -290,7 +290,11 @@ function user_id($db, $user){ } $owner = $owner_ar[0]; - return $owner; + if($owner != ""){ + return $owner; + } else { + return false; + } } function change_username($db, $oldname, $newname){ diff --git a/www/index.php b/www/index.php index a8dc53f..b6dce19 100755 --- a/www/index.php +++ b/www/index.php @@ -5,12 +5,12 @@ if(!isset($_SESSION["login"])){ $_SESSION["login"] = false; } -require_once("include.php"); // handles all the stuff that needs to be included - if(!isset($_SESSION["login_attempts"])){ $_SESSION["login_attempts"] = 6; } +require_once("include.php"); // handles all the stuff that needs to be included + if(check_if_banned($db)){ echo "You are banned. ;_;"; exit; @@ -101,7 +101,7 @@ if(empty($_GET)){ echo "Database error. Please send me a mail"; exit; } else { - header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/liste"); + print_list($db); } } else { print_insert(); @@ -112,13 +112,14 @@ if(empty($_GET)){ if($_SERVER["REQUEST_METHOD"] == "POST"){ $var = update_db($db); if($var){ - header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/liste"); + print_list($db); } else { + echo $var."
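Review bot: `$owner != ""` is a loose comparison; before PHP 8 `0 == ""` is true, so a row id of 0 would be reported as "no user" on the interpreter this code targets — prefer the strict form `if ($owner !== "" && $owner !== null) { return $owner; }`. Returning false also changes user_id()'s contract from always-an-id to id-or-false, which every existing caller must now handle (the new caller in func_login.php is discussed at that hunk). The start of user_id(), where `$owner_ar` is fetched, is above the hunk.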
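Review bot: Replacing the post-write redirect with `print_list($db);` renders the list as the response to what appears to be the POST itself, so a browser reload on that page re-submits the form and writes the record a second time; the same applies to both `print_list($db);` replacements in the next hunk (@@ -112). The removed `Refresh:` header was not a proper redirect either, so the fix is a real redirect-after-POST: `header("Location: /liste", true, 303); exit;`. The surrounding dispatch block extends beyond the hunk.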
"; echo "Database error. Please send me a mail"; exit; } } else { - header("Refresh: 0; ".$scheme.$_SERVER["HTTP_HOST"]."/liste"); + print_list($db); } break; diff --git a/www/insert.php b/www/insert.php index c0b30e5..4a17042 100644 --- a/www/insert.php +++ b/www/insert.php @@ -35,7 +35,7 @@ echo "
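Review bot: The added `echo $var.…` line in the failure branch prints a value that is falsy on that path (the branch is reached only when `$var` is false), so it emits an empty string followed by the literal markup — it reads as a debugging leftover and should be removed, or replaced by `error_log('update_db failed');` if a trace is wanted. The enclosing `case` block starts before the hunk and continues after it.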

Trage einfach die Daten von unserem neuen Mitglied ein:
-
+ diff --git a/www/liste.php b/www/liste.php index 2ff3490..1df43ce 100644 --- a/www/liste.php +++ b/www/liste.php @@ -67,7 +67,7 @@ function hide_elements() } -echo " + echo "
Name:
@@ -78,7 +78,7 @@ Wenn du deine Adresse ändern möchtest, dann drücke einfach auf deinen

-"; + "; } else { $id = $_GET["id"]; @@ -86,10 +86,10 @@ Wenn du deine Adresse ändern möchtest, dann drücke einfach auf deinen $ergebnis = $db->query("SELECT * FROM jg where id=$safe_id;"); while($row=$ergebnis->fetchArray()){ echo "
Trage einfach die neuen Daten von $row[name] ein:
- "; +
"; echo " - + diff --git a/www/print_index.php b/www/print_index.php index 9a8e96d..3f848b6 100644 --- a/www/print_index.php +++ b/www/print_index.php @@ -24,7 +24,7 @@ function print_index(){
Hallo ".$name.".
Willkommen auf der Webpage für die Junge Gemeinde in Adlershof. Für einen persönlichen Zugang, und um alle Features zu nutzen, registriere dich doch hier. Wenn du Probleme bei der Navigation hast, dann schau unter Hilfe nach.
+href='/help'>Hilfe* nach.
Für Anregungen und Kritik bin ich immer zu haben. Schick mir einfach ne Mail oder sags mir nächsten Donnerstag. ;)

PS: Du kannst dich nach einer Registrierung auch mit deinem Username einloggen. @@ -41,7 +41,8 @@ href='/help'>Hilfe nach.
(,_....----''' (,..--''
- +
+

*Hilfe noch nich implementiert. Dokumentation schreiben ist nicht so mein Ding. :)

"; diff --git a/www/update.php b/www/update.php index 04df988..67a92a1 100644 --- a/www/update.php +++ b/www/update.php @@ -10,7 +10,7 @@ function update_db($db){ $email = SQLite3::escapeString($_POST["email"]); $bday = SQLite3::escapeString($_POST["geburtstag"]); - if(!preg_match("/^[0-9]+$/", $id) || !preg_match("/[0-9]+$/", $telefonnummer) || !preg_match("/^.+@.+$/", $email)){ + if((!empty($id) && !preg_match("/^[0-9]+$/", $id)) || (!empty($telefonnummer) && !preg_match("/^[0-9]+$/", $telefonnummer) )|| (!empty($email) && !preg_match("/^.+@.+$/", $email))){ return false; } -- cgit v1.2.3
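Review bot: The reworked condition now lets an empty `$id` pass validation, which is unusual for an update routine that is keyed on the id; if the id must always be present, keep its check unconditional: `if(!preg_match("/^[0-9]+$/", $id) || (!empty($telefonnummer) && !preg_match("/^[0-9]+$/", $telefonnummer)) || (!empty($email) && !preg_match("/^.+@.+$/", $email))){`. Where `$id` is consumed lies below the hunk, so how an empty value behaves there cannot be confirmed from this view. Separately, `$` in `/^[0-9]+$/` also matches before a trailing newline, so `"12\n"` is accepted; `/^[0-9]+\z/` (or the `D` modifier) closes that gap for both the id and the phone number.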
Name: Adresse: Telefon:
Telefon:
Handy: E-Mail: Geburtstag: