From b4e9313612dd341e43e5dc998469ec346adea8c6 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 15 Apr 2014 20:03:48 +0200 Subject: Added failure page and fixed brutforce protection. --- www/functions/func_login.php | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'www/functions/func_login.php') diff --git a/www/functions/func_login.php b/www/functions/func_login.php index 63c7e61..ccd99db 100755 --- a/www/functions/func_login.php +++ b/www/functions/func_login.php @@ -28,7 +28,7 @@ function login($db){ } } - if (!password_verify($password, $real_password)) { + if (password_verify($password, $real_password)) { $log_in = true; } } @@ -38,6 +38,7 @@ function login($db){ return LOGIN_PASSWORD; } + $id = user_id($db, $username); $banned_db = $db->query("SELECT 1 FROM banned_user WHERE user=".$id); $banned_ar = $banned_db->fetchArray(SQLITE3_NUM); @@ -93,7 +94,7 @@ function brutforce_protection($db){ } else { if($db->exec(" BEGIN TRANSACTION; - INSERT INTO banned_user (id, login_attemps, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)."', '".$time."'); + INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".$db->escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', '".$time."'); COMMIT; ")){ return true; 
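Review bot: Neither the commit subject nor a code comment records that the `!` removed from `if (password_verify($password, $real_password))` was an authentication bypass: the old condition set `$log_in = true` for a non-matching password and refused the correct one. Sessions established while the inverted check was deployed were authenticated with a wrong password, so they should be invalidated when this fix ships. A short comment above the condition, such as `// $log_in is set only when the hash matches; every other path must leave it false`, would help guard against a regression. The enclosing blocks of login() start and end outside the hunk, so where `$log_in` is initialised is not visible here.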
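Review bot: The ban lookup next to `$id = user_id($db, $username);` concatenates `$id` into the SQL text unquoted. If user_id() returns nothing for an unknown username, the statement ends in `WHERE user=`, query() fails, and fetchArray() is then called on `false`. Binding the value avoids both problems: `$stmt = $db->prepare('SELECT 1 FROM banned_user WHERE user = :id'); $stmt->bindValue(':id', $id, SQLITE3_INTEGER); $banned_db = $stmt->execute();` (assuming the id is numeric). The same string-built pattern appears in the INSERT in brutforce_protection() and the DELETE in check_if_banned(). The INSERT in this commit also writes no `user` column, so unless another code path fills it this lookup may never match. login() continues outside the hunk, so what user_id() returns on a miss is not visible here.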
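Review bot: The ban row written by this INSERT takes its counter from `$_SESSION["login_attempts"]` and is keyed partly on `session_id`, both of which depend on the client returning its session cookie; a request without the cookie starts with a fresh counter and a new id. Lockout state holds up better when the attempt count is kept server-side per target account and per source address, and the row is looked up by those. How `$remote_ip` is obtained lies outside the hunk; if it comes from a forwarded-for header rather than the connection address, it deserves the same scrutiny. Until the statement is parameterised, `(int) $_SESSION["login_attempts"]` would at least pin the type of the one value that is still interpolated unquoted.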
@@ -111,14 +112,18 @@ function check_if_banned($db){
 $check_ar = $check_db->fetchArray(SQLITE3_NUM);
 $log_at = $check_ar[1];
- $_SESSION["login_attempts"] = $log_at;
+ if($log_at){
+ $_SESSION["login_attempts"] = $log_at;
+ }
 $accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
 $db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
- if($log_at == 0 && ($check_ar[0] < $accepted_time)){
- return false; // not longer banned
- } else {
- return true; // still banned
+ if($log_at <= 0){
+ if($check_ar[0] >= $accepted_time){
+ return true; // still banned
+ }
 }
+
+ return false; // not longer banned
 }
-- cgit v1.2.3
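Review bot: A missing ban row is handled only implicitly. fetchArray() returns false when nothing matches, so `$check_ar[1]` and `$check_ar[0]` read offsets of `false`, and the outcome depends on how null compares in `$log_at <= 0` and `$check_ar[0] >= $accepted_time`. Making the no-row case explicit states the intent: `$log_at = $check_ar === false ? null : (int) $check_ar[1];`, then `if ($log_at !== null) { $_SESSION["login_attempts"] = $log_at; }` and `if ($log_at !== null && $log_at <= 0 && $check_ar[0] >= $accepted_time) { return true; }`. That also stops a stored value of 0 from being treated like "no row" by the truthiness test in `if($log_at)`. The SELECT that fills `$check_ar` is above the hunk, so the meaning of columns 0 and 1 is inferred from how they are used here.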