1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
<?php
function login($db){
/*___Database Query: Login___*/
$username = $_POST["username"];
$password = $_POST["password"];
$safe_username = SQLite3::escapeString("$username");
$log_in = false;
$real_password = "";
if($username == "Guest"){
$real_password_db = $db->query("SELECT email FROM jg");
while($row = $real_passsword_db->fetchArray(SQLITE3_NUM)){
if($row[0] == $password){
$log_in = true;
break;
}
}
} else {
$pepper = file_get_contents("../database/pepper.txt");
$password = $password . $pepper;
$real_password_db = $db->query("SELECT password FROM user WHERE name='" . $safe_username . "';");
while($real_password_array = $real_password_db->fetchArray(SQLITE3_NUM)){
foreach($real_password_array as $secondelement){
$real_password=$secondelement;
}
}
if (!password_verify($password, $real_password)) {
$log_in = true;
}
}
/*___Login___*/
if(!$log_in){
return LOGIN_PASSWORD;
}
$id = user_id($db, $username);
$banned_db = $db->query("SELECT 1 FROM banned_user WHERE user=".$id);
$banned_ar = $banned_db->fetchArray(SQLITE3_NUM);
if($banned_ar[0] == 1){
echo "You are banned. ;_;";
exit;
}
if($db->exec("
BEGIN TRANSACTION;
INSERT INTO log (id, user, login) VALUES (NULL, (SELECT id FROM user WHERE name='" . $username . "'), (SELECT strftime('%s', 'now')));
COMMIT;
")){
$_SESSION["login"] = true;
$_SESSION["username"] = $username;
$_SESSION["userid"] = $id;
return LOGIN_SUCCESSFULL;
} else {
return LOGIN_DATABASE;
}
}
function logout(){
if(session_destroy()){
return LOGOUT_SUCCESSFULL;
} else {
return LOGOUT_FAILURE;
}
}
function brutforce_protection($db){
$_SESSION["login_attempts"] = $_SESSION["login_attempts"] - 1;
$remote_ip = $_SERVER["REMOTE_ADDR"];
$session_id = session_id();
$time = $_SERVER["REQUEST_TIME"];
if($_SESSION["login_attempts"] <= 0){
if($db->exec("
BEGIN TRANSACTION;
INSERT INTO banned_user (id, login_attempts, ip, session_id, time) VALUES (NULL, ".$_SESSION["login_attempts"].", '".SQLite3::escapeString($remote_ip)."', '".SQLite3::escapeString($session_id)."', ".$time.");
COMMIT;
")){
echo "You are banned. ;_;";
}
exit;
} else {
if($db->exec("
BEGIN TRANSACTION;
INSERT INTO banned_user (id, login_attemps, ip, session_id) VALUES (NULL, ".$_SESSION["login_attempts"].", ".$db->escapeString($remote_ip).", '".SQLite3::escapeString($session_id)."');
COMMIT;
"))
}
}
function check_if_banned($db){
$remote_ip = $_SERVER["REMOTE_ADDR"];
$session_id = session_id();
$check_db = $db->query("SELECT time, login_attempts, id FROM banned_user WHERE ip='".SQLite3::escapeString($remote_ip)."' OR session_id='".SQLite3::escapeString($session_id)."';");
$check_ar = $check_db->fetchArray(SQLITE3_NUM);
$log_at = $check_ar[1];
$_SESSION["login_attempts"] = $log_at;
$accepted_time = $_SERVER["REQUEST_TIME"] - 21600; // == 6h
$db->exec("DELETE FROM banned_user WHERE time<'".$accepted_time."'");
if($log_at == 0 && ($check_ar[0] < $accepted_time)){
return false; // not longer banned
} else {
return true; // still banned
}
}
|
