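// LOGIN VALIDATION
// Expects the including script to provide: an active session, a PDO
// connection in $db_connect, the $database_log_* message strings and the
// $log_error accumulator. None of them are defined here.
if (isset($_POST['login'])) {
    if ((!empty($_POST['email'])) && (!empty($_POST['password']))) {
        $email = $_POST['email'];
        $password = $_POST['password'];
        // PREPARE STATEMENT TO AVOID SQL INJECTION
        $sql = "SELECT id, email, password FROM users WHERE email = :email AND access_level > 0 LIMIT 1";
        $results = $db_connect->prepare($sql);
        if ($results->execute([':email' => $email])) {
            // fetch() returns false when no row matched. This is reliable,
            // whereas PDOStatement::rowCount() on a SELECT is driver-dependent.
            $user_data = $results->fetch();
            if ($user_data !== false) {
                $db_user_id = $user_data['id'];
                $db_email = $user_data['email'];
                $db_password = $user_data['password'];
                // BRUTE FORCE CHECK
                // Count failed attempts for this account from this address in the
                // last hour. The limit is keyed on (user_id, ip), so an attacker
                // rotating source addresses is not slowed by this check alone;
                // note also that the "no user" and "wrong password" outcomes end
                // in different $database_log_* messages, which lets a caller tell
                // registered addresses from unregistered ones.
                $remote_ip = $_SERVER['REMOTE_ADDR'];
                $sql = "
                    SELECT COUNT(*)
                    FROM users_login_attempts
                    WHERE user_id = :userid
                    AND time > DATE_SUB(NOW(), INTERVAL 1 HOUR)
                    AND user_ip = :userip
                ";
                $results = $db_connect->prepare($sql);
                // Bind $db_user_id (the id just loaded), not the undefined $user_id
                // the original bound here: with a null id the query matched nothing,
                // so the attempt counter was always 0 and the limit never applied.
                if ($results->execute([':userid' => $db_user_id, ':userip' => $remote_ip])) {
                    // COUNT(*) is read from the single result row instead of relying
                    // on rowCount(); the debug var_dump of the counter is gone, as it
                    // wrote the value straight into the HTTP response.
                    $count_tries = (int) $results->fetchColumn();
                    if ($count_tries < 5) {
                        // PASSWORD VERIFICATION
                        if (password_verify($password, $db_password)) {
                            // Rotate the session id on privilege change so an id fixed
                            // before login cannot be reused as the logged-in session.
                            if (session_status() === PHP_SESSION_ACTIVE) {
                                session_regenerate_id(true);
                            }
                            // SET SESSIONS WITH XSS PROTECTION
                            $_SESSION['user_id'] = preg_replace("/[^0-9]+/", "", $db_user_id);
                            // HTTP_USER_AGENT is absent when the client sends no header.
                            $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                            $_SESSION['login_string'] = hash('sha512', $db_user_id . $user_browser);
                            // SUCCESSFUL
                            $log_error .= $database_log_1;
                        } else {
                            // INCORRECT PASSWORD, RECORD THE FAILED ATTEMPT
                            $sql = "INSERT INTO users_login_attempts (user_id, time, user_ip) VALUE (:userid,NOW(),:userip)";
                            $results = $db_connect->prepare($sql);
                            if ($results->execute([':userid' => $db_user_id, ':userip' => $remote_ip])) {
                                // RETURN BRUTE FORCE ERROR
                                $log_error .= $database_log_2;
                            } else {
                                // DATABASE BRUTE INSERT ERROR
                                $log_error .= $database_log_3;
                            }
                        }
                    } else {
                        // BRUTE FORCE LIMIT REACHED
                        $log_error .= $database_log_4;
                    }
                } else {
                    // DATABASE ERROR
                    $log_error .= $database_log_5;
                }
            } else {
                // IF NO USER EXIST
                $log_error .= $database_log_6;
            }
        } else {
            // DATABASE ERROR
            $log_error .= $database_log_7;
        }
    } else {
        // FORM ERROR - NOT ALL FILLED
        $log_error .= $database_log_8;
    }
}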