Untitled

$(".login").click(function(){
        var type = "login";
        var login = $(".btc-login").val();
        if(login=="" || login==null || login==undefined){
            alert("Please put your Bitcoin wallet for login/register");
            return;
        }
        var values = "type="+type+"&login="+login+"&tr="+getCookie("tr");
        $.ajax({
            url: "ajax.php",
            type: "post",
            data: values,
            success: function (response){
               // you will get response from your php page (what you echo or print)
               if(response=="success"){
                 window.location.href = "account.php";
               }else if(response=="login"){
                 window.location.href = "account.php";
               }else{
                 alert(response);
               }
            },
            error: function(jqXHR, textStatus, errorThrown){
               alert(textStatus, errorThrown);
            }
        });
});

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "qwe";

try{
  $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
  // set the PDO error mode to exception
  $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
  //echo "Connected successfully";
}catch(PDOException $e){
  //echo "Connection failed: " . $e->getMessage();
}

$type = $_POST['type'];
    if($type=="login"){
        $login = trim($_POST['login']);
        $BTC = new Btc_address_validator();
        if(!$BTC->validate($login)){
            exit("Invalid bitcoin address");
        }
        $tr = $_POST['tr'];
        if($tr!="undefined" && $tr!=""){
            if(!$BTC->validate($tr)){
                exit("Invalid affiliate bitcoin address");
            }
        }
        $register_time = date("Y-m-d H:i:s");
        $total_deposits = 0.00000000;
        $total_deposited = 0.00000000;
        $total_paid = 0.00000000;


        $stmt1 = $conn->prepare("SELECT * FROM qweqw WHERE login=?");
        $stmt1->bindParam(1, $login, PDO::PARAM_INT);
        $stmt1->execute();
        $row = $stmt1->fetch(PDO::FETCH_ASSOC);

        if(!$row){
            //register & login
            $sql = "INSERT INTO eldoradiki(login,tr,total_deposits,total_deposited,total_paid,register_time) VALUES
            (:login,:tr,:total_deposits,:total_deposited,:total_paid,:register_time)";
            $stmt = $conn->prepare($sql);
            $stmt->bindParam(':login', $login, PDO::PARAM_STR);
            $stmt->bindParam(':tr', $tr, PDO::PARAM_STR);
            $stmt->bindParam(':total_deposits', $total_deposits, PDO::PARAM_STR);
            $stmt->bindParam(':total_deposited', $total_deposited, PDO::PARAM_STR);
            $stmt->bindParam(':total_paid', $total_paid, PDO::PARAM_STR);
            $stmt->bindParam(':register_time', $register_time, PDO::PARAM_STR);
            if($stmt->execute()){
                exit("success");
            }else{
                exit("fail");
            }
        }else{
            $_SESSION['login'] = $login;
            //login
            exit("login");
        }

robot@kali:~$ nikto -h https://ban***.club/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          31.170.165.49
+ Target Hostname:    bancobit.club
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /OU=Domain Control Validated/OU=PositiveSSL/CN=ban****.club
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
+ Start Time:         2017-05-18 14:50:48 (GMT3)
---------------------------------------------------------------------------
+ Server: openresty
+ Retrieved x-powered-by header: PHP/7.0.19
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /ban****.tar, fields: 0x58be8093 0x97c
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /test.txt: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ /login.php: Admin login page/section found.
+ 7446 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2017-05-18 15:29:27 (GMT3) (2319 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested