  1. <?php
  2. ini_set('session.cookie_httponly', TRUE); // Helps mitigate xss
  3. ini_set('session.session.use_only_cookies', TRUE); // Prevents session fixation
  4. ini_set('session.cookie_lifetime', FALSE); // Smaller exploitation window for xss/csrf/clickjacking...
  5. ini_set('session.cookie_secure', TRUE); // Owasp a9 violations
  6.  
  7. // Start Sessions
  8. if(!isset($_SESSION))session_start(); // Session Start
  9.  
  10. // Set Localization
  11. $local = $set['localization'];
  12. switch ($local) {
  13. case 'custom': include ('language/custom.php'); break;
  14. case 'english': include ('language/english.php'); break;
  15. }
  16.  
  17. // Session Data
  18. if ((isset($_SESSION['pw']['userId'])) && ($_SESSION['pw']['userId'] != '')) {
  19. // Keep some User data available
  20. $pw_userId = $_SESSION['pw']['userId'];
  21. $pw_userEmail = $_SESSION['pw']['userEmail'];
  22. $pw_firstName = $_SESSION['pw']['firstName'];
  23. $pw_lastName = $_SESSION['pw']['lastName'];
  24. $pw_recEmails = $_SESSION['pw']['recEmails'];
  25. $pw_superUser = $_SESSION['pw']['superUser'];
  26. } else {
  27. $pw_userId = $pw_userEmail = $pw_firstName = $pw_lastName = $pw_userLoc = $pw_recEmails = $pw_superUser = '';
  28. }
  29.  
  30. $msgBox = '';
  31.  
  32. <?php
  33.  
  34. if(!defined('USERS_TABLE'))
  35. {
  36. define('USERS_TABLE', 'users');
  37. }
  38.  
  39. // Right Away on Login
  40. if(isset($_POST['username']) && isset($_POST['password']))
  41. {
  42. $ok = authenticate($_POST['username'], $_POST['password'], USERS_TABLE);
  43.  
  44. if($ok == false)
  45. {
  46. $_SESSION['c_loginMessage'] = 'Invalid Credentials';
  47. header('Location: index.php');
  48. exit();
  49. } elseif(in_array('error_found', $ok)) {
  50. $_SESSION['c_loginMessage'] = $ok['error'];
  51. header('Location: index.php');
  52. exit();
  53. }
  54. }
  55.  
  56. // Will check all pages that does need authentication - direct access example
  57. // The current pages are those to skip authentication
  58. if(
  59. basename($_SERVER['PHP_SELF']) !== 'index.php'
  60. )
  61. {
  62. if(!isset($_SESSION['c_username']) && !isset($_SESSION['c_authenticated']) && $_SESSION['c_authenticated'] !== 'true')
  63. {
  64. $_SESSION['c_loginMessage'] = 'Failed to log in';
  65. header('Location: index.php');
  66. exit();
  67. }
  68. }
  69.  
  70. ?>
  71. <?php
  72.  
  73. // Session Related Functions
  74.  
  75. function authenticate($username, $password, $user_table)
  76. {
  77. $link = mysqli_connect(DB_HOST, DB_USERNAME, DB_PASSWORD, DATABASE);
  78.  
  79. if($username && $password)
  80. {
  81. $query = sprintf("SELECT * FROM %s WHERE username = '%s' and password = '%s' LIMIT 1",
  82. mysqli_real_escape_string($link, $user_table),
  83. mysqli_real_escape_string($link, $username),
  84. mysqli_real_escape_string($link, $password)
  85. );
  86.  
  87. $result = mysqli_query($link, $query);
  88.  
  89. $results = mysqli_fetch_assoc($result);
  90.  
  91. // gave a result and was authenticated
  92. if(!empty($results))
  93. {
  94. $_SESSION['c_username'] = $username;
  95. $_SESSION['c_authenticated'] = 'true';
  96. return $results;
  97. } elseif(mysqli_error($link)) {
  98. return array('error_found' => 'true', 'error' => mysqli_error($link));
  99. } else {
  100. return false;
  101. }
  102.  
  103. }
  104. }
  105.  
  106. function add_user($username, $password, $user_table)
  107. {
  108. $link = mysqli_connect(DB_HOST, DB_USERNAME, DB_PASSWORD, DATABASE);
  109.  
  110. $query = sprintf('INSERT INTO %s SET username = "%s", password = "%s"',
  111. mysqli_real_escape_string($link, $user_table),
  112. mysqli_real_escape_string($link, $username),
  113. mysqli_real_escape_string($link, $password)
  114. );
  115.  
  116. $result = mysqli_query($link, $query);
  117.  
  118. if($result)
  119. {
  120. return true;
  121. } else {
  122. return false;
  123. }
  124.  
  125. }
  126.  
  127. function get_user($identifier)
  128. {
  129. $link = mysqli_connect(DB_HOST, DB_USERNAME, DB_PASSWORD, DATABASE);
  130.  
  131. $username = $_SESSION['c_username'];
  132.  
  133. if(isset($username))
  134. {
  135. $query = mysqli_query($link, "SELECT users.id as id, users.username FROM users WHERE username = '{$username}'");
  136.  
  137. while($row = mysqli_fetch_array($query))
  138. {
  139. //get logged user id and username
  140. $users_username = $row['username'];
  141. $users_id = $row['id'];
  142. }
  143.  
  144. if($username == $users_username)
  145. {
  146. if($identifier == "id" || $identifier == "ID")
  147. {
  148. return $users_id;
  149. }
  150.  
  151. if($identifier == "username" || $identifier == "USERNAME" || $identifier == "Username")
  152. {
  153. return $users_username;
  154. }
  155.  
  156. } else {
  157. header('Location: index.php');
  158. exit();
  159. }
  160.  
  161. } else {
  162. header('Location: index.php');
  163. exit();
  164. }
  165.  
  166. }
  167. ?>