İlk başta MySQL'de tabloları ve kolonları oluşturuyoruz.
  2. [CODE]CREATE TABLE `secure_login`.`members` (
  3. `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  4. `username` VARCHAR(30) NOT NULL,
  5. `email` VARCHAR(50) NOT NULL,
  6. `password` CHAR(128) NOT NULL,
  7. `salt` CHAR(128) NOT NULL
  8. ) ENGINE = InnoDB;[/CODE
  9.  
  10. [CODE]CREATE TABLE `secure_login`.`login_attempts` (
  11. `user_id` INT(11) NOT NULL,
  12. `time` VARCHAR(30) NOT NULL
  13. ) ENGINE=InnoDB[/CODE]
  14.  
  15.  
Config dosyamızı oluşturuyoruz.
  17.  
  18. [CODE]<?php
  19. define("HOST", "localhost"); // The host you want to connect to.
  20. define("USER", "USER"); // The database username.
  21. define("PASSWORD", "PASSWORD"); // The database password.
  22. define("DATABASE", "secure_login"); // The database name.
  23.  
  24. define("CAN_REGISTER", "any");
  25. define("DEFAULT_ROLE", "member");
  26.  
  27. define("SECURE", FALSE);
  28. ?>
  29. [/CODE]
  30.  
DB config bağlantı dosyasını oluşturuyoruz.
  32.  
  33. [CODE]<?php
  34. include_once 'psl-config.php'; // As functions.php is not included
  35. $mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
  36. ?>[/CODE]
  37.  
Bir adet functions.php oluşturup fonksiyonları giriyoruz.
  39.  
  40. [CODE]<?php
include_once 'psl-config.php'; // Provides the SECURE constant read by sec_session_start().
  42.  
  43. function sec_session_start() {
  44. $session_name = 'sec_session_id'; // Set a custom session name
  45. $secure = SECURE;
  46. // This stops JavaScript being able to access the session id.
  47. $httponly = true;
  48. // Forces sessions to only use cookies.
  49. if (ini_set('session.use_only_cookies', 1) === FALSE) {
  50. header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
  51. exit();
  52. }
  53. // Gets current cookies params.
  54. $cookieParams = session_get_cookie_params();
  55. session_set_cookie_params($cookieParams["lifetime"],
  56. $cookieParams["path"],
  57. $cookieParams["domain"],
  58. $secure,
  59. $httponly);
  60. // Sets the session name to the one set above.
  61. session_name($session_name);
  62. session_start(); // Start the PHP session
  63. session_regenerate_id(); // regenerated the session, delete the old one.
  64. }
  65. function login($email, $password, $mysqli) {
  66. // Using prepared statements means that SQL injection is not possible.
  67. if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
  68. FROM members
  69. WHERE email = ?
  70. LIMIT 1")) {
  71. $stmt->bind_param('s', $email); // Bind "$email" to parameter.
  72. $stmt->execute(); // Execute the prepared query.
  73. $stmt->store_result();
  74.  
  75. // get variables from result.
  76. $stmt->bind_result($user_id, $username, $db_password, $salt);
  77. $stmt->fetch();
  78.  
  79. // hash the password with the unique salt.
  80. $password = hash('sha512', $password . $salt);
  81. if ($stmt->num_rows == 1) {
  82. // If the user exists we check if the account is locked
  83. // from too many login attempts
  84.  
  85. if (checkbrute($user_id, $mysqli) == true) {
  86. // Account is locked
  87. // Send an email to user saying their account is locked
  88. return false;
  89. } else {
  90. // Check if the password in the database matches
  91. // the password the user submitted.
  92. if ($db_password == $password) {
  93. // Password is correct!
  94. // Get the user-agent string of the user.
  95. $user_browser = $_SERVER['HTTP_USER_AGENT'];
  96. // XSS protection as we might print this value
  97. $user_id = preg_replace("/[^0-9]+/", "", $user_id);
  98. $_SESSION['user_id'] = $user_id;
  99. // XSS protection as we might print this value
  100. $username = preg_replace("/[^a-zA-Z0-9_\-]+/",
  101. "",
  102. $username);
  103. $_SESSION['username'] = $username;
  104. $_SESSION['login_string'] = hash('sha512',
  105. $password . $user_browser);
  106. // Login successful.
  107. return true;
  108. } else {
  109. // Password is not correct
  110. // We record this attempt in the database
  111. $now = time();
  112. $mysqli->query("INSERT INTO login_attempts(user_id, time)
  113. VALUES ('$user_id', '$now')");
  114. return false;
  115. }
  116. }
  117. } else {
  118. // No user exists.
  119. return false;
  120. }
  121. }
  122. }
  123. function checkbrute($user_id, $mysqli) {
  124. // Get timestamp of current time
  125. $now = time();
  126.  
  127. // All login attempts are counted from the past 2 hours.
  128. $valid_attempts = $now - (2 * 60 * 60);
  129.  
  130. if ($stmt = $mysqli->prepare("SELECT time
  131. FROM login_attempts
  132. WHERE user_id = ?
  133. AND time > '$valid_attempts'")) {
  134. $stmt->bind_param('i', $user_id);
  135.  
  136. // Execute the prepared query.
  137. $stmt->execute();
  138. $stmt->store_result();
  139.  
  140. // If there have been more than 5 failed logins
  141. if ($stmt->num_rows > 5) {
  142. return true;
  143. } else {
  144. return false;
  145. }
  146. }
  147. }
  148. unction login_check($mysqli) {
  149. // Check if all session variables are set
  150. if (isset($_SESSION['user_id'],
  151. $_SESSION['username'],
  152. $_SESSION['login_string'])) {
  153.  
  154. $user_id = $_SESSION['user_id'];
  155. $login_string = $_SESSION['login_string'];
  156. $username = $_SESSION['username'];
  157.  
  158. // Get the user-agent string of the user.
  159. $user_browser = $_SERVER['HTTP_USER_AGENT'];
  160.  
  161. if ($stmt = $mysqli->prepare("SELECT password
  162. FROM members
  163. WHERE id = ? LIMIT 1")) {
  164. // Bind "$user_id" to parameter.
  165. $stmt->bind_param('i', $user_id);
  166. $stmt->execute(); // Execute the prepared query.
  167. $stmt->store_result();
  168.  
  169. if ($stmt->num_rows == 1) {
  170. // If the user exists get variables from result.
  171. $stmt->bind_result($password);
  172. $stmt->fetch();
  173. $login_check = hash('sha512', $password . $user_browser);
  174.  
  175. if ($login_check == $login_string) {
  176. // Logged In!!!!
  177. return true;
  178. } else {
  179. // Not logged in
  180. return false;
  181. }
  182. } else {
  183. // Not logged in
  184. return false;
  185. }
  186. } else {
  187. // Not logged in
  188. return false;
  189. }
  190. } else {
  191. // Not logged in
  192. return false;
  193. }
  194. }
  195. function esc_url($url) {
  196.  
  197. if ('' == $url) {
  198. return $url;
  199. }
  200.  
  201. $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
  202.  
  203. $strip = array('%0d', '%0a', '%0D', '%0A');
  204. $url = (string) $url;
  205.  
  206. $count = 1;
  207. while ($count) {
  208. $url = str_replace($strip, '', $url, $count);
  209. }
  210.  
  211. $url = str_replace(';//', '://', $url);
  212.  
  213. $url = htmlentities($url);
  214.  
  215. $url = str_replace('&amp;', '&', $url);
  216. $url = str_replace("'", ''', $url);
  217.  
  218. if ($url[0] !== '/') {
  219. // We're only interested in relative links from $_SERVER['PHP_SELF']
  220. return '';
  221. } else {
  222. return $url;
  223. }
  224. }
?>[/CODE]
  226.  
  227.  
Şimdi giriş sayfasını oluşturuyoruz.
  229.  
  230. [CODE]<?php
  231. include_once 'db_connect.php';
  232. include_once 'functions.php';
  233.  
  234. sec_session_start(); // Our custom secure way of starting a PHP session.
  235.  
  236. if (isset($_POST['email'], $_POST['p'])) {
  237. $email = $_POST['email'];
  238. $password = $_POST['p']; // The hashed password.
  239.  
  240. if (login($email, $password, $mysqli) == true) {
  241. // Login success
  242. header('Location: ../protected_page.php');
  243. } else {
  244. // Login failed
  245. header('Location: ../index.php?error=1');
  246. }
  247. } else {
  248. // The correct POST variables were not sent to this page.
  249. echo 'Invalid Request';
  250. }[/CODE]
  251.  
  252.  
Çıkış sayfasını, yani logout.php'yi oluşturuyoruz.
  254.  
  255. [CODE]<?php
  256. include_once 'functions.php';
  257. sec_session_start();
  258.  
  259. // Unset all session values
  260. $_SESSION = array();
  261.  
  262. // get session parameters
  263. $params = session_get_cookie_params();
  264.  
  265. // Delete the actual cookie.
  266. setcookie(session_name(),
  267. '', time() - 42000,
  268. $params["path"],
  269. $params["domain"],
  270. $params["secure"],
  271. $params["httponly"]);
  272.  
  273. // Destroy session
  274. session_destroy();
  275. header('Location: LOCATION YOU WANT IT TO GO');[/CODE]
  276.  
  277.  
Bir adet forms.js oluşturuyoruz.
  279.  
[CODE]
// Replaces the plaintext password with its hex SHA-512 digest in a hidden
// field named "p" (read by process_login.php as $_POST['p']) and submits the
// form. The server then hashes this digest again with the user's salt, so the
// digest is the credential that travels; HTTPS is still what protects it in transit.
function formhash(form, password) {
    var hashedField = document.createElement("input");
    hashedField.type = "hidden";
    hashedField.name = "p";
    hashedField.value = hex_sha512(password.value);
    form.appendChild(hashedField);

    // Clear the visible field so the plaintext is never part of the POST body.
    password.value = "";

    form.submit();
}
  296.  
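// Client-side registration checks, then the same hash-and-submit as formhash().
// uid, email, password and conf are the form's input elements. Returns false
// (without submitting) when a check fails, true after the form was submitted.
function regformhash(form, uid, email, password, conf) {
    // Every field must have a value (input values are always strings).
    if (uid.value === '' ||
        email.value === '' ||
        password.value === '' ||
        conf.value === '') {

        alert('You must provide all the requested details. Please try again');
        return false;
    }

    // Username: word characters only. Declared with var — the original
    // assigned `re` without var, creating an implicit global that the later
    // `var re` then shadowed.
    var userRe = /^\w+$/;
    if (!userRe.test(uid.value)) {
        alert("Username must contain only letters, numbers and underscores. Please try again");
        uid.focus();
        return false;
    }

    // Minimum length check kept separately from the pattern below so the
    // user gets the more specific message first.
    if (password.value.length < 6) {
        alert('Passwords must be at least 6 characters long. Please try again');
        password.focus();
        return false;
    }

    // At least one digit, one lowercase and one uppercase letter, six or more characters.
    var strengthRe = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{6,}/;
    if (!strengthRe.test(password.value)) {
        alert('Passwords must contain at least one number, one lowercase and one uppercase letter. Please try again');
        return false;
    }

    // Password and confirmation must be identical.
    if (password.value !== conf.value) {
        alert('Your password and confirmation do not match. Please try again');
        password.focus();
        return false;
    }

    // Hidden field "p" carries the hex SHA-512 digest; see formhash().
    var p = document.createElement("input");
    p.type = "hidden";
    p.name = "p";
    p.value = hex_sha512(password.value);
    form.appendChild(p);

    // Make sure the plaintext password doesn't get sent.
    password.value = "";
    conf.value = "";

    form.submit();
    return true;
}
[/CODE]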
  359.  
  360.  
Ve son olarak login.php'mizi ekliyoruz.
  362.  
  363. [CODE]<?php
  364. include_once 'includes/db_connect.php';
  365. include_once 'includes/functions.php';
  366.  
  367. sec_session_start();
  368.  
  369. if (login_check($mysqli) == true) {
  370. $logged = 'in';
  371. } else {
  372. $logged = 'out';
  373. }
  374. ?>
  375. <!DOCTYPE html>
  376. <html>
  377. <head>
  378. <title>Secure Login: Log In</title>
  379. <link rel="stylesheet" href="styles/main.css" />
  380. <script type="text/JavaScript" src="js/sha512.js"></script>
  381. <script type="text/JavaScript" src="js/forms.js"></script>
  382. </head>
  383. <body>
  384. <?php
  385. if (isset($_GET['error'])) {
  386. echo '<p class="error">Error Logging In!</p>';
  387. }
  388. ?>
  389. <form action="includes/process_login.php" method="post" name="login_form">
  390. Email: <input type="text" name="email" />
  391. Password: <input type="password"
  392. name="password"
  393. id="password"/>
  394. <input type="button"
  395. value="Login"
  396. clickon="formhash(this.form, this.form.password);" />
  397. </form>
  398. <p>If you don't have a login, please <a href="register.php">register</a></p>
  399. <p>If you are done, please <a href="includes/logout.php">log out</a>.</p>
  400. <p>You are currently logged <?php echo $logged ?>.</p>
  401. </body>
  402. </html>[/CODE]