Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <html>
- <head>
- <link rel="stylesheet" href="layout.css" type="text/css"/>
- </head>
- <body>
- <div id="logon">
- <h1>Login</h1>
- <form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">
- <div><label>Username</label><input type="text" name="l_username" /><br /></div>
- <div><label>Password</label><input type="password" name="l_password" /><br /></div>
- <div><input type="hidden" name="action" value="login">
- <div><input type="submit" value="Login" /></div>
- </form>
- <div>
- <hr />
- <h1>Change Password</h1>
- Following rules are enforced:
- <ul>
- <li>Must not be one of your <em>five</em> previous passwords
- <li>Must be at least 7 characters long, contain <em>ALL</em> of the following: uppercase, lowercase, digits, special characters ( ][$^?!+*()@£|\ )
- <!-- Expire Date, uncomment below line (remove the <!--) -->
- <li>Your password will expire after 70 days.
- </ul>
- <form method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">
- <div><label>Username</label><input type="text" name="c_username" /><br /></div>
- <div><label>New Password</label><input type="password" name="c_new_password" /><br /></div>
- <div><label>Old Password</label><input type="password" name="c_old_password" /><br /></div>
- <div><input type="hidden" name="action" value="change">
- <div><input type="submit" value="Change Password" /></div>
- </form>
- <hr />
- <?php
- // database stuff
- /*
- $db_host = "localhost";
- $db_user = "root";
- $db_pass = "";
- $db_name = "test";
- */
- $db_host = 'studentnet.kingston.ac.uk';
- $db_user = 'k0614087';
- $db_pass = 'password';
- $db_name = 'db_k0614087';
- $conn = mysql_connect ($db_host, $db_user, $db_pass) or die ('MySQL connect failed. ' . mysql_error());
- mysql_select_db($db_name) or die('Cannot select database. ' . mysql_error());
- if(isset($_POST['action']))
- {
- if($_POST['action'] == 'login')
- {
- // do login
- if(isset($_POST['l_username']) && strlen($_POST['l_username']) > 0 && isset($_POST['l_password']) && strlen($_POST['l_password']) > 0)
- {
- $q = "Select * from passwords where username = '" . $_POST['l_username'] . "' order by timestamp desc";
- //echo $q . "<br />";
- $result = mysql_query($q) or die(mysql_error());
- $num = mysql_num_rows($result);
- if($num == 0)
- {
- echo "Username not found";
- }
- if($num > 0)
- {
- // check password
- $row = mysql_fetch_assoc($result);
- //echo $row['password'] . " " . $_POST['l_password'] . "" . $row['timestamp'] . "<br />";
- if(strcmp($row['password'],$_POST['l_password']) == 0)
- {
- // Expire Date, uncomment this (remove the /* and */)
- $number_of_days = 70;
- $expire_time = (24 * 60 * 60) * $number_of_days;
- //echo "Current time: " . time() . " : " . date("Y-m-d G:H:s",time()) . "<br />";
- //echo "Passwod time: " . strtotime($row['timestamp']) . " : " . date("Y-m-d G:H:s",strtotime($row['timestamp'])) . "<br />";
- $a = strtotime($row['timestamp']);
- $a = $a + $expire_time;
- //echo "Pwd time +7d: " . $a . " : " . date("Y-m-d G:H:s",strtotime($row['timestamp']) + (7 * 24 * 60 * 60)) . "<br />";
- if(time() > $a)
- {
- echo "Password expired. Please change before logging in";
- }
- else
- {
- echo "You are logged in";
- }
- }
- else
- {
- echo "Your password was incorrect";
- }
- }
- }
- else
- {
- echo "Please enter both a username and a password to login";
- }
- }
- // split action methods here
- if($_POST['action'] == 'change')
- {
- if(isset($_POST['c_username']) && strlen($_POST['c_username']) > 0 && isset($_POST['c_old_password']) && strlen($_POST['c_old_password']) > 0 && isset($_POST['c_new_password']) && strlen($_POST['c_new_password']) > 0)
- {
- // check old password and username match first
- $q = "Select * from passwords where username = '" . $_POST['c_username'] . "' order by timestamp desc";
- $result = mysql_query($q) or die(mysql_error());
- $num = mysql_num_rows($result);
- if($num == 0)
- {
- if($_POST['c_old_password'] == "NEW_USER")
- {
- $q = "Insert into passwords (username,password) values ('" . $_POST['c_username'] . "','" . $_POST['c_new_password'] . "')";
- $result = mysql_query($q) or die(mysql_error());
- echo "New user added.";
- }
- else
- {
- echo "Username not found";
- }
- }
- if($num > 0)
- {
- // check old password
- $row = mysql_fetch_assoc($result);
- if(strcmp($row['password'],$_POST['c_old_password']) == 0)
- {
- $password_score = 0;
- $isValid = false;
- // check password complexity
- // length
- $minimum_length = 7;
- if(strlen($_POST['c_new_password']) >= $minimum_length)
- {
- $password_score = $password_score + 1;
- //echo $password_score . " Pass min length requirement<br />";
- }
- // upper case
- // if new password does not equal new password all lower case,
- // there must have been uppercase! add 1 to score
- if($_POST['c_new_password'] != strtolower($_POST['c_new_password']))
- {
- $password_score = $password_score + 1;
- //echo $password_score . " Pass upper case requirement<br />";
- }
- // lower case
- // similar explanation to above
- if($_POST['c_new_password'] != strtoupper($_POST['c_new_password']))
- {
- $password_score = $password_score + 1;
- //echo $password_score . " Pass lower case requirement<br />";
- }
- // specials, this will match ][$^?!+*()@£|\
- if(preg_match('{[][$^?!+*()@£|\\]]}',$_POST['c_new_password']))
- {
- $password_score = $password_score + 1;
- //echo $password_score . " Pass specials requirement<br />";
- }
- // digits
- if(preg_match('#[0-9]#',$_POST['c_new_password']))
- {
- $password_score = $password_score + 1;
- //echo $password_score . " Pass digit requirement<br />";
- }
- // yes or no this password
- if($password_score >= 5)
- {
- $isValid = true;
- }
- else
- {
- echo "Sorry, your password does not meet the minmum requirements<br />";
- }
- // check password isn't same as last 5
- $result = mysql_query($q) or die(mysql_error());
- for($i = 0; $i < $num; $i++)
- {
- $row = mysql_fetch_assoc($result);
- $p = "";
- similar_text($row['password'], $_POST['c_new_password'], $p);
- //echo $i . ":" . $num . " " . $p . " " . $row['password'] . " " . $_POST['l_password'] . "" . $row['timestamp'] . "<br />";
- if($p > 70)
- {
- echo "Your new password is too similar to a previous one.<br />";
- $isValid = false;
- }
- }
- // check to make sure history is less than 5
- // delete oldest if it isn't
- //echo $num . "<br />";
- if($num > 4)
- {
- echo "Trimming password history<br />";
- $q = "Select * from passwords where username = '" . $_POST['c_username'] . "' order by timestamp asc";
- $result = mysql_query($q) or die(mysql_error());
- $row = mysql_fetch_assoc($result);
- $q = "Delete from passwords where timestamp = '" . $row['timestamp'] . "' and username = '" . $row['username'] . "'";
- //echo $q;
- $result = mysql_query($q) or die(mysql_error());
- }
- // set new password
- if($isValid)
- {
- $q = "Insert into passwords (username,password) values ('" . $_POST['c_username'] . "','" . $_POST['c_new_password'] . "')";
- //echo $q . "<br />";
- $result = mysql_query($q) or die(mysql_error());
- echo "Password change successful";
- }
- }
- else
- {
- echo "Your password was incorrect";
- }
- }
- }
- else
- {
- echo "Please enter your username, old password and new password to change your password";
- }
- }
- }
- ?>
- <hr />
- <?php
- if($_POST['action'] == 'login')
- {
- echo "L_USER: " . $_POST['l_username'] . "<br />";
- echo "L_PASS: " . $_POST['l_password']. "<br />";
- }
- if($_POST['action'] == 'change')
- {
- echo "USERNAME: " . $_POST['c_username']. "<br />";
- echo "OLD_PASS: " . $_POST['c_old_password']. "<br />";
- echo "NEW_PASS: " . $_POST['c_new_password']. "<br />";
- }
- ?>
- </body>
- </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement