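<?php
// index.php — login page: renders the form and reports the session state.
// Relies on db_connect.php ($mysqli) and functions.php (sec_session_start,
// login_check); neither is visible here.
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start();

// Evaluate the session exactly once; the original re-ran login_check()
// a second time below the form. The (bool) cast keeps the original
// "== true" (truthiness) semantics.
$loggedIn = (bool) login_check($mysqli);
$logged = $loggedIn ? 'in' : 'out';
?>
<!DOCTYPE html>
<html>
<head>
    <title>Secure Login: Log In</title>
    <link rel="stylesheet" href="styles/main.css" />
    <script type="text/JavaScript" src="js/sha512.js"></script>
    <script type="text/JavaScript" src="js/forms.js"></script>
</head>
<body>
<?php
// process_login.php redirects back here with ?error=1 after a failed login.
// The parameter is only tested for presence and never echoed, so no escaping
// is needed for it.
if (isset($_GET['error'])) {
    echo '<p class="error">Error Logging In!</p>';
}
?>
<form action="process_login.php" method="POST" name="login_form">
    Email: <input type="text" name="email" />
    Password: <input type="password"
                     name="password"
                     id="password"/>
    <!-- formhash() in js/forms.js moves a SHA-512 of the password into a
         hidden field named "p" and blanks this field before submitting. -->
    <input type="button"
           value="Login"
           onclick="formhash(this.form,this.form.password);"
    />
</form>
<?php
if ($loggedIn) {
    // The username is filtered at login time, but it is still escaped here
    // because it is printed into HTML.
    echo '<p>Currently logged ' . $logged . ' as ' .
        htmlentities($_SESSION['username']) . '.</p>';
    // NOTE(review): this href looks like it lost a directory separator in the
    // paste — confirm the logout script's actual path.
    echo '<p>Do you want to change user? <a
href="includeslogout.php">Log out</a>.</p>';
} else {
    echo '<p>Currently logged ' . $logged . '.</p>';
    echo "<p>If you don't have a login, please <a
href='register.php'>register</a></p>";
}
?>
</body>
</html>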
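<?php
// process_login.php — form target. Expects POST fields "email" and "p",
// where "p" is the client-side SHA-512 produced by formhash() (js/forms.js).
// Depends on db_connect.php ($mysqli) and functions.php (sec_session_start,
// login); neither is visible here.
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.

// Both fields must be present AND scalar strings: "email[]=x" would pass
// isset() but hand an array to mysqli::bind_param() further down.
if (isset($_POST['email'], $_POST['p'])
    && is_string($_POST['email'])
    && is_string($_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p']; // The hashed password.
    if (login($email, $password, $mysqli)) {
        // Login success
        header('Location: protected_page.php');
    } else {
        // Login failed
        header('Location: ../index.php?error=1');
    }
    // header() does not end the request; stop here so nothing below is
    // executed or sent after the redirect.
    exit;
}

// The correct POST variables were not sent to this page.
echo 'invalid Request';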
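/**
 * Hash the password field client-side and submit the form.
 *
 * Puts hex_sha512(password.value) into a hidden input named "p" (read by
 * process_login.php as $_POST['p']) and blanks the visible password field
 * so the plaintext is not part of the POST body.
 *
 * @param {HTMLFormElement} form      the login form to submit
 * @param {HTMLInputElement} password the visible password input
 */
function formhash(form, password) {
    // Hidden field that carries the hashed password.
    var p = document.createElement("input");
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(password.value);
    // The field must be a child of the form itself: the original appended
    // it to document.body, where it is not a form control and therefore
    // was never included in the submitted data.
    form.appendChild(p);
    // Make sure the plaintext password doesn't get sent.
    password.value = "";
    // Finally submit the form.
    form.submit();
}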
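/**
 * Authenticate a user by e-mail and (client-hashed) password.
 *
 * On success the session receives user_id, username and login_string
 * (sha512 of the stored password hash concatenated with the User-Agent;
 * presumably recomputed by login_check(), which is not visible here).
 *
 * @param string $email    e-mail address submitted with the form
 * @param string $password value of the "p" POST field (client-side SHA-512)
 * @param mysqli $mysqli   open database connection
 * @return bool true when the credentials matched and the session was
 *              populated; false for an unknown user, a wrong password, a
 *              locked account (checkbrute()), or a failed prepare()
 */
function login($email, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT id, username, password
        FROM users
        WHERE email = ?
        LIMIT 1");
    if (!$stmt) {
        // The original fell off the end here and returned null; callers
        // test the result as a boolean, so make the failure explicit.
        return false;
    }
    $stmt->bind_param('s', $email); // Bind "$email" to parameter.
    $stmt->execute(); // Execute the prepared query.
    $stmt->store_result();
    // get variables from result.
    $stmt->bind_result($user_id, $username, $db_password);
    $stmt->fetch();
    $found = ($stmt->num_rows === 1);
    // The bound variables keep their values after close(); release the
    // statement on every path instead of only some of them.
    $stmt->close();

    if (!$found) {
        // No user exists. This path skips the password_verify() cost below,
        // so response time differs for unknown e-mails.
        return false;
    }

    // If the user exists we check if the account is locked
    // from too many login attempts
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked
        // Send an email to user saying their account is locked
        return false;
    }

    // Check if the password in the database matches the password the user
    // submitted. password_verify() compares the hash in constant time.
    if (!password_verify($password, $db_password)) {
        // Password is not correct: record this attempt in the database.
        // Bound parameters replace the original interpolated INSERT; both
        // values are bound as strings, matching the quoted literals it used.
        $now = time();
        $attempt = $mysqli->prepare(
            "INSERT INTO login_attempts(user_id, time) VALUES (?, ?)"
        );
        if ($attempt) {
            $attempt->bind_param('ss', $user_id, $now);
            $attempt->execute();
            $attempt->close();
        }
        return false;
    }

    // Password is correct!
    // Get the user-agent string of the user; it is not guaranteed to be
    // present, and a missing key would only raise a notice and yield null.
    $user_browser = isset($_SERVER['HTTP_USER_AGENT'])
        ? $_SERVER['HTTP_USER_AGENT']
        : '';
    // XSS protection as we might print this value
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    // XSS protection as we might print this value
    $username = preg_replace("/[^a-zA-Z0-9_-]+/",
        "",
        $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512',
        $db_password . $user_browser);
    // Login successful.
    return true;
}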