  1. <?php
  2. include_once 'db_connect.php';
  3. include_once 'functions.php';
  4. sec_session_start();
  5. if (login_check($mysqli) == true) {
  6. $logged = 'in';
  7. } else {
  8. $logged = 'out';
  9. }
  10. ?>
  11.  
  12. <!DOCTYPE html>
  13. <html>
  14.  
  15. <head>
  16. <title>Secure Login: Log In</title>
  17. <link rel="stylesheet" href="styles/main.css" />
  18. <script type="text/JavaScript" src="js/sha512.js"></script>
  19. <script type="text/JavaScript" src="js/forms.js"></script>
  20. </head>
  21. <body>
  22.  
  23. <?php
  24. if (isset($_GET['error'])) {
  25. echo '<p class="error">Error Logging In!</p>';
  26. }
  27. ?>
  28.  
  29. <form action="process_login.php" method="POST" name="login_form">
  30. Email: <input type="text" name="email" />
  31. Password: <input type="password"
  32. name="password"
  33. id="password"/>
  34. <input type="button"
  35. value="Login"
  36. onclick="formhash(this.form,this.form.password);"
  37. />
  38. </form>
  39.  
  40. <?php
  41. if (login_check($mysqli) == true) {
  42. echo '<p>Currently logged ' . $logged . ' as ' .
  43. htmlentities($_SESSION['username']) . '.</p>';
  44. echo '<p>Do you want to change user? <a
  45. href="includeslogout.php">Log out</a>.</p>';
  46. } else {
  47. echo '<p>Currently logged ' . $logged . '.</p>';
  48. echo "<p>If you don't have a login, please <a
  49. href='register.php'>register</a></p>";
  50. }
  51. ?>
  52. </body>
  53. </html>
  54.  
  55. <?php
  56. include_once 'db_connect.php';
  57. include_once 'functions.php';
  58. sec_session_start(); // Our custom secure way of starting a PHP session.
  59.  
  60. if (isset($_POST['email'], $_POST['p'])) {
  61. $email = $_POST['email'];
  62. $password = $_POST['p']; // The hashed password.
  63.  
  64.  
  65. if (login($email, $password, $mysqli) == true) {
  66. // Login success
  67. header('Location: protected_page.php');
  68. } else {
  69. // Login failed
  70. header('Location: ../index.php?error=1');
  71. }
  72. } else {
  73. // The correct POST variables were not sent to this page.
  74. echo 'invalid Request';
  75. }
  76.  
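function formhash(form, password) {
    // Create a new element input, this will be our hashed password field.
    var p = document.createElement("input");
    p.name = "p";
    p.type = "hidden";
    // The server verifies this hash directly (process_login.php reads "p"),
    // so it is the credential on the wire; it does not replace TLS.
    p.value = hex_sha512(password.value);

    // Add the new element to our form. It has to be a child of the form,
    // not of document.body, or it is not included in the submission and
    // process_login.php never receives "p".
    form.appendChild(p);

    // Make sure the plaintext password doesn't get sent.
    password.value = "";

    // Finally submit the form.
    form.submit();
}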
  96.  
  97. function login($email, $password, $mysqli) {
  98. // Using prepared statements means that SQL injection is not possible.
  99. if ($stmt = $mysqli->prepare("SELECT id, username, password
  100. FROM users
  101. WHERE email = ?
  102. LIMIT 1")) {
  103. $stmt->bind_param('s', $email); // Bind "$email" to parameter.
  104. $stmt->execute(); // Execute the prepared query.
  105. $stmt->store_result();
  106.  
  107. // get variables from result.
  108. $stmt->bind_result($user_id, $username, $db_password);
  109. $stmt->fetch();
  110.  
  111. if ($stmt->num_rows == 1) {
  112. // If the user exists we check if the account is locked
  113. // from too many login attempts
  114.  
  115. if (checkbrute($user_id, $mysqli) == true) {
  116. // Account is locked
  117. // Send an email to user saying their account is locked
  118. return false;
  119. } else {
  120. // Check if the password in the database matches
  121. // the password the user submitted. We are using
  122. // the password_verify function to avoid timing attacks.
  123. if (password_verify($password, $db_password)) {
  124. // Password is correct!
  125. // Get the user-agent string of the user.
  126. $user_browser = $_SERVER['HTTP_USER_AGENT'];
  127. // XSS protection as we might print this value
  128. $user_id = preg_replace("/[^0-9]+/", "", $user_id);
  129. $_SESSION['user_id'] = $user_id;
  130. // XSS protection as we might print this value
  131. $username = preg_replace("/[^a-zA-Z0-9_-]+/",
  132. "",
  133. $username);
  134. $_SESSION['username'] = $username;
  135. $_SESSION['login_string'] = hash('sha512',
  136. $db_password . $user_browser);
  137. // Login successful.
  138. return true;
  139. } else {
  140. // Password is not correct
  141. // We record this attempt in the database
  142. $now = time();
  143. $mysqli->query("INSERT INTO login_attempts(user_id, time)
  144. VALUES ('$user_id', '$now')");
  145. return false;
  146. }
  147. }
  148. } else {
  149. // No user exists.
  150. return false;
  151. }
  152. }
  153. }