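/**
 * Authenticate the current request.
 *
 * Flow: (1) refuse clients whose IP has exceeded the failed-login budget,
 * (2) if a login form was POSTed and no session is active, verify the
 * credentials and update the per-user / per-IP failure counters,
 * (3) echo either a greeting or the login form.
 *
 * Side effects: starts the session, reads $_POST / $_SERVER, runs queries on
 * the connection opened by $this->connect(), may send a Location header and
 * exit(), and writes HTML to the output buffer.
 *
 * Fixes relative to the previous version: the credential branch was entered
 * for *unknown* usernames (inverted test) and then ran an undefined $query;
 * the nested sanitize() function fataled on a second call; a disabled
 * account still received an authenticated session before the redirect; the
 * session token came from md5(uniqid(rand())), which is guessable; the
 * greeting echoed the stored username unescaped.
 *
 * NOTE(review): this still uses the legacy mysql_* extension (removed in
 * PHP 7). Values are escaped with mysql_real_escape_string, but moving to
 * PDO prepared statements is the real fix.
 */
function auth() {
    session_start();

    // NOTE(review): the previous version only connected inside the POST
    // branch, so the IP check below ran without a guaranteed connection
    // (mysql_query() and mysql_real_escape_string() both need one).
    // Confirm connect() tolerates being called once per request.
    $this->connect();

    // Failed attempts tolerated per IP / per account before lock-out.
    $maxfailedattempt = 6;

    // Run a query and return the first row, or false when the query failed
    // or returned nothing (avoids mysql_fetch_array(false) warnings).
    $fetchRow = function ($sql) {
        $result = mysql_query($sql);
        return $result ? mysql_fetch_array($result) : false;
    };

    // --- 1. IP-level lock-out -------------------------------------------
    $iptocheck = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
    $rowx = $fetchRow("SELECT `failedattempts` FROM `ipcheck` WHERE `loggedip`='$iptocheck'");
    if ($rowx && intval($rowx['failedattempts']) > $maxfailedattempt) {
        header("Location: disable.php");
        exit();
    }

    // Count one failed attempt against the client IP. The UPDATE increments
    // in SQL so concurrent failures are not lost to a stale PHP-side value.
    $recordFailedAttempt = function () use ($iptocheck, $fetchRow) {
        $exists = $fetchRow("SELECT `loggedip` FROM `ipcheck` WHERE `loggedip`='$iptocheck'");
        if ($exists) {
            mysql_query("UPDATE `ipcheck` SET `failedattempts` = `failedattempts` + 1 WHERE `loggedip` = '$iptocheck'");
        } else {
            mysql_query("INSERT INTO `ipcheck` (`loggedip`, `failedattempts`) VALUES ('$iptocheck', '1')");
        }
    };

    // --- 2. Login attempt (only when no session is active) --------------
    if (isset($_POST["password"], $_POST["username"]) && !isset($_SESSION['LAST_ACTIVITY'])) {
        // A closure rather than a nested named function: the nested
        // function was redeclared (fatal error) on a second auth() call.
        $sanitize = function ($data) {
            $data = trim($data);
            // NOTE(review): htmlspecialchars() on the *password* means the
            // hash is computed over the entity-encoded string; this only
            // works if registration applied the same transform. Kept as-is
            // so existing accounts keep working — confirm against signup.
            $data = htmlspecialchars($data);
            return mysql_real_escape_string($data);
        };
        $password = $sanitize($_POST["password"]);
        $username = $sanitize($_POST["username"]);

        $row = $fetchRow(
            "SELECT `username`, `firsttime`, `disable`, `password`, `loginattempt` "
            . "FROM `username` WHERE `username`='$username'"
        );

        if ($row) {
            $resusername = $row['username'];
            $firsttime = $row['firsttime'];
            $disable = $row['disable'];
            $loginattempts_username = intval($row['loginattempt']);

            // Stored format: 64-char salt followed by 64-char hex SHA-256.
            // NOTE(review): a single unsalted-per-iteration SHA-256 is a weak
            // password hash; password_hash()/password_verify() is the target
            // once stored rows can be migrated.
            $salt = substr($row['password'], 0, 64);
            $correcthash = substr($row['password'], 64, 64);
            $userhash = hash("sha256", $salt . $password);

            // hash_equals() (PHP >= 5.6) avoids a timing side channel on the
            // comparison; the previous version used !==.
            if (!hash_equals($correcthash, $userhash)) {
                // Wrong password: count it against the account and the IP.
                $loginattempts_username++;
                mysql_query("UPDATE `username` SET `loginattempt` = '$loginattempts_username' WHERE `username` = '$username'");
                $recordFailedAttempt();
            } else {
                // Disabled accounts must never get a session. The previous
                // version populated $_SESSION first and redirected after.
                // NOTE(review): disable.php used to receive an authenticated
                // session; confirm it does not depend on one.
                if ($disable == 1) {
                    header("Location: disable.php");
                    exit();
                }

                // New session id on privilege change; true drops the old one.
                session_regenerate_id(true);

                mysql_query("UPDATE `username` SET `loginattempt` = '0' WHERE `username` = '$username'");
                mysql_query("UPDATE `ipcheck` SET `failedattempts` = '0' WHERE `loggedip` = '$iptocheck'");
                mysql_query("UPDATE `username` SET `online` = 1 WHERE `username` = '$username'");

                // 32 hex chars from a CSPRNG — same width as the old md5()
                // value, so the `sess`.`token` column is unchanged.
                $token = bin2hex(openssl_random_pseudo_bytes(16));
                $_SESSION['token'] = $token;
                mysql_query("INSERT INTO `sess` (`token`, `username`) VALUES ('$token', '$username')");

                $_SESSION['loggedin'] = "1";
                $_SESSION['userName'] = $resusername;
                $_SESSION['LAST_ACTIVITY'] = time();

                if ($firsttime == 1) {
                    header("Location: firsttime.php");
                    exit();
                }
            }
        } else {
            // Unknown username: there is no account row to update, so the
            // failure is counted against the IP only.
            $recordFailedAttempt();
        }
    }

    // --- 3. Output -------------------------------------------------------
    if (isset($_SESSION['loggedin'])) {
        // Escape on output; double_encode=false keeps any entities the
        // stored username may already contain from being encoded twice.
        echo "Welcome " . htmlspecialchars($_SESSION['userName'], ENT_QUOTES, 'UTF-8', false);
    } else {
        // An empty action posts back to the current URL — identical to what
        // the previous template emitted (its htmlentities() call was never
        // echoed) and avoids reflecting PHP_SELF into the page.
?>
<form id="form1" name="form1" method="post" action="">
<table align="center" width="375" border="0" cellpadding="0">
<label>Username:</label>
<input type="text" name="username" id="username" />
<label>Password:</label>
<input type="password" name="password" id="password" />
<input type="Submit" class="input" name="Submit" id="Submit" value="Login" />
</table>
</form>
<?php
    }
}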