  1. <?php
  2.  
  3. /*
  4. * Firewizz UserLogin
  5. */
  6.  
  7. namespace Firewizz;
  8.  
  9.  
  10.  
  11. class Security
  12. {
  13.  
  14. // Start the session, with Cookie data
  15. public function Start_Secure_Session()
  16. {
  17. // Forces sessions to only use cookies.
  18. ini_set('session.use_only_cookies', 1);
  19.  
  20. // Gets current cookies params
  21. $cookieParams = session_get_cookie_params();
  22.  
  23. // Set Cookie Params
  24. session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $this->isHTTPS, $this->deny_java_session_id);
  25. // Sets the session name
  26. session_name($this->session_name);
  27.  
  28. // Start the php session
  29. session_start();
  30.  
  31. // If new session or expired, generate new id
  32. if (!isset($_SESSION['new_session']))
  33. {
  34. $_SESSION['new_session'] = "true";
  35.  
  36. // regenerate the session, delete the old one.
  37. session_regenerate_id(true);
  38. }
  39. }
  40.  
  41. // Check of user is logged in to current session, return true or false;
  42. public function LOGGED_IN()
  43. {
  44. return $this->_login_check();
  45. }
  46.  
  47. public function LOGOUT()
  48. {
  49. // Unset all session values
  50. $_SESSION = array();
  51.  
  52. // get session parameters
  53. $params = session_get_cookie_params();
  54.  
  55. // Delete the actual cookie.
  56. setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
  57. // Destroy session
  58. session_destroy();
  59. if (!headers_sent())
  60. {
  61. header("Location: " . $this->login_string, true);
  62. }
  63. else
  64. {
  65. echo '<script>window.location="/"</script>';
  66. }
  67. }
  68.  
  69. // Must pass variables or send to login page!
  70. public function BORDER_PATROL($user_has_to_be_logged_in, $page_loaded_from_index)
  71. {
  72. $pass_border_partrol = true;
  73.  
  74. if (!$this->LOGGED_IN() && $user_has_to_be_logged_in)
  75. {
  76. $pass_border_partrol = false;
  77. }
  78. if (filter_input(INPUT_SERVER, "PHP_SELF") != "/index.php" && $page_loaded_from_index)
  79. {
  80. $pass_border_partrol = false;
  81. }
  82.  
  83. // Kick to login on fail
  84. if (!$pass_border_partrol)
  85. {
  86. $this->LOGOUT();
  87. exit();
  88. }
  89.  
  90. }
  91.  
  92. // Catch login, returns fail string or false if no errors
  93. public function CATCH_LOGIN()
  94. {
  95. if (filter_input(INPUT_POST, "id") == "login" && filter_input(INPUT_POST, "Verzenden") == "Verzenden")
  96. {
  97. // Variables from form.
  98. $email = filter_input(INPUT_POST, "email");
  99. $sha512Pass = filter_input(INPUT_POST, "p");
  100.  
  101. // Database variables
  102. $db_accounts = mysqli_connect($this->mySQL_accounts_host, $this->mySQL_accounts_username, $this->mySQL_accounts_password, $this->mySQL_accounts_database);
  103.  
  104. // Prepage sql
  105. if ($stmt = $db_accounts->prepare("SELECT account_id, verified, blocked ,login_email, login_password, login_salt, user_voornaam, user_tussenvoegsel, user_achternaam FROM accounts WHERE login_email = ? LIMIT 1"))
  106. {
  107. $stmt->bind_param('s', $email); // Bind "$email" to parameter.
  108. $stmt->execute(); // Execute the prepared query.
  109. $stmt->store_result();
  110.  
  111. $stmt->bind_result($user_id, $verified, $blocked, $email, $db_password, $salt, $voornaam, $tussenvoegsel, $achternaam); // get variables from result.
  112.  
  113. $stmt->fetch();
  114. $password = hash('sha512', $sha512Pass . $salt); // hash the password with the unique salt.
  115. $tussen = ' ';
  116. if ($tussenvoegsel != "")
  117. {
  118. $tussen = " " . $tussenvoegsel . " ";
  119. }
  120. $username = $voornaam . $tussen . $achternaam;
  121.  
  122.  
  123.  
  124. if ($stmt->num_rows == 1)
  125. { // If the user exists
  126. // Check blocked
  127. if ($blocked == "1")
  128. {
  129. return 'Deze acount is geblokkeerd, neem contact met ons op.';
  130. }
  131.  
  132. // We check if the account is locked from too many login attempts
  133. if ($this->_checkBrute($user_id, $db_accounts) == true)
  134. {
  135. // Account is locked
  136. // Send an email to user saying their account is locked
  137. return "Te vaak fout ingelogd,<br />uw account is voor " . $this->blockout_time . " minuten geblokkerd.";
  138. }
  139. else
  140. {
  141. if ($db_password == $password && $verified == 1)
  142. {
  143. // Password is correct!, update lastLogin
  144. if ($stmt = $db_accounts->prepare("UPDATE accounts SET date_lastLogin=? WHERE account_id=?"))
  145. {
  146. $lastlogin = date("Y-m-d H:i:s");
  147.  
  148. $stmt->bind_param('ss', $lastlogin, $user_id); // Bind "$email" to parameter.
  149. $stmt->execute();
  150. $stmt->close();
  151. }
  152.  
  153. $ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
  154. $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
  155.  
  156. $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
  157. $_SESSION['user_id'] = $user_id;
  158. $username = $username; // XSS protection as we might print this value
  159. $_SESSION['username'] = $username;
  160. $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_browser);
  161. // Login successful.
  162.  
  163. if ($this->MailOnLogin != FALSE)
  164. {
  165. mail($this->MailOnLogin, 'SECUREPLAY - LOGIN', $username . ' logged in to the secureplay platform..');
  166. }
  167. return false;
  168. }
  169. else
  170. {
  171. // Password is not correct
  172. // We record this attempt in the database
  173. $now = time();
  174. $db_accounts->query("INSERT INTO login_attempts (userID, timestamp) VALUES (" . $user_id . ", " . $now . ")");
  175.  
  176. return "Onbekende gebruikersnaam en/of wachtwoord.";
  177. }
  178. }
  179. }
  180. else
  181. {
  182. return "Onbekende gebruikersnaam en/of wachtwoord.";
  183. }
  184. }
  185. else
  186. {
  187. return 'SQL FAIL! ' . mysqli_error($db_accounts);
  188. }
  189. return "Onbekende fout!";
  190. }
  191.  
  192.  
  193. return false;
  194. }
  195.  
  196. private function _checkBrute($user_id, $db_accounts)
  197. {
  198. // Get timestamp of current time
  199. $now = time();
  200. // All login attempts are counted from the past 2 hours.
  201. $valid_attempts = $now - ($this->blockout_time * 60);
  202.  
  203. if ($stmt = $db_accounts->prepare("SELECT timestamp FROM login_attempts WHERE userID = ? AND timestamp > $valid_attempts"))
  204. {
  205. $stmt->bind_param('i', $user_id);
  206. // Execute the prepared query.
  207. $stmt->execute();
  208. $stmt->store_result();
  209. // If there has been more than 5 failed logins
  210. if ($stmt->num_rows > $this->max_login_fails)
  211. {
  212. return true;
  213. }
  214. else
  215. {
  216. return false;
  217. }
  218. }
  219. else
  220. {
  221. return true;
  222. }
  223. }
  224.  
  225. // Login Check if user is logged in correctly
  226. private function _login_check()
  227. {
  228. // Database variables
  229. $db_accounts = mysqli_connect($this->mySQL_accounts_host, $this->mySQL_accounts_username, $this->mySQL_accounts_password, $this->mySQL_accounts_database);
  230.  
  231. // Check if all session variables are set
  232. if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string']))
  233. {
  234. $user_id = $_SESSION['user_id'];
  235. $login_string = $_SESSION['login_string'];
  236. $username = $_SESSION['username'];
  237. $ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
  238. $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
  239.  
  240. if ($stmt = $db_accounts->prepare("SELECT login_password FROM accounts WHERE account_id = ? LIMIT 1"))
  241. {
  242. $stmt->bind_param('i', $user_id); // Bind "$user_id" to parameter.
  243. $stmt->execute(); // Execute the prepared query.
  244. $stmt->store_result();
  245.  
  246. if ($stmt->num_rows == 1)
  247. { // If the user exists
  248. $stmt->bind_result($password); // get variables from result.
  249. $stmt->fetch();
  250. $login_check = hash('sha512', $password . $ip_address . $user_browser);
  251. if ($login_check == $login_string)
  252. {
  253. // Logged In!!!!
  254. return $user_id;
  255. }
  256. else
  257. {
  258. // Not logged in
  259. return false;
  260. }
  261. }
  262. else
  263. {
  264. // Not logged in
  265. return false;
  266. }
  267. }
  268. else
  269. {
  270. // Not logged in
  271. //die("f3");
  272. return false;
  273. }
  274. }
  275. else
  276. {
  277. // Not logged in
  278. return false;
  279. }
  280. }
  281.  
  282. }
  283.  
  284. <?php
  285. require_once 'assets/class.Firewizz.Security.php';
  286.  
  287. if (!isset($SECURITY))
  288. {
  289. $SECURITY = new FirewizzSecurity();
  290. }
  291.  
  292. // Check if user is logged in or redirect to login page;
  293. $SECURITY->BORDER_PATROL(true, true);
  294.  
  295.  
  296. // CONTENT bla bla
  297.  
  298. ?>
  299.  
  300. <?php
  301. // Requires
  302. require_once 'assets/class.FirePDF.php';
  303. require_once 'assets/class.Firewizz.Security.php';
  304. $SECURITY = new FirewizzSecurity();
  305. $SECURITY->Start_Secure_Session();
  306.  
  307. // Html file to scrape, if this works replace with referer so the page that does the request gets printed.(prepend by security so it can only be done from securePlay
  308. $html_file = 'http://www.website.nl/?p=overzichten&sort=someSort&s=67';
  309.  
  310. // Output pdf filename
  311. $pdf_fileName = 'Test_Pdf.pdf';
  312.  
  313. /*
  314. * cURL part
  315. */
  316.  
  317. // create curl resource
  318. $ch = curl_init();
  319.  
  320. // set source url
  321. curl_setopt($ch, CURLOPT_URL, $html_file);
  322.  
  323. // set cookies
  324. $cookiesIn = "user_id=" . $_SESSION['user_id'] . "; username=" . $_SESSION['username'] . "; login_string=" . $_SESSION['login_string'] . ";";
  325.  
  326. // set cURL Options
  327. $tmp = tempnam("/tmp", "CURLCOOKIE");
  328. if ($tmp === FALSE)
  329. {
  330. die('Could not generate a temporary cookie jar.');
  331. }
  332.  
  333. $options = array(
  334. CURLOPT_RETURNTRANSFER => true, // return web page
  335. //CURLOPT_HEADER => true, //return headers in addition to content
  336. CURLOPT_ENCODING => "", // handle all encodings
  337. CURLOPT_AUTOREFERER => true, // set referer on redirect
  338. CURLOPT_CONNECTTIMEOUT => 120, // timeout on connect
  339. CURLOPT_TIMEOUT => 120, // timeout on response
  340. CURLOPT_MAXREDIRS => 10, // stop after 10 redirects
  341. CURLINFO_HEADER_OUT => true,
  342. CURLOPT_SSL_VERIFYPEER => false, // Disabled SSL Cert checks
  343. CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  344. CURLOPT_COOKIEJAR => $tmp,
  345. //CURLOPT_COOKIEFILE => $tmp,
  346. CURLOPT_COOKIE => $cookiesIn
  347. );
  348.  
  349. // $output contains the output string
  350. curl_setopt_array($ch, $options);
  351. $output = curl_exec($ch);
  352.  
  353. // close curl resource to free up system resources
  354. curl_close($ch);
  355.  
  356. // output the cURL
  357. echo $output;
  358. ?>
  359.  
  360. $cookiesIn = "user_id=" . $_SESSION['user_id'] . "; username=" . $_SESSION['username'] . "; login_string=" . $_SESSION['login_string'] . ";";
  361.  
  362. $tmp = tempnam("/tmp", "CURLCOOKIE");
  363. if($tmp === FALSE) die('Could not generate a temporary cookie jar.');
  364.  
  365. $options = array(
  366. CURLOPT_RETURNTRANSFER => true, // return web page
  367. //CURLOPT_HEADER => true, //return headers in addition to content
  368. CURLOPT_ENCODING => "", // handle all encodings
  369. CURLOPT_AUTOREFERER => true, // set referer on redirect
  370. CURLOPT_CONNECTTIMEOUT => 120, // timeout on connect
  371. CURLOPT_TIMEOUT => 120, // timeout on response
  372. CURLOPT_MAXREDIRS => 10, // stop after 10 redirects
  373. CURLINFO_HEADER_OUT => true,
  374. CURLOPT_SSL_VERIFYPEER => false, // Disabled SSL Cert checks
  375. CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  376. CURLOPT_COOKIEJAR => $tmp,
  377. CURLOPT_COOKIEFILE => $tmp,
  378. );
  379.  
  380. private function Cookie2Session($name)
  381. {
  382. if (filter_input(INPUT_COOKIE, $name))
  383. {
  384. $_SESSION[$name] = filter_input(INPUT_COOKIE, $name);
  385. }
  386. }
  387.  
  388. // following lines put within the BORDER_PATROL Method
  389. if (filter_input(INPUT_COOKIE, 'pdfCurl'))
  390. {
  391. $this->Cookie2Session('user_id');
  392. $this->Cookie2Session('username');
  393. $this->Cookie2Session('login_string');
  394. $this->Cookie2Session('REMOTE_ADDR');
  395. $this->Cookie2Session('HTTP_USER_AGENT');
  396. $_SESSION['new_session'] = "true";
  397. }
  398.  
// Login Check if user is logged in correctly
// Variant of _login_check() that lets the server's own PDF fetch present the
// original client's address instead of its own. Only the first part of the
// method is shown here; the remainder is marked "{rest of code}".
private function _login_check()
{
    // Database variables
    $db_accounts = mysqli_connect($this->mySQL_accounts_host, $this->mySQL_accounts_username, $this->mySQL_accounts_password, $this->mySQL_accounts_database);

    // Check if all session variables are set
    if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string']))
    {
        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['username'];
        $ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.

        // =====>> add this code, because cURL req comes from server. <<=====
        // The cURL request arrives from the server itself, so REMOTE_ADDR would not match
        // the address baked into login_string. When the request is from this host, use the
        // address forwarded into the session instead. $_SESSION["REMOTE_ADDR"] originates
        // from a client cookie (Cookie2Session), so the REMOTE_ADDR == SERVER_ADDR test is
        // the only thing limiting who can supply it. NOTE(review): confirm that comparison
        // holds in this deployment (proxies / multi-homed hosts may break it).
        if (isset($_SESSION["REMOTE_ADDR"]) && ($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR']))
        {
            $ip_address = $_SESSION["REMOTE_ADDR"];
        }

        // {rest of code}
  421.  
  422. <?php
  423. // Requires
  424. require_once 'assets/class.FirePDF.php';
  425. require_once 'assets/class.Firewizz.Security.php';
  426. $SECURITY = new FirewizzSecurity();
  427. $SECURITY->Start_Secure_Session();
  428.  
  429. // Html file to scrape, if this works replace with referer so the page that does the request gets printed.(prepend by security so it can only be done from securePlay
  430. $html_file = 'http://www.secureplay.nl/?p=overzichten&sort=SpeelplaatsInspecties&s=67';
  431.  
  432. // Output pdf filename
  433. $pdf_fileName = 'Test_Pdf.pdf';
  434.  
  435. /*
  436. * cURL part
  437. */
  438.  
  439. // create curl resource
  440. $ch = curl_init();
  441.  
  442. // set source url
  443. curl_setopt($ch, CURLOPT_URL, $html_file);
  444.  
  445. // set cookies
  446. $cookiesIn = "user_id=" . $_SESSION['user_id'] . "; username=" . $_SESSION['username'] . "; login_string=" . $_SESSION['login_string'] . "; pdfCurl=true; REMOTE_ADDR=" . $_SERVER['REMOTE_ADDR'] . "; HTTP_USER_AGENT=" . $_SERVER['HTTP_USER_AGENT'];
  447. $agent = $_SERVER['HTTP_USER_AGENT'];
  448.  
  449. // set cURL Options
  450. $tmp = tempnam("/tmp", "CURLCOOKIE");
  451. if ($tmp === FALSE)
  452. {
  453. die('Could not generate a temporary cookie jar.');
  454. }
  455.  
  456. $options = array(
  457. CURLOPT_RETURNTRANSFER => true, // return web page
  458. //CURLOPT_HEADER => true, //return headers in addition to content
  459. CURLOPT_ENCODING => "", // handle all encodings
  460. CURLOPT_AUTOREFERER => true, // set referer on redirect
  461. CURLOPT_CONNECTTIMEOUT => 120, // timeout on connect
  462. CURLOPT_TIMEOUT => 120, // timeout on response
  463. CURLOPT_MAXREDIRS => 10, // stop after 10 redirects
  464. CURLINFO_HEADER_OUT => true,
  465. CURLOPT_SSL_VERIFYPEER => false, // Disabled SSL Cert checks
  466. CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  467. CURLOPT_COOKIEJAR => $tmp,
  468. //CURLOPT_COOKIEFILE => $tmp,
  469. CURLOPT_COOKIE => $cookiesIn,
  470. CURLOPT_USERAGENT => $agent
  471. );
  472.  
  473. // $output contains the output string
  474. curl_setopt_array($ch, $options);
  475. $output = curl_exec($ch);
  476.  
  477. // close curl resource to free up system resources
  478. curl_close($ch);
  479.  
  480. // output the cURL
  481. echo $output;
  482. ?>
  483.  
  484. // Security checks as usual, then:
  485.  
  486. if (array_key_exists('output', $_GET)) {
  487. $format = $_GET['output']; // e.g. "pdf"
  488. // We could check whether the response handler has a printAs<FORMAT> method
  489. switch ($format) {
  490. case 'pdf': $outputFn = 'printAsPDF'; break;
  491. default:
  492. throw new Exception("Output in {$format} format not supported");
  493. }
  494. ob_start($output);
  495. }
  496. // Page is generated normally