  1. <?php
  2. include_once 'psl-config.php';
  3.  
  4. function sec_session_start() {
  5.     $session_name = 'sec_session_id';   // Set a custom session name
  6.     $secure = SECURE;
  7.     // This stops JavaScript being able to access the session id.
  8.     $httponly = true;
  9.     // Forces sessions to only use cookies.
  10.     if (ini_set('session.use_only_cookies', 1) === FALSE) {
  11.         header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
  12.         exit();
  13.     }
  14.     // Gets current cookies params.
  15.     $cookieParams = session_get_cookie_params();
  16.     session_set_cookie_params($cookieParams["lifetime"],
  17.         $cookieParams["path"],
  18.         $cookieParams["domain"],
  19.         $secure,
  20.         $httponly);
  21.     // Sets the session name to the one set above.
  22.     session_name($session_name);
  23.     session_start();            // Start the PHP session
  24.     session_regenerate_id();    // regenerated the session, delete the old one.
  25. }
  26.  
  27. function login($email, $password, $mysqli) {
  28.     // Using prepared statements means that SQL injection is not possible.
  29.     if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
  30.        FROM members
  31.       WHERE email = ?
  32.        LIMIT 1")) {
  33.         $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
  34.         $stmt->execute();    // Execute the prepared query.
  35.         $stmt->store_result();
  36.  
  37.         // get variables from result.
  38.         $stmt->bind_result($user_id, $username, $db_password, $salt);
  39.         $stmt->fetch();
  40.  
  41.         // hash the password with the unique salt.
  42.         $password = hash('sha512', $password . $salt);
  43.         if ($stmt->num_rows == 1) {
  44.             // If the user exists we check if the account is locked
  45.             // from too many login attempts
  46.  
  47.             if (checkbrute($user_id, $mysqli) == true) {
  48.                 // Account is locked
  49.                 // Send an email to user saying their account is locked
  50.                 return false;
  51.             } else {
  52.                 // Check if the password in the database matches
  53.                 // the password the user submitted.
  54.                 if ($db_password == $password) {
  55.                     // Password is correct!
  56.                     // Get the user-agent string of the user.
  57.                     $user_browser = $_SERVER['HTTP_USER_AGENT'];
  58.                     // XSS protection as we might print this value
  59.                     $user_id = preg_replace("/[^0-9]+/", "", $user_id);
  60.                     $_SESSION['user_id'] = $user_id;
  61.                     // XSS protection as we might print this value
  62.                     $username = preg_replace("/[^a-zA-Z0-9_\-]+/",
  63.                         "",
  64.                         $username);
  65.                     $_SESSION['username'] = $username;
  66.                     $_SESSION['login_string'] = hash('sha512',
  67.                         $password . $user_browser);
  68.                     // Login successful.
  69.                     return true;
  70.                 } else {
  71.                     // Password is not correct
  72.                     // We record this attempt in the database
  73.                     $now = time();
  74.                     $mysqli->query("INSERT INTO login_attempts(user_id, time)
  75.                                    VALUES ('$user_id', '$now')");
  76.                     return false;
  77.                 }
  78.             }
  79.         } else {
  80.             // No user exists.
  81.             return false;
  82.         }
  83.     }
  84. }
  85.  
  86. function checkbrute($user_id, $mysqli) {
  87.     // Get timestamp of current time
  88.     $now = time();
  89.  
  90.     // All login attempts are counted from the past 2 hours.
  91.     $valid_attempts = $now - (2 * 60 * 60);
  92.  
  93.     if ($stmt = $mysqli->prepare("SELECT time
  94.                             FROM login_attempts
  95.                             WHERE user_id = ?
  96.                            AND time > '$valid_attempts'")) {
  97.         $stmt->bind_param('i', $user_id);
  98.  
  99.         // Execute the prepared query.
  100.         $stmt->execute();
  101.         $stmt->store_result();
  102.  
  103.         // If there have been more than 5 failed logins
  104.         if ($stmt->num_rows > 5) {
  105.             return true;
  106.         } else {
  107.             return false;
  108.         }
  109.     }
  110. }
  111.  
  112. function login_check($mysqli) {
  113.     // Check if all session variables are set
  114.     if (isset($_SESSION['user_id'],
  115.     $_SESSION['username'],
  116.     $_SESSION['login_string'])) {
  117.  
  118.         $user_id = $_SESSION['user_id'];
  119.         $login_string = $_SESSION['login_string'];
  120.         $username = $_SESSION['username'];
  121.  
  122.         // Get the user-agent string of the user.
  123.         $user_browser = $_SERVER['HTTP_USER_AGENT'];
  124.  
  125.         if ($stmt = $mysqli->prepare("SELECT password
  126.                                      FROM members
  127.                                      WHERE id = ? LIMIT 1")) {
  128.             // Bind "$user_id" to parameter.
  129.             $stmt->bind_param('i', $user_id);
  130.             $stmt->execute();   // Execute the prepared query.
  131.             $stmt->store_result();
  132.  
  133.             if ($stmt->num_rows == 1) {
  134.                 // If the user exists get variables from result.
  135.                 $stmt->bind_result($password);
  136.                 $stmt->fetch();
  137.                 $login_check = hash('sha512', $password . $user_browser);
  138.  
  139.                 if ($login_check == $login_string) {
  140.                     // Logged In!!!!
  141.                     return true;
  142.                 } else {
  143.                     // Not logged in
  144.                     return false;
  145.                 }
  146.             } else {
  147.                 // Not logged in
  148.                 return false;
  149.             }
  150.         } else {
  151.             // Not logged in
  152.             return false;
  153.         }
  154.     } else {
  155.         // Not logged in
  156.         return false;
  157.     }
  158. }
  159.  
  160. function esc_url($url) {
  161.  
  162.     if ('' == $url) {
  163.         return $url;
  164.     }
  165.  
  166.     $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
  167.  
  168.     $strip = array('%0d', '%0a', '%0D', '%0A');
  169.     $url = (string) $url;
  170.  
  171.     $count = 1;
  172.     while ($count) {
  173.         $url = str_replace($strip, '', $url, $count);
  174.     }
  175.  
  176.     $url = str_replace(';//', '://', $url);
  177.  
  178.     $url = htmlentities($url);
  179.  
  180.     $url = str_replace('&amp;', '&#038;', $url);
  181.     $url = str_replace("'", '&#039;', $url);
  182.  
  183.     if ($url[0] !== '/') {
  184.         // We're only interested in relative links from $_SERVER['PHP_SELF']
  185.         return '';
  186.     } else {
  187.         return $url;
  188.     }
  189. }