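/**
 * Authenticate a member by e-mail and password.
 *
 * Looks the member up with a prepared statement, refuses the attempt when
 * checkbrute() reports the account as locked, and otherwise compares the
 * submitted password with the stored `password` column. The salted-hash step
 * is commented out in the original, so the stored value is compared as-is;
 * whatever format the application stores is what must be submitted.
 * Nothing is written to $_SESSION here. A wrong password is recorded in
 * login_attempts so checkbrute() can count it.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of falling off the end of
 *              the function with no return value
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM members\n WHERE email = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    // Four columns are selected, so four variables must be bound. The original
    // bound only three, which makes bind_result() fail and leaves every
    // variable unset.
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No member with that e-mail.
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // Too many failed attempts: the account is locked.
        return false;
    }

    // hash_equals() runs in constant time and avoids the numeric-string
    // juggling that `==` applies to two strings.
    if (hash_equals((string) $db_password, (string) $password)) {
        return true;
    }

    // Wrong password: record the attempt with bound parameters rather than
    // interpolating values into the INSERT as the original did.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}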
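/**
 * Authenticate a user by e-mail or username and password.
 *
 * The same submitted value is matched against both `correo` and `usuario`.
 * When exactly one row matches and checkbrute() does not report a lockout,
 * the salted SHA-512 of the submitted password is compared with `contra`.
 * On success the sanitised id, username, account type and a login
 * fingerprint are stored in $_SESSION; a wrong password is recorded in
 * `intentos`.
 *
 * @param string $email    e-mail address or username submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT idusuario, usuario, contra, salt, tipo FROM usuarios_tb WHERE correo = ? OR usuario = ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('ss', $email, $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt, $tipo);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // Unknown user, or the value matched more than one row (no LIMIT here).
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // Too many failed attempts: the account is locked.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. This is not
    // a slow password hash; migrating to password_hash() would need the stored
    // rows to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // These values may be echoed into pages: keep digits / the allowed
        // username characters only.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['tipo'] = $tipo;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO intentos(idusuario, hora) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}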
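/**
 * Check the submitted password against the single stored hash.
 *
 * Reads the first row of the `password` table, refuses the attempt when
 * checkbrute() reports a lockout, and otherwise verifies the password with
 * password_verify(). On success a user-agent fingerprint is stored in
 * $_SESSION['login_string']; on a wrong password the attempt is recorded in
 * login_attempts.
 *
 * Terminates the script (exit) when the SELECT cannot be run, as the
 * original did.
 *
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return array{success: bool, isLocked: bool}
 */
function login($password, $mysqli)
{
    $queryRes = $mysqli->query('SELECT * FROM password;');
    if (!$queryRes) {
        exit;
    }
    $row = $queryRes->fetch_assoc();
    // An empty table yields no row; an empty hash never verifies, so the
    // failure path below is taken instead of reading an index on `false`.
    $hash = (is_array($row) && isset($row['hash'])) ? $row['hash'] : '';

    if (checkbrute($mysqli)) {
        // Account is locked and login is forbidden.
        return array('success' => false, 'isLocked' => true);
    }

    if (password_verify((string) $password, (string) $hash)) {
        // The fingerprint is derived from the user agent alone; there is no
        // per-user secret in this single-password scheme.
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        $_SESSION['login_string'] = hash('sha512', $user_browser);
        return array('success' => true, 'isLocked' => false);
    }

    // Wrong password: record the attempt with a bound parameter.
    $now = time();
    $attempt = $mysqli->prepare('INSERT INTO login_attempts(time) VALUES (?)');
    if ($attempt) {
        $attempt->bind_param('i', $now);
        $attempt->execute();
    }
    return array('success' => false, 'isLocked' => false);
}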
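/**
 * Authenticate a user by username and password.
 *
 * Looks the user up with a prepared statement and, when the account is not
 * locked, verifies the submitted password against the stored
 * password_hash() string. On success the sanitised id and username are
 * written to $_SESSION; every other outcome after the user was found is
 * recorded in `logins`.
 *
 * Fixes relative to the original: password_verify() now receives the
 * plaintext submission and the stored hash (the original re-hashed the
 * submission with password_hash() and compared it with an undefined $hash,
 * so no login could ever succeed); the username filter keeps the allowed
 * characters instead of deleting them; and failed attempts are recorded on a
 * wrong password, not only while the account is already locked.
 *
 * @param string $username username submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise
 */
function login($username, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT userID, username, password FROM users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        // Syntactical error in the statement.
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userID, $username, $correct);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // User doesn't exist.
        return false;
    }

    if (checkbrute($userID, $mysqli) == false && password_verify((string) $password, (string) $correct)) {
        // These values may be printed: keep digits / [a-zA-Z0-9_-] only. The
        // original username pattern lacked the leading ^ and therefore
        // removed exactly the allowed characters.
        $userID = preg_replace("/[^0-9]+/", "", $userID);
        $_SESSION['userID'] = $userID;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        return true;
    }

    // Wrong password or locked account: record the failed attempt with bound
    // parameters so checkbrute() can count it.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO logins(userFK, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $userID, $now);
        $attempt->execute();
    }
    return false;
}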
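/**
 * Authenticate a member by e-mail and password.
 *
 * Looks the member up with a prepared statement, refuses the attempt when
 * checkbrute() reports the account as locked, and otherwise compares the
 * salted SHA-512 of the submitted password with the stored hash. On success
 * the sanitised id and username plus a login fingerprint are written to
 * $_SESSION; a wrong password is recorded in login_attempts.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM members\n WHERE email = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No member with that e-mail.
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // Too many failed attempts: the account is locked.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. This is not
    // a slow password hash; migrating to password_hash() would need the stored
    // rows to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // These values may be echoed into pages: keep digits / the allowed
        // username characters only.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}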
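/**
 * Authenticate a member by e-mail and password.
 *
 * Looks the member up with a prepared statement, refuses the attempt when
 * checkbrute() reports the account as locked, and otherwise compares the
 * salted SHA-512 of the submitted password with the stored hash. On success
 * the sanitised id and username, the first/last name, the role and a login
 * fingerprint are written to $_SESSION; a wrong password is recorded in
 * login_attempts.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT id, firstname, lastname, username,role, password, salt \n FROM `members`\n WHERE `email` = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $firstname, $lastname, $username, $role, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists.
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as these values might be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // firstname, lastname and role are stored unfiltered, as in the
        // original; escape them at the point of output.
        $_SESSION['firstname'] = $firstname;
        $_SESSION['lastname'] = $lastname;
        $_SESSION['role'] = $role;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Password is not correct: record the attempt with bound parameters
    // instead of the original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}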
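/**
 * Authenticate a member by e-mail and password.
 *
 * Looks the member up with a prepared statement, refuses the attempt when
 * checkbrute() reports the account as locked, and otherwise compares the
 * salted SHA-512 of the submitted password with the stored hash. On success
 * the sanitised id and username plus a login fingerprint are written to
 * $_SESSION; a wrong password is recorded in login_attempts.
 *
 * Database failures redirect to error.php and terminate the script, as in
 * the original: when the lookup cannot be prepared, and when the failed
 * attempt cannot be recorded.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n\t\t\t\t FROM members \n WHERE email = ? LIMIT 1");
    if (!$stmt) {
        // Could not create a prepared statement.
        header("Location: error.php?err=Database error: cannot prepare statement");
        exit;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists.
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as these values might be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Password is not correct: record the attempt with bound parameters
    // instead of the original interpolated INSERT. Any failure is reported the
    // way the original reported a failed INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if (!$attempt || !$attempt->bind_param('si', $user_id, $now) || !$attempt->execute()) {
        header("Location: error.php?err=Database error: login_attempts");
        exit;
    }
    return false;
}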
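/**
 * Authenticate a user by uid and password.
 *
 * Opens the main database via conectabd(), looks the user up with a prepared
 * statement, refuses the attempt when checkbrute() reports a lockout, and
 * otherwise compares the salted SHA-512 of the submitted password with the
 * stored hash. The login only succeeds when the account status is 'ativo'.
 * On success the sanitised id and username plus a login fingerprint are
 * written to $_SESSION; every failure sets $_SESSION['login-error'] and a
 * wrong password / inactive account is recorded in login_tentativa together
 * with the client address.
 *
 * @param string $user     uid submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($user, $password)
{
    $mysqli = conectabd(BD_PRINCIPAL);
    // Using prepared statements means SQL injection is not possible here.
    $stmt = $mysqli->prepare("SELECT codigo, uid, senha, salt, status FROM usuario WHERE uid = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt, $status);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such user.
        $_SESSION['login-error'] = 'Usuário inválido!';
        return false;
    }

    if (checkbrute($user_id) == true) {
        // Account is temporarily locked because the attempt limit was exceeded.
        $_SESSION['login-error'] = 'A conta deste usuário está bloqueada temporáriamente';
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling. The status check keeps the
    // original order (hash first, then status).
    if (hash_equals((string) $db_password, $password) && $status === 'ativo') {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password or inactive account: record the attempt with bound
    // parameters instead of interpolating the values (including REMOTE_ADDR)
    // into the INSERT.
    $_SESSION['login-error'] = 'Senha inválida ou usuário está inativo!';
    $now = time();
    $ip = $_SERVER['REMOTE_ADDR'];
    $attempt = $mysqli->prepare("INSERT INTO login_tentativa(user_id, time, ip) VALUES (?, ?, ?)");
    if ($attempt) {
        $attempt->bind_param('sis', $user_id, $now, $ip);
        $attempt->execute();
    }
    return false;
}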
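/**
 * Authenticate a user by e-mail and password.
 *
 * Looks the user up by e-mail, refuses the attempt when checkbrute() reports
 * a lockout, and otherwise compares the salted SHA-512 of the submitted
 * password with the stored hash. On success the sanitised id and username
 * plus a login fingerprint are written to $_SESSION; on failure a message is
 * appended to $GLOBALS['errorMsg'] and a wrong password is recorded in
 * LoginAttempts.
 *
 * The lookup now uses a bound parameter: the original concatenated $email
 * straight into the SELECT, which was open to SQL injection.
 *
 * @param string $email         e-mail address submitted by the user (untrusted)
 * @param string $user_password plaintext password submitted by the user (untrusted)
 * @param mysqli $conn          open database connection
 * @return bool true on a successful login, false otherwise
 */
function login($email, $user_password, $conn)
{
    $success = TRUE;

    $stmt = $conn->prepare("SELECT id, username, password, salt FROM Users WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return FALSE;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userId, $username, $dbPassword, $salt);
    $stmt->fetch();

    if ($stmt->num_rows > 0) {
        // Legacy storage format: SHA-512 over password + per-user salt. Not a
        // slow password hash; migrating to password_hash() would need the
        // stored rows to change and is out of scope here.
        $password = hash('sha512', $user_password . $salt);

        if (checkbrute($userId, $conn) == true) {
            // Too many login attempts: the account is locked.
            $GLOBALS['errorMsg'] .= '<p class="error">Too many login attempts.</p>';
            $success = FALSE;
        } elseif (hash_equals((string) $dbPassword, $password)) {
            // Constant-time comparison instead of `==` on two hex digests.
            $userBrowser = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
            // XSS protection as these values might be printed.
            $userId = preg_replace("/[^0-9]+/", "", $userId);
            $_SESSION['user_id'] = $userId;
            $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
            $_SESSION['username'] = $username;
            // Fingerprint tying the session to this password hash and user agent.
            $_SESSION['login_string'] = hash('sha512', $password . $userBrowser);
        } else {
            // Wrong password: record the attempt with a bound parameter.
            $attempt = $conn->prepare("INSERT INTO LoginAttempts(userId) VALUES (?)");
            if ($attempt) {
                $attempt->bind_param('s', $userId);
                $attempt->execute();
            }
            $GLOBALS['errorMsg'] .= '<p class="error">Incorrect Username/Password combination.</p>';
            $success = FALSE;
        }
    } else {
        // No user info exists in the database.
        $success = FALSE;
    }

    return $success;
}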
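/**
 * Authenticate a client by username and password.
 *
 * Looks the client up with a prepared statement, refuses the attempt (and
 * echoes "Cuenta Bloqueada") when checkbrute() reports a lockout, and
 * otherwise compares the submitted password with the stored `password`
 * column. No hashing happens in this function; the original's comment says
 * both values are SHA-512, so the caller is expected to supply the digest.
 * On success the sanitised id and username plus a login fingerprint are
 * written to $_SESSION; a wrong password is recorded in login_attempts.
 *
 * @param string $usuario  username submitted by the user (untrusted)
 * @param string $password password (digest, per the original comment) submitted by the user (untrusted)
 * @param mysqli $conexion open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($usuario, $password, $conexion)
{
    // Prepared statements prevent SQL injection in the lookup.
    $stmt = $conexion->prepare("SELECT id, usuario, password\n FROM clientes\nWHERE usuario = ?\nLIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $usuario, $db_password);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // The user does not exist.
        return false;
    }

    if (checkbrute($id, $conexion) == true) {
        // The account is locked after too many attempts.
        $error = "Cuenta Bloqueada";
        echo $error;
        return false;
    }

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, (string) $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection: keep digits only. The original computed this
        // sanitised value and then stored the raw $id; the sanitised one is
        // stored now.
        $user_id = preg_replace("/[^0-9]+/", "", $id);
        $_SESSION['id'] = $user_id;
        // XSS protection: keep letters, digits, _ and - only.
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $usuario);
        $_SESSION['usuario'] = $username;
        // Fingerprint tying the session to this password and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $conexion->prepare("INSERT INTO login_attempts(id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $id, $now);
        $attempt->execute();
    }
    return false;
}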
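/**
 * Authenticate a user by e-mail and password.
 *
 * Looks the user up with a prepared statement, refuses the attempt when
 * checkbrute() reports a lockout, and otherwise compares the salted SHA-512
 * of the submitted password with the stored hash. Both outcomes after the
 * user was found are written to `userevents` ('logged in' or 'password
 * incorrect'). On success the sanitised id and username, an `admin` flag and
 * a login fingerprint are written to $_SESSION.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $db       open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $db)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $db->prepare("SELECT id, user, passwordHash, salt FROM login WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists.
        return false;
    }

    if (checkbrute($user_id, $db) == true) {
        // Account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);
    $now = time();

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as these values might be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Every successful login is marked admin = 1 here, unconditionally
        // (kept from the original). Confirm that this is intended before
        // relying on the flag for authorisation.
        $_SESSION['admin'] = 1;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        $event = $db->prepare("INSERT INTO userevents (userId, eventType, date, modifiedUser) VALUES (?, 'logged in', ?, ?)");
        if ($event) {
            $event->bind_param('sis', $user_id, $now, $user_id);
            $event->execute();
        }
        return true;
    }

    // Password is not correct: record the event with bound parameters instead
    // of the original interpolated INSERT.
    $event = $db->prepare("INSERT INTO userevents (userId, eventType, date, modifiedUser) VALUES (?, 'password incorrect', ?, ?)");
    if ($event) {
        $event->bind_param('sis', $user_id, $now, $user_id);
        $event->execute();
    }
    return false;
}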
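/**
 * Authenticate a user by e-mail and password.
 *
 * Looks the user up with a prepared statement, refuses the attempt when
 * checkbrute() reports a lockout, and otherwise compares the salted SHA-512
 * of the submitted password with the stored hash. On success the sanitised
 * id and username plus a login fingerprint are written to $_SESSION and
 * actualizacionexion() is called; a wrong password is recorded in
 * login_attempts.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    // Kept from the original; it is never read in this function.
    $errorr = "vacio";
    // Prepared statements mean SQL injection is not possible in the lookup.
    $stmt = $mysqli->prepare("select user_id,user_name,user_password,salt from user where user_email= ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // The user does not exist (or the e-mail is not unique: no LIMIT here).
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // The account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as these values might be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        // Login successful.
        // NOTE(review): in the collapsed original this call follows the
        // "login successful" comment; confirm it is a live statement and that
        // actualizacionexion() is defined.
        actualizacionexion($mysqli, $user_id);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}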
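/**
 * Authenticate a user by username and password.
 *
 * Looks the user up with a prepared statement, refuses the attempt when
 * checkbrute() reports a lockout, and otherwise compares the salted SHA-512
 * of the submitted password with the stored hash. Failures answer with an
 * HTTP 500 status line, as in the original. On success three cookies
 * (user_id, username, login_string) are set with a ten-year lifetime; a
 * wrong password is recorded in ha_user_login.
 *
 * @param string $username username submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($username, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT UserId, UserMail, UserPassword, UserSalt FROM ha_users WHERE UserName = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $mail, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists.
        header('HTTP/1.1 500 Username/Password is not correct!');
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many login attempts.
        header('HTTP/1.1 500 Account is locked!');
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        $ten_years = time() + 10 * 365 * 24 * 60 * 60;
        // XSS protection as these values might be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        // Kept from the original: the login state lives in long-lived cookies
        // without HttpOnly/Secure flags, and login_string is derived from the
        // stored password hash plus the user agent. Review whether a
        // server-side session would be preferable.
        setcookie("user_id", $user_id, $ten_years, "/");
        setcookie("username", $username, $ten_years, "/");
        setcookie("login_string", hash('sha512', $password . $user_browser), $ten_years, "/");
        return true;
    }

    // Password is not correct: record the attempt with a bound parameter
    // instead of the original concatenated INSERT.
    $attempt = $mysqli->prepare("INSERT INTO ha_user_login(UserId, Date) VALUES (?, NOW())");
    if ($attempt) {
        $attempt->bind_param('s', $user_id);
        $attempt->execute();
    }
    header('HTTP/1.1 500 Username/Password is not correct!');
    return false;
}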
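/**
 * Authenticate a member by username and password.
 *
 * Opens a read-only connection, looks the member up with a prepared
 * statement, refuses the attempt when checkbrute() reports a lockout, and
 * otherwise compares the salted SHA-512 of the submitted password with the
 * stored hash. On success the sanitised id and username plus a login
 * fingerprint are written to $_SESSION. A wrong password is recorded in
 * login_attempts over a separate writer connection.
 *
 * Fixes relative to the original: the locked-account branch called
 * `$mysqli_close($mysqli)` (a variable function on an undefined variable)
 * instead of closing the connection, and the writer connection was never
 * closed after recording the attempt.
 *
 * @param string $user     username submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @return string|null NULL on success, otherwise one of the original status
 *                     strings ("bad input", "inteneral server error",
 *                     "Brute force, try again in 2 hours", "bad login",
 *                     "no such user"); the strings are kept verbatim since
 *                     callers may match on them
 */
function performLogin($user, $password)
{
    if (!isset($user) || !isset($password)) {
        return "bad input";
    }

    $mysqli = new mysqli(DB_SERVER, DB_READER_USER, DB_READER_PASSWORD, SEC_DB_NAME);
    if ($mysqli->connect_errno) {
        // Kept from the original; note that this discloses the driver's
        // connection error text to the client.
        echo $mysqli->connect_error;
        return "inteneral server error";
    }

    $stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE username = ? LIMIT 1");
    if ($stmt) {
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $stored_password, $salt);
        $stmt->fetch();

        // Legacy storage format: SHA-512 over password + per-user salt. Not a
        // slow password hash; migrating to password_hash() would need the
        // stored rows to change and is out of scope here.
        $password = hash('sha512', $password . $salt);

        // Anything other than exactly one row is treated as "no such user".
        if ($stmt->num_rows == 1) {
            if (checkbrute($user_id, $mysqli)) {
                // Account has been locked.
                $mysqli->close();
                return "Brute force, try again in 2 hours";
            }

            // Constant-time comparison of the two digests.
            if (hash_equals((string) $stored_password, $password)) {
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // These values may be printed: keep digits / allowed characters only.
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
                $_SESSION['username'] = $username;
                // Fingerprint tying the session to this password hash and user agent.
                $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                $mysqli->close();
                return NULL;
            }

            // Wrong password: record the attempt over the writer connection,
            // with bound parameters instead of the original interpolated INSERT.
            $mysqli->close();
            $mysqli = new mysqli(DB_SERVER, DB_WRITER_USER, DB_WRITER_PASSWORD, SEC_DB_NAME);
            if ($mysqli->connect_errno) {
                echo $mysqli->connect_error;
                return "inteneral server error";
            }
            $now = time();
            $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
            if ($attempt) {
                $attempt->bind_param('si', $user_id, $now);
                $attempt->execute();
            }
            $mysqli->close();
            return "bad login";
        }
    }

    $mysqli->close();
    return "no such user";
}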
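/**
 * Authenticate a user by username and password.
 *
 * Looks the user up with a prepared statement, refuses the attempt when
 * checkbrute() reports a lockout, and otherwise compares the salted SHA-512
 * of the submitted password with the stored hash. On success the sanitised
 * id and username plus a fingerprint over hash + client address + user agent
 * are written to $_SESSION; a wrong password is recorded in login_attempts
 * with the client address and user agent.
 *
 * Fixes relative to the original: the failed-attempt INSERT interpolated the
 * raw User-Agent header into SQL (injectable) and named the column `when`
 * without quoting it, which is a reserved word in MySQL and makes the
 * statement fail.
 *
 * @param string $username username submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $db       open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($username, $password, $db)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $db->prepare("SELECT id, password, salt FROM users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists.
        return false;
    }

    if (checkbrute($user_id, $db) == true) {
        // Account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    $ip_address = $_SERVER['REMOTE_ADDR'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        // XSS protection as these values might be printed; '@' and '.' are
        // allowed in usernames here.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9@._\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to hash, client address and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_agent);
        return true;
    }

    // Password is not correct: record the attempt with bound parameters.
    // ip2long() returns false for non-IPv4 addresses; casting to string
    // stores '' in that case, which matches what the original interpolation
    // produced.
    $now = time();
    $ip_long = (string) ip2long($ip_address);
    $attempt = $db->prepare("INSERT INTO login_attempts (user_id, `when`, ip, user_agent) VALUES (?, ?, ?, ?)");
    if ($attempt) {
        $attempt->bind_param('siss', $user_id, $now, $ip_long, $user_agent);
        $attempt->execute();
    }
    return false;
}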
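/**
 * Authenticate a member by e-mail and password.
 *
 * Looks the member up with a prepared statement, refuses the attempt when
 * checkbrute() reports the account as locked, and otherwise compares the
 * salted SHA-512 of the submitted password with the stored hash. On success
 * the sanitised id and username plus a login fingerprint are written to
 * $_SESSION; a wrong password is recorded in login_attempts.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements prevents SQL injection in the lookup.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM members\n WHERE email = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // There is no such user.
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // The account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection, since these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}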
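/**
 * Authenticate a user by username and password.
 *
 * Looks the user up with a prepared statement, refuses the attempt when
 * checkbrute() (keyed by username here) reports a lockout, and otherwise
 * verifies the submitted password against the stored password_hash()
 * string. On success the sanitised username, the user id, the account type
 * and a login fingerprint are written to $_SESSION; a wrong password is
 * recorded in loginAttempts by username.
 *
 * @param string $username username submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($username, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT userName, password, userID, type \n FROM Users\n WHERE userName = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    // Overwrites the $username parameter with the stored spelling, as the
    // original did.
    $stmt->bind_result($username, $db_password, $userID, $type);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No user exists.
        return false;
    }

    if (checkbrute($username, $mysqli) == true) {
        // Account is locked after too many login attempts.
        return false;
    }

    if (password_verify((string) $password, (string) $db_password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as this value might be printed.
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['userID'] = $userID;
        $_SESSION['type'] = $type;
        // Fingerprint over the plaintext password and user agent, as in the
        // original (there is no salted digest in this scheme).
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Password is not correct: record the attempt with bound parameters
    // instead of the original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO loginAttempts(userName, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $username, $now);
        $attempt->execute();
    }
    return false;
}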
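/**
 * Authenticate a member by username or e-mail and password.
 *
 * The same submitted value is matched against `username` and `email`. When
 * exactly one row matches and checkbrute() does not report a lockout, the
 * salted SHA-512 of the submitted password is compared with the stored
 * hash. On success the member's id, username, e-mail, first/last name,
 * action, permission and a login fingerprint are written to $_SESSION
 * (unfiltered, as in the original); a wrong password is recorded in
 * login_attempts.
 *
 * @param string $email    username or e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements prevents SQL injection in the lookup.
    // `SELECT *` is bound positionally to nine variables below, so any change
    // to the column order of `members` silently shifts these values.
    $stmt = $mysqli->prepare("SELECT * FROM `members` WHERE `username` = ? OR `email` = ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('ss', $email, $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $user_email, $db_password, $salt, $user_vorname, $user_nachname, $user_action, $user_permission);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such member, or the value matched more than one row (no LIMIT).
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // The account is locked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // Stored as read from the database; escape at the point of output.
        $_SESSION['user_id'] = $user_id;
        $_SESSION['username'] = $username;
        $_SESSION['user_email'] = $user_email;
        $_SESSION['user_vorname'] = $user_vorname;
        $_SESSION['user_nachname'] = $user_nachname;
        $_SESSION['user_action'] = $user_action;
        $_SESSION['user_permission'] = $user_permission;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}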
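/**
 * Authenticate a user by username and password (PDO variant).
 *
 * Looks the user up in the prefixed users table, refuses the attempt with a
 * 401 when checkbrute() reports a lockout, and otherwise compares the salted
 * SHA-512 of the submitted password with the stored hash. On success the
 * sanitised id and username plus a login fingerprint are written to
 * $_SESSION and the user's rows in the login-attempts table are deleted; a
 * wrong password is recorded there instead.
 *
 * Fixes relative to the original: the fetched row is kept in a local
 * variable instead of a dynamic property on the PDOStatement (deprecated
 * from PHP 8.2), a missing row no longer reads indexes on `false`, and the
 * 401 status line is sent before the message is echoed (header() is ignored
 * once output has started).
 *
 * @param string $user username submitted by the user (untrusted)
 * @param string $pass plaintext password submitted by the user (untrusted)
 * @param PDO    $dbh  open database handle
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($user, $pass, $dbh)
{
    global $table_prefix;
    include $_SERVER['DOCUMENT_ROOT'] . '/config.php';

    $stmt = $dbh->prepare("SELECT id, username, password, salt FROM " . $table_prefix . "_users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bindValue(1, $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();

    if ($row === false) {
        // No such user (the original echoed an empty string here).
        echo "";
        return false;
    }
    $id = $row['id'];

    if (checkbrute($id, $dbh) == true) {
        // Account locked after repeated wrong logins.
        header('HTTP/1.1 401 Unauthorized', true, 401);
        echo "Váš účet bol zablokovaný z dôvodu viacerých nesprávnych prihlásení.";
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $pass . $row['salt']);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $row['password'], $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection as these values might be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $row['id']);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $row['username']);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        // A successful login resets the failed-attempt counter.
        $clear_log_attempt = $dbh->prepare("DELETE FROM " . $table_prefix . "_users_login_attempts WHERE user_id = ?");
        $clear_log_attempt->bindValue(1, $id);
        $clear_log_attempt->execute();
        return true;
    }

    // Password is not correct: record the attempt with bound parameters
    // instead of the original interpolated INSERT.
    $now = time();
    $attempt = $dbh->prepare("INSERT INTO " . $table_prefix . "_users_login_attempts (user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->execute(array($id, $now));
    }
    return false;
}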
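/**
 * Authenticate a member by e-mail and password.
 *
 * Looks the member up with a prepared statement, refuses the attempt when
 * checkbrute() reports the account as locked, and otherwise compares the
 * salted SHA-512 of the submitted password with the stored hash. On success
 * the sanitised id and username plus a login fingerprint are written to
 * $_SESSION; a wrong password is recorded in login_attempts.
 *
 * @param string $email    e-mail address submitted by the user (untrusted)
 * @param string $password plaintext password submitted by the user (untrusted)
 * @param mysqli $mysqli   open database connection
 * @return bool true on a successful login, false otherwise; a failed
 *              prepare() now returns false instead of returning nothing
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM members\n WHERE email = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // The user does not exist.
        return false;
    }

    if (checkbrute($user_id, $mysqli) == true) {
        // The account is blocked after too many login attempts.
        return false;
    }

    // Legacy storage format: SHA-512 over password + per-user salt. Not a slow
    // password hash; migrating to password_hash() would need the stored rows
    // to change and is out of scope here.
    $password = hash('sha512', $password . $salt);

    // Constant-time comparison; `==` on two hex digests is timing-dependent
    // and subject to numeric-string juggling.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = $_SERVER['HTTP_USER_AGENT'];
        // XSS protection, since these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Fingerprint tying the session to this password hash and user agent.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt with bound parameters instead of the
    // original interpolated INSERT.
    $now = time();
    $attempt = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if ($attempt) {
        $attempt->bind_param('si', $user_id, $now);
        $attempt->execute();
    }
    return false;
}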
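/**
 * Authenticate a club by id and password (mysqli variant).
 *
 * The submitted password is hashed (sha512) with the stored salt and compared
 * to the stored hash. On success the sanitized id and username and a login
 * token (sha512 of the hash and the User-Agent) are stored in $_SESSION, the
 * row's last_online date is updated and the connection is closed. On a wrong
 * password one row is written to login_attempts for checkbrute().
 *
 * @param string $club_id  id as submitted (looked up in users.id)
 * @param string $password password as submitted (plain text)
 * @param mysqli $mysqli   open connection; closed by this function on success
 * @return bool true only for a correct password on an unlocked account
 */
function login($club_id, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM users\n WHERE id = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $club_id);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such user.
        return false;
    }
    if (checkbrute($user_id, $mysqli) == true) {
        // Locked after too many failed attempts.
        return false;
    }

    // Salted hash, compared in constant time instead of with ==.
    $password = hash('sha512', $password . $salt);
    if (!hash_equals((string) $db_password, $password)) {
        // Record the failed attempt so checkbrute() can lock the account.
        $now = time();
        $log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time)\n VALUES (?, ?)");
        if ($log) {
            $log->bind_param('ii', $user_id, $now);
            $log->execute();
        }
        return false;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything outside the expected character set: these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);

    // Store the login date (parameterised; the original interpolated the values).
    $date = date("Y-m-d");
    $touch = $mysqli->prepare("UPDATE users SET last_online = ? \n WHERE id = ?");
    if ($touch) {
        $touch->bind_param('si', $date, $user_id);
        $touch->execute();
    }
    // The original closes the caller's connection here; kept for compatibility.
    mysqli_close($mysqli);
    return true;
}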
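/**
 * Authenticate a member by e-mail address and password (mysqli variant).
 *
 * The submitted password is hashed (sha512) with the stored salt and compared
 * to the stored hash. On success the sanitized username and a login token
 * (sha512 of the hash and the User-Agent) are stored in $_SESSION; on a wrong
 * password one row is written to login_attempts for checkbrute().
 *
 * @param string $email    e-mail address as submitted
 * @param string $password password as submitted (plain text)
 * @param mysqli $mysqli   open connection
 * @return bool true only for a correct password on an unlocked account
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare('SELECT id,username,password,salt FROM members WHERE email = ? limit 1');
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such member.
        return false;
    }
    if (checkbrute($user_id, $mysqli) == true) {
        // Locked after too many failed attempts.
        return false;
    }

    // Salted hash, compared in constant time instead of with ==.
    $password = hash('sha512', $password . $salt);
    if (!hash_equals((string) $db_password, $password)) {
        // Record the failed attempt. The original called an undefined query()
        // function (a fatal error) and put the values inside single quotes, so
        // they were never interpolated.
        $now = time();
        $log = $mysqli->prepare('INSERT INTO login_attempts(user_id,time) values (?, ?)');
        if ($log) {
            $log->bind_param('ii', $user_id, $now);
            $log->execute();
        }
        return false;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything outside the expected character set: this value may be printed.
    $username = preg_replace('/[^a-zA-Z0-9_\\-]+/', '', $username);
    // $_SESSION is the superglobal; the original wrote to a local $_session
    // array, so nothing was ever stored in the session.
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    return true;
}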
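/**
 * Authenticate a user by username and password (mysqli variant) and report a
 * numeric status.
 *
 * The submitted password is hashed (sha512) with the stored salt and compared
 * to the stored hash. On success userID, username, loginString, permissions
 * and shop_id are stored in $_SESSION; on a wrong password one row is written
 * to auth_attempts for checkbrute().
 *
 * @param string $username username as submitted
 * @param string $password password as submitted (plain text)
 * @param mysqli $mysqli   open connection
 * @return int 1 = logged in, 2 = account locked, 3 = wrong password,
 *             4 = unknown username, 5 = statement could not be prepared
 */
function login($username, $password, $mysqli)
{
    $stmt = $mysqli->prepare('SELECT id, username, password, salt, permission FROM auth_user WHERE username = ? LIMIT 1');
    if (!$stmt) {
        return 5;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    // $username is rebound here to the stored spelling of the name.
    $stmt->bind_result($userID, $username, $dbPassword, $salt, $perms);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        return 4;
    }
    if (checkbrute($userID, $mysqli) == true) {
        // Locked after too many failed attempts.
        return 2;
    }

    // Salted hash, compared in constant time instead of with ==.
    $password = hash('sha512', $password . $salt);
    if (!hash_equals((string) $dbPassword, $password)) {
        // Record the failed attempt so checkbrute() can lock the account.
        $now = time();
        $log = $mysqli->prepare("INSERT INTO auth_attempts(userID, time) VALUES (?, ?)");
        if ($log) {
            $log->bind_param('ii', $userID, $now);
            $log->execute();
        }
        return 3;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $userBrowser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything outside the expected character set: these values may be printed.
    $userID = preg_replace("/[^0-9]+/", "", $userID);
    $_SESSION['userID'] = $userID;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['loginString'] = hash('sha512', $password . $userBrowser);
    $_SESSION['permissions'] = $perms;
    // The shop is fixed to 1 in the original; kept as-is.
    $_SESSION['shop_id'] = 1;
    return 1;
}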
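/**
 * Authenticate a member by e-mail address and password (mysqli variant).
 *
 * The submitted password ($L2) is hashed (sha512) with the stored salt and
 * compared to the stored value. On success u_ID, u_name, u_email, the
 * sanitized local part of the address and a login token (sha512 of the hash
 * and the User-Agent) are stored in $_SESSION; on a wrong password one row is
 * written to login_attempts for checkbrute(). A locked account prints a message.
 *
 * @param string $u_email e-mail address as submitted
 * @param string $L2      password as submitted (plain text)
 * @param mysqli $mysqli  open connection
 * @return bool true only for a correct password on an unlocked account
 */
function login($u_email, $L2, $mysqli)
{
    // Bind the address as a parameter; the original interpolated it into the
    // SQL text, which allowed SQL injection through the login form.
    $stmt = $mysqli->prepare("SELECT ID,name, L2, salt FROM `signup`.`members` WHERE email = ? ");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $u_email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($u_ID, $u_name, $db_L2, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such member.
        return false;
    }
    if (checkbrute($u_ID, $mysqli) == true) {
        // Locked after too many failed attempts.
        echo "Sorry! Try After Sometime.";
        return false;
    }

    // Salted hash, compared in constant time instead of with ==.
    $L2 = hash('sha512', $L2 . $salt);
    if (!hash_equals((string) $db_L2, $L2)) {
        // Record the failed attempt so checkbrute() can lock the account.
        $now = time();
        $log = $mysqli->prepare("INSERT INTO login_attempts (ID, time) VALUES (?, ?)");
        if ($log) {
            $log->bind_param('ii', $u_ID, $now);
            $log->execute();
        }
        return false;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything outside the expected character set: these values may be printed.
    $u_ID = preg_replace("/[^0-9]+/", "", $u_ID);
    $_SESSION['u_ID'] = $u_ID;
    $email_parts = explode("@", $u_email);
    $email_local = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $email_parts[0]);
    // The original sanitized the name into a misspelt variable and stored the raw value.
    $u_name = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $u_name);
    $_SESSION['u_name'] = $u_name;
    $_SESSION['u_email'] = $u_email;
    $_SESSION['xploded_u_email'] = $email_local;
    $_SESSION['login_string'] = hash('sha512', $L2 . $user_browser);
    return true;
}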
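/**
 * Check a username/password pair and report a numeric status (mysqli variant).
 *
 * The username is matched case-insensitively (LOWER(?)). The submitted
 * password is hashed (sha512) with the stored salt and compared to the stored
 * hash. This function sets no session state and, unlike its siblings, does not
 * record failed attempts or lock the account: those steps exist only as
 * comments in the original and are left as TODOs.
 *
 * @param string $username username as submitted
 * @param string $password password as submitted (plain text)
 * @param mysqli $link     open connection
 * @return int|null 1 = unknown username, 2 = account not active,
 *                  3 = locked by checkbrute(), 4 = wrong password,
 *                  5 = password correct; null when the statement cannot be prepared
 */
function login($username, $password, $link)
{
    $stmt = $link->prepare("SELECT id, password, salt, status FROM users WHERE username = LOWER(?) LIMIT 1");
    if (!$stmt) {
        // Same as the original, which fell off the end without a status code.
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $db_password, $salt, $status);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        return 1;
    }
    if ($status != 1) {
        return 2;
    }
    if (checkbrute($user_id, $link) == true) {
        // TODO (from the original): notify the user and administrators and set
        // the account status to locked.
        return 3;
    }

    // Salted hash, compared in constant time instead of with ==.
    $password = hash('sha512', $password . $salt);
    if (hash_equals((string) $db_password, $password)) {
        return 5;
    }
    // TODO (from the original): record the attempt in login_attempts.
    return 4;
}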
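/**
 * Authenticate a member by e-mail address and password (mysqli variant) and
 * load the member's template settings into the session.
 *
 * NOTE(review): the salted-hash step is commented out in the original, so the
 * submitted password is compared as-is against members.password. That
 * behaviour is kept (the stored format is not visible here) but the comparison
 * is done in constant time. The original also printed the full query,
 * including the e-mail address, into the response; that debug output is gone.
 *
 * On success user_id, int_phone, username (the e-mail), familiya, imya,
 * template, show20, login_string and rights are stored in $_SESSION. Both the
 * success and the failure path insert a row into login_attempts, as in the
 * original; whether checkbrute() counts the successful ones is not visible here.
 *
 * @param string $email    e-mail address as submitted
 * @param string $password password as submitted
 * @param mysqli $db_CS    open connection
 * @return bool true only for a correct password on an unlocked account
 */
function login($email, $password, $db_CS)
{
    $stmt = $db_CS->prepare("SELECT id, password, salt, familiya, imya, template, int_phone \r\n FROM members\r\n WHERE email = ?\r\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $db_password, $salt, $familiya, $imya, $template, $int_phone);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such member.
        return false;
    }
    if (checkbrute($user_id, $db_CS) == true) {
        // Locked after too many failed attempts.
        return false;
    }

    if (!hash_equals((string) $db_password, (string) $password)) {
        // Wrong password: record the attempt (parameterised).
        $now = time();
        $log = $db_CS->prepare("INSERT INTO login_attempts(user_id, time)\r\n VALUES (?, ?)");
        if ($log) {
            $log->bind_param('ii', $user_id, $now);
            $log->execute();
        }
        return false;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything non-numeric: this value may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['int_phone'] = $int_phone;
    $_SESSION['username'] = $email;
    $_SESSION['familiya'] = $familiya;
    $_SESSION['imya'] = $imya;
    $_SESSION['template'] = $template;
    $_SESSION['show20'] = true;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);

    // Template settings as a list of objects with ->name and ->value, matching
    // the fetch_object() shape the original produced. $rights is initialised so
    // a template without settings yields an empty array instead of an
    // undefined variable. $template comes from the database but is bound anyway.
    $rights = array();
    $settings = $db_CS->prepare("SELECT name,value FROM memberTemplatesSettings WHERE templateID = ?");
    if ($settings) {
        $settings->bind_param('s', $template);
        $settings->execute();
        $settings->bind_result($opt_name, $opt_value);
        while ($settings->fetch()) {
            $opt = new stdClass();
            $opt->name = $opt_name;
            $opt->value = $opt_value;
            $rights[] = $opt;
        }
    }
    $_SESSION['rights'] = $rights;

    // Kept from the original: a successful login is also written to login_attempts.
    $now = time();
    $log = $db_CS->prepare("INSERT INTO login_attempts(user_id, time)\r\n VALUES (?, ?)");
    if ($log) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
    }
    return true;
}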
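/**
 * Authenticate a user by e-mail address and password (mysqli variant) and load
 * the user's agency data into the session.
 *
 * Only rows with USR_Control = 1 are considered. The submitted password is
 * hashed (sha512) with USR_Salt and compared to USR_Password. On success
 * user_id, email, the agency fields, user type, admin access and a login
 * token (sha512 of the hash and the User-Agent) are stored in $_SESSION.
 * Failed attempts are not recorded here: that code is commented out in the
 * original, so whatever checkbrute() reads is not fed by this function.
 *
 * @param string $param    e-mail address as submitted (USR_Mail)
 * @param string $password password as submitted (plain text)
 * @param mysqli $mysqli   open connection
 * @return bool true only for a correct password on an unlocked account
 */
function login($param, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT usr.USR_Id,\r\n -- usr.USR_Username,\r\n usr.USR_Mail,\r\n usr.USR_AGN_Id,\r\n COALESCE(agn.AGN_Nombre, 'Administrador') AGN_Nombre,\r\n COALESCE(agn.AGN_Logo1, 'admin.png') AGN_Logo1,\r\n COALESCE(agn.AGN_Logo2, 'admin.png') AGN_Logo2,\r\n usr.USR_Tipo,\r\n usr.USR_Password,\r\n usr.USR_Salt,\r\n COALESCE(agn.AGN_Header, '') AGN_Header,\r\n USR_AdminAccess\r\n FROM camUsuarios usr\r\n LEFT JOIN camAgencias agn\r\n ON usr.USR_AGN_Id = agn.AGN_Id\r\n WHERE USR_Mail = ?\r\n -- OR USR_Username = ?\r\n AND USR_Control = ?\r\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    // The username alternative is commented out inside the SQL, leaving two placeholders.
    $usercontrol = 1;
    $stmt->bind_param('ss', $param, $usercontrol);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $email, $agnId, $agency, $agn_logo1, $agn_logo2, $type, $db_password, $user_salt, $agn_header, $admin_access);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such user.
        return false;
    }
    if (checkbrute($user_id, $mysqli) == true) {
        // Locked after too many failed attempts.
        return false;
    }

    // Salted hash, compared in constant time instead of with ==.
    $password_final = hash('sha512', $password . $user_salt);
    if (!hash_equals((string) $db_password, $password_final)) {
        // The original fell through here without a return (implicit null);
        // an explicit false keeps callers' truthiness checks working.
        return false;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything non-numeric: this value may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['email'] = $email;
    $_SESSION['usr_agn_id'] = $agnId;
    // Kept from the original: the agency name is converted from ISO-8859-1 to UTF-8.
    $agency = utf8_encode($agency);
    $_SESSION['usr_agn_nombre'] = $agency;
    $_SESSION['usr_agn_logo1'] = $agn_logo1;
    $_SESSION['usr_agn_logo2'] = $agn_logo2;
    $_SESSION['usr_agn_header'] = $agn_header;
    $_SESSION['usr_type'] = $type;
    $_SESSION['usr_adm_access'] = $admin_access;
    $_SESSION['login_string'] = hash('sha512', $password_final . $user_browser);
    return true;
}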
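/**
 * Log a user in from a stored credential (mysqli variant).
 *
 * $password is compared directly against Users.Password; no hashing or salting
 * happens in this function, so the caller is expected to pass the stored form.
 * On success userid, username and a login token are stored in $_SESSION and
 * the user's Access Level is returned, unless the Security Answers check fails.
 * On a wrong password one row is written to Login_Attempts for checkbrute().
 *
 * NOTE(review): the login token is sha512 of the password and the fixed string
 * "hello" (the original's workaround for a missing User-Agent); and the
 * security-answer check requires more than one row — whether one answer
 * should suffice is not visible here. Both are kept as-is.
 *
 * @param string $username username as submitted
 * @param string $password credential in the stored form
 * @param mysqli $mysql    open connection
 * @return int|mixed the user's Access Level on success; -1 when fewer than two
 *                   security answers exist; 0 for unknown user, locked account,
 *                   wrong password or a failed prepare
 */
function autologin($username, $password, $mysql)
{
    $stmt = $mysql->prepare("SELECT UserID, Username, Password, Salt, `Access Level` FROM Users WHERE Username = ? LIMIT 1");
    if (!$stmt) {
        return 0;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    // $username is rebound here to the stored spelling of the name.
    $stmt->bind_result($userid, $username, $db_password, $salt, $level);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such user.
        return 0;
    }
    if (checkbrute($userid, $mysql) == true) {
        // Locked after too many failed attempts.
        return 0;
    }

    // Constant-time comparison instead of == (which would compare two
    // numeric-looking strings as numbers).
    if (!hash_equals((string) $db_password, (string) $password)) {
        // Record the failed attempt so checkbrute() can lock the account.
        $now = time();
        $log = $mysql->prepare("INSERT INTO Login_Attempts(UserID, Time) VALUES (?, ?)");
        if ($log) {
            $log->bind_param('ii', $userid, $now);
            $log->execute();
        }
        return 0;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Strip anything outside the expected character set: these values may be printed.
    $userid = preg_replace("/[^0-9]+/", "", $userid);
    $_SESSION['userid'] = $userid;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login-string'] = hash('sha512', $password . "hello");

    // Require answered security questions before granting the access level.
    $pstmt = $mysql->prepare("SELECT `ID` From `Security Answers` WHERE UserID = ?");
    if (!$pstmt) {
        return 0;
    }
    $pstmt->bind_param('i', $userid);
    $pstmt->execute();
    $pstmt->store_result();
    return ($pstmt->num_rows > 1) ? $level : -1;
}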
/**
 * Authenticate a user by "nim" and password (mysqli variant).
 *
 * NOTE(review): the credential check below is arithmetic, not string
 * comparison. $db_password + $salt and $password + $salt use the numeric "+"
 * operator on strings: in PHP 8 a non-numeric operand throws a TypeError, and
 * in earlier versions non-numeric strings evaluate to 0, so the two sides can
 * compare equal regardless of the submitted password whenever the stored hash
 * does not start with a digit. The submitted password is also never hashed,
 * while the stored one is (re-)hashed when shorter than 100 characters, so the
 * intended scheme cannot be recovered from this code; it is documented, not
 * changed. The check should be a constant-time comparison of two hashes
 * computed the same way (hash_equals()).
 *
 * @param string $email    value matched against mdl_user.nim
 * @param string $password password as submitted
 * @param mysqli $mysqli   open connection
 * @return bool true when the (broken) comparison passes on an unlocked account
 */
function login($email, $password, $mysqli) {
    // Using prepared Statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT id, username,role, password, salt FROM mdl_user WHERE nim = ? LIMIT 1")) {
        $stmt->bind_param('s', $email); // Bind "$email" to parameter.
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $role, $db_password, $salt); // get variables from result.
        $stmt->fetch();
        $leng = strlen($db_password);
        // The salt is replaced by its own sha512 digest, so it is never "" below.
        $salt = hash('sha512', $salt);
        // A stored value shorter than 100 characters is hashed first; a sha512
        // hex digest is 128 characters. "+" is numeric addition, not concatenation.
        if ($leng < 100) {
            $db_password = hash('sha512', $db_password);
            $db_password = $db_password + $salt;
        } else {
            $db_password = $db_password + $salt;
        }
        // Always true after the reassignment above; the submitted password is
        // not hashed, only added numerically to the hashed salt.
        if ($salt != "") {
            $password = $password + $salt;
        } else {
            $password = $password;
        }
        if ($stmt->num_rows == 1) {
            // If the user exists
            if (checkbrute($user_id, $mysqli) == true) {
                // Account locked: emit an inline alert. NOTE(review): window.location
                // is not callable in JavaScript, so this redirect will throw in the
                // browser — confirm whether an assignment was intended.
                ?> <script type=text/javascript> alert("Akun anda Di lock untuk sementara waktu mohon dicoba 2 jam kedepan"); window.location('../index.php'); </script> <?php
                return false;
            } else {
                // Loose comparison of the two numeric results (see the docblock).
                if ($db_password == $password) {
                    // Password is correct!
                    $ip_address = $_SERVER['REMOTE_ADDR']; // Get the IP address of the user.
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
                    // The id is stored unfiltered here (the digit filter is commented out in the original).
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['role'] = $role;
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username); // XSS protection as we might print this value
                    $_SESSION['username'] = $username;
                    // Login token bound to the client IP and User-Agent; $password is the numeric result here.
                    $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_browser);
                    // Login successful.
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    $now = time();
                    $mysqli->query("INSERT INTO login_attempts (userid, time) VALUES ('{$user_id}', '{$now}')");
                    return false;
                }
            }
        } else {
            // No user exists.
            return false;
        }
    }
}
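/**
 * Authenticate a member by e-mail address and password (mysqli variant, with
 * the hash stored in a separate members_password table).
 *
 * The submitted password is hashed (sha512) with the stored salt and compared
 * to the stored hash. On success user_id, username, fname and a login token
 * (sha512 of the hash and the User-Agent) are stored in $_SESSION; on a wrong
 * password one row is written to login_attempts, keyed by e-mail address,
 * which is also what checkbrute() is given here.
 *
 * @param string $email    e-mail address as submitted
 * @param string $password password as submitted (plain text)
 * @param mysqli $mysqli   open connection
 * @return bool true only for a correct password on an unlocked account
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT members.userid, members.username, members.fname, members_password.password, members_password.salt\n\t\t\t\t\t\t\t\t\tfrom members\n\t\t\t\t\t\t\t\t\tINNER JOIN members_password\n\t\t\t\t\t\t\t\t\tON members.email = members_password.email\n \t\t\t\t\t\t\t\tWHERE members.email = ?\n \t\t\t\t\t\t\t\tLIMIT 1\n\t\t");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $fname, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such member.
        return false;
    }
    if (checkbrute($email, $mysqli) == true) {
        // Locked after too many failed attempts.
        return false;
    }

    // Salted hash, compared in constant time instead of with ==.
    $password = hash('sha512', $password . $salt);
    if (!hash_equals((string) $db_password, $password)) {
        // Record the failed attempt. The e-mail address is user input, so it is
        // bound as a parameter; the original interpolated it into the INSERT.
        $now = time();
        $log = $mysqli->prepare("INSERT INTO login_attempts(email, time)\n VALUES (?, ?)");
        if ($log) {
            $log->bind_param('si', $email, $now);
            $log->execute();
        }
        return false;
    }

    // Password is correct: rotate the session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Strip anything outside the expected character set: these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['fname'] = $fname;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    return true;
}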