コード例 #1
ファイル: functions.php プロジェクト: jstsumguy/Timesheet
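/**
 * Authenticate a member by e-mail address.
 *
 * Looks the member up with a prepared statement, refuses accounts that
 * checkbrute() reports as locked, compares the stored password value with the
 * submitted one and records a failed attempt in `login_attempts` on mismatch.
 *
 * @param string $email    E-mail address entered by the user.
 * @param string $password Password entered by the user. The salted-hash step
 *                         is disabled in this version, so the stored value is
 *                         compared as-is.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True on success; false for an unknown user, a locked account,
 *              a wrong password, or when the lookup statement could not be
 *              prepared (the original returned null in that last case).
 */
function login($email, $password, $mysqli)
{
    // Select only the columns that are bound below: the original also selected
    // `salt`, leaving bind_result() with a column/variable count mismatch.
    $stmt = $mysqli->prepare("SELECT id, username, password \n        FROM members\n       WHERE email = ?\n        LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        return false;
    }
    // Too many recent failures: the account is locked.
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }
    // NOTE(review): no hashing is applied before the comparison, so
    // `members.password` must hold a directly comparable value — confirm
    // against the registration code. hash_equals() replaces `==`, which
    // compares numeric-looking strings by value rather than byte-for-byte.
    if (hash_equals((string) $db_password, (string) $password)) {
        return true;
    }
    // Wrong password: record the attempt so checkbrute() can lock the account.
    // Bound parameters replace the interpolated values of the original.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}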
コード例 #2
ファイル: funciones.php プロジェクト: renatomartinez96/Blink
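/**
 * Authenticate a user of `usuarios_tb` by e-mail address or username.
 *
 * @param string $email    Value entered by the user; matched against both the
 *                         `correo` and `usuario` columns.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, tipo,
 *              login_string) on success; false for an unknown user, a locked
 *              account, a wrong password, or an unpreparable statement (the
 *              original returned null in that last case).
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT idusuario, usuario, contra, salt, tipo FROM usuarios_tb WHERE correo = ? OR usuario = ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('ss', $email, $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt, $tipo);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hashed before the existence check, matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        return false;
    }
    // Too many recent failures: the account is locked.
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Reduce the values to their expected character sets before they are
        // stored for later output.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['tipo'] = $tipo;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }
    // Wrong password: record the attempt for checkbrute(), with bound values
    // instead of the interpolated literals of the original.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO intentos(idusuario, hora) VALUES (?, ?)")) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}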
コード例 #3
ファイル: db.php プロジェクト: pelican2014/CVWO-Assignment-1
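/**
 * Verify the single application password stored in the `password` table.
 *
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return array{success: bool, isLocked: bool} `isLocked` is true when
 *         checkbrute() reports too many recent failures; `success` is true
 *         only when the password verifies against the stored hash.
 */
function login($password, $mysqli)
{
    $queryRes = $mysqli->query('SELECT * FROM password;');
    if (!$queryRes) {
        exit; // original behaviour: abort the request when the lookup fails
    }
    $row = $queryRes->fetch_assoc();
    $queryRes->free();
    // An empty table makes fetch_assoc() return null/false; the original then
    // indexed it and passed null to password_verify(). Treat "no hash" as
    // "nothing can verify" instead.
    $hash = (is_array($row) && isset($row['hash'])) ? (string) $row['hash'] : '';

    if (checkbrute($mysqli)) {
        // Account is locked and login is forbidden
        return array('success' => false, 'isLocked' => true);
    }
    if ($hash !== '' && password_verify($password, $hash)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // NOTE(review): login_string is derived from the user agent alone, a
        // value the client chooses, so it ties the session to a browser string
        // rather than to a secret — confirm this is the intended strength.
        $_SESSION['login_string'] = hash('sha512', $user_browser);
        return array('success' => true, 'isLocked' => false);
    }
    // Password is not correct: record the attempt with a bound parameter.
    $now = time();
    if ($log = $mysqli->prepare('INSERT INTO login_attempts(time) VALUES (?)')) {
        $log->bind_param('i', $now);
        $log->execute();
        $log->close();
    }
    return array('success' => false, 'isLocked' => false);
}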
コード例 #4
ファイル: functions.php プロジェクト: Afrodeity/Gymnest
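/**
 * Authenticate a user of `users` by username against a password_hash() value.
 *
 * @param string $username Username entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and populates $_SESSION (userID, username) on success;
 *              false for an unknown user, a locked account, a wrong password,
 *              or an unpreparable statement.
 */
function login($username, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT userID, username, password FROM users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        return false; // could not prepare the statement
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userID, $username, $correct);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        return false; // user doesn't exist
    }
    if (checkbrute($userID, $mysqli)) {
        return false; // account locked after too many failed attempts
    }
    // Verify the submitted clear-text password against the stored hash. The
    // original first re-hashed the submission with password_hash() and then
    // verified it against an undefined $hash, so every login failed.
    if (password_verify($password, (string) $correct)) {
        $userID = preg_replace("/[^0-9]+/", "", $userID);
        $_SESSION['userID'] = $userID;
        // Keep only [a-zA-Z0-9_-]; the original pattern lacked the `^` and
        // removed exactly those characters instead.
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        return true;
    }
    // Wrong password: record the attempt so checkbrute() can lock the account.
    // The original wrote this row only once the account was already locked,
    // so the lock could never be reached. Bound values replace interpolation.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO logins(userFK, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $userID, $now);
        $log->execute();
        $log->close();
    }
    return false;
}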
コード例 #5
ファイル: functions.php プロジェクト: BoBrebel/YD.tn
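/**
 * Authenticate a member by e-mail address using a salted SHA-512 hash.
 *
 * @param string $email    E-mail address entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, login_string)
 *              on success; false for an unknown user, a locked account, a
 *              wrong password, or an unpreparable statement (the original
 *              returned null in that last case).
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n        FROM members\n       WHERE email = ?\n        LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hashed before the existence check, matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        return false;
    }
    // Too many recent failures: the account is locked.
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Reduce the values to their expected character sets before they are
        // stored for later output.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }
    // Wrong password: record the attempt for checkbrute(), with bound values.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}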
コード例 #6
ファイル: functions.php プロジェクト: epolixa/cs546
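/**
 * Authenticate a member by e-mail address and load their profile into the
 * session.
 *
 * @param string $email    E-mail address entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, firstname,
 *              lastname, role, login_string) on success; false for an unknown
 *              user, a locked account, a wrong password, or an unpreparable
 *              statement (the original returned null in that last case).
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT id, firstname, lastname, username,role, password, salt \n        FROM `members`\n       WHERE `email` = ?\n        LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $firstname, $lastname, $username, $role, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash the password with the unique salt before the existence check,
    // matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        return false; // No user exists.
    }
    // Account locked from too many login attempts.
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // XSS protection as we might print these values.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['firstname'] = $firstname;
        $_SESSION['lastname'] = $lastname;
        $_SESSION['role'] = $role;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }
    // Password is not correct: record the attempt with bound values.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}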
コード例 #7
ファイル: functions.php プロジェクト: admonkey/phpSecureLogin
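/**
 * Authenticate a member by e-mail address.
 *
 * Database failures (statement preparation, attempt logging) redirect to
 * error.php and terminate the request, as in the original.
 *
 * @param string $email    E-mail address entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, login_string)
 *              on success; false for an unknown user, a locked account or a
 *              wrong password.
 */
function login($email, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n\t\t\t\t  FROM members \n                                  WHERE email = ? LIMIT 1");
    if (!$stmt) {
        // Could not create a prepared statement
        header("Location: error.php?err=Database error: cannot prepare statement");
        exit;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash the password with the unique salt before the existence check,
    // matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        return false; // No user exists.
    }
    // Account locked from too many login attempts.
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // XSS protection as we might print these values.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }
    // Password is not correct: record the attempt with bound values. A failed
    // insert still redirects to the error page, as in the original.
    $now = time();
    $log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
    if (!$log || !$log->bind_param('ii', $user_id, $now) || !$log->execute()) {
        header("Location: error.php?err=Database error: login_attempts");
        exit;
    }
    $log->close();
    return false;
}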
コード例 #8
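/**
 * Authenticate a user of `usuario` by uid on the BD_PRINCIPAL connection.
 *
 * Failure reasons are reported to the caller through $_SESSION['login-error'].
 *
 * @param string $user     Login identifier (`uid`) entered by the user.
 * @param string $password Clear-text password entered by the user.
 *
 * @return bool True and populates $_SESSION (user_id, username, login_string)
 *              on success; false for an unknown user, a locked account, a
 *              wrong password or an inactive account, or when the statement
 *              could not be prepared (the original returned null there).
 */
function login($user, $password)
{
    $mysqli = conectabd(BD_PRINCIPAL);
    // Prepared statements keep the submitted uid out of the SQL text.
    $stmt = $mysqli->prepare("SELECT codigo, uid, senha, salt, status FROM usuario WHERE uid = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt, $status);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash with the per-user salt before the existence check, matching the
    // original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        $_SESSION['login-error'] = 'Usuário inválido!';
        return false;
    }
    // Account locked after too many login attempts.
    if (checkbrute($user_id)) {
        $_SESSION['login-error'] = 'A conta deste usuário está bloqueada temporáriamente';
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`; the account must
    // also be active.
    if (hash_equals((string) $db_password, $password) && $status === 'ativo') {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Reduce the values to their expected character sets before they are
        // stored for later output.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }
    // Wrong password or inactive account: record the attempt with bound
    // values instead of the interpolated literals of the original.
    $_SESSION['login-error'] = 'Senha inválida ou usuário está inativo!';
    $now = time();
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if ($log = $mysqli->prepare("INSERT INTO login_tentativa(user_id, time, ip) VALUES (?, ?, ?)")) {
        $log->bind_param('iis', $user_id, $now, $ip);
        $log->execute();
        $log->close();
    }
    return false;
}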
コード例 #9
ファイル: functions.php プロジェクト: hippy-runner/HireMeHigh
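/**
 * Authenticate a user of `Users` by e-mail address.
 *
 * Error text for the caller is appended to $GLOBALS['errorMsg'], as in the
 * original.
 *
 * @param string $email         E-mail address entered by the user.
 * @param string $user_password Clear-text password entered by the user.
 * @param mysqli $conn          Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, login_string)
 *              on success; false for an unknown user, a locked account, a
 *              wrong password, or an unpreparable statement.
 */
function login($email, $user_password, $conn)
{
    $success = TRUE;
    // Bound parameter for the lookup: the original concatenated $email
    // straight into the SQL string, so the login form was injectable.
    $stmt = $conn->prepare("SELECT id, username, password, salt FROM Users WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return FALSE;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userId, $username, $dbPassword, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows > 0);
    $stmt->close();

    if (!$found) {
        // No user info exists in the database
        return FALSE;
    }
    // hash the password with the unique salt.
    $password = hash('sha512', $user_password . $salt);
    if (checkbrute($userId, $conn)) {
        // account locked after too many login attempts
        $GLOBALS['errorMsg'] .= '<p class="error">Too many login attempts.</p>';
        $success = FALSE;
    } elseif (hash_equals((string) $dbPassword, $password)) {
        // password is correct: constant-time, byte-exact comparison instead of `==`
        $userBrowser = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
        // XSS protection as we might print these values
        $userId = preg_replace("/[^0-9]+/", "", $userId);
        $_SESSION['user_id'] = $userId;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $userBrowser);
    } else {
        // password is not correct: record the attempt with a bound value
        if ($log = $conn->prepare("INSERT INTO LoginAttempts(userId) VALUES (?)")) {
            $log->bind_param('i', $userId);
            $log->execute();
            $log->close();
        }
        $GLOBALS['errorMsg'] .= '<p class="error">Incorrect Username/Password combination.</p>';
        $success = FALSE;
    }
    return $success;
}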
コード例 #10
ファイル: functions.php プロジェクト: Lybert/CRUD
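/**
 * Authenticate a client of `clientes` by username.
 *
 * @param string $usuario  Username entered by the user.
 * @param string $password Password as submitted; compared directly with the
 *                         stored `password` column (the comments in the
 *                         original say both sides are already SHA-512).
 * @param mysqli $conexion Open database connection.
 *
 * @return bool True and populates $_SESSION (id, usuario, login_string) on
 *              success; false for an unknown user, a locked account (after
 *              echoing "Cuenta Bloqueada"), a wrong password, or an
 *              unpreparable statement (the original returned null there).
 */
function login($usuario, $password, $conexion)
{
    // Usar consultas preparadas previene de los ataques SQL injection.
    $stmt = $conexion->prepare("SELECT id, usuario, password\n    FROM clientes\nWHERE usuario = ?\nLIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $usuario, $db_password);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        return false; // No existe el usuario
    }
    if (checkbrute($id, $conexion)) {
        // La cuenta está bloqueada; aviso al usuario como en el original.
        $error = "Cuenta Bloqueada";
        echo $error;
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, (string) $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Reduce the values to their expected character sets before they are
        // stored for later output. The original computed $user_id and then
        // stored the unfiltered $id.
        $user_id = preg_replace("/[^0-9]+/", "", $id);
        $_SESSION['id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $usuario);
        $_SESSION['usuario'] = $username;
        // Bind the session to the browser string so it cannot simply be replayed
        // from another client.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }
    // Password incorrecto: registramos el intento con valores enlazados.
    $now = time();
    if ($log = $conexion->prepare("INSERT INTO login_attempts(id, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}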
コード例 #11
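/**
 * Authenticate a user of `login` by e-mail address and journal the outcome in
 * `userevents`.
 *
 * @param string $email    E-mail address entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $db       Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, admin,
 *              login_string) on success; false for an unknown user, a locked
 *              account, a wrong password, or an unpreparable statement (the
 *              original returned null in that last case).
 */
function login($email, $password, $db)
{
    // Using prepared Statements means that SQL injection is not possible.
    $stmt = $db->prepare("SELECT id, user, passwordHash, salt FROM login WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash the password with the unique salt before the existence check,
    // matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        return false; // No user exists.
    }
    // Account locked from too many login attempts.
    if (checkbrute($user_id, $db)) {
        return false;
    }
    $now = time();
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // XSS protection as we might print these values.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // NOTE(review): every successful login is marked admin here; nothing
        // in the `login` row selected above drives this flag. Confirm whether
        // it should come from a per-user column instead.
        $_SESSION['admin'] = 1;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        // Journal the successful login with bound values.
        if ($log = $db->prepare("INSERT INTO userevents (userId, eventType, date, modifiedUser) VALUES (?, ?, ?, ?)")) {
            $event = 'logged in';
            $log->bind_param('isii', $user_id, $event, $now, $user_id);
            $log->execute();
            $log->close();
        }
        return true;
    }
    // Password is not correct: journal the attempt with bound values.
    if ($log = $db->prepare("INSERT INTO userevents (userId, eventType, date, modifiedUser) VALUES (?, ?, ?, ?)")) {
        $event = 'password incorrect';
        $log->bind_param('isii', $user_id, $event, $now, $user_id);
        $log->execute();
        $log->close();
    }
    return false;
}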
コード例 #12
ファイル: functions.php プロジェクト: juliovalverde/TFG
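/**
 * Authenticate a user of `user` by e-mail address and refresh their
 * connection record via actualizacionexion().
 *
 * @param string $email    E-mail address entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and populates $_SESSION (user_id, username, login_string)
 *              on success; false for an unknown user, a locked account, a
 *              wrong password, or an unpreparable statement (the original
 *              returned null in that last case).
 */
function login($email, $password, $mysqli)
{
    // Usar declaraciones preparadas significa que la inyección de SQL no será posible.
    $stmt = $mysqli->prepare("select user_id,user_name,user_password,salt from user where user_email= ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash the password with the unique salt before the existence check,
    // matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        return false; // El usuario no existe.
    }
    // La cuenta está bloqueada por muchos intentos de conexión.
    if (checkbrute($user_id, $mysqli)) {
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Protección XSS ya que podríamos imprimir estos valores.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        // Inicio de sesión exitoso
        actualizacionexion($mysqli, $user_id);
        return true;
    }
    // La contraseña no es correcta: se graba el intento con valores enlazados.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}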
コード例 #13
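/**
 * Authenticate a user of `ha_users` by username and issue identity cookies.
 *
 * Failure paths emit an HTTP 500 status line, as in the original.
 *
 * @param string $username Username entered by the user.
 * @param string $password Clear-text password entered by the user.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool True and sets the user_id, username and login_string cookies
 *              on success; false for an unknown user, a locked account, a
 *              wrong password, or an unpreparable statement (the original
 *              returned null in that last case).
 */
function login($username, $password, $mysqli)
{
    // Using prepared statements means that SQL injection is not possible.
    $stmt = $mysqli->prepare("SELECT UserId, UserMail, UserPassword, UserSalt FROM ha_users WHERE UserName = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $mail, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash the password with the unique salt before the existence check,
    // matching the original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        // No user exists.
        header('HTTP/1.1 500 Username/Password is not correct!');
        return false;
    }
    // Account locked from too many login attempts.
    if (checkbrute($user_id, $mysqli)) {
        header('HTTP/1.1 500 Account is locked!');
        return false;
    }
    // Constant-time, byte-exact comparison instead of `==`.
    if (hash_equals((string) $db_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Ten-year cookie lifetime, as in the original.
        $expires = time() + 10 * 365 * 24 * 60 * 60;
        // NOTE(review): the user's identity and login_string are kept in plain
        // cookies without HttpOnly/Secure flags and with a ten-year lifetime,
        // so page scripts can read them and they travel over plain HTTP. A
        // server-side session would keep the secret off the client.
        // XSS protection as we might print these values.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        setcookie("user_id", $user_id, $expires, "/");
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        setcookie("username", $username, $expires, "/");
        setcookie("login_string", hash('sha512', $password . $user_browser), $expires, "/");
        return true;
    }
    // Password is not correct: record the attempt with a bound value (the
    // original also computed an unused $now).
    if ($log = $mysqli->prepare("INSERT INTO ha_user_login(UserId, Date) VALUES (?, NOW())")) {
        $log->bind_param('i', $user_id);
        $log->execute();
        $log->close();
    }
    header('HTTP/1.1 500 Username/Password is not correct!');
    return false;
}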
コード例 #14
ファイル: login.php プロジェクト: minogb/phploginscript
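/**
 * Authenticate a member by username using a read-only connection, switching
 * to the writer connection only to record a failed attempt.
 *
 * @param string|null $user     Username entered by the user.
 * @param string|null $password Clear-text password entered by the user.
 *
 * @return string|null NULL on success (after populating $_SESSION with
 *                     user_id, username and login_string); otherwise a short
 *                     error string: "bad input", "inteneral server error",
 *                     "Brute force, try again in 2 hours", "bad login" or
 *                     "no such user".
 */
function performLogin($user, $password)
{
    if (!isset($user) || !isset($password)) {
        return "bad input";
    }
    $mysqli = new mysqli(DB_SERVER, DB_READER_USER, DB_READER_PASSWORD, SEC_DB_NAME);
    if ($mysqli->connect_errno) {
        // Log server-side; the original echoed the driver's connection error
        // to the client.
        error_log('performLogin: ' . $mysqli->connect_error);
        return "inteneral server error";
    }
    $stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE username = ? LIMIT 1");
    if (!$stmt) {
        $mysqli->close();
        return "no such user";
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $stored_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    // Hash with the per-user salt before the existence check, matching the
    // original ordering.
    $password = hash('sha512', $password . $salt);
    if (!$found) {
        $mysqli->close();
        return "no such user";
    }
    // Account locked by too many recent failures. The original called the
    // undefined variable function $mysqli_close() here, a fatal error.
    if (checkbrute($user_id, $mysqli)) {
        $mysqli->close();
        return "Brute force, try again in 2 hours";
    }
    // Constant-time, byte-exact comparison.
    if (hash_equals((string) $stored_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // Reduce the values to their expected character sets before they are
        // stored for later output.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        $mysqli->close();
        return NULL;
    }
    // Wrong password: the reader account cannot write, so reconnect as the
    // writer to record the attempt. Bound values replace interpolation and the
    // writer connection is closed, which the original never did.
    $mysqli->close();
    $writer = new mysqli(DB_SERVER, DB_WRITER_USER, DB_WRITER_PASSWORD, SEC_DB_NAME);
    if ($writer->connect_errno) {
        error_log('performLogin: ' . $writer->connect_error);
        return "inteneral server error";
    }
    $now = time();
    if ($log = $writer->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('ii', $user_id, $now);
        $log->execute();
        $log->close();
    }
    $writer->close();
    return "bad login";
}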
コード例 #15
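/**
 * Authenticate a user by username and password against the `users` table.
 *
 * On success the session receives user_id, username and a login_string that
 * binds the session to the client's IP address and user-agent.
 *
 * @param string $username Submitted username; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $db       Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($username, $password, $db)
{
    // Bound parameter: the username cannot alter the SELECT.
    if ($stmt = $db->prepare("SELECT id, password, salt FROM users WHERE username = ? LIMIT 1")) {
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $db_password, $salt);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // Lockout check; checkbrute() is defined elsewhere in this file.
            if (checkbrute($user_id, $db) == true) {
                // Account is locked. Notifying the user by e-mail is still a TODO.
                return false;
            } else {
                // Both values come from the client; guard against the headers being absent.
                $ip_address = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
                $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                // Constant-time comparison: '==' on hex digests leaks timing and is
                // subject to PHP's loose numeric-string comparison rules.
                if (hash_equals((string) $db_password, $password)) {
                    // XSS protection, as these values might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9@._\\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    // Ties the session to IP + UA so a stolen cookie is harder to replay.
                    $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_agent);
                    return true;
                } else {
                    // Record the failed attempt. The user-agent string used to be
                    // concatenated straight into the INSERT -- a SQL-injection vector
                    // reachable by anyone who knows a valid username. Bind it instead.
                    // `when` is quoted because it is a reserved word in MySQL.
                    $now = time();
                    $ip = ip2long($ip_address);
                    if ($log = $db->prepare("INSERT INTO login_attempts (user_id, `when`, ip, user_agent) VALUES (?, ?, ?, ?)")) {
                        $log->bind_param('ssss', $user_id, $now, $ip, $user_agent);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}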
コード例 #16
ファイル: functions.php プロジェクト: janarpe/FabLab-Parallax
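/**
 * Authenticate a member by e-mail address and password.
 * (Original comments were in German; translated here.)
 *
 * @param string $email    Submitted e-mail address; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the e-mail address cannot inject into the SELECT.
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt \n        FROM members\n       WHERE email = ?\n        LIMIT 1")) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is locked because of
            // too many failed login attempts (checkbrute is defined elsewhere).
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked. Sending the notification e-mail is still a TODO.
                return false;
            } else {
                // Constant-time comparison instead of '==' (timing leak and
                // loose numeric-string comparison on hex digests).
                if (hash_equals((string) $db_password, $password)) {
                    // Header may be absent on non-browser clients.
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as these values might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values rather
                    // than interpolating them into the INSERT.
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}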
コード例 #17
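/**
 * Authenticate a user from the `Users` table using password_verify().
 *
 * Note that after bind_result() the $username variable holds the value read
 * from the database, and that is what checkbrute() and the session receive.
 *
 * @param string $username Submitted username; bound as a statement parameter.
 * @param string $password Submitted plaintext password, checked with password_verify().
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($username, $password, $mysqli)
{
    // Prepared statement: the username cannot inject into the SELECT.
    if ($stmt = $mysqli->prepare("SELECT userName, password, userID, type \n        FROM Users\n       WHERE userName = ?\n        LIMIT 1")) {
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();
        // From here on $username is the stored (canonical) username.
        $stmt->bind_result($username, $db_password, $userID, $type);
        $stmt->fetch();
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is locked because of
            // too many failed attempts (checkbrute is defined elsewhere).
            if (checkbrute($username, $mysqli) == true) {
                // Account is locked. Notifying the user is still a TODO.
                return false;
            } else {
                // password_verify() handles the salt and constant-time compare.
                if (password_verify($password, $db_password)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as this value might be printed later.
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    $_SESSION['userID'] = $userID;
                    $_SESSION['type'] = $type;
                    // NOTE(review): this derives the session token from the plaintext
                    // password, which only this function ever sees; whatever verifies
                    // login_string later must be able to recompute it -- confirm.
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    return true;
                } else {
                    // Wrong password: record the attempt. The stored username is bound
                    // rather than interpolated, so a name containing quotes cannot
                    // break the INSERT (second-order injection).
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO loginAttempts(userName, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $username, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}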
コード例 #18
ファイル: functions.php プロジェクト: eWert-Online/Verwaltung
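/**
 * Authenticate a member by username or e-mail address.
 * (Original comments were in German; translated here.)
 *
 * @param string $email    Submitted identifier, matched against both `username` and `email`.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the identifier cannot inject into the SELECT.
    // NOTE(review): SELECT * with a positional bind_result() silently breaks if a
    // column is ever added or reordered -- listing the nine columns would be safer.
    if ($stmt = $mysqli->prepare("SELECT * FROM `members` WHERE `username` = ? OR `email` = ?")) {
        $stmt->bind_param('ss', $email, $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $user_email, $db_password, $salt, $user_vorname, $user_nachname, $user_action, $user_permission);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is locked because of
            // too many failed attempts (checkbrute is defined elsewhere).
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked. Sending the notification e-mail is still a TODO.
                return false;
            } else {
                // Constant-time comparison instead of '==' (timing leak and
                // loose numeric-string comparison on hex digests).
                if (hash_equals((string) $db_password, $password)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // Profile values are stored unmodified; they must be escaped
                    // for the output context wherever they are rendered.
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['user_email'] = $user_email;
                    $_SESSION['user_vorname'] = $user_vorname;
                    $_SESSION['user_nachname'] = $user_nachname;
                    $_SESSION['user_action'] = $user_action;
                    $_SESSION['user_permission'] = $user_permission;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}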
コード例 #19
ファイル: login.php プロジェクト: centaurustech/Funduj
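/**
 * Authenticate a user (PDO variant) and clear their failed-attempt log on success.
 *
 * Emits a 401 plus a Slovak message when the account is locked; otherwise
 * produces no output.
 *
 * @param string $user Submitted username; bound as a statement parameter.
 * @param string $pass Submitted plaintext password; re-hashed with the stored salt.
 * @param PDO    $dbh  Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($user, $pass, $dbh)
{
    global $table_prefix;
    include $_SERVER['DOCUMENT_ROOT'] . '/config.php';
    if ($stmt = $dbh->prepare("SELECT id, username, password, salt FROM " . $table_prefix . "_users WHERE username = ? LIMIT 1")) {
        $stmt->bindParam('1', $user, PDO::PARAM_STR);
        $stmt->execute();
        // Keep the row in a local rather than a dynamic property on PDOStatement
        // (dynamic properties are deprecated as of PHP 8.2). fetch() returns false
        // for an unknown user, so guard the array accesses.
        $row = $stmt->fetch();
        $id = $row !== false ? $row['id'] : null;
        $salt = $row !== false ? $row['salt'] : '';
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $pass . $salt);
        // NOTE(review): rowCount() on a SELECT is driver-dependent; it works with
        // MySQL's buffered queries, which this code appears to rely on.
        if ($row !== false && $stmt->rowCount() == 1) {
            if (checkbrute($id, $dbh) == true) {
                // The status line must be sent before any body output; the original
                // echoed first, so the 401 would fail with "headers already sent".
                header('HTTP/1.1 401 Unauthorized', true, 401);
                echo "Váš účet bol zablokovaný z dôvodu viacerých nesprávnych prihlásení.";
                return false;
            } else {
                // Constant-time comparison instead of '==' on hex digests.
                if (hash_equals((string) $row['password'], $password)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as these values might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $row['id']);
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $row['username']);
                    $_SESSION['username'] = $username;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    // Successful login resets the brute-force counter.
                    $clear_log_attempt = $dbh->prepare("DELETE FROM " . $table_prefix . "_users_login_attempts WHERE user_id = ?");
                    $clear_log_attempt->bindValue(1, $id);
                    $clear_log_attempt->execute();
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values instead
                    // of interpolating them into the INSERT.
                    $now = time();
                    $log_attempt = $dbh->prepare("INSERT INTO " . $table_prefix . "_users_login_attempts (user_id, time) VALUES (?, ?)");
                    $log_attempt->bindValue(1, $id);
                    $log_attempt->bindValue(2, $now);
                    $log_attempt->execute();
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}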
コード例 #20
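/**
 * Authenticate a member by e-mail address and password.
 * (Original comments were in Dutch; translated here.)
 *
 * @param string $email    Submitted e-mail address; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the e-mail address cannot inject into the SELECT.
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt \n        FROM members\n       WHERE email = ?\n        LIMIT 1")) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is blocked because of
            // too many login attempts (checkbrute is defined elsewhere).
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is blocked. The notification e-mail (which needs a mail
                // server) is still a TODO.
                return false;
            } else {
                // Constant-time comparison instead of '==' (timing leak and
                // loose numeric-string comparison on hex digests).
                if (hash_equals((string) $db_password, $password)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as these values might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}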
コード例 #21
ファイル: functions.php プロジェクト: michgor26/Project
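/**
 * Authenticate a user by numeric club id and password, recording last_online
 * on success. The connection is closed on the success path only (as before).
 *
 * @param string $club_id  Submitted id; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($club_id, $password, $mysqli)
{
    // Prepared statement: the id cannot inject into the SELECT.
    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt \n        FROM users\n        WHERE id = ?\n        LIMIT 1")) {
        $stmt->bind_param('s', $club_id);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is locked.
            if (checkbrute($user_id, $mysqli) == true) {
                return false;
            } else {
                // Constant-time comparison instead of '==' on hex digests.
                if (hash_equals((string) $db_password, $password)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as these values might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    // Store the login date with bound values rather than interpolation.
                    $date = date("Y-m-d");
                    if ($upd = $mysqli->prepare("UPDATE users SET last_online = ? WHERE id = ?")) {
                        $upd->bind_param('ss', $date, $user_id);
                        $upd->execute();
                        $upd->close();
                    }
                    mysqli_close($mysqli);
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}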
コード例 #22
ファイル: functions.php プロジェクト: bashork/project1
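/**
 * Authenticate a member by e-mail address and password.
 *
 * Fixes relative to the original: the session was written to a lowercase
 * `$_session` local (not the superglobal), so no session state was ever set;
 * the failed-attempt INSERT called an undefined `query()` function and, being
 * single-quoted, never interpolated its values.
 *
 * @param string $email    Submitted e-mail address; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the e-mail address cannot inject into the SELECT.
    if ($stmt = $mysqli->prepare('SELECT id,username,password,salt FROM members WHERE email = ? limit 1')) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // The account exists; check whether it is locked after too many attempts.
            if (checkbrute($user_id, $mysqli) == true) {
                return false;
            } else {
                // Constant-time comparison instead of '==' on hex digests.
                if (hash_equals((string) $db_password, $password)) {
                    $user_brouser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection as we might print this value.
                    $username = preg_replace('/[^a-zA-Z0-9_\\-]+/', '', $username);
                    // NOTE(review): unlike the sibling implementations, user_id is not
                    // stored in the session here; confirm whether the caller needs it.
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password . $user_brouser);
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $mysqli->prepare('INSERT INTO login_attempts(user_id,time) values (?, ?)')) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}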
コード例 #23
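/**
 * Authenticate a user from `auth_user` and return a numeric status code.
 *
 * @param string $username Submitted username; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return int 1 = success (session populated), 2 = account locked,
 *             3 = wrong password, 4 = no such user, 5 = prepare() failed.
 */
function login($username, $password, $mysqli)
{
    if ($stmt = $mysqli->prepare('SELECT id, username, password, salt, permission
								  FROM auth_user
								  WHERE username = ?
								  LIMIT 1')) {
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($userID, $username, $dbPassword, $salt, $perms);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // User exists: refuse if locked after repeated failures.
            if (checkbrute($userID, $mysqli) == true) {
                return 2;
            } else {
                // Constant-time comparison instead of '==' on hex digests.
                if (hash_equals((string) $dbPassword, $password)) {
                    $userBrowser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as these values might be printed later.
                    $userID = preg_replace("/[^0-9]+/", "", $userID);
                    $_SESSION['userID'] = $userID;
                    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    // Binds the session to the user-agent string.
                    $_SESSION['loginString'] = hash('sha512', $password . $userBrowser);
                    $_SESSION['permissions'] = $perms;
                    // Hard-coded shop id, kept as in the original.
                    $_SESSION['shop_id'] = 1;
                    return 1;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO auth_attempts(userID, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $userID, $now);
                        $log->execute();
                        $log->close();
                    }
                    return 3;
                }
            }
        } else {
            return 4;
        }
    } else {
        return 5;
    }
}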
コード例 #24
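/**
 * Authenticate a member of `signup`.`members` by e-mail and password ("L2").
 *
 * The original interpolated the submitted e-mail address directly into the
 * SQL text -- a textbook SQL injection on the login form. It is now bound.
 * Echoes a message when the account is locked; otherwise produces no output.
 *
 * @param string $u_email Submitted e-mail address; bound as a statement parameter.
 * @param string $L2      Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli  Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($u_email, $L2, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT ID,name, L2, salt FROM `signup`.`members` WHERE email = ? ");
    if ($stmt) {
        $stmt->bind_param('s', $u_email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($u_ID, $u_name, $db_L2, $salt);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $L2 = hash('sha512', $L2 . $salt);
        if ($stmt->num_rows == 1) {
            if (checkbrute($u_ID, $mysqli) == true) {
                echo "Sorry! Try After Sometime.";
                return false;
            } else {
                // Constant-time comparison instead of '==' on hex digests.
                if (hash_equals((string) $db_L2, $L2)) {
                    $email_xplode = explode("@", $u_email);
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as these values might be printed later.
                    $u_ID = preg_replace("/[^0-9]+/", "", $u_ID);
                    $_SESSION['u_ID'] = $u_ID;
                    $email_xplode = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $email_xplode[0]);
                    // The original sanitised into a misspelled $u_namae and then stored
                    // the raw $u_name; store the sanitised value as evidently intended.
                    $u_name = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $u_name);
                    $_SESSION['u_name'] = $u_name;
                    // Stored as submitted; escape for the output context when rendering.
                    $_SESSION['u_email'] = $u_email;
                    $_SESSION['xploded_u_email'] = $email_xplode;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $L2 . $user_browser);
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $mysqli->prepare("INSERT INTO login_attempts (ID, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $u_ID, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // NOTE(review): this message is never echoed or returned; the caller
            // only sees false.
            $error_messege = "Oops!! We Could Find The Records From Data You Provided.";
            return false;
        }
    }
}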
コード例 #25
ファイル: functions.php プロジェクト: CagedAnimal/i2iRebuild
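/**
 * Validate a username/password pair and return a numeric status code.
 *
 * This variant does not touch the session and does not record failed
 * attempts (the comment-only TODOs from the original are kept below).
 *
 * @param string $username Submitted username; matched case-insensitively via LOWER(?).
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $link     Open connection, also handed to checkbrute().
 * @return int|null 1 = no such user, 2 = account not active, 3 = locked,
 *                  4 = wrong password, 5 = success; null only if prepare() fails.
 */
function login($username, $password, $link)
{
    // Prepared statement: the username cannot inject into the SELECT.
    if ($stmt = $link->prepare("SELECT id, password, salt, status FROM users WHERE username = LOWER(?) LIMIT 1")) {
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $db_password, $salt, $status);
        $stmt->fetch();
        // Re-derive the stored digest: sha512(password . per-user salt).
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // Only status 1 accounts may log in.
            if ($status == 1) {
                if (checkbrute($user_id, $link) == true) {
                    // Account is locked.
                    // TODO: notify user and administrators; change status to locked.
                    return 3;
                } else {
                    // Constant-time comparison instead of '==' on hex digests.
                    if (hash_equals((string) $db_password, $password)) {
                        return 5;
                    } else {
                        // TODO: insert into login_attempts table.
                        return 4;
                    }
                }
            } else {
                // Account is not active.
                return 2;
            }
        }
        // Username does not exist.
        return 1;
    }
}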
コード例 #26
ファイル: session.php プロジェクト: HomelessCoder/weedo
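/**
 * Authenticate a member by e-mail and load their template rights into the session.
 *
 * Removed: a leftover debug `print` that wrote the full SELECT -- including the
 * raw, unescaped submitted e-mail -- into the response (reflected XSS and
 * query disclosure on the login page).
 *
 * @param string $email    Submitted e-mail address; bound as a statement parameter.
 * @param string $password Submitted password, compared as-is to the stored value.
 * @param mysqli $db_CS    Open connection, also handed to checkbrute().
 * @return bool|null true on success; false on unknown user, wrong password or
 *                   lockout; null (implicit) only when prepare() itself fails.
 */
function login($email, $password, $db_CS)
{
    // Prepared statement: the e-mail address cannot inject into the SELECT.
    if ($stmt = $db_CS->prepare("SELECT id, password, salt, familiya, imya, template, int_phone \r\n        FROM members\r\n       WHERE email = ?\r\n        LIMIT 1")) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $db_password, $salt, $familiya, $imya, $template, $int_phone);
        $stmt->fetch();
        // NOTE(review): the salted sha512 step is commented out, so the submitted
        // password is compared directly with the stored column. If that column
        // holds digests this can never match; if it holds plaintext, passwords
        // are stored unhashed. Confirm which and restore hashing accordingly.
        //$password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is locked.
            if (checkbrute($user_id, $db_CS) == true) {
                return false;
            } else {
                // Constant-time comparison instead of '=='.
                if (hash_equals((string) $db_password, (string) $password)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as this value might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['int_phone'] = $int_phone;
                    // Stored as submitted; escape for the output context when rendering.
                    $_SESSION['username'] = $email;
                    $_SESSION['familiya'] = $familiya;
                    $_SESSION['imya'] = $imya;
                    $_SESSION['template'] = $template;
                    $_SESSION['show20'] = true;
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    $now = time();
                    // Load per-template settings; $template comes from the database,
                    // but bind it anyway and start from an empty list so a template
                    // with no settings leaves 'rights' defined.
                    $rights = array();
                    if ($tq = $db_CS->prepare("SELECT name,value FROM memberTemplatesSettings WHERE templateID = ?")) {
                        $tq->bind_param('s', $template);
                        $tq->execute();
                        $temp = $tq->get_result();
                        if ($temp) {
                            while ($opt = $temp->fetch_object()) {
                                $rights[] = $opt;
                            }
                        }
                        $tq->close();
                    }
                    $_SESSION['rights'] = $rights;
                    // NOTE(review): the original also records a *successful* login in
                    // login_attempts; if checkbrute() counts rows there this will
                    // contribute to lockout. Kept as-is, bound instead of interpolated.
                    if ($log = $db_CS->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return true;
                } else {
                    // Wrong password: record the attempt with bound values.
                    $now = time();
                    if ($log = $db_CS->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
                        $log->bind_param('ss', $user_id, $now);
                        $log->execute();
                        $log->close();
                    }
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    }
}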
コード例 #27
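/**
 * Authenticate a camUsuarios user by e-mail (with USR_Control = 1) and load the
 * linked agency's display data into the session.
 *
 * Fix: the wrong-password branch previously fell off the end of the function
 * and returned null; it now returns false explicitly like every other failure.
 *
 * @param string $param    Submitted e-mail address; bound as a statement parameter.
 * @param string $password Submitted plaintext password; re-hashed with the stored salt.
 * @param mysqli $mysqli   Open connection, also handed to checkbrute().
 * @return bool true on success; false on unknown user, wrong password, lockout
 *              or prepare() failure.
 */
function login($param, $password, $mysqli)
{
    // Prepared statement: the identifier cannot inject into the SELECT.
    if ($stmt = $mysqli->prepare("SELECT usr.USR_Id,\r\n                    -- usr.USR_Username,\r\n                    usr.USR_Mail,\r\n                    usr.USR_AGN_Id,\r\n                    COALESCE(agn.AGN_Nombre, 'Administrador') AGN_Nombre,\r\n                    COALESCE(agn.AGN_Logo1, 'admin.png') AGN_Logo1,\r\n                    COALESCE(agn.AGN_Logo2, 'admin.png') AGN_Logo2,\r\n                    usr.USR_Tipo,\r\n                    usr.USR_Password,\r\n                    usr.USR_Salt,\r\n                    COALESCE(agn.AGN_Header, '') AGN_Header,\r\n                    USR_AdminAccess\r\n             FROM camUsuarios usr\r\n             LEFT JOIN camAgencias agn\r\n             ON usr.USR_AGN_Id = agn.AGN_Id\r\n             WHERE USR_Mail = ?\r\n             -- OR USR_Username = ?\r\n             AND USR_Control = ?\r\n             LIMIT 1")) {
        // Only "controlled" (enabled) users may log in.
        // NOTE(review): if the commented-out "OR USR_Username = ?" is ever restored,
        // parenthesise it -- AND binds tighter than OR and USR_Control would then
        // apply to the username branch only.
        $usercontrol = 1;
        $stmt->bind_param('ss', $param, $usercontrol);
        $stmt->execute();
        $stmt->store_result();
        $stmt->bind_result($user_id, $email, $agnId, $agency, $agn_logo1, $agn_logo2, $type, $db_password, $user_salt, $agn_header, $admin_access);
        $stmt->fetch();
        if ($stmt->num_rows == 1) {
            // The user exists; check whether the account is locked.
            if (checkbrute($user_id, $mysqli) == true) {
                return false;
            } else {
                // Re-derive the stored digest: sha512(password . per-user salt).
                $password_final = hash('sha512', $password . $user_salt);
                // Constant-time comparison instead of '==' on hex digests.
                if (hash_equals((string) $db_password, $password_final)) {
                    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
                    // XSS protection, as this value might be printed later.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['email'] = $email;
                    $_SESSION['usr_agn_id'] = $agnId;
                    // NOTE(review): utf8_encode() (Latin-1 -> UTF-8) is deprecated as of
                    // PHP 8.2; mb_convert_encoding($agency, 'UTF-8', 'ISO-8859-1') is the
                    // drop-in replacement once mbstring availability is confirmed.
                    $agency = utf8_encode($agency);
                    $_SESSION['usr_agn_nombre'] = $agency;
                    $_SESSION['usr_agn_logo1'] = $agn_logo1;
                    $_SESSION['usr_agn_logo2'] = $agn_logo2;
                    $_SESSION['usr_agn_header'] = $agn_header;
                    $_SESSION['usr_type'] = $type;
                    $_SESSION['usr_adm_access'] = $admin_access;
                    // Binds the session to the user-agent string.
                    $_SESSION['login_string'] = hash('sha512', $password_final . $user_browser);
                    return true;
                } else {
                    // Wrong password. Attempt logging is still disabled in the original
                    // (see the commented INSERT into m1ton_login_attempts), so checkbrute()
                    // can only ever lock accounts if something else populates that table.
                    //$now = time();
                    //$mysqli->query("INSERT INTO m1ton_login_attempts(user_id, time)
                    //VALUES ('$user_id', '$now')");
                    return false;
                }
            }
        } else {
            // No such user.
            return false;
        }
    } else {
        return false;
    }
}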
コード例 #28
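/**
 * Re-authenticate a user from a stored credential (e.g. a "remember me" cookie).
 *
 * The Salt column is selected but never used, and $password is compared directly
 * against the stored Password column — so presumably the caller already supplies
 * the credential in its stored form. NOTE(review): confirm against the callers;
 * if this ever receives a plaintext password, the comparison must hash first.
 *
 * @param string $username Username to look up (overwritten with the DB value once found).
 * @param string $password Credential compared against Users.Password.
 * @param mysqli $mysql    Open database connection.
 *
 * @return int `Access Level` when the login succeeds and security questions are on
 *             file, -1 when it succeeds but they are not, 0 for every failure
 *             (unknown user, locked account, wrong credential, failed prepare()).
 */
function autologin($username, $password, $mysql)
{
    // Prepared statement: $username never becomes part of the SQL text.
    $stmt = $mysql->prepare("SELECT UserID, Username, Password, Salt, `Access Level` FROM Users WHERE Username = ? LIMIT 1");
    if (!$stmt) {
        // The original fell off the end here (returned null); 0 is the failure value
        // every other branch uses and is falsy just like null.
        return 0;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userid, $username, $db_password, $salt, $level);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        // No such user.
        return 0;
    }
    // Locked out after too many failed attempts (checkbrute lives elsewhere in this
    // file). TODO from the original: notify the user that the account is locked.
    if (checkbrute($userid, $mysql) == true) {
        return 0;
    }

    // hash_equals() rather than ==: loose comparison treats numeric-looking strings
    // such as "0e123" and "0e456" as equal, and it also compares in constant time.
    if (!hash_equals((string) $db_password, (string) $password)) {
        // Wrong credential: record the attempt. Bound parameters replace the
        // original string-built INSERT, so nothing from the row or the clock is
        // ever interpolated into SQL.
        $now = time();
        if ($log = $mysql->prepare("INSERT INTO Login_Attempts(UserID, Time) VALUES (?, ?)")) {
            $log->bind_param('ii', $userid, $now);
            $log->execute();
            $log->close();
        }
        return 0;
    }

    // Credential is correct. A fresh session id stops a fixated session from
    // becoming authenticated (guarded so a missing session only skips this step).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Keep only digits in the id and a safe charset in the username: both may be
    // printed into pages later.
    $userid = preg_replace("/[^0-9]+/", "", $userid);
    $_SESSION['userid'] = $userid;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    // No user-agent is available on this path, so the login string is bound to a
    // fixed literal instead (kept exactly as the original did it).
    $_SESSION['login-string'] = hash('sha512', $password . "hello");

    // Tell the caller whether security questions have already been answered.
    if ($pstmt = $mysql->prepare("SELECT `ID` From `Security Answers` WHERE UserID = ?")) {
        $pstmt->bind_param('i', $userid);
        $pstmt->execute();
        $pstmt->store_result();
        $answers = $pstmt->num_rows;
        $pstmt->close();
        // NOTE(review): "> 1" means a single stored answer still reports -1; if one
        // answer suffices this should be ">= 1" — confirm against the registration flow.
        return $answers > 1 ? $level : -1;
    }
    return 0;
}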
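/**
 * Authenticate a user of mdl_user by NIM (the column queried; the parameter keeps
 * its original name $email) and populate the session on success.
 *
 * Credential scheme as the code implements it: the stored `password` is either a
 * legacy plaintext value (shorter than 100 characters), which is SHA-512-hashed on
 * the fly, or an already SHA-512-hashed value; the SHA-512 of the stored salt is then
 * appended to both sides before comparing. Since the submitted $password is compared
 * against that hashed form, presumably the caller passes SHA-512 of the typed
 * password — NOTE(review): confirm against the form handler and against login_check,
 * which has to rebuild the same login_string.
 *
 * Fix in this revision: the original joined these strings with `+`, which is numeric
 * addition. On PHP 7 a non-numeric string became 0 (with only a warning), so a stored
 * hash beginning with a letter matched ANY non-numeric password and otherwise only
 * the leading digits mattered — an authentication bypass; on PHP 8 it throws a
 * TypeError for non-numeric strings. String concatenation `.` is what was meant.
 *
 * @param string $email    NIM to look up.
 * @param string $password Submitted credential (see scheme above).
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool true when the login succeeds; false on unknown user, locked account,
 *              wrong password or a failed prepare() (the original returned null there).
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the NIM never becomes part of the SQL text.
    $stmt = $mysqli->prepare("SELECT id, username,role, password, salt FROM mdl_user WHERE nim = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $role, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        // No user exists (checked before touching the bound values, which are null here).
        return false;
    }

    // Bring the stored value into hashed form, then append the hashed salt to both
    // sides. Appending the same suffix to both sides adds no strength to the
    // comparison; it is kept so login_string stays what the rest of the app expects.
    // The original `$salt != ""` branch was dead: hash() of anything is never "".
    $salt = hash('sha512', (string) $salt);
    if (strlen((string) $db_password) < 100) {
        $db_password = hash('sha512', (string) $db_password);
    }
    $db_password = $db_password . $salt;
    $password = $password . $salt;

    if (checkbrute($user_id, $mysqli) == true) {
        // Account temporarily locked: emit the original notice and bail out.
        // The original used `window.location('../index.php')`, which is not callable
        // in browsers and threw before redirecting; assignment is the working form.
        ?>
				<script type=text/javascript>
				alert("Akun anda Di lock untuk sementara waktu mohon dicoba 2 jam kedepan");
				window.location = '../index.php';
				</script>
				<?php 
        return false;
    }

    // hash_equals(): constant time, and no loose-== surprises on numeric-looking hex
    // (e.g. two "0e..." digests comparing equal).
    if (!hash_equals((string) $db_password, (string) $password)) {
        // Wrong password: record the attempt with bound parameters instead of the
        // original interpolated INSERT.
        $now = time();
        if ($log = $mysqli->prepare("INSERT INTO login_attempts (userid, time) VALUES (?, ?)")) {
            $log->bind_param('ii', $user_id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }

    // Password is correct: fresh session id against fixation, then bind the session
    // to this client.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $ip_address = $_SERVER['REMOTE_ADDR'];
    $user_browser = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['user_id'] = $user_id;
    $_SESSION['role'] = $role;
    // Restrict the username to a safe charset because it may be printed into pages.
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_browser);
    return true;
}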
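/**
 * Authenticate a member by e-mail address and populate the session on success.
 *
 * The stored credential is SHA-512(password . salt) from members_password.
 * NOTE(review): one SHA-512 iteration, even salted, is fast to brute-force offline;
 * moving to password_hash()/password_verify() needs a migration of the stored
 * column, so it is flagged here rather than changed.
 *
 * @param string $email    E-mail address to look up; also the key used by checkbrute()
 *                         and by the login_attempts table.
 * @param string $password Plaintext password as submitted.
 * @param mysqli $mysqli   Open database connection.
 *
 * @return bool true on success; false for unknown e-mail, locked account, wrong
 *              password or a failed prepare() (the original returned null there).
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: $email never becomes part of the SQL text.
    $sql = "SELECT members.userid, members.username, members.fname, members_password.password, members_password.salt "
         . "FROM members INNER JOIN members_password ON members.email = members_password.email "
         . "WHERE members.email = ? LIMIT 1";
    $stmt = $mysqli->prepare($sql);
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $fname, $db_password, $salt);
    $stmt->fetch();
    $found = ($stmt->num_rows == 1);
    $stmt->close();

    if (!$found) {
        // No user exists.
        return false;
    }
    if (checkbrute($email, $mysqli) == true) {
        // Locked out after too many failed attempts.
        return false;
    }

    // Hash the submitted password with the user's salt, exactly as it is stored.
    $password = hash('sha512', $password . $salt);

    // hash_equals(): constant time, and immune to PHP's loose == on numeric-looking
    // hex strings (e.g. two "0e..." digests comparing equal).
    if (!hash_equals((string) $db_password, $password)) {
        // Wrong password: record the attempt. $email is caller-supplied and the
        // original interpolated it straight into the INSERT — a SQL injection if a
        // stored address can carry quote characters; bind it instead.
        $now = time();
        if ($log = $mysqli->prepare("INSERT INTO login_attempts(email, time) VALUES (?, ?)")) {
            $log->bind_param('si', $email, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }

    // Password is correct: fresh session id against fixation, then populate it.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $user_browser = $_SERVER['HTTP_USER_AGENT'];
    // Digits-only id and a safe username charset: both may be printed into pages.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['fname'] = $fname;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    return true;
}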