setcookie('logverify', $verify, 2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
// NOTE(review): setcookie() args 6/7 are secure=false, httponly=true, so the session
// cookie is also sent over plain HTTP; set secure=true if the site is served over HTTPS.
// Expiry 2147483647 is the 32-bit max (2038), i.e. effectively a permanent cookie.
$_COOKIE['logverify'] = $verify; // above only takes effect after next page load
unset($verify);
}
// Clear the 'logpassword' cookie: an expiry of time() - 3600 is already in the past.
setcookie('logpassword', '', time() - 3600, "/", $_SERVER['SERVER_NAME'], false, true);
unset($passinfo);
}
$logpassword = null;
$logpwenc = null;
// Cookie-based session check: 'loguserid' names the user and 'logverify' is an
// authenticator that is recomputed from the stored password hash and compared.
// Both cookies are client-supplied; filter_int()/filter_string() are project helpers
// whose exact checks are not visible here.
if (filter_int($_COOKIE['loguserid']) && filter_string($_COOKIE['logverify'])) {
    $loguserid = intval($_COOKIE['loguserid']);
    // $loguserid is an int by this point, so the interpolation below is not injectable.
    $loguser = $sql->fetchq("SELECT * FROM `users` WHERE `id`='{$loguserid}'");
    $logverify = $_COOKIE['logverify'];
    // The first character of the cookie selects which variant of the hash to rebuild.
    // It is under the cookie holder's control, so create_verification_hash() must not
    // trust it beyond picking a variant -- TODO confirm in that function.
    $verifyid = intval(substr($logverify, 0, 1));
    // NOTE(review): if no row matched, $loguser is presumably false/null and
    // $loguser['password'] is read from a non-array -- confirm fetchq()'s failure value.
    // Because the authenticator is derived from the password hash, a leaked cookie
    // presumably stays valid until the password changes; there is no server-side revocation here.
    $verifyhash = create_verification_hash($verifyid, $loguser['password']);
    // Compare what we just created with what the cookie says, assume something is wrong if it doesn't match
    // NOTE(review): !== is not a constant-time comparison; hash_equals() is the usual
    // choice when comparing an authenticator supplied by the client.
    if ($verifyhash !== $logverify) {
        $loguser = NULL;
    }
}
$tzoff = 0;
// Apply the logged-in user's stored preferences (this block continues past the excerpt).
if ($loguser) {
    $loguserid = $loguser['id'];
    // timezone is presumably stored in hours; converted to seconds here -- confirm schema.
    $tzoff = $loguser['timezone'] * 3600;
    $scheme = $loguser['scheme'];
    if ($loguser['dateformat']) {
        $dateformat = $loguser['dateformat'];
    }
    if ($loguser['dateshort']) {
        $dateshort = $loguser['dateshort'];
require 'lib/layout.php';
// Bots don't need to be on this page
$meta['noindex'] = true;
// Raw request fields; none are validated here. checkuser() is expected to do its
// own escaping/validation of $username/$password -- not visible from this file.
$username = $_POST['username'];
$password = $_POST['userpass'];
// $verifyid comes straight from the form and is passed to create_verification_hash();
// it is not cast or range-checked here -- confirm that function tolerates arbitrary values.
$verifyid = $_POST['verify'];
$txt = "{$header}<br>{$tblstart}";
// Loose == comparison; also raises an undefined-index notice when 'action' is absent.
if ($_POST['action'] == 'login') {
    // NOTE: this falsy check also rejects a username of "0".
    if (!$username) {
        $msg = "Couldn't login. You didn't input a username.";
    } else {
        $username = trim($username);
        // A return of -1 from checkuser() is treated as authentication failure.
        $userid = checkuser($username, $password);
        if ($userid != -1) {
            // $userid is whatever checkuser() returned; presumably an int -- confirm,
            // since it is interpolated into SQL without a cast.
            $pwhash = $sql->resultq("SELECT `password` FROM `users` WHERE `id` = '{$userid}'");
            $verify = create_verification_hash($verifyid, $pwhash);
            // NOTE(review): secure=false (arg 6), httponly=true (arg 7); set secure=true
            // when served over HTTPS. Expiry 2147483647 is effectively permanent.
            setcookie('loguserid', $userid, 2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
            setcookie('logverify', $verify, 2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
            // NOTE(review): $username is echoed back unescaped; if $msg is rendered as
            // HTML without htmlspecialchars() downstream this is a reflected XSS -- check the layout code.
            $msg = "You are now logged in as {$username}.";
        } else {
            // Hard-coded auto-ban for one known bot username (strict === compare).
            if ($username === "tictOrnaria") {
                $sql->query("INSERT INTO `ipbans` SET `ip` = '" . $_SERVER['REMOTE_ADDR'] . "', `date` = '" . ctime() . "', `reason` = 'Abusive / malicious behavior'");
                // Best-effort IRC notification; errors are suppressed with @.
                @xk_ircsend("1|" . xk(7) . "Auto banned tictOrnaria (malicious bot) with IP " . xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) . ".");
            } else {
                // SECURITY(review): $username and $password are $_POST values concatenated
                // into this INSERT with no escaping (only trim() was applied to $username),
                // so the statement is injectable by anyone who can submit the form. It also
                // stores the attempted password in plaintext. Use the driver's escaping or
                // parameter binding, and consider dropping the password column entirely.
                $sql->query("INSERT INTO `failedlogins` SET `time` = '" . ctime() . "', `username` = '" . $username . "', `password` = '" . $password . "', `ip` = '" . $_SERVER['REMOTE_ADDR'] . "'");
                // Count failures from this IP in the last 1800 seconds (30 min, assuming ctime() is unix seconds).
                $fails = $sql->resultq("SELECT COUNT(`id`) FROM `failedlogins` WHERE `ip` = '" . $_SERVER['REMOTE_ADDR'] . "' AND `time` > '" . (ctime() - 1800) . "'");
                // Keep in mind, it's now not possible to trigger this if you're IP banned
                // when you could previously, making extra checks to stop botspam not matter
                //if ($fails > 1) @xk_ircsend("102|" . xk(14) . "Failed attempt" . xk(8) . " #{$fails} " . xk(14) . "to log in as " . xk(8) . $username . xk(14) . " by IP " . xk(8) . $_SERVER['REMOTE_ADDR'] . xk(14) . ".");
                // Per-IP threshold: 5 or more recent failures (the action taken is past this excerpt).
                if ($fails >= 5) {