示例#1
0
        setcookie('logverify', $verify, 2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
        $_COOKIE['logverify'] = $verify;
        // above only takes effect after next page load
        unset($verify);
    }
    setcookie('logpassword', '', time() - 3600, "/", $_SERVER['SERVER_NAME'], false, true);
    unset($passinfo);
}
$logpassword = null;
$logpwenc = null;
if (filter_int($_COOKIE['loguserid']) && filter_string($_COOKIE['logverify'])) {
    $loguserid = intval($_COOKIE['loguserid']);
    $loguser = $sql->fetchq("SELECT * FROM `users` WHERE `id`='{$loguserid}'");
    $logverify = $_COOKIE['logverify'];
    $verifyid = intval(substr($logverify, 0, 1));
    $verifyhash = create_verification_hash($verifyid, $loguser['password']);
    // Compare what we just created with what the cookie says, assume something is wrong if it doesn't match
    if ($verifyhash !== $logverify) {
        $loguser = NULL;
    }
}
$tzoff = 0;
if ($loguser) {
    $loguserid = $loguser['id'];
    $tzoff = $loguser['timezone'] * 3600;
    $scheme = $loguser['scheme'];
    if ($loguser['dateformat']) {
        $dateformat = $loguser['dateformat'];
    }
    if ($loguser['dateshort']) {
        $dateshort = $loguser['dateshort'];
示例#2
0
require 'lib/layout.php';
// Bots don't need to be on this page
$meta['noindex'] = true;
$username = $_POST['username'];
$password = $_POST['userpass'];
$verifyid = $_POST['verify'];
$txt = "{$header}<br>{$tblstart}";
if ($_POST['action'] == 'login') {
    if (!$username) {
        $msg = "Couldn't login.  You didn't input a username.";
    } else {
        $username = trim($username);
        $userid = checkuser($username, $password);
        if ($userid != -1) {
            $pwhash = $sql->resultq("SELECT `password` FROM `users` WHERE `id` = '{$userid}'");
            $verify = create_verification_hash($verifyid, $pwhash);
            setcookie('loguserid', $userid, 2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
            setcookie('logverify', $verify, 2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
            $msg = "You are now logged in as {$username}.";
        } else {
            if ($username === "tictOrnaria") {
                $sql->query("INSERT INTO `ipbans` SET `ip` = '" . $_SERVER['REMOTE_ADDR'] . "', `date` = '" . ctime() . "', `reason` = 'Abusive / malicious behavior'");
                @xk_ircsend("1|" . xk(7) . "Auto banned tictOrnaria (malicious bot) with IP " . xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) . ".");
            } else {
                $sql->query("INSERT INTO `failedlogins` SET `time` = '" . ctime() . "', `username` = '" . $username . "', `password` = '" . $password . "', `ip` = '" . $_SERVER['REMOTE_ADDR'] . "'");
                $fails = $sql->resultq("SELECT COUNT(`id`) FROM `failedlogins` WHERE `ip` = '" . $_SERVER['REMOTE_ADDR'] . "' AND `time` > '" . (ctime() - 1800) . "'");
                // Keep in mind, it's now not possible to trigger this if you're IP banned
                // when you could previously, making extra checks to stop botspam not matter
                //if ($fails > 1)
                @xk_ircsend("102|" . xk(14) . "Failed attempt" . xk(8) . " #{$fails} " . xk(14) . "to log in as " . xk(8) . $username . xk(14) . " by IP " . xk(8) . $_SERVER['REMOTE_ADDR'] . xk(14) . ".");
                if ($fails >= 5) {