示例1: login
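/**
 * Authenticate a member by e-mail and password.
 *
 * The member is looked up with a prepared statement, the login is refused when
 * checkbrute() reports the account as locked, and a wrong password is recorded
 * in login_attempts (parameters bound, not interpolated).
 *
 * NOTE(review): the stored password is compared directly against the submitted
 * value (the sha512 line was commented out in the original), so the database
 * holds whatever the caller stored - plaintext unless hashed elsewhere. The
 * scheme is kept for compatibility; password_hash()/password_verify() is the
 * recommended replacement.
 *
 * @param string $email    submitted e-mail address
 * @param string $password submitted password
 * @param mysqli $mysqli   open database connection
 * @return bool true when the credentials are accepted, false otherwise
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM members\n WHERE email = ?\n LIMIT 1");
    if (!$stmt) {
        // Could not prepare the statement; the original fell off the end (null).
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    // The SELECT returns four columns; the original bound only three, which
    // mysqli rejects as a bind/field count mismatch. $salt is bound but unused.
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        return false;
    }
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    // hash_equals() is a strict, constant-time comparison; "==" treats
    // numeric-looking strings (e.g. "0e123" and "0e456") as equal.
    if (hash_equals((string) $db_password, (string) $password)) {
        return true;
    }
    // Password is not correct: log the attempt.
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('is', $user_id, $now);
        $log->execute();
        $log->close();
    }
    return false;
}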
示例2: login
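/**
 * Authenticate a user by e-mail or username and password.
 *
 * The same value is matched against both `correo` and `usuario`. On success
 * the sanitised id, username, role (`tipo`) and a login fingerprint are stored
 * in the session; on a wrong password a row is added to `intentos` with bound
 * parameters.
 *
 * @param string $email    e-mail address or username typed by the user
 * @param string $password plaintext password typed by the user
 * @param mysqli $mysqli   open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT idusuario, usuario, contra, salt, tipo FROM usuarios_tb WHERE correo = ? OR usuario = ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('ss', $email, $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt, $tipo);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt. Kept because the
    // stored hashes depend on it; password_hash() is the recommended replacement.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    // Strict, constant-time comparison instead of "==" (which compares
    // numeric-looking hex strings numerically).
    if (!hash_equals((string) $db_password, $password)) {
        $now = time();
        if ($log = $mysqli->prepare("INSERT INTO intentos(idusuario, hora) VALUES (?, ?)")) {
            $log->bind_param('is', $user_id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }
    // The header may be absent; avoid an undefined-index notice.
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection as these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['tipo'] = $tipo;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    // Login successful.
    return true;
}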
示例3: login
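/**
 * Validate the single site password stored in the `password` table.
 *
 * Returns two flags: `success` (password accepted) and `isLocked`
 * (checkbrute() reports too many recent failures). Exits when the lookup
 * query itself fails, as the original did.
 *
 * @param string $password submitted password
 * @param mysqli $mysqli   open database connection
 * @return array{success: bool, isLocked: bool}
 */
function login($password, $mysqli)
{
    if (!($queryRes = $mysqli->query('SELECT * FROM password;'))) {
        exit;
    }
    $row = $queryRes->fetch_assoc();
    $queryRes->free();
    // An empty table leaves $row === false; the original then indexed into it.
    // Treat a missing hash as "nothing to verify against".
    $hash = isset($row['hash']) ? $row['hash'] : null;
    if (checkbrute($mysqli)) {
        // Account is locked and login is forbidden
        return array('success' => false, 'isLocked' => true);
    }
    if ($hash !== null && password_verify($password, $hash)) {
        // Password is correct: bind the session to the client's user agent.
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        $_SESSION['login_string'] = hash('sha512', $user_browser);
        return array('success' => true, 'isLocked' => false);
    }
    // Password is not correct: record the attempt with a bound parameter.
    $now = time();
    if ($log = $mysqli->prepare('INSERT INTO login_attempts(time) VALUES (?)')) {
        $log->bind_param('i', $now);
        $log->execute();
        $log->close();
    }
    return array('success' => false, 'isLocked' => false);
}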
示例4: login
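/**
 * Authenticate a user by username and password (password_hash scheme).
 *
 * Fixes relative to the original: the submitted password was re-hashed with
 * password_hash() and then verified against an undefined `$hash`, so no login
 * could ever succeed; the username "XSS" regex lacked the `^` negation and so
 * stripped every allowed character; and failed attempts were logged only when
 * the account was already locked instead of on a wrong password.
 *
 * @param string $username submitted username
 * @param string $password submitted plaintext password
 * @param mysqli $mysqli   open database connection
 * @return bool true when the credentials are accepted, false otherwise
 */
function login($username, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT userID, username, password FROM users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        // Syntactical error in the statement
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userID, $username, $correct);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // User doesn't exist
        return false;
    }
    if (checkbrute($userID, $mysqli) == true) {
        // Account locked by too many failed attempts
        return false;
    }
    // password_verify() takes the plaintext and the stored hash; never re-hash the input.
    if (password_verify($password, (string) $correct)) {
        // XSS protection - strip anything we might print
        $userID = preg_replace("/[^0-9]+/", "", $userID);
        $_SESSION['userID'] = $userID;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        return true;
    }
    // Wrong password: record the failed attempt with bound parameters
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO logins(userFK, time) VALUES (?, ?)")) {
        $log->bind_param('is', $userID, $now);
        $log->execute();
        $log->close();
    }
    return false;
}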
示例5: login
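/**
 * Authenticate a member by e-mail and password (sha512 + per-user salt).
 *
 * On success the sanitised id and username plus a user-agent-bound
 * fingerprint are written to the session; a wrong password is recorded in
 * login_attempts with bound parameters.
 *
 * @param string $email    submitted e-mail address
 * @param string $password submitted plaintext password
 * @param mysqli $mysqli   open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n FROM members\n WHERE email = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        return false;
    }
    // Legacy scheme kept because the stored hashes depend on it.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    // Strict, constant-time comparison instead of "==".
    if (!hash_equals((string) $db_password, $password)) {
        $now = time();
        if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
            $log->bind_param('is', $user_id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection as these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    return true;
}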
示例6: login
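/**
 * Authenticate a member by e-mail and password and populate the session.
 *
 * Stores the sanitised id and username, first/last name, role and a
 * user-agent-bound fingerprint in $_SESSION on success. A wrong password is
 * recorded in login_attempts with bound parameters.
 *
 * @param string $email    submitted e-mail address
 * @param string $password submitted plaintext password
 * @param mysqli $mysqli   open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the e-mail is bound, so it cannot alter the SQL.
    $stmt = $mysqli->prepare("SELECT id, firstname, lastname, username,role, password, salt \n FROM `members`\n WHERE `email` = ?\n LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $firstname, $lastname, $username, $role, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No user exists.
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt; kept because the
    // stored hashes depend on it.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    if (!hash_equals((string) $db_password, $password)) {
        // Password is not correct: record the attempt.
        $now = time();
        if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
            $log->bind_param('is', $user_id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }
    // Password is correct: bind the session to the client's user agent.
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection as these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['firstname'] = $firstname;
    $_SESSION['lastname'] = $lastname;
    $_SESSION['role'] = $role;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    // Login successful.
    return true;
}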
示例7: login
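/**
 * Authenticate a member by e-mail and password; redirect to error.php on
 * database failures.
 *
 * Keeps the original's behaviour of redirecting (and exiting) when the lookup
 * statement cannot be prepared or the failed-attempt INSERT fails.
 *
 * @param string $email    submitted e-mail address
 * @param string $password submitted plaintext password
 * @param mysqli $mysqli   open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($email, $password, $mysqli)
{
    $stmt = $mysqli->prepare("SELECT id, username, password, salt \n\t\t\t\t FROM members \n WHERE email = ? LIMIT 1");
    if (!$stmt) {
        // Could not create a prepared statement
        header("Location: error.php?err=Database error: cannot prepare statement");
        exit;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No user exists.
        return false;
    }
    // Legacy scheme kept because the stored hashes depend on it.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    if (!hash_equals((string) $db_password, $password)) {
        // Password is not correct: record the attempt with bound parameters.
        $now = time();
        $log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)");
        if (!$log || !$log->bind_param('is', $user_id, $now) || !$log->execute()) {
            header("Location: error.php?err=Database error: login_attempts");
            exit;
        }
        $log->close();
        return false;
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection as these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    // Login successful.
    return true;
}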
示例8: login
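/**
 * Authenticate a user by uid and password against the main database.
 *
 * Opens the connection through the project's conectabd() helper. Outcomes are
 * reported to the caller through the return value and, for failures, through
 * $_SESSION['login-error'] (messages kept verbatim). Only an account whose
 * `status` is 'ativo' may log in; a wrong password or inactive account is
 * recorded in login_tentativa with bound parameters.
 *
 * @param string $user     submitted uid
 * @param string $password submitted plaintext password
 * @return bool true on success, false otherwise
 */
function login($user, $password)
{
    $mysqli = conectabd(BD_PRINCIPAL);
    // Prepared statement: the uid is bound, so it cannot alter the SQL.
    $stmt = $mysqli->prepare("SELECT codigo, uid, senha, salt, status FROM usuario WHERE uid = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt, $status);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No such user.
        $_SESSION['login-error'] = 'Usuário inválido!';
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id) == true) {
        // Account is temporarily locked after too many attempts.
        $_SESSION['login-error'] = 'A conta deste usuário está bloqueada temporáriamente';
        return false;
    }
    if (hash_equals((string) $db_password, $password) && $status === 'ativo') {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // XSS protection as these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        // Login successful.
        return true;
    }
    // Wrong password or inactive account: record the attempt.
    $_SESSION['login-error'] = 'Senha inválida ou usuário está inativo!';
    $now = time();
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if ($log = $mysqli->prepare("INSERT INTO login_tentativa(user_id, time, ip) VALUES (?, ?, ?)")) {
        $log->bind_param('iss', $user_id, $now, $ip);
        $log->execute();
        $log->close();
    }
    return false;
}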
示例9: login
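/**
 * Authenticate a user by e-mail and password.
 *
 * Fix relative to the original: the e-mail was concatenated straight into the
 * SELECT (SQL injection); it is now bound through a prepared statement, and
 * the failed-attempt INSERT is bound as well. Error text is appended to
 * $GLOBALS['errorMsg'] exactly as before.
 *
 * @param string $email         submitted e-mail address
 * @param string $user_password submitted plaintext password
 * @param mysqli $conn          open database connection
 * @return bool true on success, false otherwise
 */
function login($email, $user_password, $conn)
{
    $success = TRUE;
    $stmt = $conn->prepare("SELECT id, username, password, salt FROM Users WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return FALSE;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($userId, $username, $dbPassword, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    if (!$found) {
        // No user info exists in the database
        return FALSE;
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $user_password . $salt);
    if (checkbrute($userId, $conn) == true) {
        // Too many attempts: the account is locked
        $GLOBALS['errorMsg'] .= '<p class="error">Too many login attempts.</p>';
        return FALSE;
    }
    if (hash_equals((string) $dbPassword, $password)) {
        // filter_input() yields null when the header is absent
        $userBrowser = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
        if ($userBrowser === null || $userBrowser === false) {
            $userBrowser = '';
        }
        // XSS protection as we might print these values
        $userId = preg_replace("/[^0-9]+/", "", $userId);
        $_SESSION['user_id'] = $userId;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $userBrowser);
    } else {
        // Wrong password: record the attempt with a bound parameter
        if ($log = $conn->prepare("INSERT INTO LoginAttempts(userId) VALUES (?)")) {
            $log->bind_param('i', $userId);
            $log->execute();
            $log->close();
        }
        $GLOBALS['errorMsg'] .= '<p class="error">Incorrect Username/Password combination.</p>';
        $success = FALSE;
    }
    return $success;
}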
示例10: login
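/**
 * Authenticate a client by username and (already hashed) password.
 *
 * The original's comments state that both the stored value and the submitted
 * one are sha512 digests, so they are compared directly - now with
 * hash_equals() instead of "==". The "Cuenta Bloqueada" echo on a locked
 * account is kept as the original behaviour. The session id now uses the
 * digit-filtered value the original computed but never stored.
 *
 * @param string $usuario  submitted username
 * @param string $password submitted password (sha512 hex, per the original)
 * @param mysqli $conexion open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($usuario, $password, $conexion)
{
    // Prepared statement: the username is bound, so it cannot alter the SQL.
    $stmt = $conexion->prepare("SELECT id, usuario, password\n FROM clientes\nWHERE usuario = ?\nLIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $usuario, $db_password);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No such user
        return false;
    }
    if (checkbrute($id, $conexion) == true) {
        // Account locked after too many attempts; the original echoed the notice.
        $error = "Cuenta Bloqueada";
        echo $error;
        return false;
    }
    if (!hash_equals((string) $db_password, (string) $password)) {
        // Wrong password: record the attempt with bound parameters
        $now = time();
        if ($log = $conexion->prepare("INSERT INTO login_attempts(id, time) VALUES (?, ?)")) {
            $log->bind_param('is', $id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }
    // Password matches: bind the session to the browser's user agent.
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection: keep only digits / allowed identifier characters
    $user_id = preg_replace("/[^0-9]+/", "", $id);
    $_SESSION['id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $usuario);
    $_SESSION['usuario'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    return true;
}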
示例11: login
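/**
 * Authenticate a user by e-mail and password and audit the outcome.
 *
 * Both outcomes are written to userevents ('logged in' / 'password incorrect')
 * with bound parameters.
 *
 * NOTE(review): the original sets $_SESSION['admin'] = 1 for every successful
 * login, regardless of the user's actual privileges. It is kept here because
 * callers may depend on the key, but the value should come from a role column
 * rather than being hard-coded.
 *
 * @param string $email    submitted e-mail address
 * @param string $password submitted plaintext password
 * @param mysqli $db       open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($email, $password, $db)
{
    $stmt = $db->prepare("SELECT id, user, passwordHash, salt FROM login WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No user exists.
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $db) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    $matches = hash_equals((string) $db_password, $password);
    if ($matches) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // XSS protection as these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['admin'] = 1;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    }
    // Audit the attempt either way.
    $now = time();
    $eventType = $matches ? 'logged in' : 'password incorrect';
    if ($log = $db->prepare("INSERT INTO userevents (userId, eventType, date, modifiedUser) VALUES (?, ?, ?, ?)")) {
        $log->bind_param('issi', $user_id, $eventType, $now, $user_id);
        $log->execute();
        $log->close();
    }
    return $matches;
}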
示例12: login
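/**
 * Authenticate a user by e-mail and password.
 *
 * On success the session is populated and actualizacionexion() is invoked
 * (defined elsewhere in the project; presumably updates the user's last
 * connection - confirm against its definition). The unused `$errorr` local
 * from the original has been dropped.
 *
 * @param string $email    submitted e-mail address
 * @param string $password submitted plaintext password
 * @param mysqli $mysqli   open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the e-mail is bound, so it cannot alter the SQL.
    $stmt = $mysqli->prepare("select user_id,user_name,user_password,salt from user where user_email= ?");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // The user does not exist.
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked after too many attempts.
        return false;
    }
    if (!hash_equals((string) $db_password, $password)) {
        // Wrong password: record the attempt with bound parameters.
        $now = time();
        if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
            $log->bind_param('is', $user_id, $now);
            $log->execute();
            $log->close();
        }
        return false;
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection as these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $_SESSION['user_id'] = $user_id;
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $_SESSION['username'] = $username;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    // Successful login.
    actualizacionexion($mysqli, $user_id);
    return true;
}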
示例13: login
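/**
 * Authenticate a user by username and password, persisting the result in
 * long-lived cookies (ten years, as in the original).
 *
 * NOTE(review): `user_id` and `username` cookies are client-controlled; every
 * request that trusts them must re-check `login_string` against the stored
 * hash. The cookies now carry the Secure flag when the request arrived over
 * HTTPS, and `login_string` is HttpOnly so scripts cannot read it. The
 * HTTP 500 status lines are kept from the original.
 *
 * @param string $username submitted username
 * @param string $password submitted plaintext password
 * @param mysqli $mysqli   open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($username, $password, $mysqli)
{
    // Prepared statement: the username is bound, so it cannot alter the SQL.
    $stmt = $mysqli->prepare("SELECT UserId, UserMail, UserPassword, UserSalt FROM ha_users WHERE UserName = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $mail, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No user exists.
        header('HTTP/1.1 500 Username/Password is not correct!');
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli) == true) {
        // Account is locked
        header('HTTP/1.1 500 Account is locked!');
        return false;
    }
    if (!hash_equals((string) $db_password, $password)) {
        // Wrong password: record the attempt with a bound parameter.
        if ($log = $mysqli->prepare("INSERT INTO ha_user_login(UserId, Date) VALUES (?, NOW())")) {
            $log->bind_param('i', $user_id);
            $log->execute();
            $log->close();
        }
        header('HTTP/1.1 500 Username/Password is not correct!');
        return false;
    }
    $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // XSS protection as these values may be printed.
    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
    $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
    $expires = time() + 10 * 365 * 24 * 60 * 60;
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie("user_id", $user_id, $expires, "/", "", $secure);
    setcookie("username", $username, $expires, "/", "", $secure);
    // The fingerprint is the only server-verifiable value here; keep it HttpOnly.
    setcookie("login_string", hash('sha512', $password . $user_browser), $expires, "/", "", $secure, true);
    // Login successful.
    return true;
}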
示例14: performLogin
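/**
 * Authenticate a member by username and password using a read-only connection,
 * switching to writer credentials only to record a failed attempt.
 *
 * Returns NULL on success and a short message string otherwise (strings kept
 * verbatim from the original). Fixes: the locked-account branch called
 * "$mysqli_close($mysqli)" - an undefined variable used as a function name,
 * a fatal error - and the writer connection was never closed. Connection
 * errors are now sent to error_log() instead of being echoed to the client,
 * which disclosed host and user details.
 *
 * @param string $user     submitted username
 * @param string $password submitted plaintext password
 * @return string|null NULL on success, otherwise a failure message
 */
function performLogin($user, $password)
{
    if (!isset($user) || !isset($password)) {
        return "bad input";
    }
    $mysqli = new mysqli(DB_SERVER, DB_READER_USER, DB_READER_PASSWORD, SEC_DB_NAME);
    if ($mysqli->connect_errno) {
        error_log($mysqli->connect_error);
        return "inteneral server error";
    }
    $stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE username = ? LIMIT 1");
    if (!$stmt) {
        $mysqli->close();
        return "no such user";
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $stored_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // no such user (or more than one row, which the original treated the same way)
        $mysqli->close();
        return "no such user";
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $mysqli)) {
        // account has been locked
        $mysqli->close();
        return "Brute force, try again in 2 hours";
    }
    if (hash_equals((string) $stored_password, $password)) {
        $user_browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        // XSS protection as these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        $mysqli->close();
        return NULL;
    }
    // Wrong password: the reader account cannot insert, so reconnect as writer.
    $mysqli->close();
    $mysqli = new mysqli(DB_SERVER, DB_WRITER_USER, DB_WRITER_PASSWORD, SEC_DB_NAME);
    if ($mysqli->connect_errno) {
        error_log($mysqli->connect_error);
        return "inteneral server error";
    }
    $now = time();
    if ($log = $mysqli->prepare("INSERT INTO login_attempts(user_id, time) VALUES (?, ?)")) {
        $log->bind_param('is', $user_id, $now);
        $log->execute();
        $log->close();
    }
    $mysqli->close();
    return "bad login";
}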
示例15: login
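/**
 * Authenticate a user by username and password, binding the session to the
 * client's IP address and user agent.
 *
 * Fixes relative to the original: the failed-attempt INSERT used the unquoted
 * column name `when`, a MySQL reserved word, so it never succeeded; and it
 * interpolated the client-supplied User-Agent header into the SQL. Both
 * values are now bound. ip2long() yields false for non-IPv4 addresses, which
 * is stored as 0.
 *
 * @param string $username submitted username
 * @param string $password submitted plaintext password
 * @param mysqli $db       open database connection
 * @return bool true on success; false when locked, not found or wrong password
 */
function login($username, $password, $db)
{
    $stmt = $db->prepare("SELECT id, password, salt FROM users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $db_password, $salt);
    $stmt->fetch();
    $found = $stmt->num_rows == 1;
    $stmt->close();
    if (!$found) {
        // No user exists.
        return false;
    }
    // Legacy scheme: sha512 over password + per-user salt.
    $password = hash('sha512', $password . $salt);
    if (checkbrute($user_id, $db) == true) {
        // Account is locked after too many failed attempts.
        return false;
    }
    $ip_address = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if (hash_equals((string) $db_password, $password)) {
        // XSS protection as these values may be printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9@._\\-]+/", "", $username);
        $_SESSION['username'] = $username;
        $_SESSION['login_string'] = hash('sha512', $password . $ip_address . $user_agent);
        // Login successful.
        return true;
    }
    // Password is not correct: record the attempt with bound parameters.
    $now = time();
    $ip_long = ip2long($ip_address);
    if ($ip_long === false) {
        $ip_long = 0;
    }
    if ($log = $db->prepare("INSERT INTO login_attempts (user_id, `when`, ip, user_agent) VALUES (?, ?, ?, ?)")) {
        $log->bind_param('isis', $user_id, $now, $ip_long, $user_agent);
        $log->execute();
        $log->close();
    }
    return false;
}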