Posted by Steve on 03/24/07 21:49

now here's the most important one...

======== security.inc.php

<?
header('pragma: public' );
header('expires: 0' );
header('cache-control: private', false );
header('cache-control: must-revalidate, post-check=0, pre-check=0' );
if (!isset($pageTitle)){ $pageTitle = 'Authorization Required'; }
$logIn = isset($_POST['logIn']);
$logOut = isset($_REQUEST['logOut']);
$refresh = isset($_POST['refresh']);
$_SESSION['securityAttempts'] = $_SESSION['securityAttempts'] == '' ? 0 :
$_SESSION['securityAttempts'];
$securityCode = isset($_POST['securityCode']) ?
$_POST['securityCode'] : '';
$userPassword = isset($_POST['userPassword']) ?
$_POST['userPassword'] : $_SESSION['userPassword'];
$userName = isset($_POST['userName']) ?
$_POST['userName'] : $_SESSION['userName'];
$userVerified = false;
$_SESSION['userId'] = 0;
$sql = "
SELECT Id ,
CONCAT(
FirstName ,
' ' ,
LastName
)
Description
FROM people
WHERE LOWER(UserName) = LOWER('"
.. $userName . "')
AND LOWER(Password) = LOWER('"
.. $userPassword . "')
";
$records = $db->execute($sql);
$userFullName = $records[0]['DESCRIPTION'];
$chancesLeft = 2 - $_SESSION['securityAttempts'];
$securityCode = strtoupper($securityCode);
$logInMessage = 'Please Log In';
$isSecure = count($records) && ($logIn ? $securityCode
== $site->lastSecurityCode : !$logOut);
if (!$isSecure)
{
setcookie('userFullName' , '');
setcookie('userName' , '');
setcookie('userPassword' , '');
setcookie('userVerified' , '');
unset($userFullName);
unset($userName);
unset($userPassword);
echo $sessionHeader;
if ($chancesLeft < 1)
{
require_once $site->classDirectory . 'isp.class.php';
$isp = new isp();
$userFullName = '';
$userName = '';
$userPassword = '';
?>
<hr>
<br>
<br>
<font style="color:#990000; font-weight:bold;">Unauthorized Access Not
Permitted</font>
<br>
<br>
Your IP address and all related internet traffic is being monitored and
logged. If this is a mistake, please
notify the <a href="mailto:<?= $site->adminEmail ?>" title="Web
Administrator">Web Administrator</a> of your
need of assistance. Continued attempts from your IP address to login will be
seen as an effort to compromise
this site's security - which we simply will not tolerate.
<br>
<br>
<hr>
<br>
<table>
<tr>
<td style="font-weight:bold">Your IP</td>
<td><?= $isp->clientIp ?></td>
</tr>
<tr>
<td style="font-weight:bold">Your ISP</td>
<td><?= $isp->name ?></td>
</tr>
<tr>
<td style="font-weight:bold">Address</td>
<td><?= $isp->address ?></td>
</tr>
<tr>
<td style="font-weight:bold">City</td>
<td><?= $isp->city ?></td>
</tr>
<tr>
<td style="font-weight:bold">State / Province</td>
<td><?= $isp->state ?></td>
</tr>
<tr>
<td style="font-weight:bold">Postal Code</td>
<td><?= $isp->zip ?></td>
</tr>
<tr>
<td style="font-weight:bold">Country</td>
<td><?= $isp->country ?></td>
</tr>
<tr>
<td style="font-weight:bold">Phone</td>
<td><?= $isp->phone ?></td>
</tr>
<tr>
<td style="font-weight:bold">Email</td>
<td><?= $isp->email ?></td>
</tr>
</table>
<br>
<hr>
<br>
<?
echo $sessionFooter;
exit;
}
if ($logIn)
{
$_SESSION['securityAttempts']++;
$logInMessage = '<font style="color:#990000;">';
$logInMessage .= $securityCode == $site->lastSecurityCode ? ' Invalid
User Name/Password' : ' Invalid Security Code';
$logInMessage .= ' - You have ' . $chancesLeft . ' chance' .
($chancesLeft == 1 ? '' : 's') . ' left';
$logInMessage .= '</font>';
}
if ($refresh || $logIn || !$isSecure)
{
?>
<br>
<hr>
<br>
<span style="color:'#990000'; font-size:'<?= $sessionFonts["LARGEST"] ?>';
font-weight:bold;">
<i><?= $logInMessage ?></i>
</span>
<hr>
<br>
Please enter your User Name (i.e. jdoe, alincoln)
<br>
<br>
<br>
<form method="post" name="logIn" action="<?= $_SERVER['PHP_SELF'] ?>">
<table>
<tr>
<td style="width:150px;"><span class="label">User Name</span></td>
<td>
<input class="value" name="userName" type="text" autocomplete="off">
</td>
</tr>
<tr>
<td style="width:150px;"><span class="label">Password</span></td>
<td>
<input class="value" name="userPassword" type="password"
autocomplete="off">
</td>
</tr>
<tr>
<td style="width:150px;"><span class="label">Security Code</span></td>
<td>
<input class="value" name="securityCode"
style="text-transform:uppercase;" type="text" autocomplete="off">
</td>
</tr>
<tr><td colspan="2">&nbsp;</td></tr>
<tr>
<td colspan="2"><img alt="Loading security code ..." title="Security
Code" src="<?= $site->uri ?>get.security.image.php"></td>
</tr>
</table>
<br>
<br>
<input type="submit" name="logIn" style="cursor:'hand';"
value="Continue&nbsp;&nbsp;&#9655;">
<input type="submit" name="refresh" style="cursor:'hand';"
value="Refresh&nbsp;&nbsp;&#9655;">
</form>
<hr>
<a href="<?= $site->uri ?>maint/my.account.php?add=1">I don't have an
account yet</a>
<br>
<br>
<a href="<?= $site->uri ?>maint/forgot.account.php">I forgot my login
information</a>
<br>
<hr>
<br>
<script language="javascript">
logIn.userName.focus();
logIn.userName.select();
</script>
<?
echo $sessionFooter;
exit;
}
}
$userVerified = true;
$_SESSION['securityAttempts'] = 0;
$_SESSION['userFullName'] = $userFullName;
$_SESSION['userId'] = $records[0]['ID'];
$_SESSION['userName'] = $userName;
$_SESSION['userPassword'] = $userPassword;
$_SESSION['userVerified'] = $userVerified;
?>

• Next in forum: Re: Need a simple database for name and email only
• Prev in forum: Re: Need a simple database for name and email only
• Thread view: Re: Need a simple database for name and email only

[Reply to this message]