0 || strpos($_SERVER['HTTP_REFERER'], "logout")>0 ||strpos($_SERVER['HTTP_REFERER'], "members")>0 || strpos($_SERVER['HTTP_REFERER'], "activate")>0 || strpos($_SERVER['HTTP_REFERER'], "reset")>0){
$a="members.html";
}
else{
$a=$_SERVER['HTTP_REFERER'];
}
}
else {
$a="members.html";
}
return $a;
}
//////////////////////////////
// Start processing login //
//////////////////////////////
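$meta_insert = '
';

/*
 * Login processing.
 *
 * Reads the posted credentials, looks the account up by user name or e-mail,
 * enforces the per-IP lockout, verifies the password hash and then either
 * starts the session (redirecting afterwards) or records the failed attempt.
 * Names not defined here ($dbi, $content, $body_login_form, $bad_login_limit,
 * $lockout_time, $ip, $now, $today, $message_div, $scripts, User,
 * save_session(), save_db_cookies(), getHeaders(), log_out(), get_header(),
 * get_footer()) come from the code that includes this file.
 */

// Redirect target; it is only assigned on a successful, active login, so make
// sure the check at the bottom never reads an undefined variable.
if (!isset($header_location)) {
    $header_location = '';
}

/* Get form results */
if (!empty($_POST)) {
    // Missing fields become null so that isset($user, $pass) below fails
    // cleanly instead of tripping an undefined-index notice.
    $user = isset($_POST['email']) ? $_POST['email'] : null;
    $pass = isset($_POST['pass']) ? $_POST['pass'] : null;
    $keeplogged = isset($_POST['stayin']) ? $_POST['stayin'] : '';
}

// Check to see if we've got credentials
if (isset($user, $pass)) {
    // The value is bound as a parameter, so it is never spliced into the SQL
    // text and must NOT be run through mysqli_real_escape_string() first:
    // escaping would alter a user name or e-mail containing a quote or a
    // backslash and the lookup would then miss the row.
    $stmt = $dbi->prepare("SELECT * FROM `members` where `user_name`=? or `email` = ?");
    $stmt->bind_param('ss', $user, $user);
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows === 0) {
        // Unknown user: nothing to rate-limit against, so only delay and report.
        $stmt->close();
        sleep(2);
        // NOTE(review): this reply ends in a period while the wrong-password
        // reply further down ends in an exclamation mark, and only this path
        // sleeps a fixed 2 s.  Both differences let a client tell an unknown
        // account from a bad password; aligning the text and the delay of
        // the two paths would close that.
        $content .= "
The information you've entered is not correct, please try again.".$body_login_form;
    } else {
        $obj = $result->fetch_object();
        $stmt->close();
        $hashed_password = $obj->password;
        $active = $obj->active;
        $user_name = $obj->user_name;
        $user_id = strtolower($obj->user_id);
        $first_failed_login = $obj->first_failed_login;
        $failed_login_count = $obj->failed_login_count;
        $failed_login_ip = $obj->failed_login_ip;

        // Lockout applies when the failure counter reached the limit inside
        // the current window AND this client's IP is among the recorded
        // failing addresses, i.e. it is keyed per IP, not per account.
        $locked_out = $failed_login_count >= $bad_login_limit
            && (time() - $first_failed_login) < $lockout_time
            && strpos($failed_login_ip, $ip) !== false;

        if ($locked_out) {
            // The "10 minutes" below is hard-coded; the real window is
            // $lockout_time (defined outside this file) and the original
            // comment here said 30 minutes -- confirm which one is current.
            $content .= "
You are currently locked out of the system for attempting to login too many times without a correct username and password. Please wait 10 minutes, and you may attempt logging in again.
";
        } elseif (password_verify($pass, $hashed_password) && $user_id) {
            // Password matched: reload the user, clear the failure counters
            // and append this login to the history before saving.
            $user_obj = new User($dbi, $user_id);
            $user_obj->update_activity("login.html", $ip, $now);
            $user_obj->failed_login_count = 0;
            $user_obj->failed_login_ip = "";
            $user_obj->lockout_code = "";
            $user_obj->login_history[] = "$ip($today)";

            // Only an activated account gets a session.
            if ((int) $user_obj->active === 1) {
                $logindate = $today;
                $logged = 1;
                // Login confirmation message
                $content .= "
Thank you for logging in to your account $user_name.
You currently have an active account based out of the Austin market.
If you would like to edit your account details, please
visit your member account area.";
                // Persist the session, then the DB-backed "stay logged in" cookie.
                save_session($user_obj);
                save_db_cookies($keeplogged);
                // getHeaders() (defined above) can return the raw HTTP Referer,
                // which the client controls, and header() below redirects to
                // it unchecked; it should be restricted to this site's own
                // pages -- verify inside getHeaders().
                $header_location = getHeaders();
            } else {
                $content .= "
Inactive Account:
Please confirm your personal information to activate your account.
You should have received an email with a link to verify your contact information. This email may have been filtered into a spam folder.
If you did not receive an email or text message, please contact us
";
            }
            $user_obj->save_user();
        } else {
            // Wrong password: start a new failure window if the previous one
            // expired, otherwise count this attempt against it.
            if (time() - $first_failed_login > $lockout_time) {
                $first_failed_login = time();
                $failed_login_count = 1;
            } else {
                $failed_login_count++;
            }
            // Kept in separate variables so $ip itself is not rewritten for
            // any code that runs after this block.
            $history_entry = "$ip($today)(FAILED),";
            $ip_tag = "[$ip]";
            $stmt = $dbi->prepare("UPDATE `members` SET `failed_login_count` = ?, `failed_login_ip` = CONCAT_WS ('', `failed_login_ip`, ?), `first_failed_login` = ?, `login_history` = CONCAT_WS ('', `login_history`, ?) WHERE `user_name` = ?");
            $stmt->bind_param('isiss', $failed_login_count, $ip_tag, $first_failed_login, $history_entry, $user_name);
            $stmt->execute();
            $stmt->close();
            // Progressive delay: 1 s for the first few failures, 3 s after that.
            // The earlier `< 5` / `> 5` pair left exactly the fifth attempt undelayed.
            if ($failed_login_count < 5) {
                sleep(1);
            } else {
                sleep(3);
            }
            $content .= "
The information you've entered is not correct, please try again!".$body_login_form;
        }
    }
} else {
    // No credentials posted: drop any existing session and show the form.
    log_out();
    $content .= $body_login_form;
}

/////////////////////////////////////////////
/// Logic is over, output results here ///
/////////////////////////////////////////////
$content .= "
";
$_POST = [];
// If a redirect target was set, forward the user and stop rendering.
if ($header_location) {
    header("Location: $header_location");
    exit(); // the page was hanging without this exit
}
$header = get_header();
$footer = get_footer();
$mainpage = $header.$content.$message_div.$footer.$scripts;
echo $mainpage;
?>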