0 || strpos($_SERVER['HTTP_REFERER'], "logout")>0 ||strpos($_SERVER['HTTP_REFERER'], "members")>0 || strpos($_SERVER['HTTP_REFERER'], "activate")>0 || strpos($_SERVER['HTTP_REFERER'], "reset")>0){ $a="members.html"; } else{ $a=$_SERVER['HTTP_REFERER']; } } else { $a="members.html"; } return $a; } ////////////////////////////// // Start processing login // ////////////////////////////// $meta_insert = 'Free Software Applications from experienced programmers '; //closes
".$pass."
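".$keeplogged; }

//////////////////////////////
// Start processing login   //
//////////////////////////////
// Relies on values set earlier in the file: $dbi (mysqli), the submitted
// $user / $pass / $keeplogged, $ip, $today, $now, $bad_login_limit,
// $lockout_time, $body_login_form, $content, $message_div, $scripts and the
// helpers User, save_session(), save_db_cookies(), getHeaders(), log_out(),
// get_header(), get_footer().

//Check to see if we've got credentials
if (isset($user, $pass)) {
    // Look the account up by user name or e-mail. The value is bound as a
    // prepared-statement parameter, so it must NOT also be run through
    // mysqli_real_escape_string(): escaping *and* binding turns O'Brien into
    // O\'Brien and the lookup silently fails for any name with a quote or
    // backslash in it.
    $stmt = $dbi->prepare("SELECT * FROM `members` where `user_name`=? or `email` = ?");
    $stmt->bind_param('ss', $user, $user);
    $stmt->execute();
    $result = $stmt->get_result();

    //if the user doesn't exist
    if ($result->num_rows === 0) {
        $stmt->close();
        sleep(2);
        // NOTE(review): this message ends in a period while the wrong-password
        // message further down ends in an exclamation mark, so the response
        // reveals whether the account exists (username enumeration). Using the
        // same wording for both cases would close that gap.
        $content .= "
The information you've entered is not correct, please try again.
".$body_login_form;
        //skip everything else and go to the end because we can't rate limit without a valid username
        //someday this should probably trigger IP monitoring to see if the user is trying common usernames
        goto Output;
    }

    $obj = $result->fetch_object();
    $stmt->close();

    $hashed_password    = $obj->password;
    $active             = $obj->active;
    $user_name          = $obj->user_name;
    $user_id            = strtolower($obj->user_id);
    $first_failed_login = $obj->first_failed_login;
    $failed_login_count = $obj->failed_login_count;
    $failed_login_ip    = $obj->failed_login_ip;

    // Failed attempts are stored below as "[ip]" fragments appended to
    // `failed_login_ip`, so the lockout test must look for the bracketed
    // form: a bare substring match would let 10.0.0.1 be locked out by an
    // entry for 10.0.0.10 (and vice versa). The cast guards a NULL column.
    $ip_has_failures   = strpos((string) $failed_login_ip, "[$ip]") !== false;
    $in_lockout_window = (time() - $first_failed_login) < $lockout_time;

    //if you have more than $bad_login_limit bad login attempts from the same ip
    //inside $lockout_time, block further attempts until the window expires
    if ($failed_login_count >= $bad_login_limit && $in_lockout_window && $ip_has_failures) {
        // NOTE(review): the text below promises 10 minutes while the original
        // comment said 30; the real window is $lockout_time (defined elsewhere)
        // -- confirm the wording matches it.
        $content .= "

You are currently locked out of the system for attempting to login too many times without a correct username and password. Please wait 10 minutes, and you may attempt logging in again.

";
    }
    //////////////////////////////////////////
    //added php failed login count and time //
    //////////////////////////////////////////
    elseif (password_verify($pass, $hashed_password) && $user_id) {
        // If the password inputs matched the hashed password in the database
        //Set session variables
        //recheck all variables before saving the session
        $user_obj = new User($dbi, $user_id);
        $user_obj->update_activity("login.html", $ip, $now);
        // A successful login clears the per-account failure counters.
        $user_obj->failed_login_count = 0;
        $user_obj->failed_login_ip    = "";
        $user_obj->lockout_code       = "";
        array_push($user_obj->login_history, "$ip($today)");

        //check to make sure the account is active
        if ($user_obj->active == 1) {
            $logindate = $today;
            $logged    = 1;
            //Login confirmation message
            $content .= "

Thank you for logging in to your account $user_name.

You currently have an active account based out of the Austin market.

If you would like to edit your account details, please visit your member account area.";
            //load session functions and save all variables
            save_session($user_obj);
            //load session database variables and cookies
            save_db_cookies($keeplogged);
            //return user to current page (redirect happens after the Output label)
            $header_location = getHeaders();
        } else {
            $content .= "

Inactive Account:

Please confirm your personal information to activate your account.

You should have received an email with a link to verify your contact information. This email may have been filtered into a spam folder.

If you did not receive an email or text message, please contact us

";
        }
        $user_obj->save_user();
    } else {
        // Wrong password: advance the per-account failure counters.
        if (time() - $first_failed_login > $lockout_time) {
            // first unsuccessful login since $lockout_time on the last one expired
            $first_failed_login = time(); // commit to DB
            $failed_login_count = 1;      // commit to db
        } else {
            $failed_login_count++;        // commit to db.
        }
        $ip2 = "$ip($today)(FAILED),";
        // Bracketed so the lockout check above can match this IP exactly.
        $ip  = "[$ip]";
        $stmt = $dbi->prepare("UPDATE `members` SET `failed_login_count` = ?, `failed_login_ip` = CONCAT_WS ('', `failed_login_ip`, ?), `first_failed_login` = ?, `login_history` = CONCAT_WS ('', `login_history`, ?) WHERE `user_name` = ?");
        $stmt->bind_param('isiss', $failed_login_count, $ip, $first_failed_login, $ip2, $user_name);
        $stmt->execute();
        $stmt->close();

        // Slow down repeated guesses. The previous `< 5` / `> 5` pair skipped
        // the delay entirely when the count was exactly 5; now every failure
        // from the fifth onwards waits the longer period.
        if ($failed_login_count < 5) {
            sleep(1);
        } else {
            sleep(3);
        }
        $content .= "
The information you've entered is not correct, please try again!
".$body_login_form;
    }
}
//else, show login code and destroy session
else {
    log_out();
    $content .= $body_login_form;
}

/////////////////////////////////////////////
///  Logic is over, output results here   ///
/////////////////////////////////////////////
Output:
$content .= "
";
$_POST = array();

//if header exists go ahead and forward user
if (!empty($header_location)) {
    // NOTE(review): $header_location comes from getHeaders(), whose visible
    // tail returns $_SERVER['HTTP_REFERER'] for most referrers. The Referer
    // header is supplied by the client, so a freshly logged-in user could be
    // sent to an off-site URL (open redirect). Validate that the target's host
    // is this site, or accept only a relative path, before trusting it here.
    header("Location: $header_location");
    exit(); //the page was hanging without this exit
}

$header   = get_header();
$footer   = get_footer();
$mainpage = $header.$content.$message_div.$footer.$scripts;
echo $mainpage;
?>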