Small improvements

This commit is contained in:
Phyks 2013-08-26 09:52:04 +02:00
parent 2e2233eb81
commit 109aae4cbe
7 changed files with 68 additions and 9 deletions


@ -1,11 +1,22 @@
<?php
// Ban system from sebsauvage
// Usage :
// * Use ban_canLogin() to check wether the user CAN login or not
// * If true, test wether password is correct or not
// * If true, call ban_loginOk()
// * Else, call ban_loginFailed()
// * Else, reject auth
define('DATA_DIR', 'data'); // Data subdirectory
define('IPBANS_FILENAME', DATA_DIR.'/ipbans.php'); // File storage for failures and bans.
define('BAN_AFTER', 5); // Ban IP after this many failures.
define('BAN_DURATION', 1800); // Ban duration for IP address after login failures (in seconds) (1800 sec. = 30 minutes)
if (!is_dir(DATA_DIR)) { mkdir(DATA_DIR,0705); chmod(DATA_DIR,0705); }
if (!is_file(DATA_DIR.'/.htaccess')) { file_put_contents(DATA_DIR.'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files.
// Logging function
// ================
function logm($message)
{
$t = strval(date('Y/m/d_H:i:s')).' - '.$_SERVER["REMOTE_ADDR"].' - '.strval($message)."\n";
@ -18,7 +29,9 @@
// Several consecutive failed logins will ban the IP address for 30 minutes.
if (!is_file(IPBANS_FILENAME)) file_put_contents(IPBANS_FILENAME, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(),'BANS'=>array()),true).";\n?>");
include IPBANS_FILENAME;
// Signal a failed login. Will ban the IP if too many failures:
// ============================================================
function ban_loginFailed()
{
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@ -34,6 +47,7 @@
}
// Signals a successful login. Resets failed login counter.
// ========================================================
function ban_loginOk()
{
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@ -44,6 +58,7 @@
}
// Checks if the user CAN login. If 'true', the user can try to login.
// ===================================================================
function ban_canLogin()
{
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@ -63,6 +78,7 @@
}
// Returns user IP
// ===============
function user_ip()
{
$ip = $_SERVER["REMOTE_ADDR"];
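Review bot: The `.htaccess` written in the first hunk (`"Allow from none\nDeny from all\n"`) carries only Apache 2.2 mod_access directives; Apache 2.4 honours them solely through mod_access_compat, and other web servers never read the file, so the protection of `data/` is best-effort and should not be the only barrier. Adding the 2.4 form alongside, `<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>`, covers both Apache generations, and a short comment that `data/` should sit outside the document root (or be denied in the server configuration) would document the limit for other servers. The new `mkdir(DATA_DIR,0705)` also grants read and execute to every other account on the host; unless a specific deployment needs that, `0700` is the safer default. `logm`'s body continues past the hunk.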


@ -1,21 +1,31 @@
<?php
// Generates a token against CSRF
// ==============================
function generate_token($name = '')
{
if(session_id() == '') session_start();
if(session_id() == '')
session_start();
$token = uniqid(rand(), true);
$_SESSION[$name.'_token'] = $token;
$_SESSION[$name.'_token_time'] = time();
return $token;
}
// Checks that the anti-CSRF token is correct
// ==========================================
function check_token($time, $name = '')
{
if(session_id() == '') session_start();
if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token']))
if($_SESSION[$name.'_token'] == $_POST['token'])
if($_SESSION[$name.'_token_time'] >= (time() - $time))
if(session_id() == '')
session_start();
if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token'])) {
if($_SESSION[$name.'_token'] == $_POST['token']) {
if($_SESSION[$name.'_token_time'] >= (time() - (int) $time))
return true;
}
}
return false;
}
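Review bot: `check_token` still compares the session token with the submitted one using loose equality on the new line `if($_SESSION[$name.'_token'] == $_POST['token']) {`; PHP's `==` applies numeric-string juggling, so `===` is the right operator for an opaque token (or `hash_equals()` where the runtime provides it). The token produced in `generate_token` by `uniqid(rand(), true)` is derived from the clock and `rand()`, neither of which is unpredictable; a CSPRNG-backed source such as `bin2hex(openssl_random_pseudo_bytes(16))` yields a token that cannot be inferred from timing. The checked token is also never removed from `$_SESSION` after a successful check, so one token can be replayed until `$time` elapses; `unset($_SESSION[$name.'_token']);` before `return true;` makes it single-use if that is the intended model. Both functions lie fully inside the hunk.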


@ -1,4 +1,5 @@
<?php
// TODO : Users in
require_once('data/config.php');
require_once('Storage.class.php');
@ -14,6 +15,8 @@
'what'=>'text'
);
// Getters
// =======
public function getId() {
return $this->id;
}
@ -38,6 +41,8 @@
return $this->what;
}
// Setters
// =======
public function setId($id) {
$this->id = (int) $id;
}
@ -65,7 +70,8 @@
$this->what = $what;
}
// Load overload => TODO
// =============
public function load_invoices($fields = NULL) {
$return = array();
$invoices = $this->load($fields);
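Review bot: The comment added at the top of the file, `// TODO : Users in`, is cut off mid-sentence and does not say what remains to be done, so a reader cannot act on it. A complete line naming the pending work, e.g. `// TODO: <describe the user-related change still to be made>`, or a reference to where that intent is recorded, would be clearer. The `// Load overload => TODO` heading in the last hunk has the same problem; `load_invoices`' body continues past the hunk.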


@ -12,7 +12,8 @@ class Storage {
$this->disconnect();
}
//Connect / Disconnect functions
// Connection functions
// ====================
public function connect() {
$this->connection = new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB, MYSQL_LOGIN, MYSQL_PASSWORD);
$this->connection->query('SET NAMES utf8');
@ -22,7 +23,8 @@ class Storage {
$this->connection = null;
}
//Function to get and set vars
// Getters
// =======
public function getHost() {
return $this->host;
}
@ -39,6 +41,8 @@ class Storage {
return $this->db;
}
// Setters
// =======
public function setHost($host) {
$this->host = host;
}
@ -55,6 +59,8 @@ class Storage {
$this->db = $db;
}
// Translates types in class to SQL types
// ======================================
public function typeToSQL($type) {
$return = false;
switch($type) {
@ -86,6 +92,8 @@ class Storage {
}
}
// Load function
// =============
public function load($fields = NULL) {
$query = 'SELECT ';
$i = false;
@ -118,6 +126,8 @@ class Storage {
return $query->fetchAll();
}
// Storing function
// ================
public function save() {
if(!empty($this->id)) {
$query = 'UPDATE '.MYSQL_PREFIX.$this->TABLE_NAME.' SET ';
@ -172,6 +182,8 @@ class Storage {
$this->id = (!isset($this->id) ? $this->connection->lastInsertId() : $this->id);
}
// Delete function
// ===============
public function delete() {
$query = 'DELETE FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' WHERE ';
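Review bot: `setHost` in the third hunk assigns the bare symbol `host` instead of its parameter: `$this->host = host;` stores the literal string 'host' on PHP 5 (with an undefined-constant notice) and throws an Error on PHP 8; it should read `$this->host = $host;`. The commit only adds the `// Setters` heading above it, so the defect remains. In the `connect` hunk the PDO object is built without `PDO::ATTR_ERRMODE`, so a failure of `query('SET NAMES utf8')` on the following line passes silently; `$this->connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);` right after construction makes connection and query errors visible. Each method shown continues outside its hunk.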


@ -17,6 +17,8 @@ class User extends Storage {
parent::__construct();
}
// Getters
// =======
public function getLogin() {
return $this->login;
}
@ -33,6 +35,8 @@ class User extends Storage {
return $this->admin;
}
// Setters
// =======
public function setId($id) {
$this->id = (int) $id;
}
@ -53,6 +57,8 @@ class User extends Storage {
$this->admin = (bool) $admin;
}
// Password functions
// ==================
public function encrypt($text) {
return crypt($text, SALT);
}
@ -61,6 +67,8 @@ class User extends Storage {
return User::encrypt($password) == $this->password;
}
// Check if a user exists by login and load it
// ===========================================
public function exists() {
$user_data = $this->load(array('login'=>$this->login));
if(count($user_data) == 1) {
@ -76,6 +84,8 @@ class User extends Storage {
}
}
// Session storage
// ===============
public function sessionStore() {
return serialize(array('id'=>$this->id, 'login'=>$this->login, 'display_name'=>$this->display_name, 'password'=>$this->password, 'admin'=>$this->admin));
}
@ -93,6 +103,8 @@ class User extends Storage {
$this->setAdmin($user_data['admin']);
}
// Load overload => TODO
// =============
public function load_users($fields = NULL) {
$return = array();
$users = $this->load($fields);
@ -121,6 +133,9 @@ class User extends Storage {
}
}
// Check wether a user already exists or not
// (a user = aunique login and display_name)
// =========================================
public function isUnique() {
if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name)))) {
return true;
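Review bot: The `isUnique` condition in the last hunk tests the `display_name` lookup for truthiness instead of for zero, so a user is reported unique only when another row with the same display_name already exists; the line should read `if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name))) == 0) {`. `isUnique`'s body continues past the hunk. In the password hunk, `User::encrypt($password) == $this->password` compares hashes with loose equality, and `===` avoids PHP's numeric-string juggling on hash strings. Passing the fixed `SALT` constant to `crypt()` also means identical passwords produce identical hashes for every user, which deserves at least a comment until a per-user salt is introduced. The new header text `aunique` in the `isUnique` comment is missing a space.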


@ -1,7 +1,7 @@
<?php
require_once('inc/CSRF.inc.php');
if(file_exists('data/config.php')) exit("Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.");
if(file_exists('data/config.php')) exit('<p>Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.<br/><a href="index.php">Go to your instance</a>.</p>');
if(!function_exists("file_get_contents") && !function_exists("file_put_contents")) {
$error = "Functions <em>file_get_contents</em> and <em>file_put_contents</em> seems to not be available on your PHP installation. You should enable them first.";