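<?php
// Include server connection and the Account helper.
include dirname(__DIR__) . '/server/conn.php';
include dirname(__DIR__) . '/app.php';

use App\Account;

$user_info = new Account();
// NOTE(review): the whole ban/log scheme below is keyed on this value; if
// get_ip() honours proxy headers it is client-supplied — confirm in app.php.
$user_ip = $user_info->get_ip();

// Login writes $_SESSION and the admin toggle reads it, so make sure a
// session exists before any output. The old code only started one inside
// the login-success branch, so the admin handler could run without it.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Rate-limit policy shared by login and signup: after $maxAttempts failures
// within $windowMinutes the address is banned for $banMinutes.
$banMinutes = 60;
$windowMinutes = 10;
$maxAttempts = 5;

/**
 * Read one POST field as a trimmed string.
 *
 * A missing field or a non-string value (e.g. `name[]=`) yields '' instead
 * of a TypeError from trim().
 */
$field = static function (string $name): string {
    $value = $_POST[$name] ?? '';

    return is_string($value) ? trim($value) : '';
};

/**
 * Prepare, bind and execute one statement against $conn.
 *
 * @param string $sql       query with `?` placeholders
 * @param string $types     mysqli_stmt_bind_param type string ('' when there are no placeholders)
 * @param mixed  ...$params values bound in placeholder order
 * @return mysqli_stmt|null the executed statement (the caller closes it), or null when
 *                          preparing, binding or executing failed
 */
$run = static function (string $sql, string $types = '', ...$params) use ($conn): ?mysqli_stmt {
    $stmt = mysqli_prepare($conn, $sql);
    if ($stmt === false) {
        return null;
    }
    if ($types !== '' && !mysqli_stmt_bind_param($stmt, $types, ...$params)) {
        mysqli_stmt_close($stmt);

        return null;
    }
    if (!mysqli_stmt_execute($stmt)) {
        mysqli_stmt_close($stmt);

        return null;
    }

    return $stmt;
};

/**
 * Emit a sniffleAdd() toast for the page's JS, optionally followed by extra
 * statements (only constant snippets from this file are ever passed).
 *
 * Each argument is JSON-encoded with the HEX_* flags so user-derived text
 * (a username, for instance) cannot break out of the JS string literal or
 * the <script> element. The old code echoed $username straight into the
 * JS source.
 */
$notify = static function (string $title, string $message, string $color, string $icon, string $extraJs = ''): void {
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_INVALID_UTF8_SUBSTITUTE;
    $args = [];
    foreach ([$title, $message, $color, $icon] as $value) {
        $args[] = json_encode($value, $flags);
    }
    echo "<script>\n";
    echo 'sniffleAdd(' . implode(', ', $args) . ");\n";
    if ($extraJs !== '') {
        echo $extraJs . "\n";
    }
    echo "</script>\n";
};

/**
 * Append one audit row for the current address.
 *
 * Best-effort, like the original unchecked mysqli_query() calls: a failed
 * insert is ignored. The exact $action strings matter — $checkRateLimit
 * matches on them.
 */
$logAction = static function (string $action) use ($run, $user_ip): void {
    $stmt = $run('INSERT INTO logs (ipaddress, action) VALUES (?, ?)', 'ss', $user_ip, $action);
    if ($stmt !== null) {
        mysqli_stmt_close($stmt);
    }
};

/**
 * Decide whether the current address may attempt a login or signup.
 *
 * Looks at the newest `bans` row for the address, then at the last
 * $maxAttempts `logs` rows. Returns null when the attempt may proceed,
 * otherwise a [title, message] pair to show the user. When the recent log
 * rows hold $maxAttempts failures inside $windowMinutes a temporary ban is
 * inserted and the current request is refused as well (previously the ban
 * was recorded but that request was still processed). A database failure
 * refuses the attempt too (fail closed).
 *
 * @return array{0: string, 1: string}|null
 */
$checkRateLimit = static function () use ($run, $user_ip, $banMinutes, $windowMinutes, $maxAttempts): ?array {
    $failure = ['woops...', 'Sowwy, something went wrong on our end :c'];

    $stmt = $run('SELECT time, permanent FROM bans WHERE ipaddress = ? ORDER BY id DESC LIMIT 1', 's', $user_ip);
    if ($stmt === null) {
        return $failure;
    }
    mysqli_stmt_bind_result($stmt, $banTime, $banPermanent);
    $hasBan = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    if ($hasBan) {
        if ((int) $banPermanent !== 0) {
            return ['Bye bye!', 'You have been banned, contact the owner if you feel that this was a mistake'];
        }
        // mysqli hands `time` back as a string; an unparsable value counts as long expired.
        $bannedAt = strtotime((string) $banTime);
        $minutesSinceBan = (time() - ($bannedAt === false ? 0 : $bannedAt)) / 60;
        if ($minutesSinceBan <= $banMinutes) {
            return [
                'Slow down!',
                'You have attempted to login/signup too many times in ' . $windowMinutes
                . ' minutes. Come back in ' . round($banMinutes - $minutesSinceBan) . ' minutes',
            ];
        }
    }

    $stmt = $run('SELECT time, action FROM logs WHERE ipaddress = ? ORDER BY id DESC LIMIT ?', 'si', $user_ip, $maxAttempts);
    if ($stmt === null) {
        return $failure;
    }
    // Unknown-username failures now count too; they were logged but never
    // counted, so guessing usernames was not rate limited.
    $failureActions = [
        'Failed to enter correct Password',
        'Failed to enter correct Username',
        'Failed to enter correct Invite Code',
    ];
    $failures = 0;
    mysqli_stmt_bind_result($stmt, $logTime, $action);
    while (mysqli_stmt_fetch($stmt) === true) {
        $loggedAt = strtotime((string) $logTime);
        $ageMinutes = (time() - ($loggedAt === false ? 0 : $loggedAt)) / 60;
        if ($ageMinutes <= $windowMinutes && in_array($action, $failureActions, true)) {
            $failures++;
        }
    }
    mysqli_stmt_close($stmt);

    if ($failures < $maxAttempts) {
        return null;
    }
    $reason = 'Attempted password too many times';
    $stmt = $run('INSERT INTO bans (ipaddress, reason, length, permanent) VALUES (?, ?, ?, 0)', 'ssi', $user_ip, $reason, $banMinutes);
    if ($stmt !== null) {
        mysqli_stmt_close($stmt);
    }

    return [
        'Slow down!',
        'You have attempted to login/signup too many times in ' . $windowMinutes
        . ' minutes. Come back in ' . $banMinutes . ' minutes',
    ];
};

/*
|-------------------------------------------------------------
| Login
|-------------------------------------------------------------
| Handles the login form. Every query is a prepared statement and
| every toast goes through $notify, so neither the username nor the
| client address reaches SQL or JS unescaped.
|-------------------------------------------------------------
*/
if (isset($_POST['submit_login'])) {
    $blocked = $checkRateLimit();
    if ($blocked !== null) {
        $notify($blocked[0], $blocked[1], 'var(--red)', 'assets/icons/warning.svg');
    } else {
        // Both fields are trimmed: stored hashes were made from trimmed input at signup.
        $username = $field('username');
        $password = $field('password');
        $ok = true;
        if ($username === '') {
            $notify('Who dis?', 'You must enter a username to login!', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        }
        if ($password === '') {
            $notify('Whats the magic word?', 'Pls enter the super duper secrete word(s) to login!', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        }

        if ($ok) {
            $stmt = $run('SELECT id, username, password FROM users WHERE username = ?', 's', $username);
            if ($stmt === null) {
                $notify('woops...', 'Sowwy, something went wrong on our end :c', 'var(--red)', 'assets/icons/cross.svg');
            } else {
                mysqli_stmt_store_result($stmt);
                $found = false;
                if (mysqli_stmt_num_rows($stmt) === 1) {
                    mysqli_stmt_bind_result($stmt, $id, $storedUsername, $hashedPassword);
                    $found = mysqli_stmt_fetch($stmt) === true;
                }
                mysqli_stmt_close($stmt);

                if ($found && password_verify($password, $hashedPassword)) {
                    // Fresh session id on privilege change (fixation defence); skipped
                    // when output has already started, as the new cookie could not be sent.
                    if (!headers_sent()) {
                        session_regenerate_id(true);
                    }
                    $_SESSION['loggedin'] = true;
                    $_SESSION['id'] = $id;
                    // Use the username as stored, not as typed.
                    $_SESSION['username'] = $storedUsername;
                    $notify(
                        'O hi ' . $storedUsername,
                        'You are now logged in! You will be redirected in a few seconds',
                        'var(--green)',
                        'assets/icons/hand-waving.svg',
                        'setTimeout(function(){window.location.href = "index.php";}, 2000);'
                    );
                    $logAction('New loggin to ' . $storedUsername);
                } else {
                    // One toast for "no such user" and "wrong password" so the response
                    // does not reveal which usernames exist; the log row keeps the
                    // distinction for the admin.
                    $notify('Sus', 'Username or Password WRONG, please try again :3', 'var(--red)', 'assets/icons/cross.svg');
                    $logAction($found ? 'Failed to enter correct Password' : 'Failed to enter correct Username');
                }
            }
        }
    }
}

/*
|-------------------------------------------------------------
| Signup
|-------------------------------------------------------------
| Handles the signup form: validates username, password and invite
| code, then consumes the code, creates the account and mints a
| replacement code inside one transaction.
|-------------------------------------------------------------
*/
if (isset($_POST['submit_signup'])) {
    $blocked = $checkRateLimit();
    if ($blocked !== null) {
        $notify($blocked[0], $blocked[1], 'var(--red)', 'assets/icons/warning.svg');
    } else {
        $username = $field('username');
        $password = $field('password');
        $confirmPassword = $field('confirm_password');
        // The invite code is mandatory. It used to be validated only when the
        // field was present at all, so a POST without `token` skipped the check.
        $token = $field('token');
        $ok = true;

        // Username: non-empty, [A-Za-z0-9_] only, not already taken.
        if ($username === '') {
            $notify('Hmmm', 'You must enter a username!', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        } elseif (!preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
            $notify('Sussy Wussy', 'Very sus. Username can only contain letters, numbers, and underscores', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        } else {
            $stmt = $run('SELECT id FROM users WHERE username = ?', 's', $username);
            if ($stmt === null) {
                $notify('Reee', 'We had a problem on our end, sowwy', 'var(--red)', 'assets/icons/cross.svg');
                $ok = false;
            } else {
                mysqli_stmt_store_result($stmt);
                if (mysqli_stmt_num_rows($stmt) > 0) {
                    $notify('A clone?', 'Sorry, but username was already taken by someone else', 'var(--red)', 'assets/icons/cross.svg');
                    $ok = false;
                }
                mysqli_stmt_close($stmt);
            }
        }

        // Password: non-empty, at least 6 characters (mb_strlen counts
        // characters, not bytes), and confirmed. The mismatch check only
        // runs when nothing else failed, as before.
        if ($password === '') {
            $notify('What', 'You must enter a password, dont want just anyone seeing your stuff uwu', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        } elseif (mb_strlen($password) < 6) {
            $notify('👀', 'Nice (Password) but its not long enough 👀', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        }
        if ($confirmPassword === '') {
            $notify('Eh?', 'Confirm the password pls, its very important you remember what it issss', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        } elseif ($ok && $confirmPassword !== $password) {
            $notify('Try again', 'Passwords need to be the same, smelly smelly', 'var(--red)', 'assets/icons/cross.svg');
            $ok = false;
        }

        // Invite code: must exist and be unused. Both the empty and the unknown
        // case are logged, since the rate limiter counts that action (the old
        // code only logged the empty case).
        if ($token === '') {
            $notify('smelly', 'Enter Invite Code ;3', 'var(--red)', 'assets/icons/cross.svg');
            $logAction('Failed to enter correct Invite Code');
            $ok = false;
        } else {
            $stmt = $run('SELECT id FROM tokens WHERE code = ? AND used = 0', 's', $token);
            if ($stmt === null) {
                $notify('Woops', 'The server or website died inside and could not process your information, sowwy!', 'var(--red)', 'assets/icons/cross.svg');
                $ok = false;
            } else {
                mysqli_stmt_store_result($stmt);
                if (mysqli_stmt_num_rows($stmt) !== 1) {
                    $notify('Argh', 'Your invite code/token did not check out, woopsie!', 'var(--red)', 'assets/icons/cross.svg');
                    $logAction('Failed to enter correct Invite Code');
                    $ok = false;
                }
                mysqli_stmt_close($stmt);
            }
        }

        if ($ok) {
            // Consume the code first. The UPDATE carries `AND used = 0` and is
            // checked for exactly one affected row, so two concurrent signups
            // with the same code cannot both succeed; previously the account
            // was created before the code was marked used.
            $created = false;
            mysqli_begin_transaction($conn);
            $stmt = $run('UPDATE tokens SET used = 1 WHERE code = ? AND used = 0', 's', $token);
            $consumed = $stmt !== null && mysqli_stmt_affected_rows($stmt) === 1;
            if ($stmt !== null) {
                mysqli_stmt_close($stmt);
            }

            if ($consumed) {
                $passwordHash = password_hash($password, PASSWORD_DEFAULT);
                $stmt = $run('INSERT INTO users (username, password) VALUES (?, ?)', 'ss', $username, $passwordHash);
                if ($stmt !== null) {
                    mysqli_stmt_close($stmt);
                    $created = true;

                    // Replacement invite: 15 characters from the same alphabet as
                    // before, but drawn with random_int() instead of str_shuffle(),
                    // which is not a CSPRNG and never repeats a character.
                    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz';
                    $newToken = '';
                    for ($i = 0; $i < 15; $i++) {
                        $newToken .= $alphabet[random_int(0, strlen($alphabet) - 1)];
                    }
                    // As before, a failed insert of the new code does not undo the signup.
                    $stmt = $run('INSERT INTO tokens (code, used) VALUES (?, 0)', 's', $newToken);
                    if ($stmt !== null) {
                        mysqli_stmt_close($stmt);
                    }
                }
            }

            if ($created) {
                mysqli_commit($conn);
                $notify(
                    'Success!',
                    'You account made for ' . $username . '!!!!! You must now login',
                    'var(--green)',
                    'assets/icons/hand-waving.svg',
                    'loginShow();'
                );
                $logAction('New account (' . $username . ') has been made');
            } else {
                mysqli_rollback($conn);
                $notify('Bruh', 'Something went fuckywucky, please try later', 'var(--red)', 'assets/icons/cross.svg');
            }
        }
    }
}

/*
|-------------------------------------------------------------
| Toggle Admin
|-------------------------------------------------------------
| Flips the `admin` flag of the user whose id is posted. Only an
| admin may do this; the target id is validated as an integer and
| bound as a parameter (it used to be interpolated into the SQL).
| NOTE(review): none of these POST handlers checks a CSRF token;
| the forms live outside this file — confirm the page adds one.
|-------------------------------------------------------------
*/
if (isset($_POST['toggle_admin'])) {
    $callerId = $_SESSION['id'] ?? null;
    $targetId = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT);

    if ($callerId === null || !$user_info->is_admin($conn, $callerId)) {
        $notify('Bruh', 'You\'re not an admin, you cannot!!!!', 'var(--red)', 'assets/icons/cross.svg', 'flyoutClose();');
    } elseif ($targetId === false) {
        $notify('Bruh', 'Something went fuckywucky, please try later', 'var(--red)', 'assets/icons/cross.svg', 'flyoutClose();');
    } else {
        // Read the target's current state into its own variables; the old code
        // reused $user_info for the row and clobbered the Account object.
        $target = null;
        $stmt = $run('SELECT username, admin FROM users WHERE id = ?', 'i', $targetId);
        if ($stmt !== null) {
            mysqli_stmt_bind_result($stmt, $targetName, $targetIsAdmin);
            if (mysqli_stmt_fetch($stmt) === true) {
                $target = ['username' => (string) $targetName, 'admin' => (int) $targetIsAdmin];
            }
            mysqli_stmt_close($stmt);
        }

        if ($target === null) {
            $notify('Bruh', 'Something went fuckywucky, please try later', 'var(--red)', 'assets/icons/cross.svg', 'flyoutClose();');
        } else {
            $newStatus = $target['admin'] !== 0 ? 0 : 1;
            $updateMessage = $newStatus === 0 ? 'removed from the admins list' : 'added to the admins list';
            $stmt = $run('UPDATE users SET admin = ? WHERE id = ?', 'ii', $newStatus, $targetId);
            if ($stmt === null) {
                $notify('Bruh', 'Something went fuckywucky, please try later', 'var(--red)', 'assets/icons/cross.svg', 'flyoutClose();');
            } else {
                mysqli_stmt_close($stmt);
                $notify(
                    'Bap!',
                    $target['username'] . ' has been ' . $updateMessage . '!',
                    'var(--green)',
                    'assets/icons/check.svg',
                    'flyoutClose();'
                );
                $logAction($target['username'] . ' has been ' . $updateMessage);
            }
        }
    }
}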