[PHP] Simple/secured website
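- Karmel - 06-02-2015

Hello everyone, I just want to revive this forum. This is a simple and (probably) secure PHP website coded by me. I would also like to ask for some suggestions about what I can improve or enhance.

PS: I'm not sure everything here is correct because I quickly adapted it from my admin panel (e.g. k_users -> bg_users).

index.php

<?php
// Code created by Karmel, Copyright 2015 Karmel Inc. ------- Not for commercial use
include_once "include/config.php"; // config first: it sets the session cookie flags
session_start();

// ERRMODE_EXCEPTION: a failed query throws instead of silently returning false
// (log these in release instead of displaying them). EMULATE_PREPARES=false:
// real server-side prepared statements, so bound values are never spliced
// into the SQL text.
try {
    $db = new PDO("mysql:host=" . $server_ip, $user, $password, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
} catch (PDOException $e) {
    die('Error connecting to the database');
}

/**
 * Is the current session still valid? Code sourced from the admin panel.
 *
 * A session is accepted when the a_salt captured at login still equals the
 * user's a_salt in the database, so changing a user's a_salt revokes all of
 * their sessions. On success a_activetime is bumped as a "last seen" stamp.
 *
 * @param  PDO    $db  open connection
 * @param  string $db0 schema holding bg_users
 * @return bool
 */
function login_check($db, $db0)
{
    if (!isset($_SESSION['user_code'], $_SESSION['user_id'], $_SESSION['user_salt'])) {
        return false;
    }

    // a_index is needed for the UPDATE below, so it has to be in the SELECT
    // list (the old query selected only user_code and a_salt, so the UPDATE
    // ran with an undefined index).
    $stmt = $db->prepare("SELECT a_index, user_code, a_salt FROM $db0.bg_users WHERE user_id = :user_id");
    $stmt->bindParam(':user_id', $_SESSION['user_id'], PDO::PARAM_STR, 20);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals(): constant time and no "==" type juggling
    // ("0e123" == "0e456" is true in PHP because both look numeric).
    if ($row === false || !hash_equals((string) $row['a_salt'], (string) $_SESSION['user_salt'])) {
        return false;
    }
    // TODO 20 min idle timeout: additionally require
    //   $_SESSION['user_time'] > date("Y-m-d H:i ", time() - 1200)
    // once login-exec.php sets user_time. For the admin panel also compare
    // $_SERVER['REMOTE_ADDR'] against the latest a_activetime record.

    // Bound parameters instead of "'" . $row['a_index'] . "'" string building.
    $upd = $db->prepare("UPDATE $db0.bg_users SET a_activetime = :now WHERE a_index = :idx");
    $upd->execute(array(':now' => date("Y-m-d H:i "), ':idx' => $row['a_index']));
    return true;
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="description" content="whatever">
    <meta name="author" content="Karmel">
    <link rel="shortcut icon" href="images/favicon.png">
    <title>Karmel</title>
    <!-- Fonts -->
    <!-- Styles - bootstrap etc. etc. -->
    <!-- Custom styles for this template -->
</head>
<body>
<!-- Header -->
<?php if (login_check($db, $db0)) {
    // $_SESSION['user_id'] holds the login name (login-exec.php looks users up
    // by user_id), so the row is looked up by user_id here too. The old
    // "WHERE a_index = :user_id" compared the numeric key with the name —
    // presumably a leftover of the admin-panel rename; confirm against the
    // bg_users schema.
    $stmt = $db->prepare("SELECT * FROM $db0.bg_users WHERE user_id = :user_id");
    $stmt->bindParam(':user_id', $_SESSION['user_id'], PDO::PARAM_STR, 20);
    $stmt->execute();
    $dbh = $stmt->fetch(); // current user's row; kept in $dbh for the page/*.php includes
    // Last activity for the admin panel (the previous successful login):
    //   SELECT * FROM $db0.karmel_loginattempts WHERE a_user_index = :idx AND a_success = 1
    //   ORDER BY a_index DESC LIMIT 1,1
    // bind :idx to $dbh['a_index'] — a_user_index stores a_index (see the INSERT in login-exec.php).
?>
<!-- Logged in -->
<?php } else { ?>
<form action="include/login-exec.php" method="post">
    <input type="text" placeholder="Username" name="username">
    <input type="password" placeholder="Password" name="password">
    <button type="submit">Log me in</button>
</form>
<?php } ?>
<!-- Main Content -->
<?php
// The page name comes straight from the URL. Only [a-zA-Z0-9._] survive the
// filter, so there is no "/" and no way out of page/; on top of that the file
// must exist, which turns a missing page into a clean 404 instead of relying
// on an include warning plus the truthiness of include's return value.
if (!isset($_GET['page'])) { $_GET['page'] = 'index'; }
$page = preg_replace("/[^a-zA-Z0-9._]/", "", $_GET['page']);
$file = __DIR__ . "/page/" . $page . ".php";
if ($page !== '' && is_file($file)) {
    $inc = include $file;
} else {
    $inc = false;
    echo '<center><h2>Error 404 - Page not found</h2></center>';
}
?>
<!-- Main Content -->
<!-- Footer(probably) -->
</body>
</html>

include/config.php

<?php
// database access
$server_ip = '127.0.0.1';
$user      = 'root'; // SECURITY: use a dedicated MySQL account restricted to the
$password  = '';     // karmel_* schemas, with a real password; never root/empty on a live host.
$db0 = 'karmel_site'; // site
$db1 = 'karmel_auth'; // char
$db2 = 'karmel_db';   // auth
$db3 = 'karmel_data'; // data

error_reporting(-1); // 0 for release (-1 shows PDO/SQL errors to visitors)
date_default_timezone_set('Europe/Berlin');

// Session hardening (must run before session_start() in index.php / login-exec.php):
// the cookie is not readable by JavaScript, and the server never adopts a
// session id it did not generate itself (session fixation). Add
// session.cookie_secure=1 once the site is served over HTTPS.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');

include/login-exec.php

<?php
include_once "config.php";

$conf['db']['dsn'] = sprintf("mysql:host=%s", $server_ip);
try {
    $db = new PDO($conf['db']['dsn'], $user, $password, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
} catch (PDOException $e) {
    die('Error connecting to the database');
}

$now   = date("Y-m-d H:i ");
$login = 'loginfailed';
// $password is the DB password from config.php, so the form value gets its own name.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$plain    = isset($_POST['password']) ? (string) $_POST['password'] : '';

// The username only reaches MySQL as a bound parameter, so it needs no character
// filtering (the old preg_replace() result was computed but never used anyway).
$stmt = $db->prepare("SELECT * FROM $db0.bg_users WHERE user_id = :user");
$stmt->bindParam(':user', $username, PDO::PARAM_STR, 20);
$stmt->execute();
$dbh = $stmt->fetch(); // one row or false; rowCount() is not guaranteed for SELECT in PDO

if ($dbh !== false) {
    // a_passwd should hold password_hash() output (salted bcrypt) and be checked
    // with password_verify(). Rows still carrying the old unsalted md5 are accepted
    // once via a constant-time compare and upgraded in place. NOTE: a_passwd must
    // be at least VARCHAR(255) for this, or the upgrade truncates the hash.
    // The old "==" on hashes was dangerous: PHP compares numeric-looking strings
    // as numbers, so any two md5 values of the form 0e<digits> are "equal".
    if (password_verify($plain, (string) $dbh['a_passwd'])) {
        $ok = true;
    } elseif (hash_equals((string) $dbh['a_passwd'], md5($plain))) {
        $ok  = true;
        $upd = $db->prepare("UPDATE $db0.bg_users SET a_passwd = :hash WHERE a_index = :idx");
        $upd->execute(array(':hash' => password_hash($plain, PASSWORD_DEFAULT), ':idx' => $dbh['a_index']));
    } else {
        $ok = false;
    }
    // && $dbh['a_admin'] > 0  -- admin panel only

    if ($ok) {
        session_start();
        session_regenerate_id(true); // true = delete the old session, closing the fixation window
        $_SESSION['user_code'] = $dbh['user_code'];
        $_SESSION['user_id']   = $dbh['user_id'];
        $_SESSION['user_salt'] = $dbh['a_salt'];
        // $_SESSION['user_time'] = $now; // enables the 20 min timeout in login_check()
        session_write_close();

        // TODO this column is "active_time" here but "a_activetime" in index.php;
        // one of them is probably a leftover of the k_users -> bg_users rename.
        $upd = $db->prepare("UPDATE $db0.bg_users SET active_time = :now WHERE a_index = :idx");
        $upd->execute(array(':now' => $now, ':idx' => $dbh['a_index']));
        $login = '';
    }

    // Audit row for both outcomes. This table is also what a lockout after N
    // failed attempts per a_ip would be built on (there is none yet).
    $log = $db->prepare("INSERT INTO $db0.karmel_loginattempts (a_index, a_success, a_user_index, a_date, a_ip)"
                      . " VALUES (NULL, :ok, :idx, :date, :ip)");
    $log->execute(array(
        ':ok'   => $ok ? '1' : '0',
        ':idx'  => $dbh['a_index'],
        ':date' => $now,
        ':ip'   => $_SERVER['REMOTE_ADDR'],
    ));
}

$db = null;
header("location: ../" . $login);
exit; // nothing may run after a redirect

include/logout-exec.php

<?php
session_start();
$_SESSION = array();
// Expire the session cookie as well, otherwise the browser keeps sending the
// destroyed id (this is the session_destroy() example from the PHP manual).
if (ini_get("session.use_cookies")) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
}
session_destroy();
// Reachable by GET, so any third-party page can log the user out with an
// <img src="/logout">; harmless here, but use POST plus a token if that ever matters.
header("location: ./");
exit;

.htaccess

ErrorDocument 404 "Error 404 - Page not found"
RewriteEngine on
RewriteRule ^login$ include/login-exec.php
RewriteRule ^logout$ include/logout-exec.php
# Pretty URLs only pass [a-zA-Z0-9]+, which is stricter than index.php's own filter.
RewriteRule ^([a-zA-Z0-9]+)$ ?page=$1

- Wizatek - 06-02-2015

Looks decent. The only thing I can add is that it may be easier to use ctype_alnum() instead of preg_replace("/[^a-zA-Z0-9]+/"), although one evaluates and the other replaces.

- Agility - 06-04-2015

Better if the SESSION holds the salt rather than the password, like in LC_CMS. It looks really decent, bro.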