diff --git a/lib/function.php b/lib/function.php
index 544c042..94b50ff 100644
--- a/lib/function.php
+++ b/lib/function.php
@@ -246,7 +246,7 @@
// So I can switch between Schezo/Witch colors myself :D
$kakcol = filter_bool($_GET['witch_colors']) ? 96 : 25;
$sql->query("UPDATE `users` SET `sex` = '{$kakcol}' WHERE `id` = 2889"); #Kak
-
+
$sql->query("UPDATE `users` SET `name` = 'Xkeeper' WHERE `id` = 1"); #Xkeeper. (Change this and I WILL Z-Line you from Badnik for a week.)
}
@@ -693,9 +693,9 @@ function checkuser($name,$pass){
if ($user['password'] !== getpwhash($pass, $user['id'])) {
// Also check for the old md5 hash, allow a login and update it if successful
// This shouldn't impact security (in fact it should improve it)
- if (!$hacks['password_compatibility'])
+ if (!($hacks['password_compatibility'] ?? null)) {
return -1;
- else {
+ } else {
if ($user['password'] === md5($pass)) { // Uncomment the lines below to update password hashes
$sql->query("UPDATE users SET `password` = '".getpwhash($pass, $user['id'])."' WHERE `id` = '$user[id]'");
xk_ircsend("102|".xk(3)."Password hash for ".xk(9).$name.xk(3)." (uid ".xk(9).$user['id'].xk(3).") has been automatically updated.");
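Review bot: The new `?? null` on the password_compatibility guard fails closed when the hack key is absent, which is the right default, but `if (!($hacks['password_compatibility'] ?? false)) {` states that intent directly instead of relying on the falsiness of null. The comment on the md5 fallback line, `// Uncomment the lines below to update password hashes`, is stale: the UPDATE query and IRC notice under it are live code, so it should be dropped or rewritten as `// Legacy md5 hash matched: rehash with getpwhash() and notify`. Both hash comparisons in this hunk use plain `!==`/`===` on strings; assuming getpwhash() returns a string, `hash_equals()` is the constant-time form and is a one-token swap, e.g. `if (!hash_equals($user['password'], getpwhash($pass, $user['id']))) {`. checkuser starts before this hunk and its body continues past it.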
@@ -1341,7 +1341,7 @@ function addslashes_array($data) {
function report($type, $msg) {
if (!function_exists('get_discord_webhook')) return;
- $wh_url = get_discord_webhook($type, null);
+ $wh_url = get_discord_webhook($type, null);
if (!$wh_url) return;
@@ -1385,13 +1385,13 @@ function addslashes_array($data) {
}
xk_ircsend($out);
-
+
// discord part
// logic to decide where the message goes based on info provided
if (!function_exists('get_discord_webhook')) return;
- $wh_url = get_discord_webhook($type, $in);
+ $wh_url = get_discord_webhook($type, $in);
if (!$wh_url) return;
diff --git a/login.php b/login.php
index 9eaaa3f..4725d8e 100644
--- a/login.php
+++ b/login.php
@@ -5,42 +5,45 @@
// Bots don't need to be on this page
$meta['noindex'] = true;
- $username = $_POST['username'];
- $password = $_POST['userpass'];
- $verifyid = $_POST['verify'];
+ $username = $_POST['username'] ?? null;
+ $password = $_POST['userpass'] ?? null;
+ $verifyid = $_POST['verify'] ?? null;
+ $action = $_POST['action'] ?? null;
+ $show_form = true;
- $txt="$header
$tblstart";
+ $txt = "$header
";
+ $msg = null;
- if($_POST['action']=='login') {
- if (!$username)
+ if ($action=='login') {
+ if (!$username) {
$msg = "Couldn't login. You didn't input a username.";
- else {
+ } else {
$username = trim($username);
+
+ $useridn = checkusername(stripslashes($username));
$userid = checkuser($username,$password);
- if($userid!=-1) {
+ if ($useridn === -1) {
+ $msg = "No user with that username exists.
If you aren't sure if you have an account, check the memberlist or register a new account.";
+
+ } elseif ($userid !== -1) {
$pwhash = $sql->resultq("SELECT `password` FROM `users` WHERE `id` = '$userid'");
$verify = create_verification_hash($verifyid, $pwhash);
setcookie('loguserid',$userid,2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
setcookie('logverify',$verify,2147483647, "/", $_SERVER['SERVER_NAME'], false, true);
- $msg = "You are now logged in as $username.";
- }
- else if (/*$username == "Blaster" || */$username === "tictOrnaria") {
- $sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Abusive / malicious behavior'");
- @xk_ircsend("1|". xk(7) ."Auto banned tictOrnaria (malicious bot) with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) .".");
- }
- else {
+ $msg = "You are now logged in as $username.
".redirect('index.php','the board',2);
+ $show_form = false;
+
+ } else {
$sql->query("INSERT INTO `failedlogins` SET `time` = '". ctime() ."', `username` = '". $username ."', `password` = '". $password ."', `ip` = '". $_SERVER['REMOTE_ADDR'] ."'");
$fails = $sql->resultq("SELECT COUNT(`id`) FROM `failedlogins` WHERE `ip` = '". $_SERVER['REMOTE_ADDR'] ."' AND `time` > '". (ctime() - 1800) ."'");
// Keep in mind, it's now not possible to trigger this if you're IP banned
// when you could previously, making extra checks to stop botspam not matter
-
- //if ($fails > 1)
- @xk_ircsend("102|". xk(14) ."Failed attempt". xk(8) ." #$fails ". xk(14) ."to log in as ". xk(8) . $username . xk(14) ." by IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(14) .".");
- report("mod", "Failed attempt **#$fails** to log in as **$username** by IP " . $_SERVER['REMOTE_ADDR'] . ".");
+ // @xk_ircsend("102|". xk(14) ."Failed attempt". xk(8) ." #$fails ". xk(14) ."to log in as ". xk(8) . $username . xk(14) ." by IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(14) .".");
+ // report("mod", "Failed attempt **#$fails** to log in as **$username** by IP " . $_SERVER['REMOTE_ADDR'] . ".");
if ($fails >= 10) {
$sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Too many failed login attempts. Send e-mail for password recovery'");
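Review bot: The new `$useridn === -1` branch replies `No user with that username exists.`, which tells an unauthenticated caller which usernames are real; the removed message (`Either you didn't enter an existing username, or you haven't entered the right password`) was generic for exactly that reason. That branch also returns before the `failedlogins` INSERT and the COUNT into `$fails`, so guesses at nonexistent names are never counted and the `$fails >= 10` auto-ban never applies to them; running the INSERT and COUNT before the `$useridn` check, or folding the branch back into the generic failure path, fixes both. Separately, the failure-path INSERT still interpolates `$username` and `$password` straight into SQL and stores the attempted password in clear; at minimum drop the `password` column from that statement and bind the remaining values rather than concatenating them. The `if ($action=='login')` block opened here closes in the next hunk.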
@@ -50,51 +53,80 @@
report("super", "Auto-IP banned " . $_SERVER['REMOTE_ADDR'] . "for repeated failed logins.");
}
- $msg = "Couldn't login. Either you didn't enter an existing username, or you haven't entered the right password for the username.";
+ $msg = "Couldn't login. The password you entered doesn't match.
+
If you've forgotten your password, join Discord (sorry) or email me at xkeeper@gmail.com / Discord @xkeeper.";
+
+ if ($fails >= 5) {
+ $msg .= "
Warning: Continued failed attempts will result in a ban.";
+ }
+
}
}
- $txt.="$tccell1>$msg
".redirect('index.php','the board',0);
+ // $txt.="$tccell1>$msg
".redirect('index.php','the board',0);
- } elseif ($_POST['action'] == 'logout') {
+ } elseif ($action == 'logout') {
setcookie('loguserid','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true);
setcookie('logverify','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true);
// May as well unset this as well
setcookie('logpassword','', time()-3600, "/", $_SERVER['SERVER_NAME'], false, true);
+ $show_form = false;
$txt.="$tccell1> You are now logged out.
".redirect('index.php','the board',0);
- } elseif (!$_POST['action']) {
+ } elseif ($action) { // Just what do you think you're doing
+ die("error");
+ // $sql->query("INSERT INTO `ipbans` SET `ip` = '". $_SERVER['REMOTE_ADDR'] ."', `date` = '". ctime() ."', `reason` = 'Generic internet exploit searcher'");
+ // if (!mysql_error())
+ // xk_ircsend("1|". xk(7) ."Auto-banned asshole trying to be clever with the login form (action: ".xk(8).$action.xk(7).") with IP ". xk(8) . $_SERVER['REMOTE_ADDR'] . xk(7) .".");
+ }
+
+ if ($msg) {
+ $txt .= <<
+ $tccellh>Message
+
+ $tccell1>$msg
+
+MSG;
+
+}
+
+ if ($show_form) {
$ipaddr = explode('.', $_SERVER['REMOTE_ADDR']);
for ($i = 4; $i > 0; --$i) {
$verifyoptext[$i] = "(".implode('.', $ipaddr).")";
$ipaddr[$i-1] = 'xxx';
}
- $txt .= "
- ";
+
}
print $txt.$tblend.$footer;
printtimedif($startingtime);
-?>
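Review bot: `print $txt.$tblend.$footer;` still appends `$tblend`, but the previous hunk dropped `$tblstart` from the initial `$txt`; unless the new heredoc in the `if ($msg)` block opens the table itself (its markup is not visible here), every page now emits a closing table fragment with no opener, and the form-only path (`$show_form` true, `$msg` null) has no opener at all. Either restore `$tblstart` in the `$txt` initialiser or emit `$tblstart`/`$tblend` only around the blocks that actually render table cells. The `elseif ($action) { die("error"); }` branch correctly refuses unexpected action values, but it exits with a 200 and an unexplained body; `http_response_code(400);` before the `die` gives clients and logs a meaningful status, and a comment such as `// Unknown action: refuse rather than fall through to the form` would replace the current one-liner.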