General PHP question #2 About securing page

Hi, so I’m just wondering. Since I have an actual PHP login script, I’ve been thinking hard and clearly, because I have a demo admin account just to test things out. I was thinking: if someone actually does break in and figures out the admin password, what should I do?

So I’ve thought clearly that I should make another page that requires another authentication, but this time the authentication is from an array of codes. If the user doesn’t input the correct code, then they get logged off from the account they are trying to use. Remember, this authentication page will only show up on the admin account.

I was also thinking that I should save their IP address and, if it doesn’t exist in the database, show this page. If it does, then check if they’ve entered the code; if not, then show them the authentication page. If they fail to submit a correct code, they get logged off.

What do you think of this as a safeguard for admin accounts? Will this soften the blow from brute force attacks?

Here is the code I’ve tested.

<?php
// The session must be started before $_SESSION is read below.
session_start();

// Checking whether the request came in over HTTP or HTTPS.
// $_SERVER["SERVER_PORT"] and $_SERVER["HTTPS"] are strings, so compare them as strings
// (the original compared the port against "" and HTTPS against the integer 1, which never matched).
$pv_sslport = "443";
$pv_URIprotocol = "http://";
if ((isset($_SERVER["HTTPS"]) && ($_SERVER["HTTPS"] === "on" || $_SERVER["HTTPS"] === "1"))
	|| (isset($_SERVER["SERVER_PORT"]) && $_SERVER["SERVER_PORT"] === $pv_sslport)) {
	$pv_URIprotocol = "https://";
}

// Database configuration
define("MYSQLI_HOST", "localhost");
define("MYSQLI_USERNAME", "username");
define("MYSQLI_PASSWORD", "password");
define("MYSQLI_DATABASE", "database");

// Website configuration
define("LINK", $pv_URIprotocol . "localhost/");

// Check user level to see if they are admin, if they are. Show them this.
if(isset($_SESSION['username']) AND ($_SESSION['level'] == "99" OR $_SESSION['level'] == "20")) {

	// Connect to database; stop here on failure instead of continuing with a dead handle.
	$mysqli = new mysqli(MYSQLI_HOST, MYSQLI_USERNAME, MYSQLI_PASSWORD, MYSQLI_DATABASE);
	if($mysqli->connect_errno) {
		echo "Error, failed to connect to MySQL database. Please fix.";
		exit;
	}

	// Current IP address and logged-in username. They are bound as parameters below,
	// so no manual escaping is needed (escaping into an interpolated string is not a prepared statement).
	$rip = $_SERVER['REMOTE_ADDR'];
	$username = $_SESSION['username'];

	// Prepared statement with placeholders: the values never become part of the SQL text.
	$verify_stmt = $mysqli->prepare("SELECT id, username, ip, code, timestamp FROM admin_accounts WHERE username = ? AND ip = ?");
	$verify_stmt->bind_param("ss", $username, $rip);

	// Execute statement and buffer the result so num_rows is available
	$verify_stmt->execute();
	$verify_stmt->store_result();

	// Check to see if exist in database.
	if($verify_stmt->num_rows) {

		// Your IP Address and username already exists in the database. Don't show anything.

	} else {

		// Redirect to the verify page unless the user is already on it.
		if($pv_URIprotocol . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] != LINK . "?verify") {

			// You haven't verified the code yet. Stop the script after sending the
			// redirect, otherwise the rest of the page is still generated and sent.
			header("Location: " . LINK . "?verify");
			exit;

		}

	}

}

// Yes, this perimeter equals the actual verify page.
// Like this http://localhost/?verify
// Now let's start doing something.
if($pv_URIprotocol . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] == LINK . "?verify") {

	// Let's check the user level again just to make sure they are admin.
	if(isset($_SESSION['username']) AND ($_SESSION['level'] == "99" OR $_SESSION['level'] == "20")) {

		// Connect to database; stop here on failure instead of continuing with a dead handle.
		$mysqli = new mysqli(MYSQLI_HOST, MYSQLI_USERNAME, MYSQLI_PASSWORD, MYSQLI_DATABASE);
		if($mysqli->connect_errno) {
			echo "Error, failed to connect to MySQL database. Please fix.";
			exit;
		}

		// Current IP address and logged-in username, bound as parameters below.
		$rip = $_SERVER['REMOTE_ADDR'];
		$username = $_SESSION['username'];

		// Prepared statement with placeholders
		$verify2_stmt = $mysqli->prepare("SELECT id, username, ip, code, timestamp FROM admin_accounts WHERE username = ? AND ip = ?");
		$verify2_stmt->bind_param("ss", $username, $rip);

		// Execute statement and buffer the result so num_rows is available
		$verify2_stmt->execute();
		$verify2_stmt->store_result();

		// Check to see if exist in database.
		if($verify2_stmt->num_rows) {

			// Already verified from this IP: redirect back to the home page and stop.
			// Keep in mind, this is for users who are already at http://localhost/?verify
			// and whose credentials already exist in the database.
			header("Location: " . LINK );
			exit;

		}

		// Check to see if user has submitted anything
		if($_SERVER['REQUEST_METHOD'] == "POST") {

			// Check that the field was actually sent and is not empty (reading a missing key is a notice).
			if(!isset($_POST['fmzls']) || trim($_POST['fmzls']) === "") {

				// Output error since they clicked the submit button, but didn't type anything in the field.
				echo "Please type in something.";

			} else {

				// $mysqli from the enclosing block is still connected; reuse it rather than reconnecting.

				// Current IP address and logged-in username, bound as parameters below.
				$rip = $_SERVER['REMOTE_ADDR'];
				$username = $_SESSION['username'];

				// Prepared statement with placeholders
				$verify2_stmt = $mysqli->prepare("SELECT id, username, ip, code, timestamp FROM admin_accounts WHERE username = ? AND ip = ?");
				$verify2_stmt->bind_param("ss", $username, $rip);

				// Execute statement and buffer the result so num_rows is available
				$verify2_stmt->execute();
				$verify2_stmt->store_result();

				// Check to see if exist in database.
				if($verify2_stmt->num_rows) {

					// Again, checking whether the row exists. Since it already exists, redirect and stop.
					header("Location: " . LINK );
					exit;

				} else {

					// $mysqli from the enclosing block is still connected; reuse it rather than reconnecting.

					// These are the correct codes that will allow admin accounts to bypass this restriction
					$array = array('8ball', 'facebook', 'google');

					// The submitted code is bound as a parameter where it is stored, so it is not escaped here.
					$user_post = $_POST['fmzls'];

					// Exact, case-sensitive comparison against the list. The original used preg_grep,
					// which treated the input as a regular expression: a single letter contained in any
					// code, or a pattern such as ".*", counted as a correct code.
					if(in_array($user_post, $array, true)) {

						// $mysqli from the enclosing block is still connected; reuse it rather than reconnecting.

						// Current IP address, timestamp and logged-in username, bound as parameters below.
						$rip = $_SERVER['REMOTE_ADDR'];
						$timestamp = time();
						$usm = $_SESSION['username'];

						// Prepared statement with placeholders. The original interpolated an undefined
						// variable ($p) for the code; the accepted code is $user_post.
						$INSERT_VERIFIED = $mysqli->prepare("INSERT INTO admin_accounts (username, ip, code, timestamp) VALUES (?, ?, ?, ?)");
						$INSERT_VERIFIED->bind_param("sssi", $usm, $rip, $user_post, $timestamp);

						// Execute statement
						$INSERT_VERIFIED->execute();

						// Yes!!! Finally we have correctly typed in the right code.
						// Now redirecting to the home page; the verify page will not show up again for this IP.
						header("Location: " . LINK );
						exit;

					} else {

						// Sorry, but you typed in the incorrect code.
						// This indicates a security breach. Time to log you out.
						// If you truly are an admin. You should of known the code.

						// $mysqli from the enclosing block is still connected; reuse it rather than reconnecting.

						// Current IP address, bound as a parameter below.
						$rip = $_SERVER['REMOTE_ADDR'];

						// Update failed attempt based on IP Address.
						// The current IP Address will be locked for about 30 minutes.
						// 5 indicates a bad response, either due to too many login attempts
						// or, in this case, a failed attempt to log in with an admin account.
						$UPDATE_IP = $mysqli->prepare("UPDATE failed_attempt SET number_of_attempts = '5' WHERE ip = ?");
						$UPDATE_IP->bind_param("s", $rip);

						// Execute statement
						$UPDATE_IP->execute();

						// Redirecting to logout page and stopping the script
						header("Location: " . LINK . "logout.php");
						exit;

					}

				}

			}

		}

	}

}
?>

It works great. I just want to know if it’ll soften the blow from brute force attacks. I mean, all I’m really doing here is checking if the user level is indeed an admin user level. If it is, then I check to see if it exists in the database; if it does, then redirect back to the index page if the user is already on the verify page. If not and they are on the index page, then don’t do anything. And then on the verify page, if the user fails to input the correct code, they are logged out and their IP address is locked for 30 minutes. (*NOTE: The 30-minute lock isn’t in this code, but it does exist. I just wanted to add this in because it too will stop users from multi-logging in and it will soften the amount of excessive login requests.)

As you can see, there is a lot of redirecting involved, but I think it’s necessary to ensure each step of the code is working properly.
I’d like to get input on whether this is a safe approach or a bad one.
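For comparison, here is an added example of the same second step written the way it would be assessed against the brute-force question in the post. It is editor-supplied code, not the poster's script. It assumes PDO with an in-memory SQLite database as a stand-in for the post's MySQL tables (so it runs offline), hypothetical table names `admin_codes` and `verify_attempts`, and a lockout threshold of three failures; the codes and the 30-minute window are the ones the post uses. It differs from the posted design in four places that matter for brute force: the codes are stored as password hashes rather than a plaintext array, the comparison is an exact `password_verify` rather than a regex match, failures are counted per account so guesses spread over many IP addresses still add up, and the lock expires on its own instead of being a single permanent "5" written on the first mistake.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the post's MySQL tables: an in-memory SQLite database
// through PDO, so the example runs without a server. Table names are hypothetical.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE admin_codes (code_hash TEXT NOT NULL)");
$db->exec("CREATE TABLE verify_attempts (
	username     TEXT PRIMARY KEY,
	failures     INTEGER NOT NULL,
	locked_until INTEGER NOT NULL)");

// The post's three codes, stored only as hashes so a database leak does not
// hand over the bypass list.
$seed = $db->prepare("INSERT INTO admin_codes (code_hash) VALUES (?)");
foreach (['8ball', 'facebook', 'google'] as $code) {
	$seed->execute([password_hash($code, PASSWORD_DEFAULT)]);
}

const MAX_FAILURES = 3;     // assumption: lock the account after three wrong codes
const LOCK_SECONDS = 1800;  // the post's 30-minute window

/**
 * Second-step check for an already logged-in admin session.
 * Returns 'ok', 'locked' or 'wrong'. The failure counter is keyed by account,
 * not by IP address, so it also covers attempts spread across many addresses.
 */
function verify_admin_code(PDO $db, string $username, string $submitted, int $now): string
{
	$stmt = $db->prepare("SELECT failures, locked_until FROM verify_attempts WHERE username = ?");
	$stmt->execute([$username]);
	$row = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['failures' => 0, 'locked_until' => 0];

	if ((int)$row['locked_until'] > $now) {
		return 'locked';   // refuse before comparing anything
	}

	// Check every stored hash and keep going after a match, so the time taken
	// does not depend on which entry (if any) matched.
	$matched = false;
	foreach ($db->query("SELECT code_hash FROM admin_codes")->fetchAll(PDO::FETCH_COLUMN) as $hash) {
		if (password_verify($submitted, $hash)) {
			$matched = true;
		}
	}

	if ($matched) {
		$db->prepare("DELETE FROM verify_attempts WHERE username = ?")->execute([$username]);
		return 'ok';
	}

	$failures    = (int)$row['failures'] + 1;
	$lockedUntil = $failures >= MAX_FAILURES ? $now + LOCK_SECONDS : 0;
	// SQLite upsert syntax; MySQL would use INSERT ... ON DUPLICATE KEY UPDATE.
	$db->prepare("INSERT OR REPLACE INTO verify_attempts (username, failures, locked_until) VALUES (?, ?, ?)")
	   ->execute([$username, $failures, $lockedUntil]);
	return 'wrong';
}

// Walk through the states with constructed guesses: a single letter and a regex
// pattern (both of which preg_grep accepted), a wrong-case code, then the real one.
$now = time();
foreach (['o', '.*', 'GOOGLE', 'google'] as $guess) {
	printf("%-8s => %s\n", $guess, verify_admin_code($db, 'admin', $guess, $now));
}
// Once LOCK_SECONDS have passed, the correct code is accepted again.
printf("%-8s => %s\n", 'google', verify_admin_code($db, 'admin', 'google', $now + LOCK_SECONDS + 1));
```

In the page flow, the caller would set a session flag such as `$_SESSION['admin_verified'] = true` on `'ok'` and send the user to logout on `'wrong'` or `'locked'`; keeping the verified state in the session rather than in an IP-keyed table avoids both the shared-NAT case (one verification unlocks everyone behind the same address) and the changing-address case (a legitimate admin is re-challenged on every new network).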