php - how to create prepared mysqli statements and add password_hash -
i tried migrating way errors came out went crazy instant.
how can create mysqli prepared statements , add password_hash create secure access system.
to system have added show captcha first failed attempt registered in database.
this not enough improve safety.
my code:
<?php session_start(); $message=""; $captcha = true; $con = @new mysqli('localhost', 'root', '', 'system'); if(count($_post)>0 && isset($_post["vcode"]) && $_post["vcode"]!=$_session["vcode"]) { $captcha = false; $message = "written characters not match verification word. try again."; } $ip = $_server['remote_addr']; //we block ip 1 day $result = mysqli_query($con,"select * failed_login ip='$ip' , date between date_sub( now() , interval 1 day ) , now()"); $row = mysqli_fetch_assoc($result); //we data buy attempts , reset attempts last date. $failed_login_attempt = mysqli_real_escape_string($con,$row['attempts']); mysqli_free_result($result); if(count($_post)>0 && $captcha == true) { $username = mysqli_real_escape_string($con, $_post["username"]); $password = mysqli_real_escape_string($con, $_post["password"]); $username = htmlentities($username); $password = htmlentities($password); $save_passw = sha1($password); $sql = "select * users username='$username' , password='$save_passw' , active='1' "; $query = mysqli_query($con, $sql); $rowu = mysqli_fetch_assoc($query); $usernamadb = mysqli_real_escape_string($con, $rowu["username"]); $passworddb = mysqli_real_escape_string($con, $rowu["password"]); if($failed_login_attempt <1) { //if first failed attempt, include first record in bd $con->query("insert failed_login (ip,attempts,date) values ('$ip', 1, now())"); } else { if($failed_login_attempt <2){ //in case of being in db, extracted value , added +1 $contador = $row['attempts'] + 1; $con->query("update failed_login set attempts='$contador', date=now() ip = '$ip'"); } } if (empty($_post) === false) { $username = $_post['username']; $password = $_post['password']; if (empty($username) === true || empty($password) === true) { $message = "you need enter username , password"; } elseif ($username != $usernamadb) { $message = "the 'user' entered not match. "; } elseif ($save_passw != $passworddb) { $message = "your 'password' entered not match. "; } elseif($save_passw == $passworddb && $username == $usernamadb) { $_session["id_user"] = 1; //$con->query("delete login_attempts ip = '$ip'"); } } } if(isset($_session["id_user"])) { header("location:http://localhost/index.php"); } ?> <?php include 'themes/template/header.php'; ?> <div id="login" class="center"> <div class="container"> <div class="access"> <h2>enter here.</h2> <h1><?php if($message!="") { echo $message; } ?></h1> <form name="frmuser" action="#" method="post"> <input class="form-one" type="text" name="username" placeholder="username"> <input class="form-one" type="password" name="password" placeholder="password"> <?php if (isset($failed_login_attempt) && $failed_login_attempt >= 1) { ?> <br><img src="image.php" id="phoca-captcha"/> <input name="vcode" type="text" placeholder="codigo captcha"> <?php } ?> <ul class="recovery"> <li> <input class="checkbox-one" type="checkbox" id="brand1" value=""> <label for="brand1"><span></span>recordarme</label> <a href="#" class="transitioneffects">¿olvidó su contraseña?</a> </li> </ul> <div class="wrapper"> <input class="btnaccess" type="submit" id="button-login" value="log in"> <p class="matopforty letter-spacing-one">register new account<span>→</span> <a class="registeraa" href="#"> ¡free registration!</a></p> <div class="clear"></div> </div> </form> </div> </div> </div>
Comments
Post a Comment