login_check() - Code Metrics - atari-legend/legacy - Measure and Improve Code Quality continuously with Scrutinizer

login_check() B
last analyzed 2024-03-07 17:20 UTC

↳ Parent: Project

Complexity

Conditions	11
Paths	11

Size

Total Lines	85
Code Lines	48

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	11
eloc	48
nc	11
nop	1
dl	0
loc	85
rs	7.3166
c	0
b	0
f	0

How to fix Long Method Complexity

<?php
/*******************************************************************************
 *                                user_functions.php
 *                            -----------------------
 *   begin                : 2015-04-28
 *   copyright            : (C) 2015 Atari Legend
 *   email                : [email protected]
 *
 *   Id: user_functions.php,v 0.10 2015-04-28
 *
 ********************************************************************************

 *********************************************************************************
 * User management functions
 *********************************************************************************/

function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure       = true;
    // This stops JavaScript being able to access the session id.
    $httponly     = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === false) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly
    );
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(true); // regenerated the session, delete the old one.
}

function md5_test($userid, $md5_password, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT user_id, userid, password
        FROM users
       WHERE userid = ? AND sha512_password IS NULL AND password IS NOT NULL
        LIMIT 1")) {
        $stmt->bind_param('s', $userid); // Bind "$userid" to parameter.
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();

        // get variables from result.
        $stmt->bind_result($user_id, $userid, $db_md5_password);

        $stmt->fetch();

        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts

            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                // Send an email to user saying their account is locked
                return false;
            } else {
                // Check if the password in the database matches
                // the password the user submitted.
                if ($db_md5_password == $md5_password) {
                    // Password is correct!
                    // Insert the new user into the database
                    // Create a random salt
                    $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

                    // Create salted password
                    $update_password = hash('sha512', $password . $random_salt);

                    if ($update_stmt = $mysqli->prepare("UPDATE users
                        SET password=NULL, sha512_password=?, salt=?WHERE user_id=?")) {
                        $update_stmt->bind_param('sss', $update_password, $random_salt, $user_id);
                        // Execute the prepared query.
                        if (!$update_stmt->execute()) {
                            header('Location: ../error.php?err=md5 failure: UPDATE');
                        }
                    }
                    // Login successful.
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    $now = time();
                    $mysqli->query("INSERT INTO users_login_attempts(user_id, time)
                                    VALUES ('$user_id', '$now')");
                    return false;
                }
            }
        } else {
            // No user exists.
            return false;
        }
    }
}

function login($userid, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT user_id, userid, sha512_password, salt, permission, avatar_ext, inactive
        FROM users
       WHERE userid = ?
        LIMIT 1")) {
        $stmt->bind_param('s', $userid); // Bind "$userid" to parameter.
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();

        // get variables from result.
        $stmt->bind_result($user_id, $userid, $db_password, $salt, $permission, $avatar_ext, $inactive);

        $stmt->fetch();
        // hash the password with the unique salt.
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts
            //if (checkbrute($user_id, $mysqli) == true) {
            //    // Account is locked
            //    $_SESSION['edit_message'] = "Your account is locked because of too many failed attempts";
            //    header("Location: ../../main/front/front.php");
            //} else {
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_password == $password and $inactive == 0) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser             = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $user_id                  = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id']      = $user_id;
                // XSS protection as we might print this value
                $userid                   = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $userid);
                $_SESSION['userid']       = $userid;
                $_SESSION['permission']   = $permission;
                $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                $_SESSION['image']        = $avatar_ext;
                // Login successful.
                return true;
            } else {
                // Password is not correct
                // We record this attempt in the database
                $now = time();
                $mysqli->query("INSERT INTO users_login_attempts(user_id, time)
                                    VALUES ('$user_id', '$now')");
                return false;
            }
            // }
        } else {
            // No user exists.
            return false;
        }
    }
}

function checkbrute($user_id, $mysqli) {
    // Get timestamp of current time
    $now = time();

    // All login attempts are counted from the past 2 hours.
    $valid_attempts = $now - (2 * 60 * 60);

    if ($stmt = $mysqli->prepare("SELECT time
                             FROM users_login_attempts
                             WHERE user_id = ?
                            AND time > '$valid_attempts'")) {
        $stmt->bind_param('i', $user_id);

        // Execute the prepared query.
        $stmt->execute();
        $stmt->store_result();

        // If there have been more than 5 failed logins
        if ($stmt->num_rows > 5) {
            return true;
        } else {
            return false;
        }
    }
}

function login_check($mysqli) {

    //check for cookie
    //I can't do the extra pwd check sadly enough as I don't seem to have the know how.
    if (isset($_COOKIE['cooksession'])) {
        $session_id = $_COOKIE['cooksession'];

        //get the username and password
        $query_user = $mysqli->query("SELECT * FROM users WHERE session = '$session_id'");

        $v_rows = $query_user->num_rows;

        if ($v_rows > 0) {
            $user = $query_user->fetch_array(MYSQLI_BOTH);

            $_SESSION['userid'] = $user['userid'];
            $_SESSION['user_id'] = $user['user_id'];
            $_SESSION['permission'] = $user['permission'];
            $_SESSION['image'] = $user['avatar_ext'];

            // update last visit
            $now = time();
            if ($update_stmt = $mysqli->prepare("UPDATE users SET last_visit=? WHERE user_id=?")) {
                $update_stmt->bind_param('ss', $now, $_SESSION['user_id']);
                // Execute the prepared query.
                if (!$update_stmt->execute()) {
                    header('Location: ../error.php?err=time failure: UPDATE');
                }
            }
            return true;
        } else {
            return false;
        }
    } else {
        // Check if all session variables are set
        if (isset($_SESSION['user_id'], $_SESSION['userid'], $_SESSION['login_string'], $_SESSION['permission'])) {
            $user_id      = $_SESSION['user_id'];
            $login_string = $_SESSION['login_string'];
            $userid       = $_SESSION['userid'];

            $permission   = $_SESSION['permission'];


            // Get the user-agent string of the user.
            $user_browser = $_SERVER['HTTP_USER_AGENT'];

            if ($stmt = $mysqli->prepare("SELECT sha512_password
                                          FROM users
                                          WHERE user_id = ? LIMIT 1")) {
                // Bind "$user_id" to parameter.
                $stmt->bind_param('i', $user_id);
                $stmt->execute(); // Execute the prepared query.
                $stmt->store_result();

                if ($stmt->num_rows == 1) {
                    // If the user exists get variables from result.
                    $stmt->bind_result($password);

                    $stmt->fetch();
                    $login_check = hash('sha512', $password . $user_browser);

                    if ($login_check == $login_string) {
                        // Logged In!!!!
                        // update last visit
                        $now = time();
                        if ($update_stmt = $mysqli->prepare("UPDATE users SET last_visit=? WHERE user_id=?")) {
                            $update_stmt->bind_param('ss', $now, $user_id);
                            // Execute the prepared query.
                            if (!$update_stmt->execute()) {
                                header('Location: ../error.php?err=time failure: UPDATE');
                            }
                        }
                        return true;
                    } else {
                        // Not logged in
                        return false;
                    }
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in
            return false;
        }
    }
}

function esc_url($url) {
    if ('' == $url) {
        return $url;
    }

    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);

    $strip = array(
        '%0d',
        '%0a',
        '%0D',
        '%0A'
    );
    $url   = (string) $url;

    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }

    $url = str_replace(';//', '://', $url);

    $url = htmlentities($url);

    $url = str_replace('&amp;', '&#038;', $url);
    $url = str_replace("'", '&#039;', $url);

    if ($url[0] !== '/') {
        // We're only interested in relative links from $_SERVER['PHP_SELF']
        return '';
    } else {
        return $url;
    }
}


1			<?php
2			/*******************************************************************************
3			* user_functions.php
4			* -----------------------
5			* begin : 2015-04-28
6			* copyright : (C) 2015 Atari Legend
7			* email : [email protected]
8			*
9			* Id: user_functions.php,v 0.10 2015-04-28
10			*
11			********************************************************************************
12
13			*********************************************************************************
14			* User management functions
15			*********************************************************************************/
16
17			function sec_session_start() {
18			$session_name = 'sec_session_id'; // Set a custom session name
19			$secure = true;
20			// This stops JavaScript being able to access the session id.
21			$httponly = true;
22			// Forces sessions to only use cookies.
23			if (ini_set('session.use_only_cookies', 1) === false) {
24			header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
25			exit();
26			}
27			// Gets current cookies params.
28			$cookieParams = session_get_cookie_params();
29			session_set_cookie_params(
30			$cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly
31			);
32			// Sets the session name to the one set above.
33			session_name($session_name);
34			session_start(); // Start the PHP session
35			session_regenerate_id(true); // regenerated the session, delete the old one.
36			}
37
38			function md5_test($userid, $md5_password, $password, $mysqli) {
39			// Using prepared statements means that SQL injection is not possible.
40			if ($stmt = $mysqli->prepare("SELECT user_id, userid, password
41			FROM users
42			WHERE userid = ? AND sha512_password IS NULL AND password IS NOT NULL
43			LIMIT 1")) {
44			$stmt->bind_param('s', $userid); // Bind "$userid" to parameter.
45			$stmt->execute(); // Execute the prepared query.
46			$stmt->store_result();
47
48			// get variables from result.
49			$stmt->bind_result($user_id, $userid, $db_md5_password);
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$user_id` does not exist. Did you maybe mean `$userid`? Loading history... Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$db_md5_password` does not exist. Did you maybe mean `$md5_password`? Loading history...
50			$stmt->fetch();
51
52			if ($stmt->num_rows == 1) {
53			// If the user exists we check if the account is locked
54			// from too many login attempts
55
56			if (checkbrute($user_id, $mysqli) == true) {
57			// Account is locked
58			// Send an email to user saying their account is locked
59			return false;
60			} else {
61			// Check if the password in the database matches
62			// the password the user submitted.
63			if ($db_md5_password == $md5_password) {
64			// Password is correct!
65			// Insert the new user into the database
66			// Create a random salt
67			$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
68
69			// Create salted password
70			$update_password = hash('sha512', $password . $random_salt);
71
72			if ($update_stmt = $mysqli->prepare("UPDATE users
73			SET password=NULL, sha512_password=?, salt=?WHERE user_id=?")) {
74			$update_stmt->bind_param('sss', $update_password, $random_salt, $user_id);
75			// Execute the prepared query.
76			if (!$update_stmt->execute()) {
77			header('Location: ../error.php?err=md5 failure: UPDATE');
78			}
79			}
80			// Login successful.
81			return true;
82			} else {
83			// Password is not correct
84			// We record this attempt in the database
85			$now = time();
86			$mysqli->query("INSERT INTO users_login_attempts(user_id, time)
87			VALUES ('$user_id', '$now')");
88			return false;
89			}
90			}
91			} else {
92			// No user exists.
93			return false;
94			}
95			}
96			}
97
98			function login($userid, $password, $mysqli) {
99			// Using prepared statements means that SQL injection is not possible.
100			if ($stmt = $mysqli->prepare("SELECT user_id, userid, sha512_password, salt, permission, avatar_ext, inactive
101			FROM users
102			WHERE userid = ?
103			LIMIT 1")) {
104			$stmt->bind_param('s', $userid); // Bind "$userid" to parameter.
105			$stmt->execute(); // Execute the prepared query.
106			$stmt->store_result();
107
108			// get variables from result.
109			$stmt->bind_result($user_id, $userid, $db_password, $salt, $permission, $avatar_ext, $inactive);
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$salt` seems to be never defined. Loading history... Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$avatar_ext` seems to be never defined. Loading history... Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$permission` seems to be never defined. Loading history... Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$user_id` seems to be never defined. Loading history... Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$inactive` seems to be never defined. Loading history... Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$db_password` does not exist. Did you maybe mean `$password`? Loading history...
110			$stmt->fetch();
111			// hash the password with the unique salt.
112			$password = hash('sha512', $password . $salt);
113			if ($stmt->num_rows == 1) {
114			// If the user exists we check if the account is locked
115			// from too many login attempts
116			//if (checkbrute($user_id, $mysqli) == true) {
117			// // Account is locked
118			// $_SESSION['edit_message'] = "Your account is locked because of too many failed attempts";
119			// header("Location: ../../main/front/front.php");
120			//} else {
121			// Check if the password in the database matches
122			// the password the user submitted.
123			if ($db_password == $password and $inactive == 0) {
124			// Password is correct!
125			// Get the user-agent string of the user.
126			$user_browser = $_SERVER['HTTP_USER_AGENT'];
127			// XSS protection as we might print this value
128			$user_id = preg_replace("/[^0-9]+/", "", $user_id);
129			$_SESSION['user_id'] = $user_id;
130			// XSS protection as we might print this value
131			$userid = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $userid);
132			$_SESSION['userid'] = $userid;
133			$_SESSION['permission'] = $permission;
134			$_SESSION['login_string'] = hash('sha512', $password . $user_browser);
135			$_SESSION['image'] = $avatar_ext;
136			// Login successful.
137			return true;
138			} else {
139			// Password is not correct
140			// We record this attempt in the database
141			$now = time();
142			$mysqli->query("INSERT INTO users_login_attempts(user_id, time)
143			VALUES ('$user_id', '$now')");
144			return false;
145			}
146			// }
147			} else {
148			// No user exists.
149			return false;
150			}
151			}
152			}
153
154			function checkbrute($user_id, $mysqli) {
155			// Get timestamp of current time
156			$now = time();
157
158			// All login attempts are counted from the past 2 hours.
159			$valid_attempts = $now - (2 * 60 * 60);
160
161			if ($stmt = $mysqli->prepare("SELECT time
162			FROM users_login_attempts
163			WHERE user_id = ?
164			AND time > '$valid_attempts'")) {
165			$stmt->bind_param('i', $user_id);
166
167			// Execute the prepared query.
168			$stmt->execute();
169			$stmt->store_result();
170
171			// If there have been more than 5 failed logins
172			if ($stmt->num_rows > 5) {
173			return true;
174			} else {
175			return false;
176			}
177			}
178			}
179
180			function login_check($mysqli) {
181
182			//check for cookie
183			//I can't do the extra pwd check sadly enough as I don't seem to have the know how.
184			if (isset($_COOKIE['cooksession'])) {
185			$session_id = $_COOKIE['cooksession'];
186
187			//get the username and password
188			$query_user = $mysqli->query("SELECT * FROM users WHERE session = '$session_id'");
189
190			$v_rows = $query_user->num_rows;
191
192			if ($v_rows > 0) {
193			$user = $query_user->fetch_array(MYSQLI_BOTH);
194
195			$_SESSION['userid'] = $user['userid'];
196			$_SESSION['user_id'] = $user['user_id'];
197			$_SESSION['permission'] = $user['permission'];
198			$_SESSION['image'] = $user['avatar_ext'];
199
200			// update last visit
201			$now = time();
202			if ($update_stmt = $mysqli->prepare("UPDATE users SET last_visit=? WHERE user_id=?")) {
203			$update_stmt->bind_param('ss', $now, $_SESSION['user_id']);
204			// Execute the prepared query.
205			if (!$update_stmt->execute()) {
206			header('Location: ../error.php?err=time failure: UPDATE');
207			}
208			}
209			return true;
210			} else {
211			return false;
212			}
213			} else {
214			// Check if all session variables are set
215			if (isset($_SESSION['user_id'], $_SESSION['userid'], $_SESSION['login_string'], $_SESSION['permission'])) {
216			$user_id = $_SESSION['user_id'];
217			$login_string = $_SESSION['login_string'];
218			$userid = $_SESSION['userid'];
			0 ignored issues – show Unused Code introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The assignment to `$userid` is dead and can be removed. Loading history...
219			$permission = $_SESSION['permission'];
			0 ignored issues – show Unused Code introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The assignment to `$permission` is dead and can be removed. Loading history...
220
221			// Get the user-agent string of the user.
222			$user_browser = $_SERVER['HTTP_USER_AGENT'];
223
224			if ($stmt = $mysqli->prepare("SELECT sha512_password
225			FROM users
226			WHERE user_id = ? LIMIT 1")) {
227			// Bind "$user_id" to parameter.
228			$stmt->bind_param('i', $user_id);
229			$stmt->execute(); // Execute the prepared query.
230			$stmt->store_result();
231
232			if ($stmt->num_rows == 1) {
233			// If the user exists get variables from result.
234			$stmt->bind_result($password);
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-12-06 16:57 UTC by Report Bug Copy Issue Report The variable `$password` seems to be never defined. Loading history...
235			$stmt->fetch();
236			$login_check = hash('sha512', $password . $user_browser);
237
238			if ($login_check == $login_string) {
239			// Logged In!!!!
240			// update last visit
241			$now = time();
242			if ($update_stmt = $mysqli->prepare("UPDATE users SET last_visit=? WHERE user_id=?")) {
243			$update_stmt->bind_param('ss', $now, $user_id);
244			// Execute the prepared query.
245			if (!$update_stmt->execute()) {
246			header('Location: ../error.php?err=time failure: UPDATE');
247			}
248			}
249			return true;
250			} else {
251			// Not logged in
252			return false;
253			}
254			} else {
255			// Not logged in
256			return false;
257			}
258			} else {
259			// Not logged in
260			return false;
261			}
262			} else {
263			// Not logged in
264			return false;
265			}
266			}
267			}
268
269			function esc_url($url) {
270			if ('' == $url) {
271			return $url;
272			}
273
274			$url = preg_replace('\|[^a-z0-9-~+_.?#=!&;,/:%@$\\|*\'()\\x80-\\xff]\|i', '', $url);
275
276			$strip = array(
277			'%0d',
278			'%0a',
279			'%0D',
280			'%0A'
281			);
282			$url = (string) $url;
283
284			$count = 1;
285			while ($count) {
286			$url = str_replace($strip, '', $url, $count);
287			}
288
289			$url = str_replace(';//', '://', $url);
290
291			$url = htmlentities($url);
292
293			$url = str_replace('&', '&', $url);
294			$url = str_replace("'", ''', $url);
295
296			if ($url[0] !== '/') {
297			// We're only interested in relative links from $_SERVER['PHP_SELF']
298			return '';
299			} else {
300			return $url;
301			}
302			}
303

atari-legend / legacy

login_check() B last analyzed 2024-03-07 17:20 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like

login_check() B
last analyzed 2024-03-07 17:20 UTC