Issues in Security.class.php - Fixed Issues - Inspection of "Better field label names" - pH7Software/pH7-Social-Dating-CMS - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Branch — master (078ac8)

by Pierre-Henry

created 2017-03-11 17:04 UTC

_protected/framework/Mvc/Model/Security.class.php (1 issue)

Labels

Coding Style 1

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @title            Security Model Class
 *
 * @author           Pierre-Henry Soria <[email protected]>
 * @copyright        (c) 2012-2017, Pierre-Henry Soria. All Rights Reserved.
 * @license          GNU General Public License; See PH7.LICENSE.txt and PH7.COPYRIGHT.txt in the root directory.
 * @package          PH7 / Framework / Mvc / Model
 * @version          1.3
 */

namespace PH7\Framework\Mvc\Model;
defined('PH7') or exit('Restricted access');

use

PH7\Framework\Mvc\Model\Engine\Db,
PH7\Framework\Ip\Ip,
PH7\Framework\Mvc\Model\Engine\Util\Various;

class Security
{

    private $_sIp, $_sCurrentTime;

    public function __construct()
    {
        $this->_sIp = Ip::get();
        $this->_sCurrentTime = (new \PH7\Framework\Date\CDateTime)->get()->dateTime('Y-m-d H:i:s');
    }

    /**
     * Block user IP
     *
     * @param string $sIp IP address.
     * @param integer $iExpir Expiration in seconds. Default 86400
     * @return boolean Returns TRUE if no IP has been found (and the new IP has been added to the block list), otherwise FALSE.
     */
    public function blockIp($sIp, $iExpir = 86400)
    {
        $iExpir = time() + (int) $iExpir;
        $rStmt = Db::getInstance()->prepare('SELECT ip FROM' . Db::prefix('BlockIp') . 'WHERE ip = :ip LIMIT 1');
        $rStmt->bindValue(':ip', $sIp, \PDO::PARAM_STR);
        $rStmt->execute();

        if ($rStmt->rowCount() == 0) // Not Found IP
        {
            $rStmt = Db::getInstance()->prepare('INSERT INTO'.Db::prefix('BlockIp'). 'VALUES (:ip, :expiration)');
            $rStmt->bindValue(':ip', $sIp, \PDO::PARAM_STR);
            $rStmt->bindValue(':expiration', $iExpir, \PDO::PARAM_INT);
            $rStmt->execute();
            return true;
        }
        return false;
    }

    /**
     * Add Login Log.
     *
     * @param string $sEmail
     * @param string $sUsername
     * @param string $sPassword
     * @param integer $sStatus
     * @param string $sTable Default 'Members'
     * @return void
     */
    public function addLoginLog($sEmail, $sUsername, $sPassword, $sStatus, $sTable = 'Members')
    {
        Various::checkModelTable($sTable);

        $rStmt = Db::getInstance()->prepare('INSERT INTO' . Db::prefix($sTable.'LogLogin') . '(email, username, password, status, ip)
        VALUES (:email, :username, :password, :status, :ip)');
        $rStmt->bindValue(':email', $sEmail, \PDO::PARAM_STR);
        $rStmt->bindValue(':username', $sUsername, \PDO::PARAM_STR);
        $rStmt->bindValue(':password', $sPassword, \PDO::PARAM_STR);
        $rStmt->bindValue(':status', $sStatus, \PDO::PARAM_STR);
        $rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
        $rStmt->execute();
        Db::free($rStmt);
    }

    /**
     * Blocking access to the login page after exceeded login attempts.
     *
     * @param integer $iMaxAttempts
     * @param integer $iAttemptTime
     * @param string $sEmail Email address of member.
     * @param object \PH7\Framework\Layout\Tpl\Engine\PH7Tpl\PH7Tpl $oView
     * @param string $sTable Default 'Members'
     * @return boolean Returns TRUE if attempts are allowed, FALSE otherwise.
     */
    public function checkLoginAttempt($iMaxAttempts, $iAttemptTime, $sEmail, \PH7\Framework\Layout\Tpl\Engine\PH7Tpl\PH7Tpl $oView, $sTable = 'Members')
    {
        Various::checkModelTable($sTable);

        $rStmt = Db::getInstance()->prepare('SELECT * FROM' . Db::prefix($sTable.'AttemptsLogin') . 'WHERE ip = :ip LIMIT 1');
        $rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
        $rStmt->execute();

        if ($rStmt->rowCount() == 1)
        {
            $oRow = $rStmt->fetch(\PDO::FETCH_OBJ);

            if ($oRow->attempts >= $iMaxAttempts)
            {
                $sLockoutTime = (new \DateTime($oRow->lastLogin))->add(\DateInterval::createFromDateString("$iAttemptTime minutes"))->format('Y-m-d H:i:s');

                if ($sLockoutTime > $this->_sCurrentTime)
                {
                    /**
                     * Send email to prevent that someone tries to hack their member account.
                     * We test that the number of attempts equals the number of maximim tantatives to avoid duplication of sending emails.
                     */
                    if ($oRow->attempts == $iMaxAttempts)
                        (new \PH7\Security)->sendAlertLoginAttemptsExceeded($iMaxAttempts, $iAttemptTime, $this->_sIp, $sEmail, $oView, $sTable);
                }
                else
                {
                    // Clear Login Attempts
                    $this->clearLoginAttempts($sTable);
                    return true; // Authorized
                }
                return false; // Banned
            }
        }
        return true; // Authorized
    }

    /**
     * Add Loging Attempt.
     *
     * @param string $sTable Default 'Members'
     * @return void
     */
    public function addLoginAttempt($sTable = 'Members')
    {
        Various::checkModelTable($sTable);

        $rStmt = Db::getInstance()->prepare('SELECT * FROM' . Db::prefix($sTable.'AttemptsLogin') . 'WHERE ip = :ip LIMIT 1');
        $rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
        $rStmt->execute();

        if ($rStmt->rowCount() == 1)
        {
            $oRow = $rStmt->fetch(\PDO::FETCH_OBJ);
            $iAttempts = $oRow->attempts+1;
            $rStmt = Db::getInstance()->prepare('UPDATE' . Db::prefix($sTable.'AttemptsLogin') . 'SET attempts = :attempts, lastLogin = :currentTime WHERE ip = :ip');
            $rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
            $rStmt->bindValue(':attempts', $iAttempts, \PDO::PARAM_INT);
            $rStmt->bindValue(':currentTime', $this->_sCurrentTime, \PDO::PARAM_STR);
            $rStmt->execute();
        }
        else
        {
            $rStmt = Db::getInstance()->prepare('INSERT INTO' . Db::prefix($sTable.'AttemptsLogin') . '(ip, attempts, lastLogin) VALUES (:ip, 1, :lastLogin)');
            $rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
            $rStmt->bindValue(':lastLogin', $this->_sCurrentTime, \PDO::PARAM_STR);
            $rStmt->execute();
        }

        Db::free($rStmt);
    }

    /**
     * Clear Login Attempts.
     *
     * @param string $sTable Default 'Members'
     * @return void
     */
    public function clearLoginAttempts($sTable = 'Members')
    {
        Various::checkModelTable($sTable);

        $rStmt = Db::getInstance()->prepare('DELETE FROM' . Db::prefix($sTable.'AttemptsLogin') . 'WHERE ip = :ip');
        $rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
        $rStmt->execute();
        Db::free($rStmt);
    }

}


1			<?php
2			/**
3			* @title Security Model Class
4			*
5			* @author Pierre-Henry Soria <[email protected]>
6			* @copyright (c) 2012-2017, Pierre-Henry Soria. All Rights Reserved.
7			* @license GNU General Public License; See PH7.LICENSE.txt and PH7.COPYRIGHT.txt in the root directory.
8			* @package PH7 / Framework / Mvc / Model
9			* @version 1.3
10			*/
11
12			namespace PH7\Framework\Mvc\Model;
13			defined('PH7') or exit('Restricted access');
14
15			use
			0 ignored issues – show Coding Style introduced 2015-12-19 18:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this There must be a single space after the USE keyword Loading history...
16			PH7\Framework\Mvc\Model\Engine\Db,
17			PH7\Framework\Ip\Ip,
18			PH7\Framework\Mvc\Model\Engine\Util\Various;
19
20			class Security
21			{
22
23			private $_sIp, $_sCurrentTime;
24
25			public function __construct()
26			{
27			$this->_sIp = Ip::get();
28			$this->_sCurrentTime = (new \PH7\Framework\Date\CDateTime)->get()->dateTime('Y-m-d H:i:s');
29			}
30
31			/**
32			* Block user IP
33			*
34			* @param string $sIp IP address.
35			* @param integer $iExpir Expiration in seconds. Default 86400
36			* @return boolean Returns TRUE if no IP has been found (and the new IP has been added to the block list), otherwise FALSE.
37			*/
38			public function blockIp($sIp, $iExpir = 86400)
39			{
40			$iExpir = time() + (int) $iExpir;
41			$rStmt = Db::getInstance()->prepare('SELECT ip FROM' . Db::prefix('BlockIp') . 'WHERE ip = :ip LIMIT 1');
42			$rStmt->bindValue(':ip', $sIp, \PDO::PARAM_STR);
43			$rStmt->execute();
44
45			if ($rStmt->rowCount() == 0) // Not Found IP
46			{
47			$rStmt = Db::getInstance()->prepare('INSERT INTO'.Db::prefix('BlockIp'). 'VALUES (:ip, :expiration)');
48			$rStmt->bindValue(':ip', $sIp, \PDO::PARAM_STR);
49			$rStmt->bindValue(':expiration', $iExpir, \PDO::PARAM_INT);
50			$rStmt->execute();
51			return true;
52			}
53			return false;
54			}
55
56			/**
57			* Add Login Log.
58			*
59			* @param string $sEmail
60			* @param string $sUsername
61			* @param string $sPassword
62			* @param integer $sStatus
63			* @param string $sTable Default 'Members'
64			* @return void
65			*/
66			public function addLoginLog($sEmail, $sUsername, $sPassword, $sStatus, $sTable = 'Members')
67			{
68			Various::checkModelTable($sTable);
69
70			$rStmt = Db::getInstance()->prepare('INSERT INTO' . Db::prefix($sTable.'LogLogin') . '(email, username, password, status, ip)
71			VALUES (:email, :username, :password, :status, :ip)');
72			$rStmt->bindValue(':email', $sEmail, \PDO::PARAM_STR);
73			$rStmt->bindValue(':username', $sUsername, \PDO::PARAM_STR);
74			$rStmt->bindValue(':password', $sPassword, \PDO::PARAM_STR);
75			$rStmt->bindValue(':status', $sStatus, \PDO::PARAM_STR);
76			$rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
77			$rStmt->execute();
78			Db::free($rStmt);
79			}
80
81			/**
82			* Blocking access to the login page after exceeded login attempts.
83			*
84			* @param integer $iMaxAttempts
85			* @param integer $iAttemptTime
86			* @param string $sEmail Email address of member.
87			* @param object \PH7\Framework\Layout\Tpl\Engine\PH7Tpl\PH7Tpl $oView
88			* @param string $sTable Default 'Members'
89			* @return boolean Returns TRUE if attempts are allowed, FALSE otherwise.
90			*/
91			public function checkLoginAttempt($iMaxAttempts, $iAttemptTime, $sEmail, \PH7\Framework\Layout\Tpl\Engine\PH7Tpl\PH7Tpl $oView, $sTable = 'Members')
92			{
93			Various::checkModelTable($sTable);
94
95			$rStmt = Db::getInstance()->prepare('SELECT * FROM' . Db::prefix($sTable.'AttemptsLogin') . 'WHERE ip = :ip LIMIT 1');
96			$rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
97			$rStmt->execute();
98
99			if ($rStmt->rowCount() == 1)
100			{
101			$oRow = $rStmt->fetch(\PDO::FETCH_OBJ);
102
103			if ($oRow->attempts >= $iMaxAttempts)
104			{
105			$sLockoutTime = (new \DateTime($oRow->lastLogin))->add(\DateInterval::createFromDateString("$iAttemptTime minutes"))->format('Y-m-d H:i:s');
106
107			if ($sLockoutTime > $this->_sCurrentTime)
108			{
109			/**
110			* Send email to prevent that someone tries to hack their member account.
111			* We test that the number of attempts equals the number of maximim tantatives to avoid duplication of sending emails.
112			*/
113			if ($oRow->attempts == $iMaxAttempts)
114			(new \PH7\Security)->sendAlertLoginAttemptsExceeded($iMaxAttempts, $iAttemptTime, $this->_sIp, $sEmail, $oView, $sTable);
115			}
116			else
117			{
118			// Clear Login Attempts
119			$this->clearLoginAttempts($sTable);
120			return true; // Authorized
121			}
122			return false; // Banned
123			}
124			}
125			return true; // Authorized
126			}
127
128			/**
129			* Add Loging Attempt.
130			*
131			* @param string $sTable Default 'Members'
132			* @return void
133			*/
134			public function addLoginAttempt($sTable = 'Members')
135			{
136			Various::checkModelTable($sTable);
137
138			$rStmt = Db::getInstance()->prepare('SELECT * FROM' . Db::prefix($sTable.'AttemptsLogin') . 'WHERE ip = :ip LIMIT 1');
139			$rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
140			$rStmt->execute();
141
142			if ($rStmt->rowCount() == 1)
143			{
144			$oRow = $rStmt->fetch(\PDO::FETCH_OBJ);
145			$iAttempts = $oRow->attempts+1;
146			$rStmt = Db::getInstance()->prepare('UPDATE' . Db::prefix($sTable.'AttemptsLogin') . 'SET attempts = :attempts, lastLogin = :currentTime WHERE ip = :ip');
147			$rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
148			$rStmt->bindValue(':attempts', $iAttempts, \PDO::PARAM_INT);
149			$rStmt->bindValue(':currentTime', $this->_sCurrentTime, \PDO::PARAM_STR);
150			$rStmt->execute();
151			}
152			else
153			{
154			$rStmt = Db::getInstance()->prepare('INSERT INTO' . Db::prefix($sTable.'AttemptsLogin') . '(ip, attempts, lastLogin) VALUES (:ip, 1, :lastLogin)');
155			$rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
156			$rStmt->bindValue(':lastLogin', $this->_sCurrentTime, \PDO::PARAM_STR);
157			$rStmt->execute();
158			}
159
160			Db::free($rStmt);
161			}
162
163			/**
164			* Clear Login Attempts.
165			*
166			* @param string $sTable Default 'Members'
167			* @return void
168			*/
169			public function clearLoginAttempts($sTable = 'Members')
170			{
171			Various::checkModelTable($sTable);
172
173			$rStmt = Db::getInstance()->prepare('DELETE FROM' . Db::prefix($sTable.'AttemptsLogin') . 'WHERE ip = :ip');
174			$rStmt->bindValue(':ip', $this->_sIp, \PDO::PARAM_STR);
175			$rStmt->execute();
176			Db::free($rStmt);
177			}
178
179			}
180

pH7Software / pH7-Social-Dating-CMS

Branch — master (078ac8)

_protected/framework/Mvc/Model/Security.class.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like