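exec("set names utf8");
    // Tail of check(): the function header and its earlier branches lie
    // outside this view, so this part is kept as found.
    if ($w == 'username') {
        $account = $db->select("SELECT * FROM " . GAME_DB_ACCOUNT . " where username = :u", [ 'u' => $data ]);
        if (count($account) <= 0 || count($account) > 1) return -1;
        $account = $account[0];
        $_SESSION['login_username'] = $data;
        $_SESSION['login_id'] = $account['id'];
        $_SESSION['login_tv_admin'] = $account['rank'] >= 3;
        $_SESSION['login_sha_pass_hash'] = strtoupper($account['sha_pass_hash']);
        return 0;
    }
}

/**
 * Best-effort client IPv4 address, used as the key of the per-IP attempt counter.
 *
 * X-Forwarded-For is client-supplied: unless this host sits behind a proxy that
 * overwrites the header, a caller can pick any value and thereby choose its own
 * throttle bucket. Pass $trust_forwarded = false to ignore the header and rely on
 * REMOTE_ADDR alone; the default keeps the historical behaviour. Only IPv4 is
 * accepted, so IPv6 clients all map to the placeholder below.
 *
 * @param bool $trust_forwarded honour X-Forwarded-For / HTTP_X_FORWARDED_FOR
 * @return string a valid IPv4 address, or "1.1.1.1" when none could be determined
 */
function get_ip(bool $trust_forwarded = true): string
{
    // Prefer the real request headers when the SAPI exposes them; $_SERVER carries
    // the same data under HTTP_* keys otherwise.
    $headers = function_exists('apache_request_headers') ? apache_request_headers() : $_SERVER;

    $the_ip = false;
    if ($trust_forwarded) {
        foreach (['X-Forwarded-For', 'HTTP_X_FORWARDED_FOR'] as $name) {
            if (array_key_exists($name, $headers) && filter_var($headers[$name], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                $the_ip = $headers[$name];
                break;
            }
        }
    }
    if ($the_ip === false) {
        // REMOTE_ADDR is absent under the CLI SAPI; '' makes filter_var return false.
        $the_ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    }

    // Anything still not a valid IP (filter_var yields false) collapses to a fixed
    // placeholder so every such request shares one throttle bucket.
    if (!filter_var($the_ip, FILTER_VALIDATE_IP)) {
        $the_ip = "1.1.1.1";
    }
    return $the_ip;
}

/**
 * Advance the attempt counter stored under $_SESSION[$key] and report a lock.
 *
 * The record is a JSON object {first_attempt, last_attempt, attempts, locked, end}.
 * Each call counts as one attempt. Once MAX_LOGIN_ATTEMPTS attempts fall within
 * MAX_MINUTES_ATTEMPTS minutes of the first one, the key is locked for
 * MAX_MINUTES_ATTEMPTS minutes; an expired lock, or a window that ran out before
 * the limit was hit, restarts the count at 1. An unreadable record is treated as
 * absent.
 *
 * NOTE(review): the state lives in the caller's own PHP session, so a client that
 * discards its session cookie starts with a fresh counter — this limits accidental,
 * not deliberate, retries; a server-side store would be needed for the latter.
 *
 * @param string $key session key holding the JSON record
 * @return string|null the user-facing lock message, or null when not locked
 */
function count_login_attempt(string $key): ?string
{
    $now = date('Y-m-d H:i:s');
    $fresh = ['first_attempt' => $now, 'attempts' => 1, 'locked' => false];

    $data = isset($_SESSION[$key]) ? json_decode($_SESSION[$key], true) : null;
    if (!is_array($data)) {
        // No record yet (or an unreadable one): start counting from this request.
        $_SESSION[$key] = json_encode($fresh);
        return null;
    }

    if (!empty($data['locked'])) {
        $remaining = (($data['end'] ?? 0) - strtotime('now')) / 60;
        if ($remaining > 0) {
            return "Too many attempts. Please try again in " . ceil($remaining) . " minute(s).";
        }
        // Lock expired: restart the count instead of carrying the stale locked
        // record forward (the per-username path previously re-saved it).
        $_SESSION[$key] = json_encode($fresh);
        return null;
    }

    $data['attempts'] = ($data['attempts'] ?? 0) + 1;
    $data['last_attempt'] = $now;
    $message = null;
    if ($data['attempts'] >= MAX_LOGIN_ATTEMPTS) {
        $elapsed = round((strtotime('now') - strtotime($data['first_attempt'] ?? $now)) / 60, 2);
        if ($elapsed <= MAX_MINUTES_ATTEMPTS) {
            $data['locked'] = true;
            $data['end'] = strtotime('+' . MAX_MINUTES_ATTEMPTS . ' minutes', strtotime('now'));
            // NOTE(review): the message quotes TIMEOUT_MINUTES while the lock lasts
            // MAX_MINUTES_ATTEMPTS; kept as found — confirm the two are meant to match.
            $message = "Too many attempts. Please try again in " . TIMEOUT_MINUTES . " minutes.";
        } else {
            // Limit reached, but spread over more than the window: start a new window.
            $data['first_attempt'] = $now;
            $data['attempts'] = 1;
        }
    }
    $_SESSION[$key] = json_encode($data);
    return $message;
}

$ip = get_ip();
$message = '';
$step = 1;
$err = 0;

// Only string form values are usable as session keys and query parameters; an
// array-valued field (username[]=...) is treated as absent.
$username = isset($_REQUEST['username']) && is_string($_REQUEST['username']) ? $_REQUEST['username'] : null;
$password = isset($_REQUEST['password']) && is_string($_REQUEST['password']) ? $_REQUEST['password'] : null;

// $step: 0 = locked out, 1 = asking for the username, 2 = asking for the password.
// NOTE(review): both counters advance on every request this page handles, not only
// on failed password checks — confirm that is intended.
$lock = count_login_attempt($ip . '_attempts');
if ($lock === null && $username !== null) {
    $lock = count_login_attempt($username . '_attempts');
}
if ($lock !== null) {
    $step = 0;
    $message = $lock;
}

if ($step !== 0) {
    if ($username !== null) {
        $err = check('username', $username);
        if ($err == 0) {
            $step = 2;
        }
    }
    if ($password !== null) {
        $step = 2;
        // Legacy account hash: SHA1 of "USERNAME:PASSWORD", both upper-cased, as
        // stored in sha_pass_hash by check() above.
        $stored = $_SESSION['login_sha_pass_hash'] ?? null;
        $candidate = strtoupper(sha1(strtoupper($_SESSION['login_username'] ?? '') . ":" . strtoupper($password)));
        // hash_equals: strict and constant-time, unlike the loose == it replaces
        // (which also compares all-digit strings numerically).
        if (is_string($stored) && hash_equals($stored, $candidate)) {
            // password correct
            $_SESSION['user'] = $_SESSION['login_username'];
            $_SESSION['account'] = $_SESSION['login_id']; // for deleting tw watch comments
            $_SESSION['tv_administrator'] = $_SESSION['login_tv_admin'];
            unset(
                $_SESSION['login_username'],
                $_SESSION['login_id'],
                $_SESSION['login_tv_admin'],
                $_SESSION['login_sha_pass_hash'],
                $_SESSION[$ip . '_attempts'],
                $_SESSION[$_SESSION['user'] . '_attempts']
            );
            // Rotate the session id on privilege change so a pre-login id cannot be reused.
            session_regenerate_id(true);
            // redirect to index; the target stays under ../ and only the fragment is caller-supplied
            $redirect = isset($_REQUEST['redirect']) && is_string($_REQUEST['redirect']) ? $_REQUEST['redirect'] : null;
            header('Location: ../' . ($redirect !== null ? '#' . $redirect : ''));
            exit;
        }
        $err = -1;
    }
}

$settings = [
    'site_title' => 'Turtle WoW — Password Reset',
    'site_description' => 'Turtle WoW — Mysteries of Azeroth',
    'site_keywords' => 'World of Warcraft, WoW, WoW Classic, WoW Vanilla, Vanilla+, Vanilla Plus, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, Mysteries of Azeroth, Custom WoW Expansion, Turtle WoW, Custom Vanilla, Extended Vanilla, Continued Vanilla, High Elves, Goblins, Vanilla Expanded, New Raids, New Bosses, Mirage Raceway, Survival, New Items, New Skills, New Quests, Private WoW Server, Play WoW Free',
];
?>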