ahh security

This commit is contained in:
Lain Iwakura 2025-06-16 01:50:13 +03:00
parent 16e16c5490
commit a4f57efde7
No known key found for this signature in database
GPG Key ID: C7C18257F2ADC6F8
2 changed files with 23 additions and 10 deletions


@ -24,8 +24,22 @@ CREATE TABLE users (
CREATE TABLE registrations ( CREATE TABLE registrations (
id INT AUTO_INCREMENT PRIMARY KEY, id INT AUTO_INCREMENT PRIMARY KEY,
ip VARCHAR(45) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
INDEX idx_ip_created (ip, created_at),
INDEX idx_created_at (created_at) INDEX idx_created_at (created_at)
); );
DELIMITER //
CREATE PROCEDURE migrate_if_needed()
BEGIN
IF EXISTS (
SELECT * FROM information_schema.columns
WHERE table_name = 'registrations' AND column_name = 'ip'
) THEN
DROP INDEX IF EXISTS idx_ip_created ON registrations;
ALTER TABLE registrations DROP COLUMN ip;
END IF;
END //
DELIMITER ;
CALL migrate_if_needed();
DROP PROCEDURE migrate_if_needed();
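Review bot: The existence check in migrate_if_needed queries information_schema.columns without restricting table_schema, so a `registrations.ip` column in any other database on the same server makes the branch fire and the following `ALTER TABLE registrations DROP COLUMN ip` then fails against the current schema; add `AND table_schema = DATABASE()` to the WHERE clause. `DROP INDEX IF EXISTS ... ON` is MariaDB syntax and, if the target engine is MySQL, the `IF EXISTS` clause is a syntax error that aborts the procedure before the column is dropped, so the target engine should be confirmed or the index presence checked through information_schema.statistics instead. Because the procedure is only dropped after a successful CALL, a failed run leaves it behind and the next run of this script stops at CREATE PROCEDURE; a `DROP PROCEDURE IF EXISTS migrate_if_needed;` ahead of the DELIMITER block keeps the file re-runnable.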


@ -23,7 +23,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING); $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING); $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
$pgp_key = filter_input(INPUT_POST, 'pgp_key', FILTER_SANITIZE_STRING); $pgp_key = filter_input(INPUT_POST, 'pgp_key', FILTER_SANITIZE_STRING);
$ip = $_SERVER['REMOTE_ADDR'];
if ($username && $password) { if ($username && $password) {
if (strlen($username) > 50 || strlen($password) < 8 || !preg_match('/^[a-zA-Z0-9_]+$/', $username)) { if (strlen($username) > 50 || strlen($password) < 8 || !preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
@ -31,12 +30,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
} else if (strlen($pgp_key) > 4096) { } else if (strlen($pgp_key) > 4096) {
$error = 'PGP key is too long'; $error = 'PGP key is too long';
} else { } else {
$stmt = $db->prepare('SELECT COUNT(*) FROM registrations WHERE ip = ? AND created_at > DATE_SUB(NOW(), INTERVAL 1 HOUR)'); $stmt = $db->prepare('SELECT COUNT(*) FROM registrations WHERE created_at > DATE_SUB(NOW(), INTERVAL 1 HOUR)');
$stmt->execute([$ip]); $stmt->execute();
$count = $stmt->fetchColumn(); $count = $stmt->fetchColumn();
if ($count >= 5) { if ($count >= 20) {
$error = 'Registration limit exceeded for your IP'; $error = 'Registration limit exceeded';
} else { } else {
try { try {
$stmt = $db->prepare('INSERT INTO users (username, password, pgp_key, login_attempts, last_attempt) VALUES (?, ?, ?, 0, NOW())'); $stmt = $db->prepare('INSERT INTO users (username, password, pgp_key, login_attempts, last_attempt) VALUES (?, ?, ?, 0, NOW())');
@ -46,8 +45,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
$pgp_key $pgp_key
]); ]);
$stmt = $db->prepare('INSERT INTO registrations (ip) VALUES (?)'); $stmt = $db->prepare('INSERT INTO registrations () VALUES ()');
$stmt->execute([$ip]); $stmt->execute();
$success = 'Registration successful'; $success = 'Registration successful';
} catch (PDOException $e) { } catch (PDOException $e) {