ahh security

2025-07-27 15:36:11 +00:00 · 2025-06-16 01:50:13 +03:00 · 2025-06-16 01:50:13 +03:00 · a4f57efde7
commit a4f57efde7
parent 16e16c5490
2 changed files with 23 additions and 10 deletions
--- a/main/db.sql
+++ b/main/db.sql
@ -24,8 +24,22 @@ CREATE TABLE users (

 CREATE TABLE registrations (
    id INT AUTO_INCREMENT PRIMARY KEY,
-    ip VARCHAR(45) NOT NULL,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    INDEX idx_ip_created (ip, created_at),
    INDEX idx_created_at (created_at)
-); 
+);
+
+DELIMITER //
+CREATE PROCEDURE migrate_if_needed()
+BEGIN
+    IF EXISTS (
+        SELECT * FROM information_schema.columns 
+        WHERE table_name = 'registrations' AND column_name = 'ip'
+    ) THEN
+        DROP INDEX IF EXISTS idx_ip_created ON registrations;
+        ALTER TABLE registrations DROP COLUMN ip;
+    END IF;
+END //
+DELIMITER ;
+
+CALL migrate_if_needed();
+DROP PROCEDURE migrate_if_needed(); 
--- a/main/register.php
+++ b/main/register.php
@ -23,7 +23,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
    $pgp_key = filter_input(INPUT_POST, 'pgp_key', FILTER_SANITIZE_STRING);
-    $ip = $_SERVER['REMOTE_ADDR'];

    if ($username && $password) {
        if (strlen($username) > 50 || strlen($password) < 8 || !preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
@ -31,12 +30,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        } else if (strlen($pgp_key) > 4096) {
            $error = 'PGP key is too long';
        } else {
-            $stmt = $db->prepare('SELECT COUNT(*) FROM registrations WHERE ip = ? AND created_at > DATE_SUB(NOW(), INTERVAL 1 HOUR)');
-            $stmt->execute([$ip]);
+            $stmt = $db->prepare('SELECT COUNT(*) FROM registrations WHERE created_at > DATE_SUB(NOW(), INTERVAL 1 HOUR)');
+            $stmt->execute();
            $count = $stmt->fetchColumn();

-            if ($count >= 5) {
-                $error = 'Registration limit exceeded for your IP';
+            if ($count >= 20) {
+                $error = 'Registration limit exceeded';
            } else {
                try {
                    $stmt = $db->prepare('INSERT INTO users (username, password, pgp_key, login_attempts, last_attempt) VALUES (?, ?, ?, 0, NOW())');
@ -46,8 +45,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                        $pgp_key
                    ]);
                    
-                    $stmt = $db->prepare('INSERT INTO registrations (ip) VALUES (?)');
-                    $stmt->execute([$ip]);
+                    $stmt = $db->prepare('INSERT INTO registrations () VALUES ()');
+                    $stmt->execute();
                    
                    $success = 'Registration successful';
                } catch (PDOException $e) {