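// Login page script: validates the post-login redirect target, processes a submitted login,
// records failed attempts in the security log and the brute-force counter of the banning table,
// and renders the login form.
//
// NOTE(review): this excerpt starts mid-file and the HTML markup that belonged inside the string
// literals and heredocs below is not present in it; only the interpolated variables survive.
// "login_page();" is reproduced as shown and is presumably the tail of a statement whose
// beginning lies outside the excerpt.
login_page();

// --- Post-login redirect target ---------------------------------------------------------------
// 'referer' comes from the query string and is later used as the "continue" link and, URL-encoded,
// on the login page, so it must only ever name a local, relative target. The original substring
// test for "http" is kept, but a denylist on one scheme name does not cover every way of naming
// another origin: the value is also rejected when it starts with a slash or backslash, carries a
// URL scheme, or contains control characters. Anything rejected falls back to index.php.
$referer = (!empty($_GET['referer']) && is_string($_GET['referer'])) ? $_GET['referer'] : 'index.php';
if (
    strpos($referer, "http") !== false
    || preg_match('#^\s*[/\\\\]|^\s*[a-z][a-z0-9+.\-]*:|[\x00-\x1f\x7f]#i', $referer)
) {
    $referer = "index.php";
}

$login_failed = '';
$cookie_warning = '';

if (isset($_POST['submitted'])) {
    // Normalise the posted credentials to strings so that array-valued parameters cannot reach
    // addslashes() or the log line below.
    $posted_username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
    $posted_password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

    // NOTE(review): addslashes() is not a charset-aware SQL escape and it also alters the password
    // before login() sees it. It is left in place because login() is outside this excerpt and
    // stored credentials may depend on it - confirm how login() builds its query before replacing it.
    if (
        $USER_DATA = $cpg_udb->login(
            addslashes($posted_username),
            addslashes($posted_password),
            isset($_POST['remember_me'])
        )
    ) {
        // NOTE(review): as shown this replaces "&" with "&", which is a no-op; the pattern was
        // presumably an HTML entity before extraction decoded it - confirm against the original file.
        $referer=preg_replace("'&'","&",$referer);
        pageheader($lang_login_php['login'], "");
        // NOTE(review): the user name and $referer end up in the rendered page; whether msg_box()
        // HTML-escapes them is not visible here - confirm.
        msg_box($lang_login_php['login'], sprintf($lang_login_php['welcome'], $USER_DATA['user_name']), $lang_continue, $referer);
        pagefooter();
        exit;
    } else {
        // The user name is untrusted: replace control characters (including CR/LF) so one failed
        // login cannot add forged lines to the security log.
        // NOTE(review): if the log is viewed in a browser, the viewer still has to HTML-escape entries.
        $logged_username = preg_replace('/[\x00-\x1f\x7f]/', '?', $posted_username);
        log_write("Failed login attempt with Username: {$logged_username} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);

        $login_failed = <<<EOT
{$lang_login_php['err_login']}
EOT;

        // Look the client address up in the banning table and count down its brute-force counter;
        // an address without a running counter gets a new record starting at the login threshold.
        // NOTE(review): $raw_ip and $hdr_ip are defined outside this excerpt and are interpolated
        // into SQL as-is; $hdr_ip presumably originates from request headers - confirm that both
        // are validated as IP addresses where they are set.
        $result = cpg_db_query("SELECT * FROM {$CONFIG['TABLE_BANNED']} WHERE ip_addr='$raw_ip' OR ip_addr='$hdr_ip'");
        $failed_logon_counter = mysql_fetch_array($result);
        mysql_free_result($result);
        if (!is_array($failed_logon_counter)) {
            // No matching row: mysql_fetch_array() returned false; work on an empty record instead.
            $failed_logon_counter = array();
        }

        // Expiry of the counter record: now plus the configured number of minutes.
        $expiry_date = date("Y-m-d H:i:s", mktime(date('H'), date('i') + (int) $CONFIG['login_expiry'], date('s'), date('m'), date('d'), date('Y')));

        // Numeric values are cast to int before they are placed in the query text.
        // NOTE(review): a counter that has reached 0 takes the INSERT branch; the ban itself is
        // presumably enforced elsewhere - confirm.
        if (!empty($failed_logon_counter['brute_force'])) {
            $failed_logon_counter['brute_force'] = (int) $failed_logon_counter['brute_force'] - 1;
            $query_string = "UPDATE {$CONFIG['TABLE_BANNED']} SET brute_force='" . $failed_logon_counter['brute_force'] . "', expiry='" . $expiry_date . "' WHERE ban_id=" . (int) $failed_logon_counter['ban_id'];
        } else {
            $failed_logon_counter['brute_force'] = (int) $CONFIG['login_threshold'];
            $query_string = "INSERT INTO {$CONFIG['TABLE_BANNED']} (ip_addr, expiry, brute_force) VALUES ('$raw_ip', '$expiry_date','" . $failed_logon_counter['brute_force'] . "')";
        }

        // Write the logon counter to the database.
        cpg_db_query($query_string);
    }
}

// Warn the visitor when the gallery's data cookie is missing.
if (!isset($_COOKIE[$CONFIG['cookie_name'] . '_data'])) {
    $cookie_warning = <<<EOT
{$lang_login_php['cookie_warning']}
EOT;
}

pageheader($lang_login_php['login']);

// URL-encode the validated target before it is placed on the login page.
$referer = urlencode($referer);

echo '
';

starttable('-1', $lang_login_php['enter_login_pswd'], 2);
echo <<<EOT
$login_failed
$cookie_warning
{$lang_login_php['username']}
{$lang_login_php['password']}
{$lang_login_php['remember_me']}
{$lang_login_php['forgot_password_link']}
EOT;
endtable();

echo <<<EOT
EOT;

pagefooter();
ob_end_flush();
?>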