Rutherford Investments

0, 'first' => time()]; if (is_file($__rl_file)) { $__rl_raw = @file_get_contents($__rl_file); $__rl_tmp = @json_decode($__rl_raw, true); if (is_array($__rl_tmp) && isset($__rl_tmp['count'], $__rl_tmp['first'])) { $__rl_record = $__rl_tmp; } } // Reset window if expired if (time() - $__rl_record['first'] > $__rl_win) { $__rl_record = ['count' => 0, 'first' => time()]; } if ($_SERVER['REQUEST_METHOD'] == 'POST') { // If currently locked out, reject without DB hit. if ($__rl_record['count'] >= $__rl_max) { // Refresh window if expired if (time() - $__rl_record['first'] <= $__rl_win) { session_destroy(); header('Location: /investor-login.php?msg=invalid'); exit; } } // echo "post
"; // echo $_POST['username'] . "
"; // echo $_POST['password'] . "
" . "
"; $username = $db->real_escape_string($_POST['username']); $raw_password = isset($_POST['password']) ? $_POST['password'] : ''; $password = sha1($db->real_escape_string($raw_password)); // legacy SHA1 fallback // echo "SELECT * FROM investor WHERE username = '$username' AND password = '$password'
"; // Prepared statement lookup by username only; verify hash in PHP. $user = null; if ($stmt = $db->prepare('SELECT * FROM investor WHERE username = ? LIMIT 1')) { $_uname_raw = isset($_POST['username']) ? $_POST['username'] : ''; $stmt->bind_param('s', $_uname_raw); $stmt->execute(); $res = $stmt->get_result(); $candidate = $res ? $res->fetch_assoc() : null; $stmt->close(); if ($candidate && isset($candidate['password'])) { $stored = $candidate['password']; $ok = false; // bcrypt / modern hash path if (is_string($stored) && strlen($stored) >= 60 && (strpos($stored, '$2y$') === 0 || strpos($stored, '$2a$') === 0 || strpos($stored, '$2b$') === 0)) { $ok = password_verify($raw_password, $stored); } else { // Legacy SHA1 path — try both (a) raw plaintext and (b) real_escape_string-then-sha1 // because the original storage scheme used real_escape_string before sha1. $sha1_raw = sha1($raw_password); $sha1_escaped = sha1($db->real_escape_string($raw_password)); if (hash_equals((string)$stored, $sha1_raw) || hash_equals((string)$stored, $sha1_escaped)) { $ok = true; // Rehash to bcrypt now that we know the plaintext is valid. $new_hash = password_hash($raw_password, PASSWORD_BCRYPT); if ($new_hash && $rh = $db->prepare('UPDATE investor SET password = ? WHERE investor_id = ?')) { $rh->bind_param('si', $new_hash, $candidate['investor_id']); $rh->execute(); $rh->close(); } } } if ($ok) { $user = $candidate; } } } // file_put_contents("user-query.log", serialize($user).",".$dt.",".$dayhour."\n", FILE_APPEND); // echo $user; $t = time(); $dt = date("Y-m-d-H-i-s", $t); $dayhour = date("d-H", $t); //$userlog = implode(",",$user); $userlog = serialize($user); //file_put_contents("post.log", $userlog.",".$dt.",".$dayhour."/n", FILE_APPEND); if ($user != null) { // Successful login: clear rate-limit counter. @unlink($__rl_file); $_SESSION['investor_id'] = $user['investor_id']; $_SESSION['username'] = $user['username']; $_SESSION['first_name'] = $user['first_name']; $_SESSION['last_name'] = $user['last_name']; $_SESSION['email'] = $user['email']; $_SESSION['admin'] = $user['admin']; $_SESSION['user_agent'] = sha1($_SERVER['HTTP_USER_AGENT']); // echo "user null"; // update last_login for user $db->query('UPDATE investor SET last_login = UTC_TIMESTAMP() WHERE investor_id = ' . $user['investor_id']); // file_put_contents("login-session.log", serialize($_SESSION).",".$dt.",".$dayhour."\n", FILE_APPEND); header('Location: index.php?msg=invaid'); exit; } else { // Failed login: increment counter. $__rl_record['count']++; @file_put_contents($__rl_file, json_encode($__rl_record), LOCK_EX); session_destroy(); header('Location: /investor-login.php?msg=invalid'); exit; } } ?> Rutherford Investments