Current File : /home/questend/public_html/domains/taattva.in/admin/index.php

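<?php

   ob_start();
   error_reporting(E_ALL ^ E_NOTICE);
   @session_start();
   // allow_url_include is intentionally not touched here: it is a php.ini-only
   // directive that ini_set() cannot change at runtime, and enabling it would
   // only let include/require load remote URLs.
   date_default_timezone_set("Asia/Kolkata");
   set_time_limit(600);
   ini_set('max_execution_time',600);
   include 'includes/settings/constant.php';
   require_once 'includes/settings/PDODB.php';
   include 'includes/modules/functions.php';

   $function = new FUNCTIONS();

   // An admin that is already logged in never sees the form.
   if(!empty($_SESSION['adminId'])){
    header("Location: dashboard/index.php");
    exit();
   }

   // Throttle: after this many failed logins the session has to wait this long.
   // NOTE(review): the counter lives in the PHP session, so it only slows down a
   // client that keeps its session cookie; a server-side (per account / per
   // source) counter is needed for real brute-force protection.
   $maxLoginAttempts = 5;
   $lockoutSeconds   = 300;

   if (isset($_POST['btnLogin'])) {
        // Only scalar strings are accepted; anything else (e.g. username[]=x)
        // is treated as an empty field.
        $username = is_string($_POST['username'] ?? null) ? trim($_POST['username']) : '';
        $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

        // Lazily initialise the throttle counters for this session.
        if (!isset($_SESSION['login_attempts'])) {
            $_SESSION['login_attempts'] = 0;
            $_SESSION['last_login_attempt'] = time();
        }

        // Records one failed attempt; the timestamp restarts the lockout window.
        $recordFailure = static function (): void {
            $_SESSION['login_attempts']++;
            $_SESSION['last_login_attempt'] = time();
        };

        // Usernames and e-mail addresses only need this character set. Besides
        // rejecting junk, the allow-list guarantees the value contains no quotes,
        // backslashes or comment sequences, which is what makes interpolating it
        // into the SQL below safe.
        $identifierIsWellFormed = $username !== ''
            && strlen($username) <= 254
            && preg_match('/^[A-Za-z0-9._@+-]+$/', $username) === 1;

        $isLockedOut = $_SESSION['login_attempts'] >= $maxLoginAttempts
            && (time() - $_SESSION['last_login_attempt']) < $lockoutSeconds;

        if ($username === '' || $password === '') {
            // Compared against '' rather than empty(): "0" is a legitimate password.
            $error_msg = "Please enter both username and password.";
        } elseif ($isLockedOut) {
            $error_msg = "Too many login attempts. Please try again later.";
        } elseif (!$identifierIsWellFormed) {
            // Counts as a failed attempt and uses the same message as a wrong
            // password so the response does not reveal which accounts exist.
            $recordFailure();
            $error_msg = "Invalid username or password.";
        } else {
            try {
                $pdodb = PDODB::getInstance();

                // TODO(review): switch to a bound-parameter call as soon as the
                // PDODB wrapper exposes one; until then the allow-list check on
                // $username above is the only thing keeping this query safe.
                $loginQuery = "SELECT * FROM `admin` WHERE (email='$username' OR username='$username') AND isactive='1'";
                $result = $pdodb->query($loginQuery);

                // PDODB::query() is assumed to return the matching rows as a list
                // of associative arrays (the original code indexed it that way);
                // anything else is treated as "no such account".
                $admin = (is_array($result) && isset($result[0]) && is_array($result[0])) ? $result[0] : null;

                if ($admin !== null && password_verify($password, (string)($admin['password'] ?? ''))) {
                    // Successful login: clear the throttle and bind the session to the admin.
                    $_SESSION['login_attempts'] = 0;
                    $_SESSION['adminId'] = $admin['id'];
                    $_SESSION['admin_role_id'] = $admin['admin_role_id'];

                    // A fresh session ID on privilege change defeats session fixation.
                    session_regenerate_id(true);

                    header("Location: dashboard/index.php");
                    exit();
                }

                // Unknown account and wrong password are reported identically.
                $recordFailure();
                $error_msg = "Invalid username or password.";
            } catch (PDOException $e) {
                // Details go to the server log only; the user gets a generic message.
                error_log("Login error: " . $e->getMessage());
                $error_msg = "A system error occurred. Please try again later.";
            }
        }
    }
?>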
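<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>INSPINIA | Login</title>
    <link href="css/bootstrap.min.css" rel="stylesheet">
    <link href="font-awesome/css/font-awesome.css" rel="stylesheet">
    <link href="css/animate.css" rel="stylesheet">
    <link href="css/style.css" rel="stylesheet">
</head>
<body class="gray-bg">

    <div class="middle-box text-center loginscreen animated fadeInDown">
        <div>
            <div>
                <!-- $error_msg is set by the PHP above; it is HTML-escaped so a
                     future message that echoes user input cannot inject markup. -->
                <p style="color:red; text-align: center;"><?= !empty($error_msg) ? htmlspecialchars($error_msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : ''; ?></p>
                <h1 class="logo-name"><img src="../images/logo.png" width="250"></h1>
            </div>
            <h3>Welcome to Taattva</h3>
            <p>Log in to see it in action.</p>
            <form class="m-t" role="form" action="" method="POST" id="loginfrm">
                <div class="form-group">
                    <input type="text" class="form-control" id="username" name="username" placeholder="Username &amp; Email" autocomplete="username">
                </div>
                <div class="form-group">
                    <input type="password" class="form-control" id="password" name="password" placeholder="Password" autocomplete="current-password">
                </div>
                <button type="submit" name="btnLogin" class="btn btn-primary block full-width m-b">Login</button>
            </form>
        </div>
    </div>
    <!-- Mainly scripts -->
    <script src="js/jquery-2.1.1.js"></script>
    <script src="js/bootstrap.min.js"></script>
    <script src="js/jquery.form-validator.min.js"></script>
    <script type="text/javascript">
      // Client-side convenience only: the PHP above re-validates every field,
      // so these rules must never be the only check.
      $("#loginfrm").validate({
        rules: {
            username: {
                required: true
            },
            password: {
                required: true,
                minlength: 6
            }
        },
        messages: {
            username: {
                required: "Please enter username"
            },
            password: {
                required: "Please enter Password",
                minlength: "Password at least 6 digit"
            }
        },
        submitHandler: function(form) {
            form.submit();
        }
      });
    </script>

</body>
</html>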

