From 76b965ec20be814b2b2758b27e02d562805bee93 Mon Sep 17 00:00:00 2001 From: Marcus Hill Date: Sun, 24 Apr 2022 10:52:05 +0100 Subject: [PATCH] Adjust brute force notification to be in notifications, not alerts --- login.php | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/login.php b/login.php index 38599ab5..de52a352 100644 --- a/login.php +++ b/login.php @@ -8,14 +8,11 @@ if(!file_exists('config.php')){ include("config.php"); include("functions.php"); -// SESSION FINGERPRINT +// IP & User Agent for logging $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip())); -$os = strip_tags(mysqli_real_escape_string($mysqli,get_os())); - -// User agent $user_agent = strip_tags(mysqli_real_escape_string($mysqli,$_SERVER['HTTP_USER_AGENT'])); -// HTTP Only cookies +// HTTP-Only cookies ini_set("session.cookie_httponly", True); // Tell client to only send cookie(s) over HTTPS @@ -23,6 +20,7 @@ if($config_https_only){ ini_set("session.cookie_secure", True); } +// Handle POST login request if(isset($_POST['login'])){ // Sessions should start after the user has POSTed data 
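Review bot: The cookie hardening under the renamed `// HTTP-Only cookies` comment still stops at `httponly` and (conditionally) `secure`, so the login session cookie is sent on cross-site requests; add `ini_set("session.cookie_samesite", "Lax");` next to the `session.cookie_httponly` line, before the `session_start()` that the next hunk's comment says happens after the POST. The `$user_agent` context line reads `$_SERVER['HTTP_USER_AGENT']` without a guard, so a request that omits the header (trivial for an attacker or a scanner) raises an undefined-key warning on PHP 8 before the value is logged; `$user_agent = strip_tags(mysqli_real_escape_string($mysqli, $_SERVER['HTTP_USER_AGENT'] ?? ''));` keeps the logging path quiet. The removal of `$os`/`get_os()` is only safe if nothing later in login.php or the included files still references it, which is outside this hunk.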
@@ -37,11 +35,11 @@ if(isset($_POST['login'])){ if($failed_login_count >= 10){ // Logging - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW()"); + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt due to IP lockout', log_ip = '$ip', log_user_agent = '$user_agent'"); // Send an alert only count hits 10 to reduce flooding alerts (using 1 as "default" company) if($failed_login_count == 10){ - mysqli_query($mysqli,"INSERT INTO alerts SET alert_type = 'Lockout', alert_message = '$ip was locked out for repeated failed login attempts.', alert_date = NOW(), company_id = '1'"); + mysqli_query($mysqli,"INSERT INTO notifications SET notification_type = 'Lockout', notification = '$ip was locked out for repeated failed login attempts.', notification_timestamp = NOW() company_id = '1'"); } // Inform user @@ -55,8 +53,8 @@ if(isset($_POST['login'])){ if(isset($_POST['current_code'])){ $current_code = strip_tags(mysqli_real_escape_string($mysqli, $_POST['current_code'])); } - $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email' AND user_archived_at IS NULL"); - $row = mysqli_fetch_array($sql); + + $row = mysqli_fetch_assoc(mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email' AND user_archived_at IS NULL")); if (password_verify($password, $row['user_password'])) { $token = $row['user_token']; 
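Review bot: The new `INSERT INTO notifications` line is missing the comma between `notification_timestamp = NOW()` and `company_id = '1'`, so the statement is a syntax error and `mysqli_query` returns false unchecked; the lockout notification this commit is meant to move will never be written. The fix is `notification_timestamp = NOW(), company_id = '1'`. Dropping `log_created_at = NOW()` from the lockout log line presumably relies on a column default (`DEFAULT CURRENT_TIMESTAMP`) added elsewhere; if the schema does not have one, the lockout log entry will carry a NULL timestamp, which is exactly the record an incident responder needs dated, so confirm the migration. The enclosing `if($failed_login_count >= 10)` block and the `$failed_login_count` computation start before this hunk.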
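Review bot: The inlined `mysqli_fetch_assoc(mysqli_query(...))` leaves `$row` null when no active user matches the email, so `password_verify($password, $row['user_password'])` runs with a null hash, returning false immediately (and deprecated on PHP 8.1+), while a known email pays the bcrypt cost; that timing difference lets an attacker enumerate valid accounts, which compounds with the per-IP lockout this commit touches. A failed query also returns `false`, and passing that to `mysqli_fetch_assoc` is a fatal TypeError on PHP 8. Fetch the result into a variable, fall back to verifying against a throwaway hash when there is no row, and require the row for success. `$email` and `$password` are assigned before this hunk and their escaping is not visible here.
```php
$result = mysqli_query($mysqli, "SELECT * FROM users WHERE user_email = '$email' AND user_archived_at IS NULL");
$row = $result ? mysqli_fetch_assoc($result) : null;
// Verify against a throwaway hash when no user matched so unknown and known emails cost the same time
$stored_hash = $row['user_password'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
if ($row !== null && password_verify($password, $stored_hash)) {
    // … unchanged: token / 2FA handling …
```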
@@ -86,7 +84,7 @@ if(isset($_POST['login'])){ if (empty($token)) { $_SESSION['logged'] = TRUE; - mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_user_id = $user_id"); + mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Login', log_action = 'Success', log_description = '$user_name successfully logged in', log_ip = '$ip', log_user_agent = '$user_agent', log_user_id = $user_id"); header("Location: dashboard_financial.php"); } else {
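Review bot: `$_SESSION['logged'] = TRUE;` promotes the session to authenticated without rotating its id, so a session id planted in the victim's browser before login (session fixation) stays valid afterwards; add `session_regenerate_id(true);` on the line before it. `header("Location: dashboard_financial.php");` is not followed by `exit;` within the visible lines, so if the rest of login.php renders output or runs further logic after the `if(isset($_POST['login']))` block, that still executes for the authenticated request; `header("Location: dashboard_financial.php"); exit;` closes that. `log_user_id = $user_id` is interpolated unquoted; that is fine only if `$user_id` comes straight from the users row fetched earlier, which is assigned outside this hunk. Dropping `log_created_at = NOW()` here has the same schema-default dependency as the lockout log line earlier in the patch.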