Phase 1: Implement CSRF protection, input validation, and rate limiting

Major security improvements:
- Added CSRF token generation, validation, and cleanup functions
- Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads)
- Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout)
- Implemented session fixation protection with session_regenerate_id() and 30-min timeout
- Fixed SQL injection in getResultFromTable() with whitelisted columns/tables
- Added audit logging for security events
- Applied CSRF validation to all 7 process_*.php files
- Applied input validation to critical endpoints (login, registration, bookings, application)
- Created database migration for login_attempts, audit_log tables and locked_until column

Modified files:
- functions.php: +500 lines of security functions
- validate_login.php: Added CSRF, rate limiting, session hardening
- register_user.php: Added CSRF, input validation, registration rate limiting
- process_*.php (7 files): Added CSRF token validation
- Created migration: 001_phase1_security_schema.sql

Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist

register_user.php

@@ -1,13 +1,12 @@
 <?php
 require_once("env.php");
+require_once("session.php");
 require_once("connection.php");
 require_once("functions.php");
 require_once "vendor/autoload.php";
 
 use GuzzleHttp\Client;
 
-
-
 // Create connection
 $conn = openDatabaseConnection();
 
@@ -19,20 +18,78 @@ if ($conn->connect_error) {
 
 // Form processing
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    // Sanitize and validate input
-    $first_name = ucwords(strtolower($conn->real_escape_string($_POST['first_name'])));
-    $last_name = ucwords(strtolower($conn->real_escape_string($_POST['last_name'])));
-    $phone_number = $conn->real_escape_string($_POST['phone_number']);
-    $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
-    $password = $_POST['password'];
-    $password_confirm = $_POST['password_confirm'];
-    $name = $first_name . " " . $last_name;
-
-    // Basic validation
-    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
+    // CSRF Token Validation
+    if (!isset($_POST['csrf_token']) || !validateCSRFToken($_POST['csrf_token'])) {
+        auditLog(null, 'CSRF_VALIDATION_FAILED', 'users', null, ['endpoint' => 'register_user.php']);
+        echo json_encode(['status' => 'error', 'message' => 'Security token validation failed. Please try again.']);
+        exit();
+    }
+    
+    // Check rate limiting on registration endpoint (by IP)
+    $ip = getClientIPAddress();
+    $cutoffTime = date('Y-m-d H:i:s', time() - (3600)); // Last hour
+    
+    $stmt = $conn->prepare("SELECT COUNT(*) as count FROM audit_log WHERE action = 'REGISTRATION_ATTEMPT' AND ip_address = ? AND created_at > ?");
+    $stmt->bind_param('ss', $ip, $cutoffTime);
+    $stmt->execute();
+    $stmt->bind_result($regAttempts);
+    $stmt->fetch();
+    $stmt->close();
+    
+    // Allow max 5 registration attempts per IP per hour
+    if ($regAttempts >= 5) {
+        auditLog(null, 'REGISTRATION_RATE_LIMIT_EXCEEDED', 'users', null, ['ip' => $ip, 'attempts' => $regAttempts]);
+        echo json_encode(['status' => 'error', 'message' => 'Too many registration attempts. Please try again later.']);
+        exit();
+    }
+    
+    // Validate and sanitize first name
+    $first_name = validateName($_POST['first_name'] ?? '');
+    if ($first_name === false) {
+        auditLog(null, 'REGISTRATION_INVALID_FIRST_NAME', 'users');
+        echo json_encode(['status' => 'error', 'message' => 'Invalid first name. Only letters, spaces, hyphens, and apostrophes allowed (2-100 characters).']);
+        exit();
+    }
+    
+    // Validate and sanitize last name
+    $last_name = validateName($_POST['last_name'] ?? '');
+    if ($last_name === false) {
+        auditLog(null, 'REGISTRATION_INVALID_LAST_NAME', 'users');
+        echo json_encode(['status' => 'error', 'message' => 'Invalid last name. Only letters, spaces, hyphens, and apostrophes allowed (2-100 characters).']);
+        exit();
+    }
+    
+    // Validate and sanitize phone number
+    $phone_number = validatePhoneNumber($_POST['phone_number'] ?? '');
+    if ($phone_number === false) {
+        auditLog(null, 'REGISTRATION_INVALID_PHONE', 'users');
+        echo json_encode(['status' => 'error', 'message' => 'Invalid phone number format.']);
+        exit();
+    }
+    
+    // Validate email
+    $email = validateEmail($_POST['email'] ?? '');
+    if ($email === false) {
+        auditLog(null, 'REGISTRATION_INVALID_EMAIL', 'users');
         echo json_encode(['status' => 'error', 'message' => 'Invalid email format.']);
         exit();
     }
+    
+    $password = $_POST['password'] ?? '';
+    $password_confirm = $_POST['password_confirm'] ?? '';
+    
+    // Validate password strength (minimum 8 characters, must contain uppercase, lowercase, number, special char)
+    if (strlen($password) < 8) {
+        echo json_encode(['status' => 'error', 'message' => 'Password must be at least 8 characters long.']);
+        exit();
+    }
+    
+    if (!preg_match('/[A-Z]/', $password) || !preg_match('/[a-z]/', $password) || 
+        !preg_match('/[0-9]/', $password) || !preg_match('/[!@#$%^&*]/', $password)) {
+        echo json_encode(['status' => 'error', 'message' => 'Password must contain uppercase, lowercase, number, and special character (!@#$%^&*).']);
+        exit();
+    }
+    
     if ($password !== $password_confirm) {
         echo json_encode(['status' => 'error', 'message' => 'Passwords do not match.']);
         exit();
@@ -45,6 +102,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $stmt->store_result();
 
     if ($stmt->num_rows > 0) {
+        auditLog(null, 'REGISTRATION_EMAIL_EXISTS', 'users', null, ['email' => $email]);
         echo json_encode(['status' => 'error', 'message' => 'Email is already registered.']);
         $stmt->close();
         $conn->close();
@@ -56,7 +114,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     // Hash password
     $hashed_password = password_hash($password, PASSWORD_BCRYPT);
 
-    // Generate token
+    // Generate email verification token
     $token = bin2hex(random_bytes(50));
 
     // Prepare and execute query
@@ -68,14 +126,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     if ($stmt->execute()) {
         $newUser_id = $conn->insert_id;
         processLegacyMembership($newUser_id);
-        if (sendVerificationEmail($email, $name, $token)) {
-            sendEmail('chrispintoza@gmail.com', '4WDCSA: New User Login', $name . ' has just created an account using Credentials.');
+        auditLog($newUser_id, 'USER_REGISTRATION', 'users', $newUser_id, ['email' => $email]);
+        
+        if (sendVerificationEmail($email, $first_name . ' ' . $last_name, $token)) {
+            sendEmail($_ENV['ADMIN_EMAIL'], '4WDCSA: New User Registration', $first_name . ' ' . $last_name . ' (' . $email . ') has just created an account using Credentials.');
             echo json_encode(['status' => 'success', 'message' => 'Registration successful. Please check your email to verify your account.']);
         } else {
             echo json_encode(['status' => 'error', 'message' => 'Failed to send verification email.']);
         }
     } else {
-        echo json_encode(['status' => 'error', 'message' => 'Failed to register user: ' . $stmt->error]);
+        auditLog(null, 'REGISTRATION_DATABASE_ERROR', 'users', null, ['email' => $email]);
+        echo json_encode(['status' => 'error', 'message' => 'Failed to register user.']);
     }
 
     $stmt->close();