TwoTalesDev/4WDCSA.co.za
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
27 Commits 12 Branches 0 Tags
0d01c7da90a7c8272b56c3b36ec8e3cbd8d490ad
Commit Graph

12 Commits

Author SHA1 Message Date
twotalesanimation
def849ac11 Fix: Use SQL DATE_SUB for accurate datetime comparison in rate limiting 
Changed countRecentFailedAttempts() to use MySQL DATE_SUB(NOW(), INTERVAL ? MINUTE)
instead of PHP-calculated cutoff time. This ensures consistent datetime comparison
on the database server without timezone mismatches between PHP and MySQL.

This fixes the issue where the AND attempted_at condition was filtering out all
recent attempts due to timestamp comparison inconsistencies.
 2025-12-03 15:43:39 +02:00
twotalesanimation
88832d1af2 Fix: Rate limiting now checks email only, not IP address 
The countRecentFailedAttempts() function was requiring BOTH email AND ip_address to match, which caused failed attempts from different IPs to not count together. This prevented account lockout from working properly.

Changed to count failed attempts by email only. IP address is still recorded for audit purposes but doesn't affect the failed attempt count.

This ensures:
- Failed attempts accumulate correctly regardless of IP changes
- Accounts lock after 5 failed attempts within 15 minutes
- Prevents attackers from bypassing by changing IP
 2025-12-03 15:39:26 +02:00
twotalesanimation
b120415d53 Task 10: Harden file upload validation 
Enhanced validateFileUpload() function in functions.php with comprehensive security:
- Hardcoded MIME type whitelist per file type (profile_picture, proof_of_payment, document)
- Strict file size limits per type (5MB images, 10MB documents)
- Extension validation against whitelist
- Double extension prevention (e.g., shell.php.jpg)
- MIME type verification using finfo
- Image validation with getimagesize()
- is_uploaded_file() verification
- Random filename generation to prevent path traversal

Updated file upload handlers:
- upload_profile_picture.php - Profile picture uploads (JPEG, PNG, GIF, WEBP, 5MB max)
- submit_pop.php - Proof of payment uploads (PDF only, 10MB max) + CSRF validation + audit logging
- add_campsite.php - Campsite thumbnail uploads + input validation + CSRF validation + audit logging

Security improvements:
- All uploads use random filenames to prevent directory traversal
- All uploads use secure file permissions (0644)
- File validation occurs before move_uploaded_file()
- Comprehensive error logging for failed uploads
- Audit logging for successful file operations
 2025-12-03 13:30:45 +02:00
twotalesanimation
1ef4d06627 Phase 1: Implement CSRF protection, input validation, and rate limiting 
Major security improvements:
- Added CSRF token generation, validation, and cleanup functions
- Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads)
- Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout)
- Implemented session fixation protection with session_regenerate_id() and 30-min timeout
- Fixed SQL injection in getResultFromTable() with whitelisted columns/tables
- Added audit logging for security events
- Applied CSRF validation to all 7 process_*.php files
- Applied input validation to critical endpoints (login, registration, bookings, application)
- Created database migration for login_attempts, audit_log tables and locked_until column

Modified files:
- functions.php: +500 lines of security functions
- validate_login.php: Added CSRF, rate limiting, session hardening
- register_user.php: Added CSRF, input validation, registration rate limiting
- process_*.php (7 files): Added CSRF token validation
- Created migration: 001_phase1_security_schema.sql

Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
 2025-12-03 11:28:53 +02:00
twotalesanimation
062dc46ffd small updates 2025-12-02 18:17:20 +02:00
twotalesanimation
b69f8f5f1b local changes. 2025-07-24 07:20:51 +02:00
Chris Pinto
561592bc0d Merge branch 'feature/pop_submit' 2025-06-13 10:30:27 +02:00
Chris Pinto
d1dc0b4ad0 Pop submit ready 2025-06-13 10:22:14 +02:00
twotalesanimation
4bdfbff0b6 Member info update 2025-06-08 16:29:50 +02:00
twotalesanimation
07d75bc004 More ENV updates 2025-05-23 14:25:27 +02:00
twotalesanimation
a103c5e272 dotenv implementation 2025-05-23 11:50:53 +02:00
Local Administrator
b83134aca3 Initial commit 2025-04-18 10:32:42 +02:00