1ef4d06627
Major security improvements: - Added CSRF token generation, validation, and cleanup functions - Implemented comprehensive input validators (email, phone, name, date, amount, ID, file uploads) - Added rate limiting with login attempt tracking and account lockout (5 failures = 15 min lockout) - Implemented session fixation protection with session_regenerate_id() and 30-min timeout - Fixed SQL injection in getResultFromTable() with whitelisted columns/tables - Added audit logging for security events - Applied CSRF validation to all 7 process_*.php files - Applied input validation to critical endpoints (login, registration, bookings, application) - Created database migration for login_attempts, audit_log tables and locked_until column Modified files: - functions.php: +500 lines of security functions - validate_login.php: Added CSRF, rate limiting, session hardening - register_user.php: Added CSRF, input validation, registration rate limiting - process_*.php (7 files): Added CSRF token validation - Created migration: 001_phase1_security_schema.sql Next steps: Add CSRF tokens to form templates, harden file uploads, create testing checklist
21 lines
384 B
PHP
21 lines
384 B
PHP
<?php
|
|
require 'env.php';
|
|
require 'connection.php';
|
|
|
|
$conn = openDatabaseConnection();
|
|
|
|
if (!$conn) {
|
|
die('Database connection failed');
|
|
}
|
|
|
|
$sql = file_get_contents('migrations/001_phase1_security_schema.sql');
|
|
|
|
if ($conn->multi_query($sql)) {
|
|
echo "✓ Migration executed successfully\n";
|
|
} else {
|
|
echo "✗ Migration error: " . $conn->error . "\n";
|
|
}
|
|
|
|
$conn->close();
|
|
?>
|