
Contents of /fenglin/bbs/user_login_service.php



Revision 1.1 - (show annotations)
Mon Mar 31 14:09:27 2025 UTC (11 months, 2 weeks ago) by sysadm
Branch: MAIN
Move check_user.php to user_login_service.php
Refactor as backend service

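<?php
/*
 * Backend login service (JSON request body in, JSON document out).
 *
 * Validates the submitted fields, applies the failed-login counters (or the
 * captcha answer when "mfa" is set), checks the credentials against
 * user_list inside one transaction and, on success, sets up the PHP session.
 *
 * Every exit path prints exactly one document of the form
 *   {"return": {"code": <int>, "message": <string>, "errorFields": [...]}}
 * with code 0 = logged in, -1 = input rejected (see errorFields),
 * -2 = database error, 1 = captcha required, 2 = a new password must be set
 * (temporary password in use), 3 = login refused, 4 = the returned license
 * text must be accepted first (resend with "agreement" = "1").
 */
require_once "../lib/db_open.inc.php";
require_once "../lib/lml.inc.php";
require_once "../lib/passwd.inc.php";
require_once "../lib/vn_gif.inc.php";
require_once "../lib/client_addr.inc.php";
require_once "../lib/ip_mask.inc.php";
require_once "./session_init.inc.php";
require_once "./user_login.inc.php";

/**
 * Read one string field from the decoded request body.
 * Arrays/objects in place of a scalar are treated as absent so that the
 * regex checks below never receive a non-string value.
 *
 * @param mixed $data decoded JSON body (null or a non-array when the body is not a JSON object)
 */
function input_string($data, string $key): string
{
    if (!is_array($data) || !isset($data[$key]) || !is_scalar($data[$key])) {
        return "";
    }
    return (string) $data[$key];
}

/**
 * Read one on/off flag from the decoded request body.
 * Only "1", 1 and true count as set; everything else is off.
 *
 * @param mixed $data decoded JSON body
 */
function input_flag($data, string $key): bool
{
    if (!is_array($data) || !isset($data[$key])) {
        return false;
    }
    $value = $data[$key];
    return $value === "1" || $value === 1 || $value === true;
}

/**
 * Record a per-field validation error and mark the whole request as rejected (code -1).
 */
function add_field_error(array &$result_set, string $field, string $message): void
{
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = ["id" => $field, "errMsg" => $message];
}

/**
 * Print the result document, release the connection and stop the script.
 * Work left in an uncommitted transaction is discarded by the server when
 * the connection closes, so failure paths need no explicit ROLLBACK.
 */
function respond_exit(mysqli $db_conn, array $result_set): void
{
    mysqli_close($db_conn);
    exit(json_encode($result_set));
}

/**
 * Set the result code and message, then respond_exit().
 */
function fail_exit(mysqli $db_conn, array $result_set, int $code, string $message): void
{
    $result_set["return"]["code"] = $code;
    $result_set["return"]["message"] = $message;
    respond_exit($db_conn, $result_set);
}

/**
 * Prepare, bind and execute one statement, or fail the request with
 * code -2 and $err_prefix followed by the driver's error text.
 *
 * Every value that comes from the request or from client_addr() is bound
 * as a parameter; nothing from those sources is spliced into the SQL text.
 *
 * @param string $types  mysqli_stmt_bind_param type string, one "s"/"i" per value
 * @param array  $params values in placeholder order
 */
function db_exec(mysqli $db_conn, array $result_set, string $err_prefix, string $sql, string $types = "", array $params = []): mysqli_stmt
{
    $stmt = mysqli_prepare($db_conn, $sql);
    if ($stmt === false) {
        fail_exit($db_conn, $result_set, -2, $err_prefix . mysqli_error($db_conn));
    }
    if ($params !== [] && !mysqli_stmt_bind_param($stmt, $types, ...$params)) {
        fail_exit($db_conn, $result_set, -2, $err_prefix . mysqli_stmt_error($stmt));
    }
    if (!mysqli_stmt_execute($stmt)) {
        fail_exit($db_conn, $result_set, -2, $err_prefix . mysqli_stmt_error($stmt));
    }
    return $stmt;
}

/**
 * Return the single COUNT(*) value of an executed statement and close it
 * (0 when no row comes back).
 */
function fetch_count(mysqli_stmt $stmt): int
{
    $count = 0;
    mysqli_stmt_bind_result($stmt, $count);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return (int) $count;
}

/**
 * COMMIT the open transaction or fail the request with code -2.
 */
function commit_or_exit(mysqli $db_conn, array $result_set): void
{
    if (!mysqli_commit($db_conn)) {
        fail_exit($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
    }
}

$body = file_get_contents("php://input");
$data = json_decode($body === false ? "" : $body, true);

$username = input_string($data, "username");
$password = input_string($data, "password");
$ch_passwd = input_flag($data, "ch_passwd");       // caller wants to set a new password
$password_new = input_string($data, "password_new");
$agreement = input_flag($data, "agreement");       // caller accepted the license text
$mfa = input_flag($data, "mfa");                   // a captcha answer is supplied
$vn_str = input_string($data, "vn_str");           // the captcha answer

// Failure counts at which a captcha is demanded instead of a plain login
$max_source_failures = 2;   // per source subnet, last 10 minutes
$max_account_failures = 5;  // per username, last day

$result_set = [
    "return" => [
        "code" => 0,
        "message" => "",
        "errorFields" => [],
    ],
];

header("Content-Type:application/json; charset=utf-8");

// ---- Validate input data ----------------------------------------------------

if (!preg_match("/^[A-Za-z][A-Za-z0-9]{4,11}$/", $username)) {
    add_field_error($result_set, "username", "不符合格式要求");
}

if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password)) {
    add_field_error($result_set, "password", "不符合格式要求");
}

if ($ch_passwd) {
    if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password_new)) {
        add_field_error($result_set, "password_new", "不符合格式要求");
    }
    if (!verify_pass_complexity($password_new, $username, 6)) {
        add_field_error($result_set, "password_new", "不符合复杂性要求");
    }
}

if ($mfa) {
    // BBS_vn_str is the expected captcha text (presumably stored by vn_gif when the
    // image was generated — confirm); VN_check's return type is not visible here,
    // so the comparison stays loose.
    if (!isset($_SESSION["BBS_vn_str"]) || VN_check($_SESSION["BBS_vn_str"], $vn_str) != 0) {
        add_field_error($result_set, "vn_str", "验证码错误");
    }
}

if ($result_set["return"]["code"] !== 0) {
    respond_exit($db_conn, $result_set);
}

// ---- Credential check, inside one transaction -------------------------------

if (!mysqli_begin_transaction($db_conn)) {
    fail_exit($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

if (!$mfa) {
    // Failed attempts from the same source during the last 10 minutes;
    // client_addr(1) supplies the LIKE pattern for the source (/24 subnet).
    $stmt = db_exec($db_conn, $result_set, "Query login log error; ",
        "SELECT COUNT(*) FROM user_err_login_log
         WHERE login_dt >= SUBDATE(NOW(), INTERVAL '10' MINUTE) AND login_ip LIKE ?",
        "s", [client_addr(1)]);
    if (fetch_count($stmt) >= $max_source_failures) {
        fail_exit($db_conn, $result_set, 1, "来源存在多次失败登陆尝试,请输入验证码");
    }

    // Failed attempts against this username during the last day
    $stmt = db_exec($db_conn, $result_set, "Query login log error; ",
        "SELECT COUNT(*) FROM user_err_login_log
         WHERE username = ? AND login_dt >= SUBDATE(NOW(), INTERVAL '1' DAY)",
        "s", [$username]);
    if (fetch_count($stmt) >= $max_account_failures) {
        fail_exit($db_conn, $result_set, 1, "账号存在多次失败登陆尝试,请输入验证码");
    }
}

// NOTE(review): credentials are matched as unsalted MD5 / SHA-256 digests computed
// by MySQL (MD5 rows are re-stored as SHA-256 below). Moving to
// password_hash()/password_verify() needs a column migration beyond this script.
$stmt = db_exec($db_conn, $result_set, "Query user list error; ",
    "SELECT UID, p_login, verified, temp_password, password = MD5(?) AS old_pass
     FROM user_list WHERE username = ? AND
     (password = MD5(?) OR password = SHA2(?, 256) OR temp_password = ?)
     AND enable",
    "sssss", [$password, $username, $password, $password, $password]);

$uid = 0;
$p_login = 0;
$verified = 0;
$temp_password = "";
$old_pass = 0;
mysqli_stmt_bind_result($stmt, $uid, $p_login, $verified, $temp_password, $old_pass);
$found = (mysqli_stmt_fetch($stmt) === true);
mysqli_stmt_close($stmt);

if (!$found) {
    // Log the failure so the counters above see it, then refuse.
    // NOTE(review): the existing schema stores the submitted password in clear
    // text in user_err_login_log; that column is a liability if the log is ever
    // exposed — consider dropping it or storing a digest instead.
    $stmt = db_exec($db_conn, $result_set, "Write log error; ",
        "INSERT INTO user_err_login_log(username, password, login_dt, login_ip)
         VALUES(?, ?, NOW(), ?)",
        "sss", [$username, $password, client_addr()]);
    mysqli_stmt_close($stmt);
    commit_or_exit($db_conn, $result_set);

    fail_exit($db_conn, $result_set, 3, "用户名或密码不正确");
}

$uid = (int) $uid;
// The row matched either a password hash or the temporary password; tell them apart
$used_temp_password = ($password === (string) $temp_password);

if ($used_temp_password && !$ch_passwd) {
    fail_exit($db_conn, $result_set, 2, "使用临时密码登录需设置新密码");
}

if ($ch_passwd) {
    // A first login with the temporary password also marks the account verified
    $new_verified = $used_temp_password ? 1 : (int) $verified;
    $stmt = db_exec($db_conn, $result_set, "Update password error; ",
        "UPDATE user_list SET password = SHA2(?, 256), temp_password = '', verified = ?
         WHERE UID = ?",
        "sii", [$password_new, $new_verified, $uid]);
    mysqli_stmt_close($stmt);
} elseif ($old_pass) {
    // Legacy MD5 hash matched: re-store the password as SHA-256
    $stmt = db_exec($db_conn, $result_set, "Upgrade password error; ",
        "UPDATE user_list SET password = SHA2(?, 256) WHERE UID = ?",
        "si", [$password, $uid]);
    mysqli_stmt_close($stmt);
}

// Add user login log
$stmt = db_exec($db_conn, $result_set, "Write log error; ",
    "INSERT INTO user_login_log(uid, login_dt, login_ip) VALUES(?, NOW(), ?)",
    "is", [$uid, client_addr()]);
mysqli_stmt_close($stmt);

commit_or_exit($db_conn, $result_set);

// Forbidden user (the login is still logged above, as before)
if (!$p_login) {
    fail_exit($db_conn, $result_set, 3, "您已被封禁全站登陆权限!");
}

// Load user information; load_user_info's return type is not visible here, so its
// status is normalised to an int before dispatching on it.
$ret = load_user_info($uid, $db_conn);
switch ((int) $ret) {
    case -1:
        fail_exit($db_conn, $result_set, -2, "User data not found; " . mysqli_error($db_conn));
        break;
    case -2:
        // Presumably "current license not yet accepted": hand the license text back
        // unless the caller already confirmed agreement — confirm against load_user_info.
        if (!$agreement) {
            $license_file = "./doc/license/" . (new DateTimeImmutable($BBS_license_dt))->format("Ymd") . ".txt";
            $buffer = file_get_contents($license_file);
            if ($buffer === false) {
                $buffer = "";
            }
            $result_set["return"]["code"] = 4;
            $result_set["return"]["message"] = LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, false, 1024);
            respond_exit($db_conn, $result_set);
        }
        break;
    case -3:
        fail_exit($db_conn, $result_set, 3, "很遗憾,您已经永远离开了我们的世界……");
        break;
}

$stmt = db_exec($db_conn, $result_set, "Update login info error; ",
    "UPDATE user_pubinfo SET visit_count = visit_count + 1, last_login_dt = NOW()
     WHERE UID = ?",
    "i", [$uid]);
mysqli_stmt_close($stmt);

// Establish the login in the session. A fresh session id is issued first so an id
// handed out before authentication cannot be reused (assumes session_init.inc.php
// started the session with a handler that supports regeneration — confirm).
session_regenerate_id(true);
$_SESSION["BBS_uid"] = $uid;
$_SESSION["BBS_username"] = $username;
$_SESSION["BBS_login_tm"] = time();
// Drop the consumed captcha so it cannot be replayed (the original `== ""` was a no-op)
unset($_SESSION["BBS_vn_str"]);

respond_exit($db_conn, $result_set);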
