/[LeafOK_CVS]/fenglin/bbs/user_login_service.php

Contents of /fenglin/bbs/user_login_service.php



Revision 1.3 - (show annotations)
Tue Apr 1 02:50:39 2025 UTC (11 months, 2 weeks ago) by sysadm
Branch: MAIN
Changes since 1.2: +2 -2 lines
Update validation rule

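<?php
// Login service for the BBS.
//
// Reads a JSON document from the request body, validates it, applies
// failed-attempt throttling (a correct captcha lifts the throttle), checks the
// credentials against user_list, optionally rotates the password, writes the
// login log and finally populates the session.  Every exit path answers with a
// JSON document shaped like $result_set.  "code" values produced here:
//    0  logged in
//    1  captcha required (too many recent failures for the source or account)
//    2  temporary password used: a new password must be supplied (ch_passwd)
//    3  rejected: wrong credentials, login permission revoked, or account closed
//    4  licence agreement must be accepted (message carries the licence text)
//   -1  input validation failed (details in errorFields)
//   -2  database error (details in message)
require_once "../lib/db_open.inc.php";
require_once "../lib/lml.inc.php";
require_once "../lib/passwd.inc.php";
require_once "../lib/vn_gif.inc.php";
require_once "../lib/client_addr.inc.php";
require_once "../lib/ip_mask.inc.php";
require_once "./session_init.inc.php";
require_once "./user_login.inc.php";

header("Content-Type:application/json; charset=utf-8");

$result_set = [
    "return" => [
        "code" => 0,
        "message" => "",
        "errorFields" => [],
    ],
];

// Terminate the request with the given status.  The connection is closed
// first, which also discards any transaction that is still open.
$finish = function ($code, $message) use (&$result_set, $db_conn) {
    $result_set["return"]["code"] = $code;
    $result_set["return"]["message"] = $message;
    mysqli_close($db_conn);
    exit(json_encode($result_set));
};

// Run one statement; on failure abort with code -2 and the driver's message
// appended to $err_prefix.  Returns the mysqli result (or true for DML).
$query = function ($sql, $err_prefix) use ($finish, $db_conn) {
    $rs = mysqli_query($db_conn, $sql);
    if ($rs === false) {
        $finish(-2, $err_prefix . mysqli_error($db_conn));
    }
    return $rs;
};

// ---- Request parsing -------------------------------------------------------

$raw_body = file_get_contents("php://input");
$data = json_decode($raw_body === false ? "" : $raw_body, true);
if (!is_array($data)) {
    // Missing, malformed or non-object body: treat every field as absent so
    // the validators below reject the request instead of preg_match() choking
    // on a non-string.
    $data = [];
}

// Scalar fields are taken as strings (preg_match() would stringify them
// anyway); arrays/objects in their place count as empty.
$str_field = function ($key) use ($data) {
    return (isset($data[$key]) && is_scalar($data[$key])) ? (string) $data[$key] : "";
};
// Boolean-ish flags are sent as "1".
$flag_field = function ($key) use ($data) {
    return isset($data[$key]) && $data[$key] == "1";
};

$username     = $str_field("username");
$password     = $str_field("password");
$password_new = $str_field("password_new");
$vn_str       = $str_field("vn_str");
$ch_passwd    = $flag_field("ch_passwd") ? 1 : 0;
$mfa          = $flag_field("mfa") ? 1 : 0;
$agreement    = $flag_field("agreement");

// ---- Validation ------------------------------------------------------------

$reject_field = function ($id, $errMsg) use (&$result_set) {
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = [
        "id" => $id,
        "errMsg" => $errMsg,
    ];
};

// The character classes below are also what makes these values safe to place
// in SQL text further down; if a rule is ever relaxed, the escaping at the
// query sites is the remaining line of defence.
if (!preg_match("/^[A-Za-z][A-Za-z0-9]{2,11}$/", $username)) {
    $reject_field("username", "不符合格式要求");
}

if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password)) {
    $reject_field("password", "不符合格式要求");
}

if ($ch_passwd) {
    if (!preg_match("/^[A-Za-z0-9]{6,12}$/", $password_new)) {
        $reject_field("password_new", "不符合格式要求");
    }

    if (!verify_pass_complexity($password_new, $username, 6)) {
        $reject_field("password_new", "不符合复杂性要求");
    }
}

if ($mfa) {
    if (!isset($_SESSION["BBS_vn_str"]) || VN_check($_SESSION["BBS_vn_str"], $vn_str) != 0) {
        $reject_field("vn_str", "验证码错误");
    }
}

if ($result_set["return"]["code"] != 0) {
    $finish(-1, "");
}

if ($mfa) {
    // A captcha answer is good for exactly one login attempt.  Leaving it in
    // the session would let the same answer be replayed to keep skipping the
    // failed-attempt throttle below.
    unset($_SESSION["BBS_vn_str"]);
}

// Escaped copies for SQL interpolation (defence in depth on top of the regex
// whitelists above; client_addr() is not user-validated at all).
$q_username     = mysqli_real_escape_string($db_conn, $username);
$q_password     = mysqli_real_escape_string($db_conn, $password);
$q_password_new = mysqli_real_escape_string($db_conn, $password_new);
$q_addr         = mysqli_real_escape_string($db_conn, client_addr());

// ---- Transaction -----------------------------------------------------------

$query("SET autocommit=0", "Mysqli error: ");
$query("BEGIN", "Mysqli error: ");

if (!$mfa) {
    // Failed login attempts from the same source (subnet /24) during certain time period
    $q_addr_mask = mysqli_real_escape_string($db_conn, client_addr(1));
    $sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
        WHERE login_dt >= SUBDATE(NOW(), INTERVAL '10' MINUTE)
        AND login_ip LIKE '$q_addr_mask'";
    $rs = $query($sql, "Query login log error; ");
    $row = mysqli_fetch_array($rs);
    mysqli_free_result($rs);
    if ($row && (int) $row["err_count"] >= 2) {
        $finish(1, "来源存在多次失败登陆尝试,请输入验证码");
    }

    // Failed login attempts against the current username during certain time period
    $sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
        WHERE username = '$q_username' AND login_dt >= SUBDATE(NOW(), INTERVAL '1' DAY)";
    $rs = $query($sql, "Query login log error; ");
    $row = mysqli_fetch_array($rs);
    mysqli_free_result($rs);
    if ($row && (int) $row["err_count"] >= 5) {
        $finish(1, "账号存在多次失败登陆尝试,请输入验证码");
    }
}

// Three credential forms are accepted: legacy MD5 hash, SHA-256 hash, or the
// clear-text temporary password.  old_pass tells us whether the MD5 form
// matched so it can be upgraded below.
$sql = "SELECT UID, p_login, verified, temp_password,
    password = MD5('$q_password') AS old_pass
    FROM user_list WHERE username = '$q_username' AND
    (password = MD5('$q_password') OR password = SHA2('$q_password', 256) OR
    temp_password = '$q_password')
    AND enable";
$rs = $query($sql, "Query user list error; ");
$row = mysqli_fetch_array($rs);
mysqli_free_result($rs);

if (!$row) {
    // Log login failure
    // NOTE(review): the attempted password is stored in clear text.  Mistyped
    // passwords are usually one keystroke away from the real one, so this
    // table deserves the same protection as user_list (or the column should
    // go); kept as-is because other code may read it.
    $sql = "INSERT INTO user_err_login_log(username, password, login_dt, login_ip)
        VALUES('$q_username', '$q_password', NOW(), '$q_addr')";
    $query($sql, "Write log error; ");
    $query("COMMIT", "Mysqli error: ");
    $finish(3, "用户名或密码不正确");
}

$uid = $row["UID"];
$q_uid = (int) $uid;
// Strict comparison: both sides are strings and a loose == would treat
// numeric-looking strings such as "100e2" and "10000" as equal.
$used_temp_password = ($password === $row["temp_password"]);

if ($used_temp_password && !$ch_passwd) {
    $finish(2, "使用临时密码登录需设置新密码");
}

if ($ch_passwd) {
    // New user first time login with temp password counts as verification.
    // The (int) cast keeps the statement well-formed when verified is NULL.
    $verified = $used_temp_password ? 1 : (int) $row["verified"];

    $sql = "UPDATE user_list SET password = SHA2('$q_password_new', 256),
        temp_password = '', verified = $verified WHERE UID = $q_uid";
    $query($sql, "Update password error; ");
} elseif ($row["old_pass"]) {
    // The legacy MD5 hash matched and the clear text is in hand: re-store as SHA-256.
    $sql = "UPDATE user_list SET password = SHA2('$q_password', 256) WHERE UID = $q_uid";
    $query($sql, "Upgrade password error; ");
}

// Add user login log
$sql = "INSERT INTO user_login_log(uid, login_dt, login_ip) VALUES($q_uid, NOW(), '$q_addr')";
$query($sql, "Write log error; ");

// Commit transaction
$query("COMMIT", "Mysqli error: ");

// Forbidden user
if (!$row["p_login"]) {
    $finish(3, "您已被封禁全站登陆权限!");
}

$query("SET autocommit=1", "Mysqli error: ");

// Load User Information
$ret = load_user_info($uid, $db_conn);
switch ($ret) {
    case "-1":
        $finish(-2, "User data not found; " . mysqli_error($db_conn));
        break; // unreachable: $finish() exits
    case "-2":
        if (!$agreement) {
            $buffer = file_get_contents("./doc/license/" . (new DateTime($BBS_license_dt))->format("Ymd") . ".txt");
            $finish(4, LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, false, 1024));
        }
        break;
    case "-3":
        $finish(3, "很遗憾,您已经永远离开了我们的世界……");
        break; // unreachable: $finish() exits
}

$sql = "UPDATE user_pubinfo SET visit_count = visit_count + 1,
    last_login_dt = NOW() WHERE UID = $q_uid";
$query($sql, "Update login info error; ");

// Issue a fresh session id before binding the identity to the session, so an
// id that was planted or observed before authentication is not carried over.
session_regenerate_id(true);

$_SESSION["BBS_uid"] = $uid;
$_SESSION["BBS_username"] = $username;
$_SESSION["BBS_login_tm"] = time();
// Previously written as `== ""` (a comparison), which never cleared the captcha.
unset($_SESSION["BBS_vn_str"]);

mysqli_close($db_conn);
exit(json_encode($result_set));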
