/[LeafOK_CVS]/fenglin/bbs/user_service_login.php

Annotation of /fenglin/bbs/user_service_login.php



Revision 1.13 - (hide annotations)
Tue Dec 23 09:23:10 2025 UTC (2 months, 3 weeks ago) by sysadm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.12: +5 -4 lines
Use a hashed value (SHA-256) instead of plain text for temp_password

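<?php
require_once "../lib/db_open.inc.php";
require_once "../lib/lml.inc.php";
require_once "../lib/passwd.inc.php";
require_once "../lib/vn_gif.inc.php";
require_once "../lib/client_addr.inc.php";
require_once "../lib/ip_mask.inc.php";
require_once "./session_init.inc.php";
require_once "./user_login.inc.php";

/*
 * BBS login endpoint.
 *
 * Reads a JSON body {username, password, ch_passwd, password_new, agreement,
 * mfa, vn_str}, authenticates against user_list and, on success, populates
 * the PHP session. Every response is JSON of the shape
 *   {"return": {"code": N, "message": "...", "errorFields": [...]}}
 * with the following codes:
 *    0  logged in
 *   -1  a field failed format validation (see errorFields)
 *   -2  database / internal error (message carries the driver error text)
 *    1  too many failed attempts; the client must retry with mfa=1 plus CAPTCHA
 *    2  the temp password was accepted but ch_passwd=1 / password_new is required
 *    3  refused: bad credentials, login banned, or "deceased" account
 *    4  EULA text returned; the client must resubmit with agreement=1
 *
 * Security notes for maintainers:
 *  - Passwords are checked as unsalted MD5 (legacy rows, upgraded on login) or
 *    unsalted SHA-256, both computed by the database server. The plaintext
 *    password therefore travels inside the SQL text and can end up in server
 *    query logs, and unsalted fast hashes are cheap to brute-force offline.
 *    Moving to password_hash()/password_verify() needs a schema change and
 *    matching changes in the registration / reset code, so it is only flagged.
 *  - $username, $password and $password_new are interpolated into SQL. That is
 *    only safe because the regex checks below restrict them to plain ASCII
 *    alphanumerics (plus '_' for the username) before any query runs; keep
 *    those checks in front of every query. client_addr() results are escaped
 *    because their origin is not visible in this file.
 *  - The "mfa" flag is chosen by the client, but a client that sets it must
 *    present a CAPTCHA matching $_SESSION["BBS_vn_str"], and a client that does
 *    not set it is subject to the failure counters; both gates are server-side.
 */

/**
 * Send a terminal JSON response and stop the script.
 *
 * Error paths call this while a transaction may still be open; closing the
 * connection without COMMIT relies on the server discarding the transaction,
 * so nothing partial is persisted.
 *
 * @param mysqli $db_conn    open connection; closed here
 * @param array  $result_set response skeleton (see header comment)
 * @param int    $code       value for return.code
 * @param string $message    value for return.message
 */
function user_service_login_fail($db_conn, array $result_set, $code, $message)
{
    $result_set["return"]["code"] = $code;
    $result_set["return"]["message"] = $message;

    mysqli_close($db_conn);
    exit(json_encode($result_set));
}

$data = json_decode(file_get_contents("php://input"), true);
if (!is_array($data))
{
    // Missing, malformed or non-object body: treat every field as absent
    // instead of indexing into null / a scalar.
    $data = array();
}

$username = (isset($data["username"]) ? trim($data["username"]) : "");
$password = (isset($data["password"]) ? trim($data["password"]) : "");
$ch_passwd = (isset($data["ch_passwd"]) && $data["ch_passwd"] == "1" ? 1 : 0);
$password_new = (isset($data["password_new"]) ? trim($data["password_new"]) : "");
$agreement = (isset($data["agreement"]) && $data["agreement"] == "1");
$mfa = (isset($data["mfa"]) && $data["mfa"] == "1" ? 1 : 0);
$vn_str = (isset($data["vn_str"]) ? trim($data["vn_str"]) : "");

$result_set = array(
    "return" => array(
        "code" => 0,
        "message" => "",
        "errorFields" => array(),
    )
);

header("Content-Type:application/json; charset=utf-8");

// ---- Input validation -----------------------------------------------------
// These patterns double as the SQL-injection barrier for the interpolated
// queries further down: an accepted value contains no quote, backslash or
// wildcard character.
if (!preg_match("/^[A-Za-z][A-Za-z0-9_]{2,11}$/", $username))
{
    $result_set["return"]["code"] = -1;
    array_push($result_set["return"]["errorFields"], array(
        "id" => "username",
        "errMsg" => "不符合格式要求",
    ));
}

// NOTE(review): 5-12 ASCII alphanumerics is a weak policy (no symbols, short
// upper bound). It is shared with whatever code stores passwords, so it is
// left unchanged here rather than tightened in one place only.
if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password))
{
    $result_set["return"]["code"] = -1;
    array_push($result_set["return"]["errorFields"], array(
        "id" => "password",
        "errMsg" => "不符合格式要求",
    ));
}

// ch_passwd=1 means "set password_new during this login". It is mandatory
// when logging in with a temp password and optional otherwise.
if ($ch_passwd)
{
    if (!preg_match("/^[A-Za-z0-9]{6,12}$/", $password_new))
    {
        $result_set["return"]["code"] = -1;
        array_push($result_set["return"]["errorFields"], array(
            "id" => "password_new",
            "errMsg" => "不符合格式要求",
        ));
    }

    if (!verify_pass_complexity($password_new, $username, 6))
    {
        $result_set["return"]["code"] = -1;
        array_push($result_set["return"]["errorFields"], array(
            "id" => "password_new",
            "errMsg" => "不符合复杂性要求",
        ));
    }
}

// CAPTCHA gate. The expected value is stored in the session by the image
// endpoint; the match is case-insensitive by design. A failed login below
// clears BBS_vn_str, so a solved CAPTCHA cannot be replayed for a second guess.
if ($mfa)
{
    if ((!isset($_SESSION["BBS_vn_str"])) || $_SESSION["BBS_vn_str"] == "" || strcasecmp($_SESSION["BBS_vn_str"], $vn_str) != 0)
    {
        $result_set["return"]["code"] = -1;
        array_push($result_set["return"]["errorFields"], array(
            "id" => "vn_str",
            "errMsg" => "验证码错误",
        ));
    }
}

if ($result_set["return"]["code"] != 0)
{
    mysqli_close($db_conn);
    exit(json_encode($result_set));
}

// ---- Transaction ----------------------------------------------------------
// The user row is read FOR UPDATE and the password upgrade / login log are
// written in the same transaction.
if (mysqli_query($db_conn, "SET autocommit=0") == false)
{
    user_service_login_fail($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

if (mysqli_query($db_conn, "BEGIN") == false)
{
    user_service_login_fail($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

// Without a CAPTCHA the request must pass two failure counters. With a valid
// CAPTCHA (mfa=1) the counters are skipped; the CAPTCHA is the rate limit.
if (!$mfa)
{
    // Gate 1: failed attempts from the same source (/24 subnet) in the last
    // 10 minutes. client_addr(1) presumably returns a LIKE pattern for the
    // subnet; mysqli_real_escape_string leaves '%' and '_' intact, so the
    // pattern still works while quotes/backslashes from an untrusted header
    // cannot break out of the literal.
    $sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
            WHERE login_dt >= SUBDATE(NOW(), INTERVAL 10 MINUTE)
            AND login_ip LIKE '" . mysqli_real_escape_string($db_conn, client_addr(1)) . "'";
    $rs = mysqli_query($db_conn, $sql);
    if ($rs == false)
    {
        user_service_login_fail($db_conn, $result_set, -2, "Query login log error: " . mysqli_error($db_conn));
    }

    if ($row = mysqli_fetch_array($rs))
    {
        if ($row["err_count"] >= 10)
        {
            user_service_login_fail($db_conn, $result_set, 1, "来源存在多次失败登陆尝试,请输入验证码");
        }
    }
    mysqli_free_result($rs);

    // Gate 2: failed attempts against this username since its last successful
    // login (all of them, if the account never logged in or does not exist).
    // $username is regex-restricted above, hence safe to interpolate.
    $sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
            LEFT JOIN user_list ON user_err_login_log.username = user_list.username
            LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID
            WHERE user_err_login_log.username = '$username'
            AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt
            OR user_pubinfo.last_login_dt IS NULL)";
    $rs = mysqli_query($db_conn, $sql);
    if ($rs == false)
    {
        user_service_login_fail($db_conn, $result_set, -2, "Query login log error: " . mysqli_error($db_conn));
    }

    if ($row = mysqli_fetch_array($rs))
    {
        if ($row["err_count"] >= 3)
        {
            user_service_login_fail($db_conn, $result_set, 1, "账户存在多次失败登陆尝试,请输入验证码");
        }
    }
    mysqli_free_result($rs);
}

// Fetch and lock the candidate row. Accepted credentials, in the WHERE
// clause: legacy MD5 hash, SHA-256 hash, or the temp password stored as
// SHA-256. The plain-text temp_password comparison is presumably kept for
// rows written before revision 1.13 — TODO(review): drop it once every row
// has been re-hashed, so a leaked user_list cannot be logged in with directly.
// old_pass / temp_pass report which form matched so the caller can upgrade
// or force a password change.
$sql = "SELECT UID, username, p_login, verified, temp_password,
        password = MD5('$password') AS old_pass,
        (temp_password = SHA2('$password', 256) OR temp_password = '$password') AS temp_pass
        FROM user_list WHERE username = '$username' AND
        (password = MD5('$password') OR password = SHA2('$password', 256) OR
        temp_password = SHA2('$password', 256) OR temp_password = '$password')
        AND enable FOR UPDATE";

$rs = mysqli_query($db_conn, $sql);
if ($rs == false)
{
    user_service_login_fail($db_conn, $result_set, -2, "Query user list error: " . mysqli_error($db_conn));
}

$uid = 0;

if ($row = mysqli_fetch_array($rs))
{
    $uid = intval($row["UID"]);
    // Use the stored spelling of the username from here on (the lookup above
    // is done by the database's own collation).
    $username = $row["username"];

    // A temp password is only good for setting a real one.
    if ($row["temp_pass"] && !$ch_passwd)
    {
        user_service_login_fail($db_conn, $result_set, 2, "使用临时密码登录需设置新密码");
    }

    if ($ch_passwd)
    {
        if ($row["temp_pass"]) // Login with temp password
        {
            // Completing a temp-password login marks the account verified and
            // grants the initial "life" value.
            $verified = 1;

            // Set life = 150 for verified user
            $sql = "UPDATE user_pubinfo SET life = 150 WHERE UID = $uid";
            if (mysqli_query($db_conn, $sql) == false)
            {
                user_service_login_fail($db_conn, $result_set, -2, "Update user life error: " . mysqli_error($db_conn));
            }
        }
        else
        {
            // Ordinary login that also changes the password: keep the flag.
            // intval() keeps a NULL/odd column value from producing broken SQL.
            $verified = intval($row["verified"]);
        }

        // Store the new password as SHA-256 and burn the temp password.
        $sql = "UPDATE user_list SET password = SHA2('$password_new', 256),
                temp_password = '', verified = $verified WHERE UID = $uid";
        if (mysqli_query($db_conn, $sql) == false)
        {
            user_service_login_fail($db_conn, $result_set, -2, "Update password error: " . mysqli_error($db_conn));
        }
    }
    else if ($row["old_pass"])
    {
        // Transparent upgrade of a legacy MD5 row to SHA-256 on first login.
        $sql = "UPDATE user_list SET password = SHA2('$password', 256) WHERE UID = $uid";
        if (mysqli_query($db_conn, $sql) == false)
        {
            user_service_login_fail($db_conn, $result_set, -2, "Upgrade password error: " . mysqli_error($db_conn));
        }
    }

    mysqli_free_result($rs);

    // Add user login log
    $sql = "INSERT INTO user_login_log(uid, login_dt, login_ip) VALUES($uid, NOW(), '" .
           mysqli_real_escape_string($db_conn, client_addr()) . "')";
    if (mysqli_query($db_conn, $sql) == false)
    {
        user_service_login_fail($db_conn, $result_set, -2, "Write log error: " . mysqli_error($db_conn));
    }

    // Commit transaction
    if (mysqli_query($db_conn, "COMMIT") == false)
    {
        user_service_login_fail($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
    }

    // Forbidden user. Checked after COMMIT, so the login log entry and any
    // password upgrade are kept even though no session is created.
    if (!$row["p_login"])
    {
        user_service_login_fail($db_conn, $result_set, 3, "您已被封禁全站登陆权限!");
    }
}
else
{
    // Log login failure. Only the username and source are recorded: the
    // attempted password is deliberately NOT stored (it is frequently the
    // user's real password with a typo, or a password for another site).
    // The column is kept in the INSERT so an existing NOT NULL constraint
    // still holds.
    $sql = "INSERT INTO user_err_login_log(username, password, login_dt, login_ip)
            VALUES('$username', '', NOW(), '" . mysqli_real_escape_string($db_conn, client_addr()) . "')";

    if (mysqli_query($db_conn, $sql) == false)
    {
        user_service_login_fail($db_conn, $result_set, -2, "Write log error: " . mysqli_error($db_conn));
    }

    // Commit transaction
    if (mysqli_query($db_conn, "COMMIT") == false)
    {
        user_service_login_fail($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
    }

    // Invalidate the CAPTCHA so each further guess needs a fresh one.
    $_SESSION["BBS_vn_str"] = ""; // Force change vn_str

    // Same message for unknown user and wrong password: no account enumeration.
    user_service_login_fail($db_conn, $result_set, 3, "用户名或密码不正确");
}

// SET AUTOCOMMIT = 1
if (mysqli_query($db_conn, "SET autocommit=1") == false)
{
    user_service_login_fail($db_conn, $result_set, -2, "Mysqli error: " . mysqli_error($db_conn));
}

// Load User Information. load_user_info() (user_login.inc.php) returns
// -1 when the user data is missing, -2 when the EULA has not been accepted,
// -3 for a "deceased" account.
$ret = load_user_info($uid, $db_conn);
switch ($ret)
{
case -1:
    user_service_login_fail($db_conn, $result_set, -2, "User data not found: " . mysqli_error($db_conn)); // exits
case -2:
    if (!$agreement)
    {
        // Return the EULA text (length-limited) and require explicit consent.
        $buffer = file_get_contents("../bbs/doc/eula.txt");
        user_service_login_fail($db_conn, $result_set, 4, LML($buffer, 1024, false));
    }
    break;
case -3:
    user_service_login_fail($db_conn, $result_set, 3, "很遗憾,您已经永远离开了我们的世界……"); // exits
}

$sql = "UPDATE user_pubinfo SET visit_count = visit_count + 1,
        last_login_dt = NOW() WHERE UID = $uid";
if (mysqli_query($db_conn, $sql) == false)
{
    user_service_login_fail($db_conn, $result_set, -2, "Update login info error: " . mysqli_error($db_conn));
}

// Authentication succeeded: issue a fresh session id before storing the
// identity, so a session id fixed by an attacker before login is not
// promoted to an authenticated one. Session data carries over.
if (session_status() === PHP_SESSION_ACTIVE)
{
    session_regenerate_id(true);
}

$_SESSION["BBS_uid"] = $uid;
$_SESSION["BBS_username"] = $username;
$_SESSION["BBS_login_tm"] = time();
$_SESSION["BBS_vn_str"] = "";

if (!keep_alive($db_conn))
{
    user_service_login_fail($db_conn, $result_set, -2, "Keep alive error: " . mysqli_error($db_conn));
}

mysqli_close($db_conn);
exit(json_encode($result_set));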
