--- fenglin/bbs/user_service_login.php	2025/04/27 04:32:05	1.2
+++ fenglin/bbs/user_service_login.php	2025/12/23 09:23:10	1.13
@@ -29,7 +29,7 @@
 	header("Content-Type:application/json; charset=utf-8");
 
 	// Validate input data
-	if (!preg_match("/^[A-Za-z][A-Za-z0-9]{2,11}$/", $username))
+	if (!preg_match("/^[A-Za-z][A-Za-z0-9_]{2,11}$/", $username))
 	{
 		$result_set["return"]["code"] = -1;
 		array_push($result_set["return"]["errorFields"], array(
@@ -125,7 +125,7 @@
 
 		if ($row = mysqli_fetch_array($rs))
 		{
-			if ($row["err_count"] >= 2)
+			if ($row["err_count"] >= 10)
 			{
 				$result_set["return"]["code"] = 1;
 				$result_set["return"]["message"] = "来源存在多次失败登陆尝试，请输入验证码";
@@ -136,9 +136,13 @@
 		}
 		mysqli_free_result($rs);
 
-		// Failed login attempts against the current username during certain time period
+		// Failed login attempts against the current username since last successful login
 		$sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
-				WHERE username = '$username' AND login_dt >= SUBDATE(NOW(), INTERVAL 1 DAY)";
+				LEFT JOIN user_list ON user_err_login_log.username = user_list.username
+				LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID
+				WHERE user_err_login_log.username = '$username'
+				AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt
+				OR user_pubinfo.last_login_dt IS NULL)";
 		$rs = mysqli_query($db_conn, $sql);
 		if ($rs == false)
 		{
@@ -151,7 +155,7 @@
 
 		if ($row = mysqli_fetch_array($rs))
 		{
-			if ($row["err_count"] >= 5)
+			if ($row["err_count"] >= 3)
 			{
 				$result_set["return"]["code"] = 1;
 				$result_set["return"]["message"] = "账户存在多次失败登陆尝试，请输入验证码";
@@ -163,11 +167,12 @@
 		mysqli_free_result($rs);
 	}
 
-	$sql = "SELECT UID, p_login, verified, temp_password,
-			password = MD5('$password') AS old_pass
+	$sql = "SELECT UID, username, p_login, verified, temp_password,
+			password = MD5('$password') AS old_pass,
+			(temp_password = SHA2('$password', 256) OR temp_password = '$password') AS temp_pass
 			FROM user_list WHERE username = '$username' AND
 			(password = MD5('$password') OR password = SHA2('$password', 256) OR
-			temp_password = '$password')
+			temp_password = SHA2('$password', 256) OR temp_password = '$password')
 			AND enable FOR UPDATE";
 
 	$rs = mysqli_query($db_conn, $sql);
@@ -185,8 +190,9 @@
 	if ($row = mysqli_fetch_array($rs))
 	{
 		$uid = intval($row["UID"]);
+		$username = $row["username"];
 
-		if ($password == $row["temp_password"] && !$ch_passwd)
+		if ($row["temp_pass"] && !$ch_passwd)
 		{
 			$result_set["return"]["code"] = 2;
 			$result_set["return"]["message"] = "使用临时密码登录需设置新密码";
@@ -197,7 +203,7 @@
 
 		if ($ch_passwd)
 		{
-			if ($password == $row["temp_password"]) // New user first time login with temp password
+			if ($row["temp_pass"]) // Login with temp password
 			{
 				$verified = 1;
 
@@ -340,10 +346,10 @@
 		case -2:
 			if (!$agreement)
 			{
-				$buffer = file_get_contents("./doc/license/" . (new DateTime($BBS_license_dt))->format("Ymd") . ".txt");
+				$buffer = file_get_contents("../bbs/doc/eula.txt");
 
 				$result_set["return"]["code"] = 4;
-				$result_set["return"]["message"] = LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, false, 1024);
+				$result_set["return"]["message"] = LML($buffer, 1024, false);
 
 				mysqli_close($db_conn);
 				exit(json_encode($result_set));
@@ -385,4 +391,3 @@
 
 	mysqli_close($db_conn);
 	exit(json_encode($result_set));
-?>