--- fenglin/bbs/user_service_login.php	2025/04/29 11:55:32	1.3
+++ fenglin/bbs/user_service_login.php	2025/11/03 06:19:31	1.9
@@ -29,7 +29,7 @@
 	header("Content-Type:application/json; charset=utf-8");
 
 	// Validate input data
-	if (!preg_match("/^[A-Za-z][A-Za-z0-9]{2,11}$/", $username))
+	if (!preg_match("/^[A-Za-z][A-Za-z0-9_]{4,11}$/", $username))
 	{
 		$result_set["return"]["code"] = -1;
 		array_push($result_set["return"]["errorFields"], array(
@@ -125,7 +125,7 @@
 
 		if ($row = mysqli_fetch_array($rs))
 		{
-			if ($row["err_count"] >= 2)
+			if ($row["err_count"] >= 10)
 			{
 				$result_set["return"]["code"] = 1;
 				$result_set["return"]["message"] = "来源存在多次失败登陆尝试，请输入验证码";
@@ -136,9 +136,13 @@
 		}
 		mysqli_free_result($rs);
 
-		// Failed login attempts against the current username during certain time period
+		// Failed login attempts against the current username since last successful login
 		$sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
-				WHERE username = '$username' AND login_dt >= SUBDATE(NOW(), INTERVAL 1 DAY)";
+				LEFT JOIN user_list ON user_err_login_log.username = user_list.username
+				LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID
+				WHERE user_err_login_log.username = '$username'
+				AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt
+				OR user_pubinfo.last_login_dt IS NULL)";
 		$rs = mysqli_query($db_conn, $sql);
 		if ($rs == false)
 		{
@@ -151,7 +155,7 @@
 
 		if ($row = mysqli_fetch_array($rs))
 		{
-			if ($row["err_count"] >= 5)
+			if ($row["err_count"] >= 3)
 			{
 				$result_set["return"]["code"] = 1;
 				$result_set["return"]["message"] = "账户存在多次失败登陆尝试，请输入验证码";
@@ -163,7 +167,7 @@
 		mysqli_free_result($rs);
 	}
 
-	$sql = "SELECT UID, p_login, verified, temp_password,
+	$sql = "SELECT UID, username, p_login, verified, temp_password,
 			password = MD5('$password') AS old_pass
 			FROM user_list WHERE username = '$username' AND
 			(password = MD5('$password') OR password = SHA2('$password', 256) OR
@@ -185,6 +189,7 @@
 	if ($row = mysqli_fetch_array($rs))
 	{
 		$uid = intval($row["UID"]);
+		$username = $row["username"];
 
 		if ($password == $row["temp_password"] && !$ch_passwd)
 		{
@@ -343,7 +348,7 @@
 				$buffer = file_get_contents("./doc/license/" . (new DateTime($BBS_license_dt))->format("Ymd") . ".txt");
 
 				$result_set["return"]["code"] = 4;
-				$result_set["return"]["message"] = LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, false, 1024);
+				$result_set["return"]["message"] = LML($buffer, 1024, false);
 
 				mysqli_close($db_conn);
 				exit(json_encode($result_set));