Revision 1.6 - (show annotations)
Fri Oct 24 02:45:16 2025 UTC (4 months, 3 weeks ago) by sysadm
Branch: MAIN
Changes since 1.5: +1 -1 lines
Remove legacy param $use_proxy of LML()

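<?php
require_once "../lib/db_open.inc.php";
require_once "../lib/lml.inc.php";
require_once "../lib/passwd.inc.php";
require_once "../lib/vn_gif.inc.php";
require_once "../lib/client_addr.inc.php";
require_once "../lib/ip_mask.inc.php";
require_once "./session_init.inc.php";
require_once "./user_login.inc.php";

/*
 * JSON login service.
 *
 * Request body: a JSON object with the fields
 *   username, password   credentials (format-checked below)
 *   ch_passwd = "1"      also store password_new as the new password
 *   password_new         new password (only read when ch_passwd = "1")
 *   agreement = "1"      the license text has been accepted
 *   mfa = "1"            vn_str carries a captcha answer
 *   vn_str               captcha answer, compared with $_SESSION["BBS_vn_str"]
 *
 * Response: {"return": {"code": N, "message": "...", "errorFields": [...]}}
 *    0  logged in, session populated
 *   -1  a field failed validation; errorFields lists {id, errMsg}
 *   -2  database error; message carries the driver text
 *    1  too many recent failures; retry with mfa = "1" and a captcha
 *    2  temporary password accepted; a new password must be supplied
 *    3  refused (wrong credentials, login banned, or account closed)
 *    4  license text (in message) must be accepted first
 */

$data = json_decode(file_get_contents("php://input"), true);
if (!is_array($data)) {
    // Empty, malformed or non-object body: treat every field as absent so the
    // validation below reports it instead of tripping over a scalar.
    $data = array();
}

// Trimmed string value of a request field; "" when absent or not a scalar
// (an array value would make trim() throw a TypeError).
$field = function ($key) use ($data) {
    if (!isset($data[$key]) || !is_scalar($data[$key])) {
        return "";
    }
    return trim((string) $data[$key]);
};

// Boolean flag sent as "1" (loose comparison kept so 1 / true also count).
$flag = function ($key) use ($data) {
    return isset($data[$key]) && $data[$key] == "1";
};

$username = $field("username");
$password = $field("password");
$ch_passwd = $flag("ch_passwd") ? 1 : 0;
$password_new = $field("password_new");
$agreement = $flag("agreement");
$mfa = $flag("mfa") ? 1 : 0;
$vn_str = $field("vn_str");

$result_set = array(
    "return" => array(
        "code" => 0,
        "message" => "",
        "errorFields" => array(),
    ),
);

header("Content-Type:application/json; charset=utf-8");

// Send $result_set with the given code/message and stop; never returns.
// Closing the connection discards any transaction that is still open, so
// every exit taken before COMMIT leaves the database untouched.
$abort = function ($code, $message = "") use (&$result_set, $db_conn) {
    $result_set["return"]["code"] = $code;
    $result_set["return"]["message"] = $message;
    mysqli_close($db_conn);
    exit(json_encode($result_set));
};

// Record a validation failure for one input field.
$field_error = function ($id, $msg) use (&$result_set) {
    $result_set["return"]["code"] = -1;
    $result_set["return"]["errorFields"][] = array(
        "id" => $id,
        "errMsg" => $msg,
    );
};

// Run a "SELECT COUNT(*) AS err_count ..." query; 0 when it yields no row.
$count_errors = function ($sql) use ($db_conn, $abort) {
    $rs = mysqli_query($db_conn, $sql);
    if ($rs === false) {
        $abort(-2, "Query login log error: " . mysqli_error($db_conn));
    }
    $row = mysqli_fetch_assoc($rs);
    mysqli_free_result($rs);
    return empty($row) ? 0 : intval($row["err_count"]);
};

// Validate input data. The character classes are also what keeps the values
// interpolated into SQL below free of quote characters.
if (!preg_match("/^[A-Za-z][A-Za-z0-9]{2,11}$/", $username)) {
    $field_error("username", "不符合格式要求");
}

if (!preg_match("/^[A-Za-z0-9]{5,12}$/", $password)) {
    $field_error("password", "不符合格式要求");
}

if ($ch_passwd) {
    if (!preg_match("/^[A-Za-z0-9]{6,12}$/", $password_new)) {
        $field_error("password_new", "不符合格式要求");
    }

    if (!verify_pass_complexity($password_new, $username, 6)) {
        $field_error("password_new", "不符合复杂性要求");
    }
}

if ($mfa) {
    // Captcha: case-insensitive match against the value issued for this session
    $expected = isset($_SESSION["BBS_vn_str"]) ? $_SESSION["BBS_vn_str"] : "";
    if ($expected === "" || strcasecmp($expected, $vn_str) !== 0) {
        $field_error("vn_str", "验证码错误");
    }
}

if ($result_set["return"]["code"] != 0) {
    $abort(-1);
}

// Defence in depth behind the format checks above: should a later change relax
// those regexes, the interpolated values still cannot break out of their quotes.
$username_sql = mysqli_real_escape_string($db_conn, $username);
$password_sql = mysqli_real_escape_string($db_conn, $password);
$password_new_sql = mysqli_real_escape_string($db_conn, $password_new);

// Begin transaction (the user row is locked with FOR UPDATE below)
if (mysqli_query($db_conn, "SET autocommit=0") === false) {
    $abort(-2, "Mysqli error: " . mysqli_error($db_conn));
}

if (mysqli_query($db_conn, "BEGIN") === false) {
    $abort(-2, "Mysqli error: " . mysqli_error($db_conn));
}

if (!$mfa) {
    // Without a captcha the attempt is throttled on recent failures: first per
    // source subnet (/24, 10 in 10 minutes), then per account (3 since its last
    // successful login). Both limits answer with code 1 so the client retries
    // with mfa = "1".
    $subnet_sql = mysqli_real_escape_string($db_conn, client_addr(1));
    $sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
        WHERE login_dt >= SUBDATE(NOW(), INTERVAL 10 MINUTE)
        AND login_ip LIKE '$subnet_sql'";
    if ($count_errors($sql) >= 10) {
        $abort(1, "来源存在多次失败登陆尝试,请输入验证码");
    }

    $sql = "SELECT COUNT(*) AS err_count FROM user_err_login_log
        LEFT JOIN user_list ON user_err_login_log.username = user_list.username
        LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID
        WHERE user_err_login_log.username = '$username_sql'
        AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt
        OR user_pubinfo.last_login_dt IS NULL)";
    if ($count_errors($sql) >= 3) {
        $abort(1, "账户存在多次失败登陆尝试,请输入验证码");
    }
}

// Look the account up and lock its row for the updates below. A legacy MD5
// hash is still accepted (old_pass = 1) and upgraded further down; the current
// scheme is an unsalted SHA2-256 that other code presumably reads as well, so
// moving to password_hash() is a coordinated change rather than a local fix.
$sql = "SELECT UID, username, p_login, verified, temp_password,
    password = MD5('$password_sql') AS old_pass
    FROM user_list WHERE username = '$username_sql' AND
    (password = MD5('$password_sql') OR password = SHA2('$password_sql', 256) OR
    temp_password = '$password_sql')
    AND enable FOR UPDATE";
$rs = mysqli_query($db_conn, $sql);
if ($rs === false) {
    $abort(-2, "Query user list error: " . mysqli_error($db_conn));
}
$row = mysqli_fetch_assoc($rs);
mysqli_free_result($rs);

if (empty($row)) {
    // Record the failure for the throttle queries above. Only the username is
    // kept: the submitted password is typically a near-miss of the real one (or
    // a password the user uses elsewhere) and must not sit in cleartext in the
    // log table.
    $login_ip_sql = mysqli_real_escape_string($db_conn, client_addr());
    $sql = "INSERT INTO user_err_login_log(username, password, login_dt, login_ip)
        VALUES('$username_sql', '', NOW(), '$login_ip_sql')";
    if (mysqli_query($db_conn, $sql) === false) {
        $abort(-2, "Write log error: " . mysqli_error($db_conn));
    }

    if (mysqli_query($db_conn, "COMMIT") === false) {
        $abort(-2, "Mysqli error: " . mysqli_error($db_conn));
    }

    $_SESSION["BBS_vn_str"] = ""; // Force change vn_str

    $abort(3, "用户名或密码不正确");
}

$uid = intval($row["UID"]);
$username = $row["username"]; // spelling as stored, not as typed

// Strict comparison: with == two all-digit strings such as "00123" and "123"
// compare numerically equal, which would misreport a temp-password login.
$used_temp = ($password === $row["temp_password"]);

if ($used_temp && !$ch_passwd) {
    $abort(2, "使用临时密码登录需设置新密码");
}

if ($ch_passwd) {
    if ($used_temp) {
        // New user first time login with temp password
        $verified = 1;

        // Set life = 150 for verified user
        $sql = "UPDATE user_pubinfo SET life = 150 WHERE UID = $uid";
        if (mysqli_query($db_conn, $sql) === false) {
            $abort(-2, "Update user life error: " . mysqli_error($db_conn));
        }
    } else {
        $verified = intval($row["verified"]);
    }

    $sql = "UPDATE user_list SET password = SHA2('$password_new_sql', 256),
        temp_password = '', verified = $verified WHERE UID = $uid";
    if (mysqli_query($db_conn, $sql) === false) {
        $abort(-2, "Update password error: " . mysqli_error($db_conn));
    }
} else if ($row["old_pass"]) {
    // Matched through the legacy MD5 hash: re-store it as SHA2-256
    $sql = "UPDATE user_list SET password = SHA2('$password_sql', 256) WHERE UID = $uid";
    if (mysqli_query($db_conn, $sql) === false) {
        $abort(-2, "Upgrade password error: " . mysqli_error($db_conn));
    }
}

// Add user login log
$login_ip_sql = mysqli_real_escape_string($db_conn, client_addr());
$sql = "INSERT INTO user_login_log(uid, login_dt, login_ip) VALUES($uid, NOW(), '$login_ip_sql')";
if (mysqli_query($db_conn, $sql) === false) {
    $abort(-2, "Write log error: " . mysqli_error($db_conn));
}

// Commit transaction
if (mysqli_query($db_conn, "COMMIT") === false) {
    $abort(-2, "Mysqli error: " . mysqli_error($db_conn));
}

// Forbidden user (checked after COMMIT, so the login log entry and any
// password update above are kept even when login is refused)
if (!$row["p_login"]) {
    $abort(3, "您已被封禁全站登陆权限!");
}

// SET AUTOCOMMIT = 1
if (mysqli_query($db_conn, "SET autocommit=1") === false) {
    $abort(-2, "Mysqli error: " . mysqli_error($db_conn));
}

// Load User Information
$ret = load_user_info($uid, $db_conn);
switch ($ret) {
    case -1:
        $abort(-2, "User data not found: " . mysqli_error($db_conn));
    case -2:
        // License not yet accepted: return the current license text unless the
        // client confirmed agreement in this request
        if (!$agreement) {
            $buffer = file_get_contents("./doc/license/" . (new DateTime($BBS_license_dt))->format("Ymd") . ".txt");
            if ($buffer === false) {
                $buffer = "";
            }
            $abort(4, LML(htmlspecialchars($buffer, ENT_HTML401, 'UTF-8'), false, 1024));
        }
        break;
    case -3:
        $abort(3, "很遗憾,您已经永远离开了我们的世界……");
}

$sql = "UPDATE user_pubinfo SET visit_count = visit_count + 1,
    last_login_dt = NOW() WHERE UID = $uid";
if (mysqli_query($db_conn, $sql) === false) {
    $abort(-2, "Update login info error: " . mysqli_error($db_conn));
}

// Populate the session; clearing BBS_vn_str retires the captcha that was used.
// NOTE(review): the session id is not regenerated on login; whether
// session_regenerate_id(true) is safe here depends on how keep_alive() and
// session_init.inc.php track the session — confirm before adding it.
$_SESSION["BBS_uid"] = $uid;
$_SESSION["BBS_username"] = $username;
$_SESSION["BBS_login_tm"] = time();
$_SESSION["BBS_vn_str"] = "";

if (!keep_alive($db_conn)) {
    $abort(-2, "Keep alive error: " . mysqli_error($db_conn));
}

mysqli_close($db_conn);
exit(json_encode($result_set));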
