个人中心
文章发布
退出
作者热门文章
- html - 出于某种原因,IE8 对我的 Sass 文件中继承的 html5 CSS 不友好?
- JMeter 在响应断言中使用 span 标签的问题
- html - 在 :hover and :active? 上具有不同效果的 CSS 动画
- html - 相对于居中的 html 内容固定的 CSS 重复背景?
34
4
我想在 10 分钟内多次尝试登录失败后锁定特定用户。目的是使用 pNumber 作为锁定条件,而不是 IP 地址,因为 IP 地址被多个用户使用。
当我执行基于 ip 的选择时,代码能够检查用户是否输入了错误的 pNumber 和密码,以及是否正确。它打印错误,指示第一次尝试错误,同时将失败的尝试存储在 db_table 中。因此,当失败尝试总数 >= 3 时,它就会锁定。
这不是我想要的,因为我希望它锁定特定的时间,并且它应该根据用户 pNumber 而不是 IP 地址锁定。 IP地址被许多用户共享。
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//check login attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$when = date('m/d/Y h:i:s', time());
$aptSql = mysql_query("SELECT COUNT(ip) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysql_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysql_free_result();
?>
<script>alert('<?php echo $failed_attempt;?>');</script>
<?php
if($failed_attempt >= 3)
{
$time = new Datetime();
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
//Users login details
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
//check the details entered by user
$res=mysql_query("SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysql_query("INSERT INTO `employees`.`attempts` (`id`, `ip`, `when`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$when', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>alert('You entered an invalid username or password, your attempt has been stored.');</script>
<?php
}
else
{
?>
<script>alert('Error Inserting your details. Please, see your department manager');</script>
<?php
}
}
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="Lee & Micheal" content="">
<link rel="icon" href="../favicon.ico">
<title>Employee Time Stamp System</title>
<!-- Bootstrap core CSS -->
<link href="../dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="signin.css" rel="stylesheet">
<!-- debug and js -->
<script src="../assets/js/ie-emulation-modes-warning.js"></script>
</head>
<body>
<div class="container">
<tr>
<td><center><h1>EMPLOYEE LOGIN</h1></center><br></td>
</tr>
<form method="post" class="form-signin" ><br>
<h2 class="form-signin-heading">LOGIN</h2>
<label for="inputEmail" class="sr-only">Personal ID</label>
<input type="text" name="pNumber" id="inputEmail" class="form-control" placeholder="Personal ID" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" name="pass" id="inputPassword" class="form-control" placeholder="Password" required>
<div class="checkbox">
<label>
<input type="checkbox" value="remember-me"> Remember me
</label>
</div>
<button class="btn btn-lg btn-primary btn-block" type="submit" name="btn-login">Login in</button>
</form>
</div> <!-- /container -->
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>
</body>
</html>
我也应该更改这些代码吗?
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
致:
$pNumber = mysqli_real_escape_string($_POST['pNumber']);
$upass = mysqli_real_escape_string($_POST['pass']);
这就是代码现在的样子
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//check login attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$when = date('m/d/Y h:i:s', time());
$aptSql = mysqli_query($con, "SELECT COUNT(ip) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysqli_free_result();
?>
<script>alert('<?php echo $failed_attempt;?>');</script>
<?php
if($failed_attempt >= 3)
{
$time = new Datetime();
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
//Users login details
$pNumber = mysqli_real_escape_string($_POST['pNumber']);
$upass = mysqli_real_escape_string($_POST['pass']);
//check the details entered by user
$res=mysqli_query($con, "SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysqli_fetch_array($res);
if($row['password']==phpass($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysqli_query($con, "INSERT INTO `employees`.`attempts` (`id`, `ip`, `when`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$when', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>alert('You entered an invalid username or password, your attempt has been stored.');</script>
<?php
}
else
{
?>
<script>alert('Error Inserting your details. Please, see your department manager');</script>
<?php
}
}
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="Lee & Micheal" content="">
<link rel="icon" href="../favicon.ico">
<title>Employee Time Stamp System</title>
<!-- Bootstrap core CSS -->
<link href="../dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="signin.css" rel="stylesheet">
<!-- debug and js -->
<script src="../assets/js/ie-emulation-modes-warning.js"></script>
</head>
<body>
<div class="container">
<tr>
<td><center><h1>EMPLOYEE LOGIN</h1></center><br></td>
</tr>
<form method="post" class="form-signin" ><br>
<h2 class="form-signin-heading">LOGIN</h2>
<label for="inputEmail" class="sr-only">Personal ID</label>
<input type="text" name="pNumber" id="inputEmail" class="form-control" placeholder="Personal ID" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" name="pass" id="inputPassword" class="form-control" placeholder="Password" required>
<div class="checkbox">
<label>
<input type="checkbox" value="remember-me"> Remember me
</label>
</div>
<button class="btn btn-lg btn-primary btn-block" type="submit" name="btn-login">Login in</button>
</form>
</div> <!-- /container -->
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="../../assets/js/ie10-viewport-bug-workaround.js"></script>
</body>
</html>
现在有什么问题
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}else
if(isset($_POST['btn-login']))
{
//check login attempts
$pNumber = mysqli_real_escape_string($_POST['pNumber']);
$upass = mysqli_real_escape_string($_POST['pass']);
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$when = date('m/d/Y h:i:s', time());
$aptSql = mysqli_query($con, "SELECT COUNT(ip) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$lastlocked = date('m/d/Y h:i:s', time());
$query = mysqli_query ($con, "SELECT id, pNumber, UNIX_TIMESTAMP(lastlocked) as lockDatetimestamp ROM manage_users HERE (id = $attempt_id) and (lastlocked IS NOT NULL) and
(lastlocked <= DATE_SUB(now(), INTERVAL 10 MINUTE))");
$new_row = mysqli_fetch_array($query);
$aptSql = mysqli_free_result();
?>
<script>alert('<?php echo $failed_attempt;?>');</script>
<?php
if($failed_attempt >= 3)
{
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
//Users login details
//check the details entered by user
$res=mysqli_query($con, "SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysqli_fetch_array($res);
if($row['password']==phpass($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysqli_query($con, "INSERT INTO `employees`.`attempts` (`id`, `ip`, `when`, `pNumber`, `lastlocked`) VALUES ('$attempt_id', '$userIP', '$when', '$pNumber', '$lastlocked')");
//result
if($insertSql != false)
{
?>
<script>alert('You entered an invalid username or password, your attempt has been stored.');</script>
<?php
}
else
{
?>
<script>alert('Error Inserting your details. Please, see your department manager');</script>
<?php
}
}
}
}
这段代码有问题
$row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$lastlocked = date('m/d/Y h:i:s', time());
$query = mysqli_query ($con, "SELECT id, pNumber, UNIX_TIMESTAMP(lastlocked) as lockDatetimestamp ROM manage_users HERE (id = $attempt_id) and (lastlocked IS NOT NULL) and
(lastlocked <= DATE_SUB(now(), INTERVAL 10 MINUTE))");
$new_row = mysqli_fetch_array($query);
$lockedtime = $mysqli_fetch_array['lockDatetimestamp'];
$query=mysqli_free_result();
$aptSql = mysqli_free_result();
已进行一些更新。首先,我必须恢复到旧的 mysql 语句,以确保代码执行其必须执行的操作。当问题解决后我会将其改回 mysqli 语句。
锁定超过 >=3 次的尝试后现在出现问题。很难将 MAX(laSTLocked) 与 30 分钟后的当前时间进行比较,以再次解锁登录表单。所以我的问题是如何做到这一点,我应该使用 switch 循环,其次 if($failed_attempt >= 3) 阻止所有用户,这不是我想要的。
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//prevents SQL injecions
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
//used for failed attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$aptSql = mysql_query("SELECT COUNT(pNumber) AS failed_log FROM attempts WHERE ip='$userIP'");
$row_count = mysql_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$lastlocked = mysql_query("SELECT MAX(lastlocked) FROM attempts WHERE pNumber='$pNumber'");
$yeah = mysql_fetch_array($lastlocked);
if($failed_attempt >= 3)
{
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
elseif(strtotime($lastlocked) < time())
{
?>
<script>alert('<?php echo $lastlocked['lastlocked'];?>');</script>
<?php
}
else
{
$res=mysql_query("SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysql_query("INSERT INTO `employees`.`attempts` (`id`, `ip`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>
alert('You entered an invalid username or password, your attempt has been stored.');
</script>
<?php
}
else
{
?>
<script>
alert('Error Inserting your details. Please, see your department manager');
</script>
<?php
}
}
}
}
最后,解决了问题,我从这里得到的贡献帮助了我。下面是任何有同样问题的人的工作代码。
session_start();
include_once 'dbconnect.php';
if(isset($_SESSION['user'])!="")
{
header("Location: home.php");
}
if(isset($_POST['btn-login']))
{
//prevents SQL injecions
$pNumber = mysql_real_escape_string($_POST['pNumber']);
$upass = mysql_real_escape_string($_POST['pass']);
//used for failed attempts
$userIP = $_SERVER['REMOTE_ADDR'];
$attempt_id = NULL;
$aptSql = mysql_query("SELECT COUNT(pNumber) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysql_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$locked_time = mysql_query("SELECT LAST_INSERT_ID(), DATE_ADD(lastlocked, INTERVAL 2 MINUTE) AS cheknow FROM `attempts` ORDER BY id DESC LIMIT 1");
$show_row_res = mysql_fetch_array($locked_time);
$convert_time= strtotime($show_row_res['cheknow']);
$current_time = time();
?>
<script>alert('The time now is : <?php echo $current_time; ?>') </script>
<script>alert('The converted time : <?php echo $convert_time['cheknow']; ?>') </script>
<?php
//check attempts and lock out user not ip address
if($failed_attempt >= 3 and $convert_time > $current_time)
{
?>
<script>alert('Sorry, you have exceeded numbers of attempts allowed. Please see your department manager');</script>
<?php
}
else
{
$res=mysql_query("SELECT users.*, employees.* FROM users NATURAL JOIN employees WHERE users.pNumber='$pNumber'");
$row=mysql_fetch_array($res);
if($row['password']==md5($upass))
{
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
}
else
{
//Insert login attempts to table
$insertSql = mysql_query("INSERT INTO `employees`.`attempts` (`id`, `ip`, `pNumber`) VALUES ('$attempt_id', '$userIP', '$pNumber')");
//result
if($insertSql != false)
{
?>
<script>
alert('You entered an invalid username or password, your attempt has been stored.');
</script>
<?php
}
else
{
?>
<script>
alert('Error Inserting your details. Please, see your department manager');
</script>
<?php
}
}
}
}
最佳答案
首先。请使用 mysqli 或 PDO,因为 mysql 已贬值并将在 PHP7 中删除。在我建议的代码中,它使用 mysqli ,它需要连接变量,在本例中定义为 $con。
如果您还没有定义连接,请按如下方式定义:
$con = mysqli_connect("my_ip", "my_user", "my_password", "my_db");
据我所知,您的 $aptSql 查询中有 COUNT(ip)。我不知道到底发生了什么,但我会建议以下之一。
$aptSql = mysqli_query($con, "SELECT COUNT(*) AS failed_log FROM attempts WHERE pNumber='$pNumber'");
$row_count = mysqli_fetch_assoc($aptSql);
$failed_attempt = $row_count['failed_log'];
$aptSql = mysqli_free_result();
或者:
$aptSql = mysqli_query($con, "SELECT * FROM attempts WHERE pNumber='$pNumber'");
$failed_attempt = mysqli_num_rows($aptSql);
$aptSql = mysqli_free_result();
该选项中的第二行也可能是:(我是凭内存做的,目前没有测试环境)
$failed_attempt = mysqli_num_rows(mysqli_fetch_assoc($aptSql));
要锁定一段时间,请将帐户锁定的时间添加到用户数据库中,类似于 laSTLocked 的内容,并将其与登录时的当前时间进行比较,检查是否为 10分钟过去了。
关于php - 如何设置用户多次尝试失败后可以被锁定多长时间?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34055091/
34
4
0
在为 Web 应用程序用例图建模时,为用户可以拥有的每个角色创建一个角色是否更好?或拥有一个角色、用户和一个具有特权的矩阵? guest < 用户 < 版主 < 管理员 1: guest 、用户、版主
我无法使用 Elixir 连接到 Postgres: ** (Mix) The database for PhoenixChat.Repo couldn't be created: FATAL 28P
这个问题已经有答案了: Group by field name in Java (7 个回答) 已关闭 7 年前。 我必须编写一个需要 List 的方法并返回 Map> . User包含 Person
感谢您的帮助,首先我将显示代码: $dotaz = "Select * from customers JOIN contracts where customers.user_id ='".$_SESS
我只想向所有用户中的一个用户显示一个按钮。我尝试了 orderByKey() 但没有成功! 用户模型有 id 成员,我尝试使用 orderByChild("id") 但结果相同! 我什至尝试了以下技巧
我们在工作中从 MongoDB 切换到 Postgres,我正在建立一个 BDR 组。 在这一步,我正在考虑安全性并尽可能锁定。因此,我希望设置一个 replication 用户(角色)并让 BDR
export class UserListComponent implements OnInit{ users; constructor(private userService: UserS
我可以使用 Sonata User Bundle 将 FOS 包集成到 sonata Admin 包中。我的登录功能正常。现在我想添加 FOSUserBundle 中的更改密码等功能到 sonata
在 LinkedIn 中创建新应用程序时,我得到 4 个单独的代码: API key 秘钥 OAuth 用户 token OAuth 用户密码 我在 OAuth 流程中使用前两个。 的目的是什么?最后
所以..我几乎解决了所有问题。但现在我要处理另一个问题。我使用了这个连接字符串: SqlConnection con = new SqlConnection(@"Data Source=.\SQLEX
我有一组“用户”和一组“订单”。我想列出每个 user_id 的所有 order_id。 var users = { 0: { user_id: 111, us
我已经为我的Django应用创建了一个用户模型 class User(Model): """ The Authentication model. This contains the u
我被这个问题困住了,找不到解决方案。寻找一些方向。我正在用 laravel 开发一个新的项目,目前正致力于用户认证。我正在使用 Laravels 5.8 身份验证模块。 对密码恢复 View 做了一些
安装后我正在使用ansible配置几台计算机。 为此,我在机器上本地运行 ansible。安装中的“主要”用户通常具有不同的名称。我想将该用户用于诸如 become_user 之类的变量. “主要”用
我正在尝试制作一个运行 syncdb 的批处理文件来创建一个数据库文件,然后使用用户名“admin”和密码“admin”创建一个 super 用户。 到目前为止我的代码: python manage.
关闭。这个问题是opinion-based 。目前不接受答案。 想要改进这个问题吗?更新问题,以便 editing this post 可以用事实和引文来回答它。 . 已关闭 6 年前。 Improv
我已在 Azure 数据库服务器上设置异地复制。 服务器上运行的数据库之一具有我通过 SSMS 创建的登录名和用户: https://learn.microsoft.com/en-us/azure/s
我有一个 ionic 2 应用程序,正在使用 native FB Login 来检索名称/图片并将其保存到 NativeStorage。流程是我打开WelcomePage、登录并保存数据。从那里,na
这是我的用户身份验证方法: def user_login(request): if request.method == 'POST': username = request.P
我试图获取来自特定用户的所有推文,但是当我迭代在模板中抛出推文时,我得到“User”对象不可迭代 观看次数 tweets = User.objects.get(username__iexact='us
我是一名优秀的程序员,十分优秀!