My form is shown below. I want an action to be taken after the user enters the wrong password 3 times, after which his account is locked for a few minutes. How can I implement this in my form?
<?php
session_start();
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $connect = mysql_connect('localhost', 'root', 'root');
    mysql_selectdb('lr') or die('Couldnt find database');
    // Raw user input interpolated into SQL: this is the SQL injection the answer refers to.
    $query = mysql_query("SELECT * FROM users WHERE username = '$username'");
    $numrows = mysql_num_rows($query);
    if ($numrows != 0) {
        while ($row = mysql_fetch_assoc($query)) {
            $dbuser = $row['username'];
            $dbpass = $row['password'];
        }
        // Plaintext password comparison; nothing here counts failed attempts yet.
        if ($username == $dbuser && $password == $dbpass) {
            $_SESSION['username'] = $dbuser;
            if ($_SESSION['username']) {
                echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
                echo 'Click <a href = "index.php"> here </a> to log out !';
            }
        } else {
            echo 'Incorrect Username or Password Combinations ';
        }
    } else {
        die('That user does not exist');
    }
}
?>
Answer 0 (score: 1)
As other users have said, you are vulnerable to SQL injection. Always validate user input!
As for your question, you could use the database, but then someone could easily block other users' accounts. You could also use session variables. You just need to record the number of failed logins in the session. After 3 failures, you set a session variable holding the timestamp from which the user is allowed to log in again (current timestamp + X), and before running the SQL check you test whether that time has passed. If the user logs in successfully, these session variables should be cleared or reset. (Sorry, I don't have time to write your example, but it is easy to implement.)
Written on a mousepad and not tested in any way, but I hope it gives you some hints.
<?php
session_start();
define('MAX_LOGIN_ATTEMPTS', 3);
define('LOGIN_TIMEOUT_SECONDS', 1 * 60 * 60); // one hour timeout

// Refuse the attempt while the lockout timestamp is still in the future.
// (The original compared with '<', which would never have blocked anyone.)
if (isset($_SESSION['loginTimeout']) && $_SESSION['loginTimeout'] > time()) {
    echo "You used all login attempts. Try again in a little while.";
    exit(); // the original was missing the semicolon here
}
// Once an expired lockout is seen, start counting failures from zero again.
if (isset($_SESSION['loginTimeout'])) {
    unset($_SESSION['loginTimeout'], $_SESSION['loginAttempts']);
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    // Note: the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7.
    $connect = mysql_connect('localhost', 'root', 'root');
    mysql_selectdb('lr') or die('Couldnt find database');
    // Escape the username because it is interpolated into the query below.
    $username = mysql_real_escape_string($_POST['username']);
    // The password never goes into SQL, so compare the raw value; escaping it
    // would break logins for passwords containing quotes or backslashes.
    $password = $_POST['password'];
    $query = mysql_query("SELECT * FROM users WHERE username = '$username'");
    $numrows = mysql_num_rows($query);
    $bFail = false;
    if ($numrows != 0) {
        while ($row = mysql_fetch_assoc($query)) {
            $dbuser = $row['username'];
            $dbpass = $row['password'];
        }
        if ($username == $dbuser && $password == $dbpass) {
            // Successful login: clear the lockout state.
            unset($_SESSION['loginTimeout'], $_SESSION['loginAttempts']);
            $_SESSION['username'] = $dbuser;
            if ($_SESSION['username']) {
                echo 'Welcome ' . $_SESSION['username'] . ' ! <br>';
                echo 'Click <a href = "index.php"> here </a> to log out !';
            }
        } else {
            echo 'Incorrect Username or Password Combinations ';
            $bFail = true;
        }
    } else {
        // The original called die() here, so this failure was never counted.
        echo 'That user does not exist';
        $bFail = true;
    }
    if ($bFail) {
        if (isset($_SESSION['loginAttempts'])) $_SESSION['loginAttempts']++;
        else $_SESSION['loginAttempts'] = 1;
        // Lock on the third failure (the original used '>', which locked on the fourth).
        if ($_SESSION['loginAttempts'] >= MAX_LOGIN_ATTEMPTS) {
            $_SESSION['loginTimeout'] = time() + LOGIN_TIMEOUT_SECONDS;
        }
    }
}
?>
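The session-based counter above has a limit worth knowing: the attempts and the timeout live in the attacker's own session, so a client that simply discards its session cookie gets a fresh counter on every request. The example below is an added one, not the asker's form or the answerer's code; it keeps the failure count and lock expiry on the server, per account, and also fixes the injection and plaintext-password problems the answer mentions by using PDO prepared statements and password_hash()/password_verify(). It assumes a hypothetical users table with the columns username, password_hash, failed_attempts and locked_until, and uses an in-memory SQLite database (pdo_sqlite) with a constructed sample user so it runs offline. The lock is kept short (a few minutes, as the question asks) because, as the answer points out, a per-account lock can be used to keep someone else out; per-IP rate limiting on top of it is a separate concern not shown here.

```php
<?php
// Added example (not the original poster's or answerer's code): per-account
// lockout stored server-side, with prepared statements and hashed passwords.
// Assumed (hypothetical) schema: users(username, password_hash, failed_attempts, locked_until).

const MAX_LOGIN_ATTEMPTS = 3;
const LOCKOUT_SECONDS    = 5 * 60;   // "a few minutes", as the question asks

function setupDemoDb(): PDO {
    // In-memory SQLite so the example runs offline; a real deployment uses its own DSN.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        username        TEXT PRIMARY KEY,
        password_hash   TEXT NOT NULL,
        failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked_until    INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample user; only the hash is stored, never the plaintext.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

/**
 * Returns 'ok', 'locked' or 'bad'. Unknown users and wrong passwords both yield
 * 'bad' so the form does not confirm which usernames exist. ('locked' is only
 * ever returned for an existing account; that is the trade-off of telling the
 * user to wait, as the question asks for.)
 */
function attemptLogin(PDO $pdo, string $username, string $password, int $now): string {
    // Prepared statement: the username is bound, never interpolated into the SQL.
    $stmt = $pdo->prepare('SELECT password_hash, failed_attempts, locked_until
                           FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Spend roughly the same time as a real check so timing does not reveal
        // whether the account exists.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return 'bad';
    }

    // Lock check happens before the password is even looked at.
    if ((int)$row['locked_until'] > $now) {
        return 'locked';
    }

    if (password_verify($password, $row['password_hash'])) {
        // Success clears the counter, as the answer recommends for the session version.
        $pdo->prepare('UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE username = ?')
            ->execute([$username]);
        return 'ok';
    }

    // Wrong password: count it, and lock on the third failure.
    $failed = (int)$row['failed_attempts'] + 1;
    $lockedUntil = 0;
    if ($failed >= MAX_LOGIN_ATTEMPTS) {
        $lockedUntil = $now + LOCKOUT_SECONDS;
        $failed = 0;   // the counter restarts once the lock has expired
    }
    $pdo->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE username = ?')
        ->execute([$failed, $lockedUntil, $username]);
    return 'bad';
}

// Demo run on constructed input: three wrong passwords, then the right one while
// locked, then the right one after the lock expires, then an unknown user.
$pdo = setupDemoDb();
$t = time();
$trace = [];
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse'] as $pw) {
    $trace[] = attemptLogin($pdo, 'alice', $pw, $t);
}
$trace[] = attemptLogin($pdo, 'alice', 'correct horse', $t + LOCKOUT_SECONDS + 1);
$trace[] = attemptLogin($pdo, 'nobody', 'whatever', $t);
echo implode(' ', $trace), PHP_EOL;
```

Run it with the php CLI; the trace prints one status per attempt in the order listed in the demo. The $now parameter is passed in rather than read inside the function so the lock expiry can be exercised without sleeping, and so the same function can be unit-tested deterministically.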