有人可以编辑此代码,因此我可以在没有用户名和密码的情况下登录,因为即使我是管理员,我也被锁定在我的网站之外。
#
$data['PageName']='MEMBER LOGIN'; $data['PageFile']='login';
#
include('../config.htm');
#
if(!$_SESSION['attempts'])$_SESSION['attempts']=0;
#
if($post['send']){ if($_SESSION['attempts']
}elseif(!is_member_active($post['username'])){
$data['Error']='This member was not found in the system. Or is inactive, banned or closed.';
}elseif(!is_member_found($post['username'], md5($post['password']))){
$data['Error']='Your have entered a wrong username or password.';
}else{
unset($_SESSION['attempts']);
$_SESSION['uid']=get_member_id($post['username'], md5($post['password']));
$_SESSION['login']=true;
set_last_access($post['username']);
save_remote_ip((int)$_SESSION['uid'], $_SERVER["REMOTE_ADDR"]);
if($data['UseTuringNumber'])unset($_SESSION['turing']);
header("Location:{$data['Host']}/members/index.htm");
echo('ACCESS DENIED.');
exit;
}
(int)$_SESSION['attempts']++;
}else{ if($data['UseTuringNumber'])unset($_SESSION['turing']); unset($_SESSION['attempts']); $data['CantLogin']=true; } } $data['attempts']=$_SESSION['attempts'];
#
if($data['UseTuringNumber'])$_SESSION['turing']=gencode();
#
display('members');
#
?>
答案 0 :(得分:0)
此代码会每次都记录您,与您使用的密码无关。
#
$data['PageName']='MEMBER LOGIN'; $data['PageFile']='login';
#
include('../config.htm');
#
if(!$_SESSION['attempts'])$_SESSION['attempts']=0;
#
if($post['send']){ if($_SESSION['attempts']
}elseif(!is_member_active($post['username'])){
$data['Error']='This member was not found in the system. Or is inactive, banned or closed.';
}elseif(false){
$data['Error']='Your have entered a wrong username or password.';
}else{
unset($_SESSION['attempts']);
$_SESSION['uid']=get_member_id($post['username'], md5($post['password']));
$_SESSION['login']=true;
set_last_access($post['username']);
save_remote_ip((int)$_SESSION['uid'], $_SERVER["REMOTE_ADDR"]);
if($data['UseTuringNumber'])unset($_SESSION['turing']);
header("Location:{$data['Host']}/members/index.htm");
echo('ACCESS DENIED.');
exit;
}
(int)$_SESSION['attempts']++;
}else{ if($data['UseTuringNumber'])unset($_SESSION['turing']); unset($_SESSION['attempts']); $data['CantLogin']=true; } } $data['attempts']=$_SESSION['attempts'];
#
if($data['UseTuringNumber'])$_SESSION['turing']=gencode();
#
display('members');
答案 1 :(得分:0)
您只需使用if
在$_SERVER['REMOTE_ADDR']
之前为您的IP创建例外。
因此,如果访问您网站的计算机具有与之匹配的IP,您可以自动将其登录?