Question

有人可以编辑此代码，因此我可以在没有用户名和密码的情况下登录，因为即使我是管理员，我也被锁定在我的网站之外。

#
$data['PageName']='MEMBER LOGIN'; $data['PageFile']='login';

#
include('../config.htm');

#
if(!$_SESSION['attempts'])$_SESSION['attempts']=0;

#
if($post['send']){ if($_SESSION['attempts']

    }elseif(!is_member_active($post['username'])){
            $data['Error']='This member was not found in the system. Or is inactive, banned or closed.';
    }elseif(!is_member_found($post['username'], md5($post['password']))){
       $data['Error']='Your have entered a wrong username or password.';
    }else{
        unset($_SESSION['attempts']);

        $_SESSION['uid']=get_member_id($post['username'], md5($post['password']));
        $_SESSION['login']=true;
        set_last_access($post['username']);
        save_remote_ip((int)$_SESSION['uid'], $_SERVER["REMOTE_ADDR"]);
        if($data['UseTuringNumber'])unset($_SESSION['turing']);
        header("Location:{$data['Host']}/members/index.htm");
        echo('ACCESS DENIED.');
        exit;
    }
    (int)$_SESSION['attempts']++;
}else{ if($data['UseTuringNumber'])unset($_SESSION['turing']); unset($_SESSION['attempts']); $data['CantLogin']=true; } } $data['attempts']=$_SESSION['attempts'];

#
if($data['UseTuringNumber'])$_SESSION['turing']=gencode();

#
display('members');

#
?>

Answer 1

此代码会每次都记录您，与您使用的密码无关。

#
$data['PageName']='MEMBER LOGIN'; $data['PageFile']='login';

#
include('../config.htm');

#
if(!$_SESSION['attempts'])$_SESSION['attempts']=0;

#
if($post['send']){ if($_SESSION['attempts']

    }elseif(!is_member_active($post['username'])){
            $data['Error']='This member was not found in the system. Or is inactive, banned or closed.';
    }elseif(false){
       $data['Error']='Your have entered a wrong username or password.';
    }else{
        unset($_SESSION['attempts']);

        $_SESSION['uid']=get_member_id($post['username'], md5($post['password']));
        $_SESSION['login']=true;
        set_last_access($post['username']);
        save_remote_ip((int)$_SESSION['uid'], $_SERVER["REMOTE_ADDR"]);
        if($data['UseTuringNumber'])unset($_SESSION['turing']);
        header("Location:{$data['Host']}/members/index.htm");
        echo('ACCESS DENIED.');
        exit;
    }
    (int)$_SESSION['attempts']++;
}else{ if($data['UseTuringNumber'])unset($_SESSION['turing']); unset($_SESSION['attempts']); $data['CantLogin']=true; } } $data['attempts']=$_SESSION['attempts'];

#
if($data['UseTuringNumber'])$_SESSION['turing']=gencode();

#
display('members');

Answer 2

您只需使用if在$_SERVER['REMOTE_ADDR']之前为您的IP创建例外。

因此，如果访问您网站的计算机具有与之匹配的IP，您可以自动将其登录？

登录页面问题

2 个答案: