Login failure

Date: 2011-06-20 21:33:23

Tags: php

So when the user fails to log in the first time, it executes tasks 70-73 and then jumps to 111. That part works fine, but when the chances left become 0, meaning the failedLogins value in the db will be 5, it should start executing the steps from line 76, but it doesn't. Instead it shows 0 as the remaining chances and that's it. I'm sure my logic is correct, but the code is just placed in the wrong spot.

Pastebin

```php
// User is registered and verified

// NB: $userID is interpolated straight into the SQL string here and below;
// a prepared statement would be the safer way to pass it.
$query = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
$result = mysqli_query($dbc,$query);
$row = mysqli_fetch_array($result);

$lockDate = $row['lockDate'];

// Find out if user is locked out of their account
if (($lockDate !== "0000-00-00 00:00:00") AND (strtotime($lockDate) <= time())) {

    $currentDateTime = time();
    $minutes = floor(($currentDateTime-$lockDate) / 60);

    // Take minutes and perform tasks
    if ($lockDate > 0 && $minutes < 10) {

        // Calculate time remaining
        $timeRemaining = 10 - $minutes;

        // Account locked error
        $output = array('errorsExist' => true, 'message' => 'Your account is currently locked, we apologize for the inconvenience. You must wait ' .$timeRemaining.' minutes before you can log in again!');

    } else {

        // Clear the lock
        $query = "UPDATE manager_users_logins_hacking SET lockDate = NULL, hackerIPAddress = NULL, failedLogins = 0 WHERE userID = '".$userID."'";
        $result = mysqli_query($dbc,$query);

    }

} else {

    // Escape post data
    $password = mysqli_real_escape_string($dbc,$_POST['password']);

    // Assign hashed password to variable
    $regenFromPostPW = reGenPassHash($password, $passwordDB2);

    // Comparing the database password with the posted password
    if ($passwordDB == $regenFromPostPW) {

        $query2 = "UPDATE manager_users_logins SET numberOfLogins = numberOfLogins + 1, lastOnline = CURRENT_TIMESTAMP WHERE userID = '".$userID."'";
        $result2 = mysqli_query($dbc,$query2);

        // Assign user data into an array
        $loggedinUserDataArray = array('userID' => $userID, 'name' => $firstName . " " . $lastName);

        // Assign user data array to new session
        $_SESSION['user_data'] = $loggedinUserDataArray;

        // See if the remember me checkbox was checked
        if (isset($_POST['remember'])) {

            // Sets an expiration time for the cookie
            $myExpiration = time()+60*60*24*100;

            // Sets the cookie for the username (variable name was misspelled $myExiration in the original)
            setcookie("username", $username, $myExpiration, "/");

        }

        // Successful login complete
        $output = array('errorsExist' => false, 'message' => 'You have been logged in, please allow a moment while we load your account data!');

    } else {

        // Login unsuccessful

        $query = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
        $result = mysqli_query($dbc,$query);
        $row = mysqli_fetch_array($result);
        $failedLogins = $row['failedLogins'];

        // Take failed logins and compare it (this is the value BEFORE this attempt is counted)
        if ($row['failedLogins'] >= 5) {

            // Retrieve IP Address of user trying to hack into account
            $hackerIPAddress = $_SERVER['REMOTE_ADDR'];

            // Update database after account getting hacked and run query
            $query = "UPDATE manager_users_logins_hacking SET lockDate = CURRENT_TIMESTAMP, hackerIPAddress = '".$hackerIPAddress."' WHERE userID = '".$userID."'";
            $result = mysqli_query($dbc,$query);

            $query2 = "SELECT * FROM manager_users WHERE userID = '".$userID."'";
            $result2 = mysqli_query($dbc,$query2);
            $row = mysqli_fetch_array($result2);
            $firstName = $row['firstName'];
            $lastName = $row['lastName'];

            // Email user about the locked account
            function my_domain_name() {
                $my_domain = $_SERVER['HTTP_HOST'];
                $my_domain = str_replace('www.', '', $my_domain);
                return $my_domain;
            }
            $sender_email = "noreply@kansasoutlawwrestling.com";
            $reply_to = "noreply@kansasoutlawwrestling.com";
            $recipient_email = $email;
            $email_subject = "KOW Manager Account Locked";

            $email_body = 'Hello '.$firstName.' '.$lastName.' You, or someone using your account at '.my_domain_name().', has attempted to hack into your account. If this is an error, ignore this email and you will be removed from our mailing list.<br /><br />Regards, '.my_domain_name().' Team';

            mailSomeone($email, $sender_email, $email_subject, $email_body);

            // Account locked error
            $output = array('errorsExist' => true, 'message' => 'Your account is currently locked, we apologize for the inconvenience. This is a security measure implemented by too many failed logins! You must wait 10 minutes before you can login again!');

        } else {

            // Increment the counter in the database
            $query = "UPDATE manager_users_logins_hacking SET failedLogins = '".$failedLogins."'+ 1 WHERE userID = '".$userID."'";
            $result = mysqli_query($dbc,$query);

            // Re-read the counter AFTER the increment
            $query2 = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
            $result2 = mysqli_query($dbc,$query2);
            $row2 = mysqli_fetch_array($result2);
            $failedLogins = $row2['failedLogins'];

            // Calculate how many chances the user has to login before account gets locked
            $chancesLeft = 5 - $failedLogins;

            // Invalid username and password error
            $output = array('errorsExist' => true, 'message' => 'Invalid Username and Password combination! You have ' .$chancesLeft.' chances left to login successfully or the account will be locked!');

        }

    }

}
```

2 answers:

Answer 0 (score: 0)

I tried debugging your code and I think the code is correct and does exactly what you describe. But because of a small mistake it shows a misleading message: the update query executes and increments the counter to 1, then you select this value and use it in the calculation. You should use the old value in the calculation, not the new one. Shouldn't you?

To fix this, you can remove the following useless lines:

```php
$query2 = "SELECT * FROM manager_users_logins_hacking WHERE userID = '".$userID."'";
$result2 = mysqli_query($dbc,$query2);
$row2 = mysqli_fetch_array($result2);
$failedLogins = $row2['failedLogins'];
```

Answer 1 (score: 0)

$lockDate is sometimes a date string, and sometimes you try to subtract with it:

```php
$currentDateTime = time();
$minutes = floor(($currentDateTime-$lockDate) / 60);
```

That is a problem, or the strtotime($lockDate) above will be a problem.
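As an added example (not code from the question or from either answer), the following Python model of the lockout state machine reproduces the message sequence the asker sees and shows one corrected ordering: the counter is incremented first and the new count is compared against the threshold, so the lock engages on the attempt that uses up the last chance rather than one attempt later. It also stores the lock time as a datetime instead of a date string, so the minutes-remaining subtraction that Answer 1 points at is well defined. The names LoginRecord, failed_attempt_as_posted, failed_attempt_fixed, minutes_remaining, clear_expired_lock, simulate and lock_status_after are assumptions for this example; the threshold of 5 failures and the 10-minute lock are the values from the question, and the start time is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED = 5      # failedLogins threshold from the question
LOCK_MINUTES = 10   # lock duration from the question


@dataclass
class LoginRecord:
    """Stand-in for one row of manager_users_logins_hacking (assumed shape)."""
    failed_logins: int = 0
    lock_date: Optional[datetime] = None  # a datetime, never a date string


def failed_attempt_as_posted(rec: LoginRecord, now: datetime) -> str:
    """Order of operations in the question's 'Login unsuccessful' branch:
    compare the OLD counter, UPDATE it, then re-SELECT the NEW value."""
    if rec.failed_logins >= MAX_FAILED:            # old value is 0..4 on attempts 1..5
        rec.lock_date = now
        return "locked"
    rec.failed_logins += 1                         # UPDATE ... failedLogins + 1
    chances_left = MAX_FAILED - rec.failed_logins  # computed from the re-read value
    return f"{chances_left} chances left"


def failed_attempt_fixed(rec: LoginRecord, now: datetime) -> str:
    """Increment first, then decide on the new count, so the fifth wrong
    password locks the account instead of reporting '0 chances left'."""
    rec.failed_logins += 1
    if rec.failed_logins >= MAX_FAILED:
        rec.lock_date = now
        return "locked"
    return f"{MAX_FAILED - rec.failed_logins} chances left"


def minutes_remaining(rec: LoginRecord, now: datetime) -> int:
    """Minutes left on an active lock; 0 when unlocked or expired.
    lock_date is a datetime, so 'now - lock_date' is a real duration."""
    if rec.lock_date is None:
        return 0
    elapsed_minutes = int((now - rec.lock_date).total_seconds() // 60)
    return max(LOCK_MINUTES - elapsed_minutes, 0)


def clear_expired_lock(rec: LoginRecord, now: datetime) -> bool:
    """Mirror of the 'Clear the lock' branch: reset counter and lock once expired."""
    if rec.lock_date is not None and minutes_remaining(rec, now) == 0:
        rec.lock_date = None
        rec.failed_logins = 0
        return True
    return False


def simulate(handler, attempts: int):
    """Feed `attempts` consecutive wrong passwords through `handler` on a fresh
    record, one second apart, and return the messages the user would see."""
    rec = LoginRecord()
    t0 = datetime(2011, 6, 20, 21, 33, 23)  # constructed start time
    return [handler(rec, t0 + timedelta(seconds=i)) for i in range(attempts)]


def lock_status_after(minutes_elapsed: int):
    """Lock a record at a constructed time and report
    (minutes remaining, whether the lock was cleared, counter afterwards)
    once `minutes_elapsed` minutes have passed."""
    locked_at = datetime(2011, 6, 20, 21, 33, 23)  # constructed lock time
    rec = LoginRecord(failed_logins=MAX_FAILED, lock_date=locked_at)
    now = locked_at + timedelta(minutes=minutes_elapsed)
    remaining = minutes_remaining(rec, now)
    cleared = clear_expired_lock(rec, now)
    return remaining, cleared, rec.failed_logins


if __name__ == "__main__":
    print("as posted:", simulate(failed_attempt_as_posted, 6))
    print("fixed:    ", simulate(failed_attempt_fixed, 5))
    print("3 min in: ", lock_status_after(3))
    print("10 min in:", lock_status_after(10))
```

Running the posted ordering prints "0 chances left" on the fifth failure and only locks on the sixth, which is exactly the behaviour the question describes; the fixed ordering locks on the fifth. Whichever ordering a site picks, the important property is that the value compared against the threshold and the value shown to the user come from the same read of the counter.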