我有一个付费点击脚本,在此脚本中,我们有一个暂停会员的选项,当该会员尝试使用他们的用户名和密码登录他的帐户并立即单击登录按钮时,我们的系统会向他显示错误:"您的帐户已暂停"。
但我想向每个用户展示暂停的原因。我的意思是,当我暂停任何用户时,我会写下他被暂停的原因,之后当该用户尝试登录他的帐户时,我们的系统会向他显示错误(您的帐户被暂停),然后换行,我想在那里向他展示原因。
我已经在会员表中创建了一个名为"susreason"的列,并且我还向我的管理面板显示了每个带有暂停选项的用户编辑选项。现在,当我暂停用户并写下暂停原因时,用户成功暂停,但系统没有显示原因,因为用户会话未登录。
下面是代码,这是我的登录名.php:
$username = $db->real_escape_string($input->pc['username']);
$password = $input->p['password'];
$country = ip2country($_SERVER['REMOTE_ADDR']);
$ip_user = $_SERVER['REMOTE_ADDR'];
$sect = explode(".", $ip_user);
$reip = ((($sect[0] . ".") . $sect[1] . ".") . $sect[2] . ".") . $sect[3];
$reipa = (($sect[0] . ".") . $sect[1] . ".") . $sect[2] . ".*";
$reipb = ($sect[0] . ".") . $sect[1] . ".*.*";
$reipc = $sect[0] . ".*.*.*";
$verifyusername = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM blacklist WHERE type='username' AND criteria='" . $username . "'"));
$ipban1 = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM blacklist WHERE type='ip' AND criteria='" . $reip . "'"));
$ipban2 = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM blacklist WHERE type='ip' AND criteria='" . $reipa . "'"));
$ipban3 = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM blacklist WHERE type='ip' AND criteria='" . $reipb . "'"));
$ipban4 = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM blacklist WHERE type='ip' AND criteria='" . $reipc . "'"));
$countryban = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM blacklist WHERE type='country' AND criteria='" . $country . "'"));
if ($verifyusername != 0) {
serveranswer(0, $lang['txt']['usernameblocked']);
}
else {
if ((($ipban1 != 0 || $ipban2 != 0) || $ipban3 != 0) || $ipban4 != 0) {
serveranswer(0, $lang['txt']['ipblocked']);
}
else {
if ($countryban != 0) {
serveranswer(0, $lang['txt']['countryblocked']);
}
}
}
$verifyuser = $db->fetchOne(("SELECT COUNT(*) AS NUM FROM members WHERE username='" . $username . "'"));
if ($verifyuser == 0) {
serveranswer(0, $lang['txt']['invalidlogindetails']);
}
$user_info = $db->fetchRow(("SELECT id, username, password, status, country FROM members WHERE username='" . $username . "'"));
if ($user_info['password'] != md5($password)) {
$bid = array("user_id" => $user_info['id'], "ip" => $ip_user, "status" => "Failed", "password" => $password, "date" => TIMENOW, "agent" => (!empty($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : $_ENV['HTTP_USER_AGENT']));
$upd = $db->insert("login_history", $bid);
serveranswer(0, $lang['txt']['invalidlogindetails']);
}
if ($settings['multi_login'] == "yes") {
$checkip = $db->fetchOne("SELECT COUNT(*) AS NUM FROM members WHERE last_ip='" . $ip_user . "' AND id!=" . $user_info['id']);
if ($checkip != 0) {
$showip_error = "yes";
}
if ($showip_error == "yes") {
serveranswer(0, $lang['txt']['multipleaccountsdetected']);
}
}
if ($settings['multi_country'] == "yes") {
if ($country != $user_info['country'] && $country != "-") {
serveranswer(0, $lang['txt']['multiplecountrydetected']);
}
}
if ($user_info['status'] == "Un-verified") {
serveranswer(0, $lang['txt']['accountinactive']);
}
else {
if ($user_info['status'] == "Suspended") {
serveranswer(0, "<strong>Your Account has been Suspended</strong>" . "<br />" . "<div class='"site_content'"><div class='"info_box'"><strong>Reason of Suspend</strong>" . "<br />" . $user_info['susreason']);
}
}
此代码最后一行是 (if) 语句,当用户挂起时,然后系统将执行。
这段代码有一些安全问题,所以虽然这不是问题的直接答案,但我把它们写出来作为答案,因为它们很重要。
- 使用 MD5 散列的密码。多年来,这一直不是一种可接受的哈希算法,因为它太快并且容易进行暴力搜索。
- 没有哈希盐。这使您的密码容易受到彩虹表的查找。
您应该改用password_hash()
,这将解决这两个问题。这使用了一种缓慢的算法(目前是Bcrypt),随着新的PHP版本的发布,速度会增加(以补偿CPU性能的普遍提高,使暴力尝试大量密码变得更加困难)。它还将生成并存储盐作为哈希输出的一部分。
看起来用户需要在被告知暂停原因之前正确获取用户名和密码。这很好 - 在大多数情况下,如果某人只是拥有用户名(通常是公共信息),您不希望人们确定某人的暂停原因。