一个登录,不仅仅是判断用户名密码正确与否,为了防止被他人攻击,还要注意加强安全性,此处是我做的一个较完整的登录
需实现的地方:
1.用户名密码正确
2.三次错误后该用户被锁
3.三次错误后,此ip的所有用户都不能登录
4.登录成功将错误次数,时间改变
5.登录成功后,页面若停留15分钟未动,则登录失效
login的代码例子如下:
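/**
 * Login action: verifies the posted credentials, enforces the per-account and
 * per-IP lockouts configured in t_login_conf, and answers with one JSON object
 * ({"title","message","url"[,"target"]}) that the front end renders.
 *
 * Against the requirement list above the listing:
 *  - a correct username/password opens the session and stores 'expiretime';
 *  - login_error_count failures lock the account for login_lock_time minutes
 *    (user.verify_time holds the expiry moment, user.login_ip the offending IP);
 *  - an IP recorded as a locked IP blocks every account from that address;
 *  - a successful login resets login_error/verify_time.
 * The 15-minute idle expiry is enforced elsewhere from the session's 'expiretime'.
 *
 * Fixes relative to the original listing: the "user" queries referenced alias b
 * without declaring it (and one read "userb"); an unknown username dereferenced
 * a null row; the timed lock could never expire (its check used > against a
 * counter capped at the maximum) and a locked account with the right password
 * was still let in (<= instead of >=); only admin == 1 had its counter reset.
 */
function login() {
    $username = $this->input->post('username');
    if (!is_string($username) || $username === '') {
        // Nothing (or a non-scalar) posted: just render the form.
        $this->load->view('login');
        return;
    }
    // NOTE(review): the stored credential is md5(md5(username . password)) — fast and
    // salted only by the username, so weak against offline cracking. Moving to
    // password_hash()/password_verify() requires rehashing stored rows; kept unchanged
    // here so existing accounts still match.
    $password = md5(md5($username . $this->input->post('password')));
    // Address of the connecting peer (not a URL). Behind a reverse proxy this is the
    // proxy's address; only substitute a forwarded header if that proxy is trusted.
    $loginip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    // Lockout configuration row: login_error_count, login_lock_time (minutes),
    // sessionlivetime (minutes). Assumed present — an empty table was not handled
    // by the original either.
    $pz = $this->db->query("select * from t_login_conf")->row();
    $maxErrors = (int) $pz->login_error_count;

    // Account whose credentials match. Only admin levels 1 and 2 may log in here;
    // verify_time = -1 marks an account that is hard-locked in the table.
    $row = $this->db->query(
        "select * from user b where b.username=? AND b.password=? AND (b.admin=? or b.admin =?) AND b.verify_time!=-1",
        array($username, $password, 1, 2)
    )->row();
    // Same account without the password check; null when the username is unknown.
    $re2 = $this->db->query(
        "select * from user b where b.username=? AND (b.admin=? or b.admin =?) AND b.verify_time!=-1",
        array($username, 1, 2)
    )->row();
    // Hard-locked account with this username, if one exists.
    $re5 = $this->db->query(
        "select * from user b where b.username=? AND (b.admin=? or b.admin =?) AND b.verify_time=-1",
        array($username, 1, 2)
    )->row();

    // Current failure count after expiring any lock whose time has passed.
    // An unknown username has no counter to refresh.
    $times = ($re2 !== null) ? $this->_login_refresh_counter($re2->userid, $maxErrors) : 0;

    // The IP lock applies to every account, even with correct credentials.
    if ($this->_login_ip_locked($loginip)) {
        $this->_login_respond(array(
            "title" => "登录失败",
            "message" => "当前ip已被锁,请 " . $pz->login_lock_time . " 分钟后再登录!",
            "url" => "",
        ));
        return;
    }

    // Locked once the counter has reached the maximum (the lock expiry above
    // resets it to 0 when login_lock_time has elapsed).
    if ($times >= $maxErrors) {
        $this->_login_respond(array(
            "title" => "登录失败",
            "message" => $pz->login_error_count . " 次机会已用完,请 " . $pz->login_lock_time . " 分钟后再登录!",
            "url" => "",
        ));
        return;
    }

    if ($row) {
        $this->_login_succeed($row, $pz);
        return;
    }

    // Wrong password (or unknown / hard-locked user): bump the counter if there is
    // an account to bump, locking it when the maximum is reached.
    if ($re2 !== null) {
        $times = min($times + 1, $maxErrors);
        if ($times >= $maxErrors) {
            // verify_time now holds the moment the lock ends; login_ip feeds the per-IP lock.
            $rebegintime = time() + $pz->login_lock_time * 60;
            $this->db->query(
                "update user set login_error=?,verify_time=?,login_ip=? where userid=?",
                array($times, $rebegintime, $loginip, $re2->userid)
            );
        } else {
            $this->db->query(
                "update user set login_error=?,verify_time=? where userid=?",
                array($times, time(), $re2->userid)
            );
        }
    }

    if (!empty($re5)) {
        $this->_login_respond(array("title" => "登录失败", "message" => "该用户被锁!", "url" => ""));
    } elseif (empty($re2)) {
        $this->_login_respond(array("title" => "登录失败", "message" => "用户名或者密码错误!", "url" => ""));
    } else {
        // NOTE(review): this message differs from the unknown-user one, which lets a caller
        // tell valid usernames apart; a single generic failure text would close that gap.
        $this->_login_respond(array(
            "title" => "登录失败",
            "message" => "密码错误,还有 " . ($maxErrors - $times) . " 次机会!",
            "url" => "",
        ));
    }
}

/**
 * Returns the current login_error for $userid after expiring stale state:
 *  - a counter whose verify_time is more than 12 hours old (hours wrapped at one
 *    day, as the original arithmetic does, so a much older timestamp may not
 *    trigger this branch) is reset and login_ip cleared;
 *  - a locked account (login_error >= $maxErrors) whose verify_time lock expiry
 *    has passed is reset the same way.
 *
 * @param mixed $userid    user.userid of the account
 * @param int   $maxErrors login_error_count from t_login_conf
 * @return int
 */
function _login_refresh_counter($userid, $maxErrors) {
    $re1 = $this->db->query(
        "select * from user b where b.verify_time!=-1 and b.userid=?",
        array($userid)
    )->row();
    if ($re1 === null) {
        return 0;
    }
    $nowtime = time();
    // Hours since verify_time, modulo one day (kept from the original). A lock's
    // verify_time lies in the future, so this stays negative while the lock runs.
    $jtime = floor((($nowtime - $re1->verify_time) % 86400 / 60) / 60);
    $lockElapsed = $re1->login_error >= $maxErrors && $nowtime > $re1->verify_time;
    if ($jtime > 12 || $lockElapsed) {
        $this->db->query(
            "update user set login_error=?,login_ip=null,verify_time=? where userid=?",
            array(0, time(), $userid)
        );
        return 0;
    }
    return (int) $re1->login_error;
}

/**
 * True when $loginip equals a non-empty login_ip recorded in t_webuser, which
 * blocks every account coming from that address.
 * NOTE(review): the lock in login() writes user.login_ip but this reads
 * t_webuser.login_ip — confirm the two are the same or mirrored tables, otherwise
 * the per-IP lock never triggers.
 *
 * @param string $loginip
 * @return bool
 */
function _login_ip_locked($loginip) {
    $re3 = $this->db->query("select login_ip from t_webuser")->result();
    foreach ($re3 as $rr) {
        if (!empty($rr->login_ip) && (string) $rr->login_ip === (string) $loginip) {
            return true;
        }
    }
    return false;
}

/**
 * Opens the session for $row, resets its failure counter and emits the
 * redirect response. Admin level 1 is additionally logged to t_webscan_log.
 *
 * @param object $row matching user row
 * @param object $pz  t_login_conf row
 */
function _login_succeed($row, $pz) {
    // NOTE(review): regenerate the session id here (CodeIgniter 3:
    // $this->session->sess_regenerate()) so a pre-login session id is not kept
    // after authentication — confirm the framework version in use.
    $expiretime = time() + $pz->sessionlivetime * 60;
    $this->session->set_userdata('expiretime', $expiretime);
    $this->session->set_userdata(
        'admin_userdata',
        array(
            "userid" => $row->userid,
            "username" => $row->username,
            "admin" => $row->admin,
            "expiretime" => $expiretime,
            "sessionlivetime" => $pz->sessionlivetime,
            "login_lock_time" => $pz->login_lock_time,
        )
    );
    // Requirement 4: every successful login clears the counter (the original did
    // this only for admin == 1).
    $this->db->query(
        "update user set login_error=?,verify_time=? where userid=?",
        array(0, time(), $row->userid)
    );
    if ($row->admin == 1) {
        $this->db->insert('t_webscan_log', array(
            "userid" => $row->userid,
            "time" => $_SERVER['REQUEST_TIME'],
            "log" => $row->username . "登录成功",
        ));
        $this->_login_respond(array(
            "title" => "", "message" => "", "url" => "/yoda/systemwelcome", "target" => "refresh",
        ));
    } else {
        $this->_login_respond(array(
            "title" => "", "message" => "", "url" => "/yoda/index", "target" => "refresh",
        ));
    }
}

/**
 * Emits one JSON response object. json_encode() escapes any quotes or control
 * characters in the values, which the hand-built strings did not; the flags keep
 * the Chinese text and the /yoda/... URLs byte-identical to the previous output.
 *
 * @param array $payload keys title, message, url and optionally target
 */
function _login_respond(array $payload) {
    echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
}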