I have a highly confidential website that only a handful of people can log in to. How can I check whether a user has tried to log in three times and, if so, delete an entire directory from my server? Is that hard to do?
This is my login page:
<?php
require_once('scripts/user_authentication.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href='http://fonts.googleapis.com/css?family=Inder' rel='stylesheet' type='text/css'>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Access login</title>
<link href="../styles/users.css" rel="stylesheet" type="text/css" />
<style>
span {font-family: 'Inder', sans-serif; color: #369; font-style: italic;}
#login {width: 400px; margin: 60px auto 0 auto; padding: 20px; text-align: center;
box-shadow: 0px 9px 21px rgba(0, 0, 0, 0.63);
-moz-box-shadow: 0px 9px 21px rgba(0, 0, 0, 0.63);
-webkit-box-shadow: 0px 9px 21px rgba(0, 0, 0, 0.63);
}
#login p {text-align: left;}
form {padding: 0; margin: 0; }
input {margin: 0; padding: 0;}
h1 { margin: 0 0 20px 0; padding: 0;}
</style>
</head>
<body>
<div id="login">
<h1><span>p*******</span> Partners Only</h1>
<div id="inner">
<?php if ($failed) { ?>
<p class="warning">Login failed. Try Again. Please contact ******* ***** if you do not know your access information. After multiple attempts this site will self destruct. Thank you for your cooperation.</p>
<?php } ?>
<form id="form1" name="form1" method="POST">
<p>
<label for="username">Username:</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:</label>
<input type="password" name="password" id="password" />
</p>
<p>
<input type="submit" name="signin" id="signin" value="Sign in" />
</p>
</form>
</div>
</div>
</body>
</html>
This is user_authentication:
<?php
$failed = FALSE;
if ($_POST) {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        $failed = TRUE;
    } else {
        require_once('library.php');
        // check the user's credentials
        try {
            $auth = Zend_Auth::getInstance();
            // Zend_Auth_Adapter_DbTable takes five arguments:
            // (db adapter, table, identity column, credential column, credential treatment).
            // The original line was missing the comma between 'password' and 'sha1(?)'.
            $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'users', 'first_name', 'family_name', 'password', 'sha1(?)');
            $adapter->setIdentity($_POST['username']);
            $adapter->setCredential($_POST['password']);
            $result = $auth->authenticate($adapter);
            if ($result->isValid()) {
                $storage = $auth->getStorage();
                $storage->write($adapter->getResultRowObject(array(
                    'username', 'first_name', 'family_name')));
                header('Location: members_only.php');
                exit;
            } else {
                $failed = TRUE;
            }
        } catch (Exception $e) {
            // Echoing the exception text sends database/internal details to the browser;
            // logging it server-side and showing a generic message is safer.
            echo $e->getMessage();
        }
    }
}
if (isset($_GET['logout'])) {
    require_once('library.php');
    try {
        $auth = Zend_Auth::getInstance();
        $auth->clearIdentity();
    } catch (Exception $e) {
        echo $e->getMessage();
    }
}
Answer 0 (score: 6)
Your approach (deleting the user's files) is very bad practice, but if you absolutely must do it, here is one way...
Create a database table (or a column in an existing table) to store the username and the number of attempts. Before authenticating, check that the attempts are below a set amount. In the authentication section, if the password is wrong, increment the "attempts" column. Whenever the user logs in successfully, set attempts back to zero. If they exceed the number of attempts, delete the files or take whatever security measure you need.
Now, to make this design better, I recommend not actually deleting the data on the server. Instead, I suggest that after X failed attempts, additional security measures be applied to whoever is trying to log in with that username, for example:
Require the user to solve a CAPTCHA so you know they are not a bot trying multiple passwords
Store "security questions" for each user (such as "What is your birthday?") and require them to answer those
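The database-backed counter described in this answer, written out as an added example (it is not code from the question or from either answer). The counter is stored per username on the server, so a client that discards its session cookie does not reset it, and the lockout action is an account lock rather than deleting files. The table and column names, the sample user and the in-memory SQLite connection are assumptions for the demo.

```php
<?php
// Added example: server-side failed-login counter as Answer 0 describes.
// Assumptions: a 'users' table with the columns below, the pdo_sqlite extension,
// and a constructed sample user. Point $db at your real connection in production.

const MAX_ATTEMPTS = 3;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY,
    pw_hash  TEXT NOT NULL,
    attempts INTEGER NOT NULL DEFAULT 0,
    locked   INTEGER NOT NULL DEFAULT 0)');
// Constructed sample user. password_hash() replaces the unsalted sha1(?) treatment.
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns 'ok', 'failed' or 'locked'. Replaces the per-session $_SESSION['failed'] counter.
function attempt_login(PDO $db, string $username, string $password): string
{
    $stmt = $db->prepare('SELECT pw_hash, attempts, locked FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return 'failed';        // unknown username gets the same answer as a bad password
    }
    if ($user['locked'] || $user['attempts'] >= MAX_ATTEMPTS) {
        return 'locked';        // refused even with the right password until an admin unlocks
    }
    if (password_verify($password, $user['pw_hash'])) {
        $db->prepare('UPDATE users SET attempts = 0 WHERE username = ?')->execute([$username]);
        return 'ok';
    }
    // A single UPDATE increments and locks atomically, so two concurrent requests cannot
    // both read "2 attempts" and each decide the account is still open. MAX_ATTEMPTS is a
    // compile-time constant, not user input, so interpolating it is safe.
    $db->prepare('UPDATE users SET attempts = attempts + 1,
                      locked = CASE WHEN attempts + 1 >= ' . MAX_ATTEMPTS . ' THEN 1 ELSE 0 END
                  WHERE username = ?')->execute([$username]);
    return 'failed';
}

// Three wrong passwords lock the account; the fourth attempt is refused although it is correct.
foreach (['wrong1', 'wrong2', 'wrong3', 'correct horse'] as $pw) {
    echo attempt_login($db, 'alice', $pw), PHP_EOL;
}
```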
Answer 1 (score: 1)
As people have mentioned in the comments, doing this is very dangerous.
However, if you still think the information is that important, the link to the login page is very obscure, and you have a backup elsewhere, this code should do it:
<?php
session_start(); // Add this only if you don't have it in some other header files
// Checking if the session variable exists and initiating it if it does not.
// Note: a session counter lives in the client's session, so a client that drops
// its cookie starts again from zero; a database-backed counter does not.
if (!isset($_SESSION['failed'])) {
    $_SESSION['failed'] = 0;
}
$failed = FALSE;
if ($_POST) {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        $failed = TRUE;
    } else {
        require_once('library.php');
        // check the user's credentials
        try {
            $auth = Zend_Auth::getInstance();
            // Zend_Auth_Adapter_DbTable takes five arguments:
            // (db adapter, table, identity column, credential column, credential treatment).
            // The original line was missing the comma between 'password' and 'sha1(?)'.
            $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'users', 'first_name', 'family_name', 'password', 'sha1(?)');
            $adapter->setIdentity($_POST['username']);
            $adapter->setCredential($_POST['password']);
            $result = $auth->authenticate($adapter);
            if ($result->isValid()) {
                // Setting the counter to 0 in case of successful login.
                $_SESSION['failed'] = 0;
                $storage = $auth->getStorage();
                $storage->write($adapter->getResultRowObject(array(
                    'username', 'first_name', 'family_name')));
                header('Location: members_only.php');
                exit;
            } else {
                $failed = TRUE;
                // Increment the failed logins counter at each failed login.
                $_SESSION['failed']++;
                // In case of 3 or more failed attempts (the original used > 3, which only fired on the fourth)
                if ($_SESSION['failed'] >= 3) {
                    // Remove some directory. rmdir() only removes an empty directory and
                    // returns FALSE otherwise; it does not delete the directory's contents.
                    rmdir("/path/to/the/dir");
                    $_SESSION['failed'] = 0;
                }
            }
        } catch (Exception $e) {
            // Echoing the exception text sends database/internal details to the browser;
            // logging it server-side and showing a generic message is safer.
            echo $e->getMessage();
        }
    }
}
if (isset($_GET['logout'])) {
    require_once('library.php');
    try {
        $auth = Zend_Auth::getInstance();
        $auth->clearIdentity();
    } catch (Exception $e) {
        echo $e->getMessage();
    }
}