パスワードまたはアカウントの誤りでログインに複数回失敗すると、そのアカウントを凍結します。


ログイン試行回数が5を超えると、ユーザは blocked=1 に設定されて凍結される
<?php
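if (!isset($_SESSION['AttemptsCounter'])) {
	$_SESSION['AttemptsCounter'] = 0;
}

if (!isset($AllowAnyone)) { /* only do security checks if AllowAnyone is not true */

	/* Run the login check when there is no established session, or when a
	 * userid was just posted (a fresh submission of the login form). */
	if (!isset($_SESSION['AccessLevel']) OR $_SESSION['AccessLevel'] == '' OR
		(isset($_POST['UserNameEntryField']) AND $_POST['UserNameEntryField'] != '')) {

		/* The counter lives in the session, so it counts attempts per browser
		 * session rather than per account; a client that discards its cookie
		 * starts again from zero. */
		$_SESSION['AttemptsCounter']++;

		// No credentials posted yet: show the login screen and stop
		if (!isset($_POST['UserNameEntryField']) or $_POST['UserNameEntryField'] == '') {
			include('includes/Login.php');
			exit;
		}

		$UserName = $_POST['UserNameEntryField'];
		$Password = isset($_POST['Password']) ? $_POST['Password'] : '';

		/* Both values come straight from the request and were previously
		 * concatenated into the SQL unescaped. They are escaped here before
		 * being placed in the query text.
		 * NOTE(review): DB_escape_string() is the DB connector's escaping helper;
		 * confirm it is loaded before this file runs.
		 *
		 * Only the hashed form of the password is compared. The previous query
		 * also accepted the raw input against the stored column
		 * (OR password='<raw input>'), which let a stored hash itself be used as
		 * the password. Rows that still hold plaintext should be rehashed once
		 * rather than being accepted by the login check. */
		$sql = "SELECT www_users.*
			FROM www_users
			WHERE www_users.userid='" . DB_escape_string($UserName) . "'
			AND www_users.password='" . DB_escape_string(CryptPass($Password)) . "'";
		$Auth_Result = DB_query($sql, $db);

		if (DB_num_rows($Auth_Result) > 0) {
			// Credentials matched (session population is not shown in this excerpt)
			exit;
		}

		// Incorrect userid/password. AttemptsCounter is guaranteed set above,
		// so the old "!isset" branch here was unreachable and has been dropped.
		if ($_SESSION['AttemptsCounter'] >= 5) {
			/* Block the named account until a sysadmin releases it.
			 * The lock is keyed on the posted userid, so repeated failures
			 * against a known userid lock that account; that is the intended
			 * policy of this check. */
			$sql = "UPDATE www_users SET blocked=1 WHERE www_users.userid='" . DB_escape_string($UserName) . "'";
			$Auth_Result = DB_query($sql, $db);
			die(include('includes/FailedLogin.php'));
		}
		$demo_text = '<FONT SIZE="3" COLOR="red"><b>' .  _('incorrect password') . '</B></FONT><BR><B>' . _('The user/password combination') . '<BR>' . _('is not a valid user of the system') . '</B>';
		die(include('includes/Login.php'));
	}		// End of userid/password check
} /* only do security checks if AllowAnyone is not true */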

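/**
 * Hash a password the way the rest of the system stores it.
 *
 * The algorithm is selected by the global $CryptFunction: 'sha1' or 'md5'.
 * Any other value, including an unset variable, returns the password
 * unchanged, i.e. the system is running with plaintext storage. The unset
 * case previously raised an undefined-variable notice; it is now handled
 * explicitly and the comparison is strict so that only the exact strings
 * 'sha1' and 'md5' select a hash.
 *
 * Both sha1 and md5 are unsalted and fast, so stored hashes are recoverable
 * by offline guessing. Callers compare the result with SQL equality, which is
 * why a salted scheme (password_hash/password_verify) cannot simply be
 * dropped in here without also changing the login comparison.
 *
 * @param string $Password plaintext password as entered
 * @return string hex digest, or the unchanged password when no hash is configured
 */
function CryptPass( $Password ) {
	global $CryptFunction;
	$Algorithm = isset($CryptFunction) ? $CryptFunction : '';
	if ( $Algorithm === 'sha1' ) {
		return sha1($Password);
	} elseif ( $Algorithm === 'md5' ) {
		return md5($Password);
	} else {
		// No recognised algorithm configured: plaintext passthrough
		return $Password;
	}
}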
?>