dongyou5271
2011-12-24 23:06  36 views
Accepted

How to delete the entire site directory when the maximum number of login attempts is reached

I have a very confidential site where only a few people have access to logging in. How do I check if a user has attempted to log in three times and, if they have, delete the entire directory from my server? Is this difficult to do?

Here is my login page:

<?php
require_once('scripts/user_authentication.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href='http://fonts.googleapis.com/css?family=Inder' rel='stylesheet' type='text/css'>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Access login</title>
<link href="../styles/users.css" rel="stylesheet" type="text/css" />
<style>
span {font-family: 'Inder', sans-serif; color: #369; font-style: italic;}

#login {width: 400px; margin: 60px auto 0 auto; padding: 20px; text-align: center; 
    box-shadow: 0px 9px 21px rgba(0, 0, 0, 0.63);
    -moz-box-shadow: 0px 9px 21px rgba(0, 0, 0, 0.63);
    -webkit-box-shadow: 0px 9px 21px rgba(0, 0, 0, 0.63);
}

#login p {text-align: left;}

form {padding: 0; margin: 0; }
input {margin: 0; padding: 0;}

h1 { margin: 0 0 20px 0; padding: 0;}

</style>


</head>

<body>
<div id="login">
<h1><span>p*******</span> Partners Only</h1>
<div id="inner">
<?php if ($failed) { ?>
<p class="warning">Login failed. Try Again. Please contact ******* ***** if you do not know your access information. After multiple attempts this site will self destruct. Thank you for your cooperation.</p>
<?php } ?>
<form id="form1" name="form1" method="POST">
  <p>
    <label for="username">Username:</label>
    <input type="text" name="username" id="username" />
  </p>
  <p>
    <label for="password">Password:</label>
    <input type="password" name="password" id="password" />
  </p>
  <p>
    <input type="submit" name="signin" id="signin" value="Sign in" />
  </p>
</form>
</div>
</div>
</body>
</html>

and here is user_authentication:

<?php
$failed = FALSE;
if ($_POST) {
  if (empty($_POST['username']) || empty($_POST['password'])) {
    $failed = TRUE;
  } else {
    require_once('library.php');
    // check the user's credentials
    try {
      $auth = Zend_Auth::getInstance();
      // Zend_Auth_Adapter_DbTable(db, table, identityColumn, credentialColumn, credentialTreatment)
      $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'users', 'first_name', 'family_name', 'password', 'sha1(?)');
      $adapter->setIdentity($_POST['username']);
      $adapter->setCredential($_POST['password']);
      $result = $auth->authenticate($adapter);
      if ($result->isValid()) {
        $storage = $auth->getStorage();
        $storage->write($adapter->getResultRowObject(array(
          'username', 'first_name', 'family_name')));
        header('Location: members_only.php');
        exit;
      } else {
        $failed = TRUE;
      }
    } catch (Exception $e) {
      echo $e->getMessage();
    }
  }
}
if (isset($_GET['logout'])) {
  require_once('library.php');
  try {
    $auth = Zend_Auth::getInstance();
    $auth->clearIdentity();
  } catch (Exception $e) {
    echo $e->getMessage();
  }
}

2 answers

  • Accepted
    duannaozhao4626 duannaozhao4626 2011-12-24 23:31

    Your approach (deleting files for the user) is really bad practice, but if you absolutely need to do it, here is one way...

    Create a database table (or entries in an existing table) to store the username and number of attempts. Before authenticating, check the attempts are below a set amount. In the authentication part, if the password is wrong, increment the "attempts" column. Whenever the user successfully logs in, set attempts to zero again. If they exceed the number of attempts, delete the files or take whatever security measures you need to.

    Now, to make this design better, I would suggest not to actually delete the data on the server. Instead, I would recommend that after X number of failed attempts, increased security measures are applied to people attempting to log in for that username, such as:

    • require the user to solve a captcha so you know they aren't a bot trying multiple passwords

    • store "security questions" for each user (e.g. "What is your birthday"), and require them to answer those

    • lock the account out and have a secure procedure for the real user to gain access again
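The attempts-counter design this answer describes, written out as an added example (it is not code from the question or from either answer): a per-username counter in a database table, checked before authentication, incremented on a wrong password, cleared on success, and used for a time-limited lockout rather than for deleting anything. It assumes PDO; the in-memory SQLite database, the login_attempts table and the sample username are constructed here so it runs stand-alone.

```php
<?php
// Added example (not the question's or answers' code): per-username attempts counter with a
// time-limited lockout, as the accepted answer suggests. Assumes PDO; the in-memory SQLite
// database and the login_attempts table below are constructed so the example runs stand-alone.
class LoginAttempts
{
    private $db, $maxAttempts, $lockSeconds;
    public function __construct(PDO $db, $maxAttempts = 3, $lockSeconds = 900)
    {
        $this->db = $db;
        $this->maxAttempts = $maxAttempts;
        $this->lockSeconds = $lockSeconds;
        $db->exec('CREATE TABLE IF NOT EXISTS login_attempts (username TEXT PRIMARY KEY, '
            . 'attempts INTEGER NOT NULL DEFAULT 0, last_failed INTEGER NOT NULL DEFAULT 0)');
    }
    // Call before authenticating: refuse the login while the username is locked.
    public function isLocked($username, $now)
    {
        $stmt = $this->db->prepare('SELECT attempts, last_failed FROM login_attempts WHERE username = ?');
        $stmt->execute(array($username));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row || $row['attempts'] < $this->maxAttempts) {
            return false;
        }
        // The lock lasts lockSeconds from the most recent failure; failures while locked extend it.
        return ($now - $row['last_failed']) < $this->lockSeconds;
    }
    // Call when the password check fails: increment the counter for that username.
    public function recordFailure($username, $now)
    {
        // INSERT OR IGNORE is SQLite syntax; MySQL would use INSERT IGNORE.
        $this->db->prepare('INSERT OR IGNORE INTO login_attempts (username) VALUES (?)')->execute(array($username));
        $this->db->prepare('UPDATE login_attempts SET attempts = attempts + 1, last_failed = ? WHERE username = ?')
            ->execute(array($now, $username));
    }
    // Call on a successful login so the counter starts again from zero.
    public function recordSuccess($username)
    {
        $this->db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute(array($username));
    }
}
$db = new PDO('sqlite::memory:', null, null, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$attempts = new LoginAttempts($db, 3, 900);
foreach (array(1000, 1001, 1002) as $t) { $attempts->recordFailure('alice', $t); }  // three wrong passwords
var_dump($attempts->isLocked('alice', 1003));        // checked right after the third failure
var_dump($attempts->isLocked('alice', 1002 + 900));  // checked once the lock window has elapsed
$attempts->recordSuccess('alice');
var_dump($attempts->isLocked('alice', 1003));        // checked after a successful login cleared the counter
```

Timestamps are passed in explicitly so the lockout window can be exercised deterministically; in the login script you would pass time() and call isLocked() before building the Zend_Auth adapter.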
  • duanming0494 duanming0494 2011-12-24 23:21

    As people mentioned in the comments, it is very dangerous to do that.

    However, if you still believe that the information is of that importance and the link to the login page is very secret and you have backups somewhere else, this code should do it:

    <?php
    session_start(); // Add this only if you don't have it in some other header files
    
    // Checking if the session variable exists and initiating it if it does not.
    // Note: the counter lives in the visitor's session, so it is per browser session, not per username.
    if (!isset($_SESSION['failed'])) {
        $_SESSION['failed'] = 0;
    }
    
    $failed = FALSE;
    if ($_POST) {
      if (empty($_POST['username']) || empty($_POST['password'])) {
        $failed = TRUE;
      } else {
        require_once('library.php');
        // check the user's credentials
        try {
          $auth = Zend_Auth::getInstance();
          // Zend_Auth_Adapter_DbTable(db, table, identityColumn, credentialColumn, credentialTreatment)
          $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'users', 'first_name', 'family_name', 'password', 'sha1(?)');
          $adapter->setIdentity($_POST['username']);
          $adapter->setCredential($_POST['password']);
          $result = $auth->authenticate($adapter);
          if ($result->isValid()) {
    
            // Setting the counter to 0 in case of successful login.
            $_SESSION['failed'] = 0;
    
            $storage = $auth->getStorage();
            $storage->write($adapter->getResultRowObject(array(
              'username', 'first_name', 'family_name')));
            header('Location: members_only.php');
            exit;
          } else {
            $failed = TRUE;
    
            // Increment the failed logins counter at each failed login.
            $_SESSION['failed']++;
    
            // In case of 3 or more failed attempts
            if ($_SESSION['failed'] >= 3) {

                // Remove the directory. rmdir() only removes an empty directory, so the
                // contents are deleted first, deepest entries before their parents.
                $dir = "/path/to/the/dir";
                $it = new RecursiveIteratorIterator(
                    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
                    RecursiveIteratorIterator::CHILD_FIRST);
                foreach ($it as $entry) {
                    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
                }
                rmdir($dir);
                $_SESSION['failed'] = 0;
            }
          }
        } catch (Exception $e) {
          echo $e->getMessage();
        }
      }
    }
    if (isset($_GET['logout'])) {
      require_once('library.php');
      try {
        $auth = Zend_Auth::getInstance();
        $auth->clearIdentity();
      } catch (Exception $e) {
        echo $e->getMessage();
      }
    }
    
