feat: add device existence check to prevent ghost bindings

谭苏航
1 parent 1dcf9fcf
Showing 1 changed file with 19 additions and 11 deletions
admin/index.php
--- a/admin/index.php
View file @b5e5f92
+++ b/admin/index.php
View file @b5e5f92
@@ -35,18 +35,26 @@ if ($pdo && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && 
             $user = $stmt->fetch(PDO::FETCH_ASSOC);
 
             if ($user) {
-                // 2. 插入/更新绑定
-                // 先检查是否已存在
-                $check = $pdo->prepare("SELECT id FROM user_device_bindings WHERE user_id = ? AND device_id = ?");
-                $check->execute([$user['id'], $deviceId]);
-
-                if (!$check->fetch()) {
-                    // FIX: use 'bound_at' instead of 'created_at'
-                    $bind = $pdo->prepare("INSERT INTO user_device_bindings (user_id, device_id, is_primary, bound_at) VALUES (?, ?, ?, NOW())");
-                    $bind->execute([$user['id'], $deviceId, $isPrimary]);
-                    $message = "<div style='color: green; margin-bottom: 20px; background: #e6fffa; padding: 10px; border-radius: 4px;'>✅ 成功将设备 <b>$deviceId</b> 绑定给用户 <b>{$user['nickname']}</b></div>";
+                // 2. 验证设备是否存在 (Prevent Ghost Bindings)
+                $deviceCheck = $pdo->prepare("SELECT id FROM devices WHERE id = ?");
+                $deviceCheck->execute([$deviceId]);
+
+                if (!$deviceCheck->fetch()) {
+                    $message = "<div style='color: red; margin-bottom: 20px;'>❌ 设备ID <b>$deviceId</b> 不存在。请确认该设备已录入系统。</div>";
                 } else {
-                    $message = "<div style='color: orange; margin-bottom: 20px;'>⚠️ 该用户已经绑定过此设备，无需重复操作。</div>";
+                    // 3. 插入/更新绑定
+                    // 先检查是否已存在
+                    $check = $pdo->prepare("SELECT id FROM user_device_bindings WHERE user_id = ? AND device_id = ?");
+                    $check->execute([$user['id'], $deviceId]);
+
+                    if (!$check->fetch()) {
+                        // FIX: use 'bound_at' instead of 'created_at'
+                        $bind = $pdo->prepare("INSERT INTO user_device_bindings (user_id, device_id, is_primary, bound_at) VALUES (?, ?, ?, NOW())");
+                        $bind->execute([$user['id'], $deviceId, $isPrimary]);
+                        $message = "<div style='color: green; margin-bottom: 20px; background: #e6fffa; padding: 10px; border-radius: 4px;'>✅ 成功将设备 <b>$deviceId</b> 绑定给用户 <b>{$user['nickname']}</b></div>";
+                    } else {
+                        $message = "<div style='color: orange; margin-bottom: 20px;'>⚠️ 该用户已经绑定过此设备，无需重复操作。</div>";
+                    }
                 }
             } else {
                 $message = "<div style='color: red; margin-bottom: 20px;'>❌ 手机号 <b>$phone</b> 未找到。请确保用户已在小程序登录过。</div>";