Commit b5e5f9226fad9d3ca486c54f65b1d5f7d65ec2ac
1 parent
1dcf9fcf
feat: add device existence check to prevent ghost bindings
Showing
1 changed file
with
19 additions
and
11 deletions
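@@ -35,18 +35,26 @@ if ($pdo && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) &&
         $user = $stmt->fetch(PDO::FETCH_ASSOC);
 
         if ($user) {
-            // 2. 插入/更新绑定
-            // 先检查是否已存在
-            $check = $pdo->prepare("SELECT id FROM user_device_bindings WHERE user_id = ? AND device_id = ?");
-            $check->execute([$user['id'], $deviceId]);
-
-            if (!$check->fetch()) {
-                // FIX: use 'bound_at' instead of 'created_at'
-                $bind = $pdo->prepare("INSERT INTO user_device_bindings (user_id, device_id, is_primary, bound_at) VALUES (?, ?, ?, NOW())");
-                $bind->execute([$user['id'], $deviceId, $isPrimary]);
-                $message = "<div style='color: green; margin-bottom: 20px; background: #e6fffa; padding: 10px; border-radius: 4px;'>✅ 成功将设备 <b>$deviceId</b> 绑定给用户 <b>{$user['nickname']}</b></div>";
+            // 2. 验证设备是否存在 (Prevent Ghost Bindings)
+            $deviceCheck = $pdo->prepare("SELECT id FROM devices WHERE id = ?");
+            $deviceCheck->execute([$deviceId]);
+
+            if (!$deviceCheck->fetch()) {
+                $message = "<div style='color: red; margin-bottom: 20px;'>❌ 设备ID <b>$deviceId</b> 不存在。请确认该设备已录入系统。</div>";
             } else {
-                $message = "<div style='color: orange; margin-bottom: 20px;'>⚠️ 该用户已经绑定过此设备,无需重复操作。</div>";
+                // 3. 插入/更新绑定
+                // 先检查是否已存在
+                $check = $pdo->prepare("SELECT id FROM user_device_bindings WHERE user_id = ? AND device_id = ?");
+                $check->execute([$user['id'], $deviceId]);
+
+                if (!$check->fetch()) {
+                    // FIX: use 'bound_at' instead of 'created_at'
+                    $bind = $pdo->prepare("INSERT INTO user_device_bindings (user_id, device_id, is_primary, bound_at) VALUES (?, ?, ?, NOW())");
+                    $bind->execute([$user['id'], $deviceId, $isPrimary]);
+                    $message = "<div style='color: green; margin-bottom: 20px; background: #e6fffa; padding: 10px; border-radius: 4px;'>✅ 成功将设备 <b>$deviceId</b> 绑定给用户 <b>{$user['nickname']}</b></div>";
+                } else {
+                    $message = "<div style='color: orange; margin-bottom: 20px;'>⚠️ 该用户已经绑定过此设备,无需重复操作。</div>";
+                }
             }
         } else {
             $message = "<div style='color: red; margin-bottom: 20px;'>❌ 手机号 <b>$phone</b> 未找到。请确保用户已在小程序登录过。</div>";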
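Review bot: The new "device not found" message on new line 43 interpolates `$deviceId` straight into HTML, and since the hunk header shows this is the `$_POST` handler, that value is presumably request-controlled, so a submitted ID like `<script>…</script>` is reflected unescaped — the same applies to `$deviceId` and `{$user['nickname']}` on new line 54. Escape per HTML context before building the message, e.g. `$safeDeviceId = htmlspecialchars($deviceId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and use `$safeDeviceId` in the `<b>…</b>` spans. Separately, the existence check and the duplicate check are both SELECT-then-INSERT with no transaction, so a device deleted between new lines 40 and 53, or two concurrent POSTs for the same pair, still produce a ghost or duplicate row; a foreign key `user_device_bindings.device_id → devices(id)` and a `UNIQUE (user_id, device_id)` constraint are what actually enforce the invariant, leaving these SELECTs for friendly error text only. The enclosing `if ($pdo && …)` handler starts before and ends after this hunk, so I cannot confirm whether a CSRF token is validated for this state-changing POST.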