Question

目前,I m正在测试一个简单的标识系统I ve。文字是核对我数据库中的用户名和密码一,如果两者都吻合,则用户名称与会议变量。当我只读“成员”一页时,它将检查一下,如果会议没有变数,用户就不能看内容。似乎按预期开展工作。基于上述内容,我的问题是:

我的方法有哪些弱点/缺陷?
Can cookies make it more secure? If so, how would it do so with relation to my code?

这里指的是我迄今所做的工作:

用户名和密码核对:

<?
session_start();

$username = $_POST[ username ];
$password = $_POST[ password ];

if ($username && $password){
$query = mysql_query("SELECT * FROM user WHERE username= $username  ");
$numrows = mysql_num_rows($query);

    //if user exists
    if ($numrows !=0){
        while ($row = mysql_fetch_array($query)){
                $dbusername = $row[ username ];
                $dbpassword = $row[ password ];
            }

        if ($username == $dbusername && md5($password) == $dbpassword){
            echo  You re in! <a href="member.php">Click</a> here to enter the member page. ;   
            $_SESSION[ username ] = $dbusername;

        }
        else
            echo "incorrect password!";
    }
    else
        die("sorry, that user doesn t exist!");
}



?>

页: 1

<?
session_start();


if ($_SESSION[ username ]){
echo "Welcome, ".$_SESSION[ username ]."!<br>
<a href= changepassword.php >Change password</a>
";
}
else{
echo "please log in";   
}
?>

Answer 1

目前,最大的安全问题是卡片注射,这是目前文字中的巨大缺陷。任何人都可以在没有任何全权证书上填写你所写的文字。改变这一思路:

$username = $_POST[ username ];

参看:

$username = mysql_real_escape_string($_POST[ username ]);

就厨师而言,课程使用厨师,因此,你已经使用。第二,你在一家厨师身上的任何东西都从电线上转移,因此无法安全。

其他良好的安全措施是使用加密或至少一种沙2变式,而不是用5米宽的密码。

在你寄出电线之前使用java字母的密码也比较可取,如果你不使用SSL,这一点极其重要。

That ll get you started. After you take care of these problems you can move on to CSRF and session hijacking attacks.

Answer 2

我再次向你表示,由于许多原因,你会利用PDOPHP这一类别进行询问:

If you change your DBMS, you wouldn t have to edit all your mysql_query(), mysql_numrows(), etc.
For security reasons, because PDO has some pre-integrated functions to prevent from security issues.
...

因此,根据《人权法案》,你的法典就是这样:

<?php
session_start();

$db = new PDO( mysql:host= .DB_HOST. ;dbname= .DB_NAME, DB_USER, DB_PASS);

$username = $_POST[ username ];
$password = $_POST[ password ];

if ($username && $password){
$query = $db->prepare("SELECT * FROM user WHERE username = :usr");
$query->execute(array( usr  => $username));
$numrows = $query->rowCount();

    //if user exists
    if ($numrows !=0){
        while ($row = $query->fetch()){
                $dbusername = $row[ username ];
                $dbpassword = $row[ password ];
            }

        if ($username == $dbusername && md5($password) == $dbpassword){
            echo  You re in! <a href="member.php">Click</a> here to enter the member page. ;   
            $_SESSION[ username ] = $dbusername;

        }
        else
            echo "incorrect password!";
    }
    else
        die("sorry, that user doesn t exist!");
}
?>

这种方法prepare(>, 防止了Kum射。 <>t>execute() 需要在<>code>prepare(之后使用query(<> noexecute(>>。

<代码>fetch( >方法等于mysql_fetch_array(。

http://www.php.net/manual/en/book.pdo.php rel=“nofollow”http://www.php.net/manual/en/book.pdo.php。

我希望我帮助了。

NB:我更喜欢<?php,而不是<?。

友情链接