我之前在使用 MySQL, 并被告知这是不安全的, 所以现在我重新编码了在 PDO 中的管理员登录板, 用户和其他论坛都说不能注射。 但是黑客仍然在进入... 我编辑了登录后的网页, 告诉黑客告诉我我在上面放了什么, 黑客告诉我...
我需要知道我的密码是否安全 他告诉我他通过SQL进入
所以我首先把他们的IP存储在会话中, 所以如果他们的IP更改了, 它会把它们记录出来( 或用户名)
if ( isset($_SESSION[ last_ip ]) == false )
{
$_SESSION[ last_ip ] = $_SERVER[ REMOTE_ADDR ];
}
if ( $_SESSION[ last_ip ] !== $_SERVER[ REMOTE_ADDR ] )
{
session_unset();
session_destroy();
}
那么这是我的登录:
session_start();
include functions/functions.php ;
$db = mysqlconnect();
$password = md5($_POST[ mypassword ]);
$mod = 1;
$statement = $db->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$statement->execute(array($_POST[ myusername ],$password));
$result = $statement->fetchObject()->mod;
$count = $statement->rowCount();
if ( $result == 1 ) {
$db = mysqlconnect();
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION[ user ] = $_POST[ myusername ] ;
//Test if it is a shared client
if ( !empty($_SERVER[ HTTP_CLIENT_IP ]) ) {
$ip=$_SERVER[ HTTP_CLIENT_IP ];
//Is it a proxy address
} elseif ( !empty($_SERVER[ HTTP_X_FORWARDED_FOR ]) ) {
$ip=$_SERVER[ HTTP_X_FORWARDED_FOR ];
} else {
$ip=$_SERVER[ REMOTE_ADDR ];
}
$sqll = "UPDATE users SET lastip=? WHERE username=?";
$q = $db->prepare($sqll);
$q->execute(array($ip,$_SESSION[ username ]));
$_SESSION[ user ] = $_POST[ myusername ] ;
$sqlll = "INSERT INTO user_log (username,ip) VALUES (?, ?)";
$qq = $db->prepare($sqlll);
$qq->execute(array($_SESSION[ username ],$ip));
header("Location: home.php");
} else {
echo "Wrong Username or Password";
}
密码能注射吗?
这是我家的.php页面 阻止用户观看它。
/// My conenct is here
$sql = "SELECT * FROM users WHERE username= $_SESSION[user] ";
$result = mysql_query($sql) or die(mysql_error());
$values = mysql_fetch_array($result);
if( isset($_SESSION[ user ]) ) {
} else {
echo "Bye Bye";
die;
}
if ( $values[ mod ] == 1 ) {
echo "welcome";
} else {
echo"Your account has been reported for hacking";
die;
}