I've learned PHP from a couple of books, the W3Schools site, and heavy use of Stack Overflow posts.
To put some of it into practice I'm trying to build a small image gallery that implements a user authentication system. Users have a security access level that determines whether they have read-only, read/write, or user-administration access, and so on. At the moment I've only got the login and add-user parts.
I've modelled it on my workplace, where everyone has a unique employee ID and an 8-character email ID.
I know it's a long shot, but I'm just wondering if anyone would be able to take a look and tell me whether my code is heading in the right direction? Putting together something "real world" like this is so different from the basic examples given in the books. Any comments and suggestions would be much appreciated....
login.php
<?php
// Connect to the database
include('./helpers/db.php');
include('./helpers/general.php');
// Check if the user has submitted their details.
// (No output may be sent before this block: session_start() and header()
// below fail with "headers already sent" if the DOCTYPE precedes it.)
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $loginId = htmlspecialchars($_POST['userId']);
    $loginPass = htmlspecialchars(sha1($_POST['password']));
    // Check if they've submitted blank details.
    if (!checkLoginId($loginId) || !checkPassword($_POST['password'])) {
        $errorMsg = "Please enter a valid username or password!";
    }
    else {
        // Select the details we want for the session info.
        $stmt = $dbh->prepare("SELECT firstName, lastName, securityLevel FROM
                               userDetails WHERE registeredNumber = :loginId
                               AND password = :loginPass");
        $stmt->bindParam(':loginId', $loginId);
        $stmt->bindParam(':loginPass', $loginPass);
        $stmt->execute();
        // Make sure the user is found, and that their security level is 1 or more.
        if ($stmt->rowCount() > 0) {
            $userDetails = $stmt->fetch();
            if ($userDetails['securityLevel'] < 1) {
                $errorMsg = "Insufficient access for this user.";
            }
            else {
                // Start a new session and set up the regularly used info.
                session_start();
                $_SESSION['loggedIn'] = 1;
                $_SESSION['userID'] = $loginId;
                $_SESSION['fname'] = $userDetails['firstName'];
                $_SESSION['lname'] = $userDetails['lastName'];
                $_SESSION['security'] = $userDetails['securityLevel'];
                header("Location: ./browser/");
                exit(); // stop here so the login form is not rendered after the redirect
            }
        }
        else {
            $errorMsg = "Invalid User ID or Password!";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login</title>
<style type="text/css">
body {font-family:sans-serif;}
.warning {color:red;font-weight:bold;}
#login {margin-left:auto;margin-right:auto;width:200px;border-style:solid;border-width:1px;padding:20px;}
</style>
</head>
<body>
<!-- Display the login form -->
<div id="login">
<form action="login.php" method="POST">
<?php
if (isset($errorMsg)) {
echo '<span class="warning">'. $errorMsg . '</span>';
}
?>
<p><label for="userId">User Name:</label><br />
<input type="text" id="userId" maxlength="5" name="userId"
title="Enter your User ID:">
</p>
<p><label for="password">Password:</label><br/>
<input type="password" id="password" maxlength="12" name="password"
title="Enter your password:"/>
</p>
<p><input id="submit" type="submit" name="submit" value="Submit"></p>
</form>
</div>
</body>
</html>
db.php
<?php
$hostname = 'localhost';
$dbname = 'dam';
$dbuser = 'root';
$dbpass = '****';
// Try and connect to the database and catch the error if it doesn't work.
try
{
    $dbh = new PDO("mysql:host=$hostname;dbname=$dbname", $dbuser, $dbpass);
    // Throw exceptions on query errors instead of failing silently.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Do not echo anything here: any output from an included file breaks the
    // session_start() and header() redirects in the pages that include it.
}
catch (PDOException $e)
{
    print "Error! " . $e->getMessage() . '<br/>';
    die();
}
?>
general.php
<?php
// Checks whether the loginID/Registered Number is valid
function checkLoginId($login) {
    if ($login == '' || $login == NULL || (!is_numeric($login))) {
        return 0;
    }
    else return 1;
}
// Checks whether the password is valid
function checkPassword($password) {
    if ($password == '' || $password == NULL) {
        return 0;
    }
    else return 1;
}
// Validates a new user's details; returns 1 on success or an array of error messages.
function verifyNewUser($userID, $upass, $fname, $lname, $email) {
    $hasErrors = 0;
    $errorMsg = array();
    if ($userID == '' || $userID == NULL || (!is_numeric($userID)) || (strlen($userID) != 5)) {
        $hasErrors++;
        $errorMsg[] = "User ID is either missing, or does not have 5 digits";
    }
    if ($upass == '' || $upass == NULL || (strlen($upass) < 6)) {
        $hasErrors++;
        $errorMsg[] = "Password is either missing, or does not meet minimum length of six";
    }
    if ($fname == '' || $fname == NULL || empty($fname)) {
        $hasErrors++;
        $errorMsg[] = "First name is missing.";
    }
    if ($lname == '' || $lname == NULL || empty($lname)) {
        $hasErrors++;
        $errorMsg[] = "Last name is missing.";
    }
    if ($email == '' || $email == NULL || empty($email) || (strlen($email) != 8)) {
        $hasErrors++;
        $errorMsg[] = "Check email id, should be 8 characters.";
    }
    if ($hasErrors == 0) {
        return 1;
    }
    else {
        echo "Returning with errors<br/>";
        return $errorMsg;
    }
}
?>
adduser.php
<?php
include("./helpers/general.php");
include('./helpers/db.php');
session_start();
// If the user isn't logged in, send them away...
if (!(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] != '')) {
    header("Location: ./login.php");
    exit();
}
// Get the users full name so we can politely tell them to rack off if they
// don't have sufficient access to add users.
$uname = $_SESSION['fname'] . ' ' . $_SESSION['lname'];
// Check if the user has the security clearance to add a new user:
if ($_SESSION['security'] != 4) {
    echo "Sorry $uname, only level 4 administrators can manage users.<br/>";
    echo '<a href="./browser/">Back to Browser</a>';
    exit();
}
// Check if they have submitted the form and validate the input
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $userID = htmlspecialchars($_POST['registeredNumber']);
    $upass = htmlspecialchars($_POST['password']);
    $fname = ucfirst(htmlspecialchars($_POST['firstName']));
    $lname = ucfirst(htmlspecialchars($_POST['lastName']));
    $email = htmlspecialchars($_POST['emailID']);
    $secLev = $_POST['securityLevel'];
    $creator = $_SESSION['userID'];
    $valid = verifyNewUser($userID, $upass, $fname, $lname, $email);
    if ($valid === 1) {
        // Hash the password with sha1 before storing it
        $upass = sha1($upass);
        // Create the array to feed the SQL statement.
        $data = array($userID, $upass, $fname, $lname, $email, $secLev, date('Y-m-d H:i:s'), $creator);
        $dbh->beginTransaction();
        // NULL (rather than '') lets the auto-increment id column assign itself.
        $stmt = $dbh->prepare("INSERT INTO userDetails VALUES(NULL, ?, ?, ?, ?, ?, ?, ?, ?)");
        $stmt->execute($data);
        $dbh->commit();
        if ($stmt->rowCount() > 0) {
            echo "Success, new user $fname $lname added!<br/>";
            echo "Email ID: $email<br/>";
            echo "Security Level: $secLev<br/>";
        }
    }
    else if (is_array($valid)) {
        // verifyNewUser() returned the list of validation messages.
        foreach ($valid as $error) {
            echo '<span style="color:red;font-weight:bold">' . $error . "</span><br/>";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Add A New User</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<form action="adduser.php" method="post">
<table>
<tr>
<td><label for="registeredNumber">Registered Number:</label></td>
<td><input type="text" maxlength="5" name="registeredNumber"/></td>
</tr>
<tr>
<td><label for="password">Password:</label></td>
<td><input type="password" maxlength="12" name="password"/></td>
</tr>
<tr>
<td><label for="firstName">First Name:</label></td>
<td><input type="text" maxlength="20" name="firstName"/></td>
</tr>
<tr>
<td><label for="lastName">Last Name:</label></td>
<td><input type="text" maxlength="20" name="lastName"/></td>
</tr>
<tr>
<td><label for="emailID">Email ID:</label></td>
<td><input type="text" maxlength="8" name="emailID"/></td>
</tr>
<tr>
<td><label for="securityLevel">Security Level:</label></td>
<td>
<select name="securityLevel">
<option value="0" selected="selected">0 - No Access</option>
<option value="1">1 - Read Access</option>
<option value="2">2 - Read/Write Access</option>
<option value="3">3 - Read/Write/Delete Access</option>
<option value="4">4 - User Administrator</option>
</select>
</td>
</tr>
</table>
<input type="submit" name="submit" value="Submit"/>
</form>
</body>
</html>
logout.php
<?php
// Destroy the session and go to the login screen.
session_start();
$_SESSION = array();
session_destroy();
header("Location: login.php");
exit();
?>
Answer 0 (score: 5)
Your approach has serious security problems.
The biggest one is that you are storing passwords in the database. You don't need to store passwords in the database; it's a terrible idea and likely grounds for someone to sue the pants off you in court.
There are a variety of encryption and hashing options that let you build a system like this without storing passwords in the database, and using one of them is standard procedure. Anyone who doesn't will have problems down the road (google "PSN password leak").
A good option is PBKDF2: http://en.wikipedia.org/wiki/PBKDF2
However, that's only the most obvious problem. There are several other things you haven't done perfectly, and this really is something you need to learn how to do properly, or you shouldn't attempt it at all. Even if you're using PBKDF2, you still need to learn how to use it correctly.
I'd suggest listening to just about every episode of this before trying to write your own authentication system: http://www.grc.com/securitynow.htm
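The PBKDF2 approach the answer recommends, as an added example in PHP (not the question's or the answer's code): it uses PHP's built-in hash_pbkdf2(), random_bytes() and hash_equals(), assumes PHP 7.1+ and the question's userDetails table with its password column widened to hold the encoded string, and shows how login.php's query changes to look the user up by ID first and verify the password in PHP.

```php
<?php
// Added example, not code from the question or the answer: PBKDF2 password
// storage with PHP's built-in hash_pbkdf2() and a lookup-then-verify login.
// Assumes the question's userDetails table with a wider `password` column.

const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 100000;
const PBKDF2_SALT_BYTES = 16;
const PBKDF2_HASH_BYTES = 32;

// Produce "pbkdf2$algo$iterations$salt$hash" so the parameters travel with the
// record and can be raised later without invalidating existing users.
function pbkdf2Hash(string $password): string {
    $salt = random_bytes(PBKDF2_SALT_BYTES);          // fresh random salt per user
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true);
    return implode('$', ['pbkdf2', PBKDF2_ALGO, PBKDF2_ITERATIONS,
                         base64_encode($salt), base64_encode($hash)]);
}

// Recompute with the stored parameters and compare in constant time.
function pbkdf2Verify(string $password, string $stored): bool {
    $parts = explode('$', $stored);
    if (count($parts) !== 5 || $parts[0] !== 'pbkdf2') {
        return false;                                  // malformed or legacy sha1 record
    }
    [, $algo, $iterations, $salt, $hash] = $parts;
    $salt = base64_decode($salt, true);
    $hash = base64_decode($hash, true);
    if ($salt === false || $hash === false || (int)$iterations < 1) {
        return false;
    }
    $candidate = hash_pbkdf2($algo, $password, $salt, (int)$iterations, strlen($hash), true);
    return hash_equals($hash, $candidate);             // no early-exit string compare
}

// Replacement for the login.php query: fetch the row by ID only, then verify
// the password in PHP instead of matching sha1($password) in the WHERE clause.
function authenticate(PDO $dbh, string $loginId, string $password): ?array {
    $stmt = $dbh->prepare('SELECT firstName, lastName, securityLevel, password
                           FROM userDetails WHERE registeredNumber = :loginId');
    $stmt->execute([':loginId' => $loginId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !pbkdf2Verify($password, $row['password'])) {
        return null;                                   // unknown user and bad password look alike
    }
    unset($row['password']);
    return $row;                                       // adduser.php stores pbkdf2Hash($upass)
}
```

On PHP 5.5 and later, password_hash() and password_verify() give the same salted, slow-hash guarantees (using bcrypt) in two calls and are the simpler default.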