我正在使用此代码在PHP中创建一个安全的登录页面。我是从http://girlswhogeek.com/tutorials/2006/creating-a-secure-php-login-page得到的。
<?php
$username = "user";
$password = "pass";
$randomword = "bibblebobblechocolatemousse";
if (isset($_COOKIE['MyLoginPage'])) {
if ($_COOKIE['MyLoginPage'] == md5($password.$randomword)) {
?>
CONTENT HERE
<?php
exit;
} else {
echo "<p>Bad cookie. Clear please clear them out and try to login again.</p>";
exit;
}
}
if (isset($_GET['p']) && $_GET['p'] == "login") {
if ($_POST['name'] != $username) {
echo "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
exit;
} else if ($_POST['pass'] != $password) {
echo "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
exit;
} else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
setcookie('MyLoginPage', md5($_POST['pass'].$randomword));
header("Location: $_SERVER[PHP_SELF]");
} else {
echo "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
<fieldset>
<label>
<input type="text" name="name" id="name" /> Name
</label>
<br />
<label>
<input type="password" name="pass" id="pass" /> Password
</label>
<br />
<input type="submit" id="submit" value="Login" />
</fieldset>
</form>
它工作得非常好,但是,当登录信息出错时,它会切换到空白页面并回显一条消息,说明登录信息有误。我想知道是否有办法让它回显到输入页面上的div。我尝试将相关的echo消息放在div中,但它不起作用。我必须承认,我甚至不知道为什么会出现空白页面。
此外,这是最好的方法,还是有办法让它更安全?
感谢您提供任何帮助。
尼。
答案 0 :(得分:2)
有两个问题:
exit会停止执行页面,因此在“回显”您的邮件后,页面会停止以下是您的代码示例,稍微重新处理(您可能需要调整):
<?php
$message = NULL;
if (isset($_COOKIE['MyLoginPage'])) {
if ($_COOKIE['MyLoginPage'] == md5($password . $randomword)) {
?>
CONTENT HERE
<?php
exit;
} else {
$message = "<p>Bad cookie. Clear please clear them out and try to login again.</p>";
}
}
if (isset($_GET['p']) && $_GET['p'] == "login") {
if ($_POST['name'] != $username) {
$message = "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
} else if ($_POST['pass'] != $password) {
$message = "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
} else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
setcookie('MyLoginPage', md5($_POST['pass'] . $randomword));
header("Location: $_SERVER[PHP_SELF]");
} else {
$message = "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
}
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
<fieldset>
<label><input type="text" name="name" id="name" /> Name</label>
<br />
<label><input type="password" name="pass" id="pass" /> Password</label>
<br />
<input type="submit" id="submit" value="Login" />
</fieldset>
<?php
if (isset($message)) {
echo "<div>" . $message . "</div>";
}
?>
</form>
答案 1 :(得分:1)
您是否正在使用整个内容,包括<html>标记CONTENT HERE?
唯一应该去的是安全内容,而不是整个页面。您的样板html <html><head><title>title</title></head><body> ... </body></html>应该绕过您发布的整个代码块。 CONTENT HERE的内容仅显示成功登录,因此不应显示任何不安全的内容。
这是我很久以前写过的PHP page locker的另一种实现方式,可能会更清楚。&lt; / shameless plug&gt;
答案 2 :(得分:0)
如果登录结果失败,则会回显登录结果,但不显示带有该页面的页面。如果您想在站点设计中显示登录失败页面,我建议将它们发送回登录页面并显示错误消息。例如:
header("Location: http://website.com/loginpage.php?failed=1");
然后在登录页面的代码中:
if ($_GET['failed'] == '1') echo "Failed to login. Please try again.";
这样,如果登录失败,它们将被发送回登录页面并显示错误消息。