我只是想让你们运行我的登录脚本,看看我是否应该采取其他安全措施。
我知道我需要将我的数据库常量移动到配置文件,但除此之外还有一些错误处理,还需要添加哪些其他检查以确保此脚本是安全的?
<?php
ob_start();
session_start();
require 'phpDatabaseClass.php';
define('DBhost', 'localhost');
define('DBusername', 'root');
define('DBpassword', 'root');
define('DBname', 'campbellCustomCoatings');
if(isset($_POST['submit']))
{
if((!empty($_POST['username'])) && (!empty($_POST['password'])))
{
//creates the db object and the constructor automatically creates the db connection
$db = new phpDatabaseClass();
//sets the username and password to variables and sanitizes them
$username = $_POST['username'];
$password = $_POST['password'];
//sets the username to only alphanumeric characters
$username = preg_replace('/[^A-Za-z0-9]/', '', $_POST['username']);
//if the username and password are valid
if($db->validateLogin($username, $password))
{
$_SESSION['loggedIn'] = $username;
header('Location: uploadImages.php');
}
}
}
?>
和我的phpDatabaseClass
<?php
/********************************************
* Created by Tom Caflisch
*
* Class to connect and query a mysql database
*
*********************************************/
class phpDatabaseClass {
private $mysqli;
/****************************
* Constructor function which makes the connection to the database
****************************/
public function __construct()
{
$this->mysqli = new mysqli(DBhost, DBusername, DBpassword, DBname);
}
/****************************
* Function which checks to see if the username and password validate
*
* $username is the username that the user entered in the form
* $password is the password that the user entered in the form
*
****************************/
public function validateLogin($username, $password)
{
//if magic quotes are turned on, remove the slashes
if(get_magic_quotes_gpc())
{
$username = stripslashes($username);
$password = stripslashes($password);
}
$username = $this->mysqli->real_escape_string($username);
$password = $this->mysqli->real_escape_string($password);
$password = md5($password);
//the query
$sql = 'select * from users
where username = \''.$username.'\'
and password = \''.$password.'\'';
$results = $this->mysqli->query($sql);
//if something is wrong with the query
if($results === false)
{
echo 'Whoa you trying to hack this thing?';
}
else
{
echo $results->num_rows;
if(($results->num_rows) == 1)
{
while($row = $results->fetch_row())
{
//if the username and password match return true else return false
if($username == $row[1] && $password == $row[2])
{
return true;
}
else
{
return false;
}
}
}
}
//return false;
}
}
?>
答案 0 :(得分:3)
我不会将MD5用于哈希密码,考虑使用像sha1或whirlpool这样的东西,也可以加密密码。
我觉得这个链接非常有用:http://www.richardlord.net/blog/php-password-security它描述了如何加密密码等等。
答案 1 :(得分:2)
另外,为什么要警告用户您的脚本是否已经找到潜在的漏洞利用?只是表现得无效登录。他们浪费在你已经想到的事情上的时间越多,他们花在你没有的东西上的花费就越少。