My website's login page is not secure. Every time I type a username or password into the login page in Firefox, I see a dialog:
This connection is not secure. Logins entered here could be compromised.
Should I try prepared statements, or is there some other problem? Sorry, this is a broad question, but I'm not very familiar with web security.
Here is my login page code:
<?php
include("connect.php");
include('PHPMailer/PHPMailer-master/examples/gmail_xoauth.phps');

// Account creation: validate input, refuse duplicates, store only a bcrypt hash of the password
if (isset($_POST['createaccount'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email    = $_POST['email'];
    if (!connect::query('SELECT username FROM accounts WHERE username=:username', array(':username' => $username))) {
        if (strlen($username) >= 3 && strlen($username) <= 32) {
            // Anchored with ^ and $ so the whole username must be [a-zA-Z0-9_], not just one character of it
            if (preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
                if (strlen($password) >= 6 && strlen($password) <= 60) {
                    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
                        if (!connect::query('SELECT email FROM accounts WHERE email=:email', array(':email' => $email))) {
                            connect::query(
                                'INSERT INTO accounts VALUES (null, :username, :password, :email, \'0\')',
                                array(
                                    ':username' => $username,
                                    ':password' => password_hash($password, PASSWORD_BCRYPT),
                                    ':email'    => $email,
                                )
                            );
                            gmail_xoauth::sendMail('Welcome to the Website!', 'Your account has been created!', $email);
                            echo "<h3 class='errmessage'>Success!</h3>";
                        } else {
                            echo '<h3 class="errmessage">Email already in use!</h3>';
                        }
                    } else {
                        echo '<h3 class="errmessage">Invalid email!</h3>';
                    }
                } else {
                    echo '<h3 class="errmessage">Invalid password, at least 6 characters!</h3>';
                }
            } else {
                // Character-set check failed
                echo '<h3 class="errmessage">Invalid username</h3>';
            }
        } else {
            // Length check failed
            echo '<h3 class="errmessage">Invalid username, at least 3 characters</h3>';
        }
    } else {
        echo '<h3 class="errmessage">User already exists!</h3>';
    }
}

// Login: verify the bcrypt hash, then issue a random session token (only its SHA-1 is stored server side)
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // One query fetches both the id and the hash instead of three separate lookups by username
    $rows = connect::query('SELECT id, password FROM accounts WHERE username=:username', array(':username' => $username));
    if ($rows) {
        if (password_verify($password, $rows[0]['password'])) {
            // random_bytes() is a CSPRNG and throws if no secure source exists, unlike
            // openssl_random_pseudo_bytes(), whose $crypto_strong output flag was never checked here
            $token   = bin2hex(random_bytes(64));
            $user_id = $rows[0]['id'];
            connect::query('INSERT INTO users VALUES (null, :token, :user_id)', array(':token' => sha1($token), ':user_id' => $user_id));
            // Arguments: name, value, expiry, path, domain, secure, httponly.
            // "secure" is false here because the site is still served over http; set it to true once
            // the page is on https so the token is never sent in clear.
            setcookie("SNID", $token, time() + 60 * 60 * 24 * 7, '/', '', false, true);
            setcookie("SNID_", '1', time() + 60 * 60 * 24 * 3, '/', '', false, true);
            setcookie("username", $username, time() + 3600);
            header("Location: home.php");
            exit; // stop executing after the redirect
        } else {
            echo '<h3 class="errmessage">Incorrect Password! Try again</h3><br><br><br>';
        }
    } else {
        echo '<h3 class="errmessage">User not registered! Try again</h3><br><br><br>';
    }
}
?>
Here is the connect.php file:
<?php
class connect
{
    private static $pdo = null;

    private static function db()
    {
        // Reuse one connection per request instead of opening a new one for every query
        if (self::$pdo === null) {
            // No spaces around '=' in the DSN: "charset = utf8" is not recognised by PDO and is silently ignored
            self::$pdo = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8', 'username', 'password');
            self::$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            // Use real server-side prepared statements so parameters are never interpolated into the SQL text
            self::$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
        return self::$pdo;
    }

    public static function query($query, $params = array())
    {
        $statement = self::db()->prepare($query);
        $statement->execute($params);
        // Only SELECTs return rows; INSERT/UPDATE/DELETE return nothing
        if (strtoupper(explode(' ', $query)[0]) === 'SELECT') {
            return $statement->fetchAll();
        }
    }
}
?>
Answer 0 (score: 2)
This is because you have a password field on a non-TLS page, meaning your page is being served over http rather than https. You can read more about the Firefox side of this here and in Mozilla's note to developers here. It can be fixed by adding an SSL certificate to your server.
Some certificates cost money, but you can look into Let's Encrypt for a free certificate. The main difference between paid certificates and Let's Encrypt certificates is the length of the validity period. At the time of writing they are only good for 3 months, but there are tools to automate the renewal.
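Installing the certificate is only half of the fix: the login page must actually be reached over HTTPS, and the session cookie must be marked so the browser never sends it over plain http. The following is an added example, not code from the question or either answer; it assumes a placeholder canonical host (example.com), PHP 7.3+ for the setcookie() options array, and no TLS-terminating proxy in front of PHP (behind one, you would trust X-Forwarded-Proto only from that proxy's address).

```php
<?php
// Added example (not from the original post): force HTTPS for the login page and issue the
// session cookie with the Secure/HttpOnly/SameSite attributes.

const SITE_HOST = 'example.com'; // placeholder; never redirect to $_SERVER['HTTP_HOST'] blindly

function request_is_https(array $server): bool
{
    // Apache and nginx/php-fpm set HTTPS to "on" (or "1") for TLS requests, and unset it or "off" otherwise
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

function require_https(array $server): void
{
    if (!request_is_https($server)) {
        // Send the browser to the same path on the TLS site; a 301 keeps it from coming back over http
        $path = $server['REQUEST_URI'] ?? '/';
        header('Location: https://' . SITE_HOST . $path, true, 301);
        exit;
    }
    // Emit HSTS only on HTTPS responses (browsers ignore it on http anyway). Start with a short
    // max-age and raise it once every page of the site works over TLS.
    header('Strict-Transport-Security: max-age=3600');
}

function set_login_cookie(string $name, string $value, int $ttlSeconds): void
{
    setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,  // browser sends it only over https
        'httponly' => true,  // not readable by page JavaScript
        'samesite' => 'Lax', // not attached to cross-site POSTs
    ]);
}

// Usage at the top of the login page, before any output:
require_https($_SERVER);

// ...and after password_verify() succeeds, instead of the plain setcookie() call:
$token = bin2hex(random_bytes(32));
set_login_cookie('SNID', $token, 60 * 60 * 24 * 7);
```

Redirecting to a fixed host rather than to whatever `Host` header arrived avoids turning the redirect into an open redirect, and sending HSTS only after the HTTPS check means a stray http response can never set it.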
Answer 1 (score: 1)
Firefox adds this warning to form elements on pages that are not served over HTTPS when it determines that those forms are for sensitive information. This took effect in Firefox 52. For details, see this Mozilla blog post and this Mozilla support page.