堆栈内存溢出
  简体   繁体   English

PHP登录系统硬编码的用户名和密码

[英]PHP Login system hard coded username and password

 原文  2015-09-17 13:43:55       php/ security/ authentication/ login-script/ hardcoded

问题描述

I had to do a basic login system to protect a page, and I have no access to database so i store the username and password hard coded in php page. 我必须做一个基本的登录系统来保护页面,而且我无权访问数据库,所以我将用户名和密码硬编码存储在php页面中。

My question is, can this login system hold againts an attack? 我的问题是,此登录系统能否再次发起攻击? I need it to hold about 1 month. 我需要将它保持大约1个月。

Any sugestions to improve will be helpefull. 任何改善的建议都会有所帮助。 The code is not in laravel, even if it might look like. 该代码不在laravel中,即使看起来像这样。 The username and password, will be changed to something stronger of course. 用户名和密码当然会更改为更强的名称。

Thank you in advance. 先感谢您。 

<?php
class UserController {
private $username;
private $password;
private $isLoggedIn = false;

// Credentials
public function credentials() {
    $credentials = array(
        array(
            "username" => "telekom",
            "password" => "1234"
        ),
        array(
            "username" => "telekom2",
            "password" => "1234"
        )
    );
    return $credentials;
}

// Basic login
public function login() {
    foreach ($this->credentials() as $credential) {
        if ($this->username == $credential['username'] && $this->password == $credential['password']) {
            Session::put('username', $this->username);
            Session::put('password', $this->password);
            $this->isLoggedIn = true;
        }
    }
}

// Get login status
public function isLoggedIn() {
    return $this->isLoggedIn;
}

// Logout
public function logout() {
    // Delete all sessions
    Session::all();
    redirect('/telekom/');
}

// Telekom
public function telekom() {
    $form = new Form();
    if (Input::get('logout') == 1) {
        $this->logout();
    }

    // Post Data from login form
    if (Input::has('username') || Input::has('password')) {
        if (!$form->isCsrfValid()) {
            $form->errors['CSRF'] = "CSRF Token";
        } // CSRF protection is on, comment to disable
        if (empty($form->errors)) {
            $this->username = Input::get('username');
            $this->password = Input::get('password');

            // Check Login
            $this->login();
            if (!$this->isLoggedIn()) {
                Session::put('login', 'Username and password do not match.');
            } else {
                redirect('/telekom/');
            }
        } else {
            Session::put('login', '<p class="color-dark-red"><strong>Errors:</strong></p>
                        <p>' . $form->displayErrors($form->errors) . '</p>');
        }
    // Check if session has username and password 
    } elseif (Session::has('username') && Session::has('password')) {
        $this->username = Session::get('username', false);
        $this->password = Session::get('password', false);
        // Check Login 
        $this->login();
    }
}
}// EOF Class User

// Outside class
$user = new UserController();

// Outside class
if (!$user->isLoggedIn()) {
    // display login form
} else {
    // display protected content    
}
?>

3 个解决方案

解决方案1
 1 已采纳  2015-09-17 14:38:29

My comments are getting lengthy, so I'll just move them here. 我的评论越来越冗长,因此我将其移至此处。 I would not recommend you put the username and password in the same file. 我不建议您将用户名和密码放在同一文件中。 If PHP ever fails to process the page, it will be dumped as plain text to the user. 如果PHP无法处理该页面,它将以纯文本格式转储给用户。 Even for database connections (where the un/pwd almost have to be stored plain text), most people don't put the information in the same file. 即使对于数据库连接(un / pwd几乎必须以纯文本格式存储),大多数人也不会将信息放在同一文件中。

You have a couple options: 您有两种选择:

  1. Make a separate PHP file that sets your UN/PWD variables, put it somewhere that isn't accessible from outside your server, and include it in index.php. 创建一个单独的PHP文件,该文件设置您的UN / PWD变量,将其放置在服务器外部无法访问的位置,并将其包含在index.php中。 In this case, I wouldn't include the file until right when you're going to compare the variables and let the local scope dump it as soon as possible. 在这种情况下,直到您要比较变量并让本地范围尽快将其转储时,我才将文件包括在内。

  2. Since this is such basic authentication, you could use Apache's built in password authentication module . 由于这是基本的身份验证,因此可以使用Apache的内置密码身份验证模块

解决方案2
 0  2015-09-17 13:51:46

in my opinion, this solution is safe enough when you don't plan to use it forever. 我认为,当您不打算永远使用它时,此解决方案就足够安全了。 What would I check is setting of your web server - some text editors makes backup copies of edited files, like index.php~, index.php.bkp or so. 我要检查的是您的Web服务器的设置-一些文本编辑器会制作已编辑文件的备份副本,例如index.php〜,index.php.bkp等。 Make sure whether your web server do not serve those files, if any. 确保您的Web服务器是否不提供这些文件(如果有)。

解决方案3
 0  2015-09-22 09:46:21

The problem with temporary solutions is that they've never temporary. 临时解决方案的问题在于它们从来都不是临时的。

Never hard code passwords. 永远不要硬编码密码。 Some of the reasons are: 一些原因是:

  • It is harder to keep source code secret than it is a key. 保留源代码的秘密比密钥更难。
  • Any vulnerabilities in your site that allow reading of source code may reveal the password. 您网站中任何允许阅读源代码的漏洞都可能泄露密码。
  • Passwords from development will end up in production. 来自开发的密码将最终投入生产。
  • It is impossible to change passwords without redeploying. 不重新部署就无法更改密码。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 登录系统密码和用户名 - Login system password and username 在php脚本中加密硬编码密码 - Encrypt hard coded password in php script 使用用户名/密码登录PHP - PHP Login with Username/Password 即使密码或用户名不正确,我的 PHP 登录系统仍然在登录 - My PHP login system still Logging in even if the password or username is incorrect PHP的用户名/密码登录问题 - Username/Password Login Trouble with PHP php中的密码/登录系统 - password/login system in php 用于登录系统的PHP用户名 - PHP Username's for login system 为什么在 php 中硬编码用户名密码安全威胁? - Why is hard coding username password security threat in php? PHP登录系统中的密码拥有 - Password hasing in PHP login system PHP登录功能找不到正确的用户名和密码 - PHP login function not finding correct username and password
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM