PHP和MySQL登录安全性疑虑
[英]PHP and mySQL login security doubts
问题描述
I am totally new to PHP and mySQL and I built a small login form for my website. 
我对PHP和mySQL完全mySQL并且为我的网站构建了一个小的登录表单。 As the descriptions on the internet for such a thing are much more extensive, I just want to ask you if this is a secure way to do it, as it was just a few lines and it works: 由于在互联网上对这种事情的描述更加广泛,我只想问您这是否是一种安全的方法,因为它仅需几行就可以了:
First I create a table in phpMyAdmin with username and password (hashed with md5). 首先,我在phpMyAdmin中用用户名和密码(用md5散列)创建一个表。 After that I run the login on the website with the following script, where the $_POST stuff comes from a form. 之后,我使用以下脚本在网站上运行登录名,其中$_POST内容来自表单。
<?php
session_start();
$db = @mysqli_connect("...", "...", "...") or
die("Connection failed!");
mysqli_select_db($db,'...');
if(isset($_POST['username']))
{
$_SESSION['user'] = $_POST['username'];
$_SESSION['password'] = md5($_POST['password']);
$user = $_SESSION['user'];
$password = $_SESSION['password'];
$sql = "SELECT * FROM logins WHERE username = \"$user\"";
$result = $db->query($sql);
$row = $result->fetch_assoc();
if($row["password"] == $password)
{
$_SESSION['logged'] = "loggedin";
}
}
?>
The Logout Script is very easy as well. 注销脚本也非常简单。
<?php
session_start();
session_destroy();
unset($_SESSION['user']);
unset($_SESSION['password']);
header('Location: ../index.php');
?>
Moreover I restrict every private content with 此外,我会限制所有私人内容
<?php
if (isset($_SESSION['logged']))
{
$temp = $_SESSION["user"];
echo "Hello $temp, nice to see you!";
}
?>
or I make a redirection. 或者我进行重定向。
So here are my questions: 所以这是我的问题:
- Is this a secure way to do it? 这是一种安全的方法吗? Can It be hacked easily? 可以很容易地被黑客入侵吗?
- What sense does md5 make if a reverse lookup is possible? 如果可以进行反向查找 ,md5有什么意义?
Thank You! 谢谢!
2 个解决方案
解决方案1
1 已采纳 2016-05-03 18:16:34
You gotta lot of work ahead of you. 您需要做很多工作。 Here are some good places to start. 这里是一些不错的起点。 Take the ideas from here and Google because there is a lot of information out there that you will need to tap into. 请从这里和Google那里获取想法,因为那里需要大量信息。
For how to both server and submit the page see here Is HTTPS as the form's action enough? 有关如何同时服务器和提交页面的信息,请参见此处HTTPS作为表单的操作是否足够?
For how to hash see here (currently my choice) Password Hashing Functions 有关如何哈希的信息,请参见此处(当前由我选择) 密码哈希函数
Lastly read up on form validation and input sanitizing a good SO post is What's the best method for sanitizing user input with PHP? 最后阅读有关表单验证和输入清理好的SO帖子的内容是什么是用PHP清理用户输入的最佳方法?
Also, as one of the comments points out look into Prepared Statements 另外,正如其中一项评论所指出的那样,请查看预准备语句
Hope this helps get you started on your journey. 希望这可以帮助您入门。
解决方案2
0 2016-05-03 17:48:43
You have no security whatsoever, since you are POSTing both the username and the password. 您没有任何安全性,因为您要同时发布用户名和密码。 They are sent over the internet in clear text, unless you are using HTTPS. 除非您使用HTTPS,否则它们以明文形式通过Internet发送。 The MD5 encoding is pretty useless too. MD5编码也非常无用。
A more secure way would be to encode the password BEFORE POSTing it, ideally with an expiring timestamp, so it cannot be reused after x amount of time. 一种更安全的方法是在发布密码之前对密码进行编码,理想情况下,该密码带有过期的时间戳记,因此在x的时间量后不能再次使用。
Also, your sql statement uses a POSTed value without any sanitizing, this exposes your database to sql injection... 另外,您的sql语句使用POSTed值而不进行任何消毒,这会使您的数据库遭受sql注入...
Please don't use your code on any strategic database. 请不要在任何战略数据库上使用您的代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.