[英]Simple single user login page
Let's assume I wanted to make a super simple page with restricted access in php for a single user. 假设我想为单个用户制作一个超级简单的页面,并在php中限制访问。 Provided that the authorized user knows the directory and the url of the page, could he just pass manually a username and password (that he would know) through the
get
method in the url bar, and check it automatically against the script, in which the values of the username and password would be hardcoded in? 如果授权用户知道页面的目录和网址,他是否可以通过网址栏中的
get
方法手动传递用户名和密码(他会知道),然后根据脚本自动检查用户名和密码,用户名和密码的值将被硬编码? The script has an if statement
that if not true, wouldn't display the content. 该脚本有一个
if statement
,如果不为true,则不会显示内容。 What flaws could there be? 会有什么缺陷?
The url 网址
http://example.com/admin.php?user=admin&password=1324
admin.php admin.php的
<?php if($_GET['user'] == 'admin' && $_GET['password'] == '1324')){
// display content here
}else{
echo "You're not authorized to visit this page";
} ?>
Scenario 2: the post
method 方案2:
post
方法
Similar to the above scenario, in this one the authorized user would type the username, password in a form, which would be processed at the actual admin.php
file. 与以上情形类似,在这种情况下,授权用户将以一种形式键入用户名和密码,该形式将在实际的
admin.php
文件中进行处理。 A similar if statement
would be used, with the $_POST[]
superglobals this time to check the input. 将使用类似的
if statement
,这次使用$_POST[]
超全局变量来检查输入。
<?php if($_POST['user'] == 'admin' && $_POST['password'] == '1324'){
// display content here
}else{
echo "You're not authorized to visit this page";
} ?>
Both have their flaws. 两者都有缺点。
If you use method 1, you'll end up with the variables passed to the header being saved in the page history, meaning anyone with access to the PC can just search through and find them, giving themselves access in the process. 如果使用方法1,最终将传递给页眉的变量保存在页面历史记录中,这意味着有权访问PC的任何人都可以搜索并找到它们,从而在过程中获得访问权。 Search engines can also pick up on and save the link, leaving it open to the world.
搜索引擎还可以选择并保存链接,从而将其向全世界公开。
If you use method 2, you'll need to re-send the POST data every single time you visit a secure page, meaning you end up with a mess of buttons and forms where links could have sufficed. 如果您使用方法2,则每次访问安全页面时都需要重新发送POST数据,这意味着您最终会看到一堆乱七八糟的按钮和表格,其中的链接本来就足够了。 It does however remove the problems of the first method.
但是,它确实消除了第一种方法的问题。
A better method to both of these would be the usage of the $_SESSION variable. 更好的方法是使用$ _SESSION变量。 This basically allows data to be stored server side, while giving the user a 'key' which can be used to control access to the data - this key is stored in cookies, by default.
这基本上允许将数据存储在服务器端,同时为用户提供一个“键”,该键可用于控制对数据的访问-默认情况下,此键存储在cookie中。
An example usage would be: 一个示例用法是:
//Say the user is "admin", and the password is "1234"
//This data could be used to 'log in' via post.
//First of all we start the session, and check to see if the user is logged in
//If the user has the session active, they'll have a cookie on their PC which links to it
session_start();
if ($_SESSION['login']==true || ($_POST['user']=="admin" && $_POST['pass']=="1234")) {
//If they already have a session, give them access.
//If not, check for posted UN & PW and if correct, give access.
$_SESSION['login']=true; //Set login to true in case they got in via UN & PW
//Do stuff for when logged in
}
else { //Not already logged in, not sent a password
//Give the user a login form redirecting to this page.
}
The benefits of this are: 这样做的好处是:
Yes it can, with GET
, POST
has to pass from a form. 是的,可以,通过
GET
, POST
必须从表单传递。 It's not a safe way because of many reasons. 由于多种原因,这不是一种安全的方法。
But yes, for your needs it can be passed with GET
. 但是,是的,可以根据您的需要通过
GET
进行传递。 With a single URL he can jump in restricted area. 使用单个URL,他可以跳转到禁区。
BTW when you check for username and password: 顺便说一句,当您检查用户名和密码时:
if($_GET['user'] == 'admin' && $_GET['password'] == '1324' && $_GET['password'] != '' && $_GET['username'] != '')
you can exclude the last part because you are already verifying against data 您可以排除最后一部分,因为您已经在根据数据进行验证
if($_GET['user'] == 'admin' && $_GET['password'] == '1324')
Something like this 像这样
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'Text to send if user hits Cancel button';
exit;
} else {
$expectdUsername = 'username';
$expectedPassword = 'secret';
if($_SERVER['PHP_AUTH_USER'] != $expectdUsername ||
$_SERVER['PHP_AUTH_PW'] != $expectedPassword) {
echo 'Invalid username/password';
exit;
}
//Add a cookie, set a flag on session or something
//display the page
}
It can be called by 可以通过
http://username:secret@thepage.com HTTP://用户名:secret@thepage.com
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.