[英]PHP login, is it secure?
我希望有人可以看看我的第一个PHP登录脚本,并对我可能做错了什么以及它是否确实安全提出了一些建设性的批评。 谢谢。
我不确定我是否正确使用了密码重新哈希。
if (isset($_POST['submit'], $_POST['username'], $_POST['password']))
{
$username = null;
if (isset($_POST['username'])) $username = strip_tags(trim($_POST['username']));
$password = null;
if (isset($_POST['password'])) $password = strip_tags(trim($_POST['password']));
$sql = "SELECT * FROM login WHERE username=?";
$get = $connect->prepare($sql);
$get->execute(array(
$username
)); // Execute the query
if ($get->rowCount() === 1)
{
$row = $get->fetch(PDO::FETCH_ASSOC); // Fetch the result
$db_username = $row['username'];
$db_password = $row['password'];
if ((password_verify($password, $db_password)) && (strlen($username) >= 5) && (strlen($username) <= 10) && (strlen($password) >= 5) && (strlen($password) <= 12))
{
if (password_needs_rehash($password, PASSWORD_DEFAULT))
{
$hash = password_hash($password, PASSWORD_DEFAULT);
$sql = "SELECT * FROM login WHERE username=?";
$get = $connect->prepare($sql); // Use prepare to prevent SQL injection
$sql = "UPDATE login SET password=? WHERE username=?";
$statement = $connect->prepare($sql);
$statement->execute(array(
$hash,
$username
));
}
$_SESSION['auth'] = $db_username;
session_regenerate_id(true);
$sql = "UPDATE login SET last_login=?, ip=? WHERE username=?";
$statement = $connect->prepare($sql);
$statement->execute(array(
$dt,
$ip,
$username
));
$sql2 = "INSERT INTO LOG (username,lastlogin,ip) VALUES (:username,:lastlogin,:ip)";
$statement = $connect->prepare($sql2);
$statement->execute(array(':username'=>$username,
':lastlogin'=>$dt,
':ip'=>$ip
));
reloadPage();
}
else
{
$loginmsg = 'Wrong Username / Password';
}
}
else
{
$loginmsg = 'Wrong Username / Password';
}
}
1号缺陷
$username = null;
if (isset($_POST['username'])) $username = strip_tags(trim($_POST['username']));
$password = null;
if (isset($_POST['password'])) $password = strip_tags(trim($_POST['password']));
尝试
$username = null;
if (isset($_POST['username']))
{
$username = strip_tags(trim($_POST['username']));
}
$password = null;
if (isset($_POST['password']))
{
$password = strip_tags(trim($_POST['password']));
}
2号缺陷
始终将algo contants
与password_hash()
一起使用,以获得更好的用法。
if (password_needs_rehash($password, PASSWORD_DEFAULT))
{
$cons = array('cost' => 12);
$hash = password_hash($password, PASSWORD_DEFAULT, $cons);
$sql = "SELECT * FROM login WHERE username=?";
其他所有人对我来说都还可以。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.