-4

我想清理我的登录脚本并帮助我的数据库安全。我是一个基本的编码员,从教程中学到了我所拥有的东西,所以我想我的脚本需要一些保护,有什么建议吗?

<?php

session_start();

$email = strtolower( trim($_POST['email']));
$pass = $_POST['password'];

if ($email&&$pass){

require_once("dbconnect.php");

$query = mysql_query("SELECT * FROM users WHERE username='$email'");
$numrows = mysql_num_rows($query);
if ($numrows!=0){   
//code to login
    while ($row = mysql_fetch_assoc($query)){
        $dbusername = $row['username'];        //USERNAME IS NAME OF COLUMN IN DB
        $dbpassword = $row['password'];
        $activated = $row['activated'];

        if ($activated=='0')
            die("Your account has not been activated.(Remember to check in your email spam folder)");
    }

    //check to see if they match
    if ($email==$dbusername&&md5($pass)==$dbpassword){
        //echo "You have succesfully logged-in! <a href='start.php'>Click</a> here to enter." ;
        $_SESSION['username']=$email;
        header( 'Location: http://website' ) ;
    }
    else{
        echo "The password you entered is incorrect";   
    }
}
else
    die("Sorry, the email you have entered is incorrect");

}

else
    die("Please enter your email and password");


?>
4

2 回答 2

2

看,我给你重写了!这使用 PDO 和准备好的语句,以最优雅的方式(即 not mysql_real_escape_string)修补 SQL 注入漏洞,并且还使用 bcrypt 对密码进行哈希处理,这比没有盐的 MD5 好得多。

<?php
session_start();

if(isset($_POST['email']) && isset($_POST['password'])) {
    require_once 'dbconnect.php';

    $email = strtolower(trim($_POST['email']));
    $password = $_POST['password'];

    $query = $link->prepare('SELECT * FROM users WHERE username = :email LIMIT 1');
    $query->execute(array(':email' => $email));
    $row = $query->fetch();

    if($row) {
        if(!$row->activated) {
            die('Your account has not been activated. (Remember to check in your e-mail spam folder!)');
        }

        if($row->username === $email && crypt($password, $row->password) === $row->password) {
            $_SESSION['username'] = $email;
            header('Location: http://website'); # If this isn't a relative URL, try using one.
            exit();
        }
    }

    die('Invalid e-mail and/or password. Please try again.');
}
?>

但是,您需要对数据库、注册代码和数据库连接代码进行一些更改。

于 2012-09-12T04:09:47.887 回答
0

首先,我将通过更改来修复 SQL 注入漏洞:

$email = strtolower( trim($_POST['email']));
$pass = $_POST['password'];

if ($email&&$pass){

    require_once("dbconnect.php");


require_once("dbconnect.php");

$email = mysql_real_escape_string(strtolower( trim($_POST['email'])));
$pass = $_POST['password'];

if ($email&&$pass){

您可以做的下一件事是通过更改来防止“会话劫持”

if ($email==$dbusername&&md5($pass)==$dbpassword){
    //echo "You have succesfully logged-in! <a href='start.php'>Click</a> here to enter." ;
    $_SESSION['username']=$email;


if ($email==$dbusername&&md5($pass)==$dbpassword){
    //echo "You have succesfully logged-in! <a href='start.php'>Click</a> here to enter." ;
    session_regenerate_id();
    $_SESSION['username']=$email;

我不确定这个登录脚本在哪里使用(内部或外部),但如果它在外部使用,您可以将用户 IP 地址添加为会话变量,并在每次用户返回时检查。我也会使用 crypt() 函数而不是 md5() 因为 md5() 不建议用于散列密码(这可能取决于您拥有多少用户以及是否要重置每个人的密码)。我使用PHPass 类 除了安全性之外,您还可以使用 MySQLi(又名 MySQL 改进版)而不是原始 MySQL 代码,因为它已被弃用。但是更改为 MySQLi 取决于您的 PHP 是否支持 MySQLi。

于 2012-09-12T04:07:33.773 回答