我有以下登录脚本,我已尽力确保它的安全,但有一个人破解了我的脚本并向我发送了一封他能够登录的电子邮件,他还向我发送了我的数据库信息,例如管理员密码等。
登录.php
<?
@session_start();
include("../global.inc.php");
if(isset($_POST['submit']))
{
include("../classes/class.admin.php");
$objAdmin = new admin();
$verifyAdmin=$objAdmin->verifyAdmin(mysql_real_escape_string($_POST['username']),(mysql_real_escape_string($_POST['password'])));
if($verifyAdmin==1)
{
$_SESSION['my_admin']="admin";
header("location:index.php");
}
else
{
$errMsg="Invalid Username or Password.";
}
}
?>
<form name="frm" method="post" action="">
<table width="300" border="0" cellspacing="0" cellpadding="0">
<tr>
<td class="blackheader" > Admin Panel</td>
</tr>
<tr>
<td valign="top" class="adminborder"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td> </td>
<td style="color:#FF0000; font-size:11px; font-family:Arial, Helvetica, sans-serif;"><?=$errMsg;?></td>
</tr>
<tr>
<td width="31%" height="28" align="left" valign="middle" class="admintxt">Username:</td>
<td><input type="text" name="username" class="txtfield1" size="28"></td>
</tr>
<tr>
<td height="28" align="left" valign="middle" class="admintxt">Password:</td>
<td><input type="password" name="password" class="txtfield1" size="28"></td>
</tr>
<tr>
<td></td>
<td height="22" align="left" valign="middle"><input type="submit" name="submit" value="Login" class="submit_button">
我的头文件中有以下代码来检查用户是否已登录
<?php
session_start();
if(!isset($_SESSION['my_admin']))
{
header("location: login.php");
}
?>
下面是检查管理员登录密码的类
class admin extends dbClass
{
function verifyAdmin($username, $password)
{
$select="select username,password from ".TABLE_ADMIN." where username='".$username."' and password='".$password."'";
$query=$this->query($select,1);
$numRows=count($query);
return $numRows;
}
}