大声笑你的代码太复杂了,我提供了我制作的脚本!
使用 STMT 意味着没有 SQL 注入
如何加密您的密码(正确的方法!!!)
function Encrypt($text) {
$cost = 12;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;
$altered_text = crypt($text, $salt);
return $altered_text;
}
// Then use the code below to use the function
$password = Encrypt($password);
在您的登录中,请使用蛮力保护
这是蛮力保护代码
function BruteForce($user_id, $link) {
$now = time();
$timespan = $now - (2 * 60 * 60);
if ($stmt = $link->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > '$timespan'")) {
$stmt->bind_param('i', $user_id);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 5) {
return true;
} else {
return false;
}
$stmt->close();
}
}
然后使用下面的sql语句
CREATE TABLE `login_attempts` (
`user_id` INT(11) NOT NULL,
`time` VARCHAR(30) NOT NULL
) ENGINE=InnoDB
然后存储尝试
function StoreAttempt($user_id, $link) {
$now = time();
$stmt = $link->prepare("INSERT INTO login_attempts (user_id, time) VALUES (?, ?)");
$stmt->bind_param("ss", $a, $b);
$a = $user_id;
$b = $now;
$stmt->execute();
$stmt->close();
}
然后在行动中使用它
// user_id = the users id after you get the users id
// link = the database connection
if (BruteForce($user_id, $link) === true) {
// Too many login attempts
} else {
// Store Attempt
StoreAttempt($user_id, $link);
}
我建议您使用安全会话而不是普通会话
使用下面的代码
function SecureSession() {
$session_name = 'SecureSession';
$secure = true;
$httponly = true;
if (ini_set('session.use_only_cookies', 1) === FALSE) {
die("Could not initiate a safe session (ini_set)");
}
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_name($session_name);
session_start();
session_regenerate_id(true);
}
现在开始会议
SessionSecure();
如果您打算使用 PHP SELF
在下面使用此代码
function SanitizeUrl($url) {
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = (string) $url;
$count = 1;
while ($count) {
$url = str_replace($strip, '', $url, $count);
}
$url = str_replace(';//', '://', $url);
$url = htmlentities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
if ($url[0] !== '/') {
return '';
} else {
return $url;
}
}
上面的功能是针对 PHP SELF ex 的保护
然后使用它
SanitizeUrl($_SERVER['PHP_SELF']);
现在为实际的登录功能
我建议在您的登录名中使用电子邮件然后使用用户名,主要是因为您的电子邮件不是唯一的!
function Login($email, $password, $link) {
if (empty($username) || empty($password)) {
// A field is empty
return false;
} else {
$sql = "SELECT `id`,`username`,`password` FROM `users` WHERE `email` = ?";
if ($stmt = $link->prepare($sql)) {
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
$stmt->bind_result($db_id, $db_username, $db_password);
$stmt->fetch();
if (BruteForce($db_id, $link) === false) {
$password = Encrypt($password);
if ($password == $db_password) {
// LOGGED IN, SET SESSION VARS
return true;
} else {
// Store Attempt
StoreAttempt($user_id, $link);
return false;
}
} else {
return false
}
} else {
return false;
}
} else {
return false;
}
}
}
然后在行动中使用它
SessionSecure();
if (isset($_POST['DoLogin'])) {
$email = $_POST['login-email'];
$password = $_POST['login-password'];
if (Login($email, $password, $link) === true) {
// Logged in Redirect now!
} else {
// Login failed
}
}
随意使用此代码!!!:)