0

我正在使用此代码在 PHP 中创建安全登录页面。我从http://girlswhogeek.com/tutorials/2006/creating-a-secure-php-login-page得到它。

<?php
   $username = "user";
   $password = "pass";
   $randomword = "bibblebobblechocolatemousse";

    if (isset($_COOKIE['MyLoginPage'])) {
        if ($_COOKIE['MyLoginPage'] == md5($password.$randomword)) {
?>
    CONTENT HERE
<?php
   exit;
        } else {
         echo "<p>Bad cookie. Clear please clear them out and try to login again.</p>";
         exit;
      }
   }

    if (isset($_GET['p']) && $_GET['p'] == "login") {
      if ($_POST['name'] != $username) {
         echo "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
         exit;
      } else if ($_POST['pass'] != $password) {
         echo "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
         exit;
      } else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
         setcookie('MyLoginPage', md5($_POST['pass'].$randomword));
         header("Location: $_SERVER[PHP_SELF]");
      } else {
         echo "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
      }
   }
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
    <fieldset>
        <label>
            <input type="text" name="name" id="name" /> Name
        </label>
        <br />
        <label>
            <input type="password" name="pass" id="pass" /> Password
        </label>
        <br />
        <input type="submit" id="submit" value="Login" />
   </fieldset>
</form>

它确实很好用,但是,当登录信息出现错误时,它会切换到空白页面并回显一条消息,指出登录信息错误。我想知道是否有办法让它与输入一起回显到页面上的 div。我尝试将相关的回显消息放在一个 div 中,但它没有用。我必须承认,我什至不知道为什么它会变成空白页。

另外,这是最好的方法还是有办法让它更安全?

感谢您提供的任何帮助。

本尼。

4

3 回答 3

2

有2个问题:

  • 您的exit代码中的 停止执行页面,因此在“回显”您的消息后,页面停止
  • 如果要在div中显示,将消息设置在变量中,并在div代码中显示

这是您的代码示例,经过了一些修改(您可能需要调整):

<?php
$message = NULL;
if (isset($_COOKIE['MyLoginPage'])) {
    if ($_COOKIE['MyLoginPage'] == md5($password . $randomword)) {
        ?>
        CONTENT HERE
        <?php
        exit;
    } else {
        $message = "<p>Bad cookie. Clear please clear them out and try to login again.</p>";
    }
}

if (isset($_GET['p']) && $_GET['p'] == "login") {
    if ($_POST['name'] != $username) {
        $message = "<p>Sorry, that username does not match. Use your browser back button to go back and try again.</p>";
    } else if ($_POST['pass'] != $password) {
        $message = "<p>Sorry, that password does not match. Use your browser back button to go back and try again.</p>";
    } else if ($_POST['name'] == $username && $_POST['pass'] == $password) {
        setcookie('MyLoginPage', md5($_POST['pass'] . $randomword));
        header("Location: $_SERVER[PHP_SELF]");
    } else {
        $message = "<p>Sorry, you could not be logged in at this time. Refresh the page and try again.</p>";
    }
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>?p=login" method="post">
    <fieldset>
    <label><input type="text" name="name" id="name" /> Name</label>
        <br />
    <label><input type="password" name="pass" id="pass" /> Password</label>
        <br />
    <input type="submit" id="submit" value="Login" />
    </fieldset>
    <?php
    if (isset($message)) {
        echo "<div>" . $message . "</div>";
    }
    ?>
</form>
于 2013-02-28T01:56:48.623 回答
1

您是否将整个内容(包括<html>标签)放在其中CONTENT HERE

唯一应该去那里的是安全的内容,而不是整个页面。您的样板 html<html><head><title>title</title></head><body> ... </body></html>应该围绕您发布的整个代码块。仅在成功登录后显示的内容CONTENT HERE,因此不应在此处显示任何不安全的内容。

这是我很久以前写的一个PHP page locker的替代实现,可能会让这个更清楚。</shameless plug>

于 2013-02-28T01:59:00.593 回答
0

如果登录失败,您将回显登录结果,但不显示带有它的页面。如果您想在您的网站设计中显示登录失败页面,我建议您将它们发送回登录页面并显示错误消息。例如:

header("Location: http://website.com/loginpage.php?failed=1");

然后在登录页面的代码中:

if ($_GET['failed'] == '1') echo "Failed to login. Please try again.";

这样,如果登录失败,它们将被发送回登录页面并显示错误消息。

于 2013-02-28T01:54:56.427 回答