2

我看到很少有攻击者在我的网站上进行攻击,我从一位用户那里得知这是由于我没有对我的login page. 人们可以尝试多次登录。我想知道如何防止这种情况以及他们用来做什么?所以我可以尝试检查我的网站。请告诉我好的解决方案。

我正在使用语言php

HTML

<form action="login.php" method="post">
    <div class="row">
        <span id="other-info-font" class="label">Username:<br />or email:</span>
    <span class="formw"><input type="text" name="username" value="<?php echo $username; ?>" size="25" /></span>
    </div>
    <div class="row">
        <span id="other-info-font" class="label">Password:</span>
    <span class="formw"><input type="password" name="password" value="<?php echo $password; ?>" size="25" /></span>
   </div>
    <div class="lo-button">
         <input class="white" type="submit" value="Login" name="submit-login" />
    </div>                      
</form>

PHP

require_once 'include/global.php';

$error = "";
$username = "";
$password = "";


//check to see if they've submitted the login form
if(isset($_POST['submit-login'])) { 

    $username = $_POST['username'];
    $password = $_POST['password'];

    $LoginTool = new Tools();
    if($LoginTool->login($username, $password)){
        //successful login, redirect them to a page
        header("Location: index.php");
    }else{
        $error = "Incorrect username or password. Please try again.";
    }
}
4

1 回答 1

1

您可以做的第一件事是创建“虚拟”登录输入字段,然后将您的真实用户名/密码字段重命名为不太预期的名称。然后,您的登录逻辑将引用变量的新名称。

您可以做的第二件事是在登录失败时实现延迟。虽然攻击者可以在注意到他们的尝试需要一段时间后简单地刷新页面。

您可能要考虑的第三件事是创建 IP 黑名单表。实际上,我前段时间曾问过一个关于此的问题,但总而言之,它旨在自动拒绝来自 IP 地址的登录尝试,因为这些 IP 地址登录尝试失败太快。

您的代码可能如下所示:

require_once 'include/global.php';

$error = "";
$username = "";
$password = "";

//check to see if they've submitted the login form
if(isset($_POST['submit-login']) 
       && isset($_POST['emanresu']) 
       && strlen($_POST['emanresu']) > 0)
{
    $username = $_POST['emanresu'];
    $password = $_POST['drowssap'];

    $LoginTool = new Tools();
    if($LoginTool->login($username, $password))
    {
        //successful login, redirect them to a page
        sleep(1);
        header("Location: index.php");
        exit();
    }
    else
    {
        sleep(4);
        $error = "Incorrect username or password. Please try again.";
    }
}
else if(isset($_POST['username']) && strlen($_POST['username']) > 0)
{
    // Either autocomplete filled in a username in the wrong place or 
    //   a tool automatically scanned for 'username' and filled it in.
    //   In either case, sleep for four seconds.
    sleep(4);
    $error = "Sorry, there was a problem with the login attempt. Please try again.";
}

...

<form action="login.php" method="post">
    <div style="display:none"><input type="text" name="username" /><input type="text" name="password" /></div>
    <div class="row">
        <span id="other-info-font" class="label">Username:<br />or email:</span>
    <span class="formw"><input type="text" name="emanresu" value="" size="25" /></span>
    </div>
    <div class="row">
        <span id="other-info-font" class="label">Password:</span>
    <span class="formw"><input type="password" name="drowssap" value="" size="25" /></span>
   </div>
    <div class="lo-button">
         <input class="white" type="submit" value="Login" name="submit-login" />
    </div>
</form>
于 2013-06-10T03:33:54.473 回答