1. 首頁
  2. 問答
  3. 如何改進登錄腳本?

如何改進登錄腳本?

2010-08-22 47 views
1

如何確保我的登錄腳本安全並使其更好,這是我的第一個代碼:如何改進登錄腳本?

幫助是非常感謝。

<?php 

include ('../includes/db_connect.php'); 

$firstname = $_POST['firstname']; 
$lastname = $_POST['lastname']; 
$email = $_POST['email']; 
$mobile = $_POST['mobile']; 
$username = $_POST['username']; 
$password = md5($_POST['password']); 

// lets check to see if the username already exists 

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'"); 

$username_exist = mysql_num_rows($checkuser); 

if($username_exist > 0){ 
    echo "I'm sorry but the username you specified has already been taken. Please pick another one."; 
    unset($username); 
    header("Location: /registration?registration=false"); 
    exit(); 
} 

// lf no errors present with the username 
// use a query to insert the data into the database. 

$query = "INSERT INTO users (firstname, lastname, email, mobile, username, password) 
VALUES('$firstname', '$lastname','$email', '$mobile','$username', '$password')"; 
mysql_query($query) or die(mysql_error()); 
mysql_close(); 

echo "You have successfully Registered"; 
header("Location: /registration?registration=true"); 
// mail user their information 

//$yoursite = ‘www.blahblah.com’; 
//$webmaster = ‘yourname’; 
//$youremail = ‘youremail’; 
//  
//$subject = "You have successfully registered at $yoursite..."; 
//$message = "Dear $firstname, you are now registered at our web site. 
// To login, simply go to our web page and enter in the following details in the login form: 
// Username: $username 
// Password: $password 
//  
// Please print this information out and store it for future reference. 
//  
// Thanks, 
// $webmaster"; 
//  
//mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion()); 
//  
//echo "Your information has been mailed to your email address."; 

?>

來源

2010-08-22 user342391

+0

詢問關於PHP 37點後的問題。你說這是你的第一個代碼。很奇怪。反正好,不斷嘗試,祝你好運。 – 2010-08-22 20:27:41

+0

但是想說些什麼一旦我的哥哥告訴我,當我還是個孩子時: - 實踐並不能使人完美,完美的實踐使人完美.. :-) – 2010-08-22 20:29:07

回答

2

關注Artefacto關於數據庫中SQL注入和哈希密碼的建議。其他東西...

echo "I'm sorry but the username you specified has already been taken. Please pick another one."; 
unset($username); 
header("Location: /registration?registration=false");

不會工作,因爲你不能回聲然後發送一個頭。必須在輸出之前發送標題。

而且,沒有一點這樣做:

header("Location: /registration?registration=false"); 
echo "I'm sorry but the username you specified has already been taken. Please pick another one."; 
unset($username);

web瀏覽器會馬上重新定向,用戶將無法看到您打印的得心應手消息。

此外,它通常要求對登記表2個密碼字段櫃面用戶輸入有誤,並沒有注意到,因爲所有的文字是*的。你比較2,如果他們不同,你會認爲是錯字,然後再次提問。

來源

2010-08-22 20:29:53 James

+0

此外,不要通過電子郵件發送密碼......它們以純文本形式發送,並且可以被其他人閱讀。 玩得開心用PHP! – James 2010-08-22 20:32:55

1

這不是一個登錄腳本。這是一個註冊腳本。

請參閱PHP手冊中的SQL injection。你的程序容易受到這種攻擊。

此外,不只是or die(mysql_error())。這將公開您可能不想公開的數據庫信息(表名等)。使用適當的錯誤處理。例如,你可以拋出異常並定義一個未捕獲的異常處理程序,它顯示一個「oops」頁並記錄錯誤。

最後,使用比MD5強的散列,比如sha1

來源

2010-08-22 20:10:21 Artefacto

+0

'die(mysql_error())'進行調試。 – Ben 2010-08-22 20:16:15

0

正如@Artefacto所說,這不是一個登錄腳本。 但是,如果你打算做一個登錄腳本,我想給你一個建議。我前一陣子已經這樣做了。

而不是做這樣的事情的:

$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

我這樣做:

$sql = "SELECT * FROM users WHERE username = '$username'"; 
$user = //use the php-sql (query, fetch_row) commands to fetch the user row. 
if (strcmp($user['password'], $password) == 0) { 
    //log in success 
}

通過這樣做,您避免在一個簡單而優雅的方式SQL注入。你們有什麼想法?

來源

2010-08-22 21:51:35 goenning

0

重申一下其他人提及。保護自己(以及切斷)SQL注入非常重要。例如:

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

你只是簡單的從$_POST['username']取值,並把它放在變量$username

有些人不是很漂亮,並會嘗試打破你的程序:(所以它總是建議逃脫是從用戶所採取的任何數據,將其放置到一個SQL查詢之前。

例如。 ..
此:

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

變爲:

$checkuser = mysql_query("SELECT username FROM users WHERE username='" .mysql_real_escape_string($username). "'");

來源

2010-08-22 22:02:24 David

相關問題

 相關問題