Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/php/229.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php Codeigniter安全登录系统_Php_Codeigniter_Login - Fatal编程技术网
Fatal编程技术网
  • php/
  • Php Codeigniter安全登录系统

Php Codeigniter安全登录系统

php codeigniter login

Php Codeigniter安全登录系统,php,codeigniter,login,Php,Codeigniter,Login,我在项目中使用了codeigniter作为php框架。有人说它在登录过程中是如此脆弱,他可以很容易地不用密码登录。我刚刚在密码中使用了md5哈希来实现安全登录。我知道这还不够。在这方面,有谁能给我推荐更成功的流程吗?这是我的登录控制器 <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); class Admin_login extends CI_Controller { public fun

我在项目中使用了codeigniter作为php框架。有人说它在登录过程中是如此脆弱,他可以很容易地不用密码登录。我刚刚在密码中使用了md5哈希来实现安全登录。我知道这还不够。在这方面,有谁能给我推荐更成功的流程吗?这是我的登录控制器

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class Admin_login extends CI_Controller {

public function __construct()
{
    session_start();
    parent::__construct();
    $this->load->helper('form');
    $this->load->helper('url');        
    $this->load->model('admin_model', 'Admin_model', true);
}

public function index(){
        if(is_loggedin())
        {
            get_access_controller();
        }
        else
        {
            $this->load->view('login_admin', '');
        }
    }  

   function login_check()
        {
            $data['username']  = $_POST['username'];
            $data['password']  = md5($_POST['password']);            
            $adminInfo = $this->Admin_model->login_check($data); 

        if($adminInfo)
        {                
            $_SESSION['admin_id']           = $adminInfo['admin_id'];
            $_SESSION['admin_name']         = $adminInfo['admin_name'];
            $_SESSION['school_id']         = $adminInfo['school_id'];
            $_SESSION['is_superadmin']     = $adminInfo['is_superadmin'];
            $_SESSION['is_loggedin']        = 1;

            message('Loggedin successfully');
            get_access_controller();
        }
        exception('invalid login information');
        redirect('admin_login');exit;
    }

    function logout()
    {
       unset($_SESSION['admin_id'],$_SESSION['admin_name'],$_SESSION['school_id'],$_SESSION['is_loggedin'],$_SESSION['is_superadmin']); 
       message('Successfully logout');
       redirect('admin_login');exit;
    }
}
对于密码散列,请查看PHP密码API,例如,如果您的PHP版本与之匹配,请参阅password_hash()和password_verify()

然后,您必须转义从客户端获得的值,如密码、登录名:在这里,您不需要保护输入值,您将面临SQL注入。

由于您执行的查询未经任何验证,因此可能容易受到攻击。您可以使用查询绑定来提高安全性

$sql = "SELECT * FROM tbl_admin WHERE email = ?1 AND password = ?2 AND status = 1 LIMIT 1";
$query = $this->db->query($sql, ($user, $password));

$sql = "SELECT * FROM tbl_admin WHERE email = ?1 AND password = ?2 AND status = 1 LIMIT 1";
$query = $this->db->query($sql, ($user, $password));