Php 停止绕过登录页面
我将此作为我的登录页:Php 停止绕过登录页面,php,authentication,Php,Authentication,我将此作为我的登录页: <!DOCTYPE html> <!--PHP login System by WEBDEVTRICK (https://webdevtrick.com) --> <html> <head> <meta charset="utf-8"> <title>Login | Webdevtrick.com</title> <link rel="style
<!DOCTYPE html>
<!--PHP login System by WEBDEVTRICK (https://webdevtrick.com) -->
<html>
<head>
<meta charset="utf-8">
<title>Login | Webdevtrick.com</title>
<link rel="stylesheet" href="style.css" />
</head>
<body>
<?php
require('config.php');
session_start();
if (isset($_POST['username'])){
$username = stripslashes($_REQUEST['username']);
$username = mysqli_real_escape_string($link,$username);
$password = stripslashes($_REQUEST['password']);
$password = mysqli_real_escape_string($link,$password);
$query = "SELECT * FROM `users` WHERE username='$username'
and password='".md5($password)."'";
$result = mysqli_query($link,$query) or die(mysql_error());
$rows = mysqli_num_rows($result);
if($rows==1){
$_SESSION['username'] = $username;
header("Location: inventory.php");
}else{
echo "<div class='form'>
<h3>Username/password is incorrect.</h3>
<br/>Click here to <a href='login.php'>Login</a></div>";
}
}else{
?>
<form class="login" action="" method="post" name="login">
<h1 class="login-title">Login | Webdevtrick.com</h1>
<input type="text" class="login-input" name="username" placeholder="Username" autofocus>
<input type="password" class="login-input" name="password" placeholder="Password">
<input type="submit" value="Login" name="submit" class="login-button">
<p class="login-lost">New Here? <a href="registration.php">Register</a></p>
</form>
<?php } ?>
</body>
</html>
登录| Webdevtrick.com
您的脚本易受攻击,不应仅使用会话.start()
,因为它也不安全
相反,你应该使用
简单地说,prepared语句是一种准备MySQL调用的方法,而不存储变量
安全PHP登录示例
<?php
include 'session.php'; // Secure Session Script
if(isset($_POST['username'])){
include 'database.php';
$username=$_POST['username'];
$password=$_POST['password'];
$sql="SELECT * FROM login WHERE Username = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s",$username); // As much "s" as variables to bind are
$stmt->execute();
$result = $stmt->get_result()->fetch_assoc();
if ($result && password_verify($password, $result['password']))
{
$_SESSION['login']= $username;
header('Location: Success.php');
} else {
header('Location: index.php');
$_SESSION['error'] = 'Invalid Credentials';
exit();
}
} else {
header('Location: index.php');
exit();
}
?>
安全会话
<?php
ini_set('session.use_only_cookies', 1); // Prevents the session ID from appearing in a referer header
session_set_cookie_params(0,'/','localhost',false,true); // Determines the duration of cookies
session_start(); // Start Session
session_regenerate_id(); // Regenerate Session ID
?>
最终Success.php
<?php
include '../functions/s-session.php';
if (!isset($_SESSION['login'])) { // if login is not set then...
header("Location: index.php");
exit();
}
?>
// html page
//html页面
会话启动()代码>应该位于脚本的最顶端。您可能应该实现一种注销方法。这样你就可以测试它了。你的inventory.php
看起来像什么?你确定你已经包括了auth.php
?和password='.md5($password)。“
…哎哟,找到一个更新的、不太坏的教程(使用)!您真的不应该使用PHP来处理密码安全问题。请确保在哈希之前对其使用PHP或其他清理机制。这样做会更改密码并导致不必要的额外编码。
<?php
include '../functions/s-session.php';
if (!isset($_SESSION['login'])) { // if login is not set then...
header("Location: index.php");
exit();
}
?>
// html page