duan_2000 2013-11-13 03:01
Views: 36
Accepted

Is this a secure login system for an admin panel?

This is the code for my website's admin page login

<?php
//simple PHP login script using Session
//start the session * this is important
session_start();

//login script: runs when the form is submitted with ch=login
if(isset($_REQUEST['ch']) && $_REQUEST['ch'] == 'login'){

//give your login credentials here (compared directly against the submitted values)
if($_REQUEST['uname'] == 'my_name' && $_REQUEST['pass'] == 'my_password')
$_SESSION['login_user'] = 1;
else
$_SESSION['login_msg'] = 1;
}

//get the page name where to redirect
if(isset($_REQUEST['pagename']))
$pagename = $_REQUEST['pagename'];

//logout script
if(isset($_REQUEST['ch']) && $_REQUEST['ch'] == 'logout'){
unset($_SESSION['login_user']);
header('Location: login.php');
exit; //header() does not stop the script; without exit the rest of the page would still run
}

//already logged in: send the user to the requested page, or to admin.php
if(isset($_SESSION['login_user'])){
if(isset($_REQUEST['pagename']))
header('Location: '.$pagename.'.php');
else
header('Location: admin.php');
exit;
}else{
//not logged in: show the login form
?>

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Website</title>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link rel="stylesheet" type="text/css" href="styles.css" media="all" />
</head>
<body>

<form name="login_form" method="post" action="">
<h2 align="center"><strong>Admin Login</strong></h2>

<input type="text" name="uname" id="uname" placeholder="Username">
<input type="password" name="pass" id="pass" placeholder="Password">

<p style="color:red;" align="center">
<?php
//display the error msg if the login credentials are wrong!
if(isset($_SESSION['login_msg'])){
echo 'Wrong username and password !';
unset($_SESSION['login_msg']);
}
?>
</p>

<div align="center"><input type="submit" value="Login"></div>
<input type="hidden" name="ch" value="login">
</form>
</body>
</html>
<?php
} //end of the not-logged-in branch that prints the form
?>

I copied this from a website, so I'm not really sure how safe it is. And I'm also not so good with PHP.

Is this safe to use, or is it easy to hack? If it's not, can anyone tell me what the best non-MySQL login system is?


1 answer

  • doulu8847 2013-11-13 03:30

    $_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.

    But it's only a default, which depends on variables_order; and I'm not sure you want to work with cookies.

    If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both). Generally speaking:

    You should use $_GET when someone is requesting data from your application. And you should use $_POST when someone is pushing (inserting, updating or deleting) data to your application. Either way, there will not be much of a difference in performance: the difference will be negligible, compared to what the rest of your script will do.

    Also, you may need to check for XSS and CSRF. However, it really depends on the application requirements. I hate to be blunt, but IMHO this does not look like a secure or practical login block of code. Also, may I ask why you are not planning on using a DB? Using stored plain-text passwords is not very secure at all.

    The below applies if you plan on using a DB. Your code does not check against a DB for multiple users. It mainly checks against a stored password. Therefore, the application's practicality would be very limited unless you use a DB to support multiple users. Also, if you are going to use a DB to store and retrieve values, you need to make sure the user inputs are protected against SQL injection. Plus, it would be wise to encrypt the passwords by using md5, salt, sha1 or a combination. Many guys use an encryption combination.

    This answer was chosen by the asker as the best answer.
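To put the answer's points into working code (reading $_POST only instead of $_REQUEST, a CSRF token, escaped output, a stored password hash instead of a plain-text password, and a prepared statement for the user lookup), here is a hardened version of the login page as an added example. It is not code from the question or the answer. It assumes PHP 7.0 or later with the pdo_sqlite extension; SQLite stands in for the "non-MySQL" store the asker wanted, and the users.sqlite file, the seeded 'admin' account, the ALLOWED_PAGES list and the csrfToken()/requireCsrf()/redirectTo() helpers are all constructed for the example. It also fixes two defects of the posted script that the answer does not mention: header() without exit, and a redirect target taken straight from the request.

```php
<?php
// Added example (not the asker's or the answerer's code): a hardened login.php.
// Assumes PHP >= 7.0 with pdo_sqlite; users.sqlite, the seeded 'admin' account,
// ALLOWED_PAGES and the helper functions are constructed for this example.
declare(strict_types=1);

ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued
ini_set('session.cookie_httponly', '1'); // keep the session cookie away from JavaScript
session_start();

// Constructed store: SQLite (no MySQL needed) holding one bcrypt-hashed account.
$db = new PDO('sqlite:' . __DIR__ . '/users.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
if ((int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn() === 0) {
    $seed = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $seed->execute(['admin', password_hash('change-me-on-first-run', PASSWORD_DEFAULT)]);
}

// Only these names may be redirect targets, so ?pagename= cannot become an open redirect.
const ALLOWED_PAGES = ['admin', 'posts', 'settings'];

function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function requireCsrf(): void {
    if (!hash_equals(csrfToken(), (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid request');
    }
}

function redirectTo(string $page): void {
    header('Location: ' . (in_array($page, ALLOWED_PAGES, true) ? $page : 'admin') . '.php');
    exit; // header() alone does not stop the script
}

// Read $_POST only (never $_REQUEST); state-changing actions must be POSTed.
$action = $_SERVER['REQUEST_METHOD'] === 'POST' ? (string) ($_POST['ch'] ?? '') : '';

if ($action === 'logout') {          // a GET link or <img> tag cannot log the admin out
    requireCsrf();
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;
}

$error = '';
if ($action === 'login') {
    requireCsrf();
    $uname = (string) ($_POST['uname'] ?? '');
    $pass  = (string) ($_POST['pass'] ?? '');

    // Prepared statement: the username is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$uname]);
    $hash  = $stmt->fetchColumn();
    $found = ($hash !== false);

    // Every attempt computes one throwaway hash and verifies exactly one hash, so a
    // wrong username costs the same as a wrong password and response time does not
    // reveal which usernames exist. password_verify() compares in constant time.
    $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $found ? $hash : $dummy) && $found;

    if ($ok) {
        session_regenerate_id(true);         // fresh id after login defeats session fixation
        $_SESSION['login_user'] = $uname;
        redirectTo((string) ($_POST['pagename'] ?? 'admin'));
    }
    $error = 'Wrong username or password.';  // one message for both failure cases
}

if (!empty($_SESSION['login_user'])) {      // already logged in: go to the requested page
    redirectTo((string) ($_GET['pagename'] ?? 'admin'));
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Admin Login</title></head>
<body>
<form method="post" action="login.php">
<h2>Admin Login</h2>
<input type="text" name="uname" placeholder="Username" autocomplete="username">
<input type="password" name="pass" placeholder="Password" autocomplete="current-password">
<!-- every value echoed into the page is escaped, so nothing reflects as HTML -->
<p style="color:red;"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<input type="hidden" name="ch" value="login">
<input type="hidden" name="pagename" value="<?= htmlspecialchars((string) ($_GET['pagename'] ?? 'admin'), ENT_QUOTES, 'UTF-8') ?>">
<input type="hidden" name="csrf" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
<input type="submit" value="Login">
</form>
</body>
</html>
```

Save it as login.php; the first request creates users.sqlite and seeds the admin account, whose password should be replaced by storing a new password_hash() value. The protected pages (admin.php and the other names in ALLOWED_PAGES) still have to check $_SESSION['login_user'] themselves, and the example does no rate limiting of failed attempts, so add that before exposing it on the internet. Logout must now be a POST form carrying the csrf field, not a ?ch=logout link.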

