dongsi2317 2017-08-15 13:48
Views 56
Accepted

Is it safe to do it like this in PHP?

I am new to php, and I want to know if it is safe to do it like this...
I currently have a login system to protect a few pages.

  1. Is it possible for a hacker to change the value of $logged_in?
  2. Is this safe?
  3. If it isn't, what is the best way to do it?

Files:
- not_logged_in.php
- test.php
- login.php
- logout.php
- protected_page_1
- protected_page_2
- unprotected_page_1

Code:

not_logged_in.php:

<html>
    You are not logged in!
</html>


test.php:

<?php

$logged_in = false;

function protect_page() {
    global $logged_in;   // without this, $logged_in inside the function is an undefined local
    if($logged_in == false) {
        header('Location: index.php');
        exit();
    }
}

?>


login.php:

<?php

include "test.php";
$logged_in = true;

?>


logout.php:

<?php

include "test.php";
$logged_in = false;

?>


protected_page_1.php:

<?php

include "test.php";
protect_page();


?>


<html>

    Content

</html>


protected_page_2:

<?php

include "test.php";
protect_page();


?>


<html>

    Content

</html>


unprotected_page_1:

<html>

    Content

</html>

I completely understand that the login.php page just logs in and you don't have to enter a password, but that is just for testing currently...

Thanks for reading!


2 answers

  • dqsvnsad79721 2017-08-15 14:19

    I think the way of using this $logged_in variable is too loose.

    I suggest making use of sessions.

    session.php:

    <?php
    session_start();  // start on top of your page before any output
    
    if(!isset($_SESSION['loggedin'])) {
      $_SESSION['loggedin'] = false;
    }
    
    function loggedin()
    {
       return $_SESSION['loggedin'];
    }
    
    ?>
    

    and in any page with protected content:

    <?php
        include 'session.php';
    
        if(!loggedin()) {   // same name as the function defined in session.php
           include 'login.php';
           exit();
        }
        // some info
    ?>
    

    login.php will have a form to log in (and will set $_SESSION['loggedin'] = true); every page could include session.php.

    This answer was selected by the asker as the best answer.
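As an added example (not code from the question or from the answer above), here is how the accepted answer's session approach can be carried through for login, page protection and logout in one place; the file names, the constructed $users array and the function names are assumptions:

```php
<?php
// Added example (not from the question or the answer): a session-based
// login check in the spirit of the accepted answer. File names, the
// constructed $users table and the form field names are assumptions.
declare(strict_types=1);

// session.php equivalent: call this before any output on every page.
function start_secure_session(): void {
    if (session_status() === PHP_SESSION_NONE) {
        // Cookie flags (array form needs PHP 7.3+): no JS access, same-site, HTTPS only.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => true, // false only on a plain-HTTP dev box
        ]);
        session_start();
    }
}

function is_logged_in(): bool {
    return !empty($_SESSION['user_id']);
}

// Use on every protected page instead of testing a plain PHP global,
// which is reset to false on each request anyway.
function protect_page(string $redirect = 'not_logged_in.php'): void {
    if (!is_logged_in()) {
        header('Location: ' . $redirect);
        exit();
    }
}

// login.php: set the session only after verifying a password hash.
// $users maps username => password_hash() output (stand-in for a DB).
function attempt_login(array $users, string $username, string $password): bool {
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true); // new session ID: blocks session fixation
    $_SESSION['user_id'] = $username;
    return true;
}

// logout.php: clear server-side state and the cookie, not just a variable.
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

A protected page would call start_secure_session() and then protect_page() before emitting any HTML; the login form handler would call start_secure_session() and then attempt_login() with the submitted username and password.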
