dragon2025 2016-10-08 16:18
浏览 92
已采纳

这个php脚本是否可以安全地在我的网站中使用?

I want to protect some content in my site with a password and I am thinking in using this php script

Do you think is a good way to go?

Do you know something better for this task or a way to improve ( if needed) thin one ?

The code to load the content from the database is :

<?php


error_reporting(0);
include("config.php");


if (!isset($_REQUEST["p"])) {

    echo 'document.write("<div id=\"protected_'.intval($_REQUEST["id"]).'\">");';
    echo 'document.write("<form onsubmit=\'return LoadContent(\"'.intval($_REQUEST["id"]).'\",\"protected_'.intval($_REQUEST["id"]).'\",document.getElementById(\"pass_'.intval($_REQUEST["id"]).'\").value); return false;\'\"><input type=\'password\' size=\'30\' placeholder=\'Content is protected! Enter password.\' id=\"pass_'.intval($_REQUEST["id"]).'\"></form>");';
    echo 'document.write("</div>");';

} else {

    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE `id`='".intval($_REQUEST["id"])."' AND password='".mysql_real_escape_string($_REQUEST["p"])."'";
    $sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);

    if (mysql_num_rows($sql_result)==1) {
        $row = mysql_fetch_assoc($sql_result);
        echo $row["content"];
    } else {
        echo 'Wrong password';  
    }

}

?>
  • 写回答

1条回答 默认 最新

  • doushan6161 2016-10-08 18:06
    关注

    As I said in comments, you shouldn't be spending anymore time with what you downloaded since it's old and not safe.

    You may be saving passwords in plain text which is definitely not a good idea.

    • It's time to step into the 21st century.

    The mysql_ API is in deprecation and has been deleted from PHP 7.0 entirely.

    You are best to use a prepared statement and password_hash() or the compatibility pack.

    Here are a few references:

    N.B. The use of mysql_real_escape_string() does not fully guarantee protection against a possible SQL injection.

    Consult the following Q&A on the subject:

    Here is a piece of code pulled from one or ircmaxell's answers which uses a (PDO) prepared statement and password_hash().

    Pulled from: https://stackoverflow.com/a/29778421/1415724

    Just use a library. Seriously. They exist for a reason.

    Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

    $dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

    And on login:

    $sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 蓝桥oj3931,请问我错在哪里
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染