doutui9606 2018-09-15 08:19
浏览 37

这个PHP登录部分安全吗?

I´m just trying to learn something of php and I have two questions. I want to make user roles based system, for the begining I just simply added a role for each user (admin, user, etc.), which is saved directly in users table in mysql? I mean my user table has columns id, nick, password, role. Is this OK, or even safe?

Second question is if it is safe to check user permisions like 

// Check if the user is logged in, if not then redirect him to login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    header("location: login.php");
    exit;
}
// Check if the user has admin role, if not then load up page which tells u - You dont have perm to use this site
elseif($_SESSION["role"] !== "admin"){
    include "noperm.php";
    exit;
}

Can I do this, or there's still possibility that role user, or ununregistered user can access this page (e.c. user management site)?

</div>
  • 写回答

1条回答 默认 最新

  • doupu0619 2018-09-15 08:33
    关注

    Yes and no, for example when a user login in a php website, the username and password or whatever credential who him use will be sended open, or encrypted in a websites with md5 sha-2 and other algorithms, in short answer if the algorithm( encryption ) is weak the decryption will be easy for a attacker, and the user will be hacked, and is much more big the risk when is a connection with HTTP protocol, because HTTP is completely open compared to HTTPS, because HTTPS use a certificate with the client and the website, and all information is sended with a double encryption, encryption1 the algorithm of the php, encryption2 the certificate SSL, but includes the SSL Certificate can be spoofed if a organization produce a certificate similar with the same domain of the website attacked.

    NOTE: The reallity is, It depend of how much the person secure the web site, and how much strong make the client the password...

    CREATE YOU OWN ALGORITHM:

    <?php
    // ENCRYPTION //
    $passwordOfTheUSER = "JonnyDeep74";
    $encryptedPassword = str_replace('o', 'UXK', $passwordOfTheUSER);
    $encryptedPassword = str_replace('a', 'PEA', $encryptedPassword);
    $encryptedPassword = str_replace('e', 'MIC', $encryptedPassword);
    echo "encrypted: $encryptedPassword, ";

    // DECRYPTION //
    $decryptedPassword = str_replace('UXK', 'o', $encryptedPassword);
    $decryptedPassword = str_replace('PEA', 'a', $decryptedPassword);
    $decryptedPassword = str_replace('MIC', 'e', $decryptedPassword);
    echo "decrypted: $decryptedPassword.";
?>
    评论

报告相同问题?

悬赏问题

  • ¥15 关于#hadoop#的问题
  • ¥15 (标签-Python|关键词-socket)
  • ¥15 keil里为什么main.c定义的函数在it.c调用不了
  • ¥50 切换TabTip键盘的输入法
  • ¥15 可否在不同线程中调用封装数据库操作的类
  • ¥15 微带串馈天线阵列每个阵元宽度计算
  • ¥15 keil的map文件中Image component sizes各项意思
  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据