duan_2000 2013-11-13 03:01
浏览 36
已采纳

这是管理面板的安全登录系统吗?

This is the code for my website's admin page login

<?php
//simple PHP login script using Session
//start the session * this is important
session_start();

//login script
if(isset($_REQUEST['ch']) && $_REQUEST['ch'] == 'login'){

//give your login credentials here
if($_REQUEST['uname'] == 'my_name' && $_REQUEST['pass'] == 'my_password')
$_SESSION['login_user'] = 1;
else
$_SESSION['login_msg'] = 1;
}

//get the page name where to redirect
if(isset($_REQUEST['pagename']))
$pagename = $_REQUEST['pagename'];

//logout script
if(isset($_REQUEST['ch']) && $_REQUEST['ch'] == 'logout'){
unset($_SESSION['login_user']);
header('Location:login.php');
}
if(isset($_SESSION['login_user'])){
if(isset($_REQUEST['pagename']))
header('Location:'.$pagename.'.php');
else
header('Location:admin.php');
}else{
?>

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Website</title>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link rel="stylesheet" type="text/css" href="styles.css" media="all" />


</head>
<body>

<form name="login_form" method="post" action="">
<h2 align="center"><strong>Admin Login</strong></h2>

<input type="text" name="uname" id="uname" placeholder="Username">
<input type="password" name="pass" id="pass" placeholder="Password">

<td colspan="2" align="center">
<p style="color:red;">
<?php
//display the error msg if the login credentials are wrong!
if(isset($_SESSION['login_msg'])){
echo 'Wrong username and password !';
unset($_SESSION['login_msg']);
}
?>
</p>

<div align="center" colspan="2"><input type="submit" value="Login"></div>
</tr>
<input type="hidden" name="ch" value="login">
</form>
</body>
</html>

I copied this from a website so i'm not really sure how safe it is. And I'm also not so good with php.

is this safe to use or is it easy to hack? if it's not can anyone tell me what is the best none-MySQL login system?

  • 写回答

1条回答 默认 最新

  • doulu8847 2013-11-13 03:30
    关注

    $_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.

    But it's only a default, which depends on variables_order ; and not sure you want to work with cookies.

    If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both) : generally speaking :

    You should use $_GET when someone is requesting data from your application. And you should use $_POST when someone is pushing (inserting or updating ; or deleting) data to your application. Either way, there will not be much of a difference about performances : the difference will be negligible, compared to what the rest of your script will do.

    Also, you may need to check for XSS and CSRF. However, it really depends on the application requirements. I hate to be blunt, but IMHO this does not look like a secure or practical login block of code. Also, may I ask why are you not planning on using a DB? Using stored plain text passwords is not very secure at all.

    The below applies if you plan on using a DB. Your code does not check against a db for multiple users. It mainly checks against a stored password. Therefore, the application practicality would be very limited unless you use a db to support multiple users. Also, if you are going to use a db to store and retrieve values you need to make sure the user inputs a protected against SQL injections. Plus it would be wise to encrypt the passwords by using md5,salt,sha1 or a combination. Many guys use an encryption combination.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 win10权限管理,限制普通用户使用删除功能
  • ¥15 minnio内存占用过大,内存没被回收(Windows环境)
  • ¥65 抖音咸鱼付款链接转码支付宝
  • ¥15 ubuntu22.04上安装ursim-3.15.8.106339遇到的问题
  • ¥15 求螺旋焊缝的图像处理
  • ¥15 blast算法(相关搜索:数据库)
  • ¥15 请问有人会紧聚焦相关的matlab知识嘛?
  • ¥15 网络通信安全解决方案
  • ¥50 yalmip+Gurobi
  • ¥20 win10修改放大文本以及缩放与布局后蓝屏无法正常进入桌面