duaj39673 2012-08-09 10:18
浏览 93
已采纳

PHP登录系统。 安全?

I am building a small cms system. The user can login and edit, delete or create a new item in the database.

My question is. Is this login system safe enough?

<?php 
session_start(); ?>
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>.....</title>
</head>

<body>
<?php

    include 'koder.inc.php';


if(!isset($_POST['forsoeg'])){
    $forsoeg = 0;
    $check_user='0';
    $check_pass='0';
} else {
    $forsoeg = $_POST['forsoeg'];
    $check_user = $_POST['username'];
    $check_pass = $_POST['password']; }

    if($check_user != $username || $check_pass != $password)     {
        if($forsoeg >3){
            exit("<p>Wrong password or username <br /><br />
            <a href='admin_logon.php'>back to login</a></p>");}


            $forsoeg ++;  

            ?>
<h1>Login</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="form">
  <p>
    <label for="username">username:</label>
    <br />
    <input title="username:" type="text" name="username"  />
  </p>
  <p>
    <label for="password">Password:</label>
    <br />
    <input title="Skriv dit password" type="text" name="password"  />
  </p>
  <p>
    <input class="knap" type="submit" name="Send" value="Login" />
  </p>
  <input type="hidden" name="forsoeg" value="<?php echo $forsoeg; ?>"  />
</form>
<?php

    } else {
        $_SESSION['logon']="ok";

        echo "Login ok..<br />
        <a href='administration.php'>Go to admin page</a>"; } ?>
</body>
</html>

I then include the fil koder.inc.php

<?php 

 $username = "test";
 $password = "123456";


?>

And on the pages that need a valid user i start the page with 

<?php 
session_start(); ?>
  • 写回答

3条回答 默认 最新

  • doushanmo7024 2012-08-09 10:36
    关注

    If you're going for a multi user setup, you should migrate from a plain text file, and use a database instead.

    For storing passwords in the database you would need to first encrypt it, using PBKDF2 etc. then add a salt, and encrypt it again. The salt has to be random, it is safe to keep this in the database stored in plaintext along with the password.

    To verify a log in, you would pull the password from the database, and match it with an encrypted version of the password stored in the $_POST variable.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
  • ¥20 怎么用dlib库的算法识别小麦病虫害
  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 java写代码遇到问题,求帮助
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?