dongqie2355 2012-03-22 17:06
Views: 43
Accepted

How secure is a Dreamweaver login?

When we use dreamweaver to create an auto-generated Login Logout - How secure it is?

While doing this, Dreamweaver creates 3 folders:

_mmServerScripts
_notes
Connections

and adds this to the login.php page:

<?php require_once('../Connections/da.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "../index.php";
  $MM_redirectLoginFailed = "index.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_da, $da);

  $LoginRS__query=sprintf("SELECT user_id, user_password FROM users WHERE user_id=%s AND user_password=%s",
    GetSQLValueString($loginUsername, "int"), GetSQLValueString($password, "text")); 

  $LoginRS = mysql_query($LoginRS__query, $da) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

    if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;       

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];  
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form name="login" action="<?php echo $loginFormAction; ?>" method="POST" target="_self">
<input name="username" type="text" />
<input name="password" type="password" />
<input name="login_button" type="submit" />
</form>
</body>
</html>

Also, it uses mysql_pconnect for the MySQL connection:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_da = "localhost";
$database_da = "database";
$username_da = "root";
$password_da = "password";
$da = mysql_connect($hostname_da, $username_da, $password_da) or trigger_error(mysql_error(),E_USER_ERROR); // connection handle used as $da in login.php
?>

Is it 100% efficient and secure? And if not, can we make some modifications to it to make it as secure as possible? Because this really makes things fast.


2 answers

  • dqwh1203 2012-03-22 17:13

    Edit: The accepted answer to the dupe of this question (by the same author? Why?) points out two vulnerabilities that I missed: PHP_SELF is vulnerable to XSS, and falling back to mysql_escape_string() shouldn't be necessary (although that is not a real-world concern either way). Rather than steal the points from MrCode, I encourage everyone to closevote this, and upvote MrCode's better answer :)

    It's not very beautiful code, but security- and efficiency-wise, it looks pretty okay. It takes into consideration that magic quotes are phased out in PHP 6, it seems to escape all incoming form data properly, and tests for the presence of variables before accessing them.

    The only thing that looks like it could cause problems is the superfluous line break here:

    <?php require_once('../Connections/da.php'); ?>   <---- here
    <?php
    

    that will mess with the header redirect in certain situations. I would get rid of it and just do

    <?php require_once('../Connections/da.php'); 
          if (!function_exists("GetSQLValueString")) { 
    

    also, instead of

      .... or die(mysql_error());
    

    one could use

      ....  or trigger_error(mysql_error(), E_USER_ERROR);
    

    to prevent SQL error messages from being shown in production environments.

    This answer was selected as the best answer by the asker.
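A hardened version of the login block that the answer and its edit discuss, written here as an added example (it is neither Dreamweaver's generated code nor the answer's). It assumes a PDO connection `$pdo` is created by `../Connections/da.php` and that the `user_password` column stores `password_hash()` values (the original schema compares plaintext); it replaces `mysql_*` escaping with a prepared statement, escapes the `PHP_SELF` form action, and sends every redirect before any output.

```php
<?php
// Added example, not Dreamweaver's output. Assumptions: $pdo is a PDO/MySQL
// handle configured with PDO::ERRMODE_EXCEPTION, and users.user_password holds
// password_hash() values. No byte (not even a newline after a closing "?>")
// is emitted before header(), which is the line-break problem the answer names.
require_once '../Connections/da.php'; // assumed to define $pdo

session_start();

// Escaping PHP_SELF closes the XSS the answer's edit mentions.
$loginFormAction = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

if (isset($_POST['username'], $_POST['password'])) {
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT user_id, user_password FROM users WHERE user_id = :id');
    $stmt->execute([':id' => (int) $_POST['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password take the same branch, so the response
    // does not reveal which one failed.
    if ($row !== false && password_verify($_POST['password'], $row['user_password'])) {
        session_regenerate_id(true);            // defeats session fixation
        $_SESSION['MM_Username']  = $row['user_id'];
        $_SESSION['MM_UserGroup'] = '';
        header('Location: ../index.php');
        exit;                                   // nothing runs after a redirect
    }
    header('Location: index.php');
    exit;
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8" /><title>Login</title></head>
<body>
<form name="login" action="<?php echo $loginFormAction; ?>" method="POST">
<input name="username" type="text" />
<input name="password" type="password" />
<input name="login_button" type="submit" />
</form>
</body>
</html>
```

With `PDO::ERRMODE_EXCEPTION` and `display_errors` off, a database failure is logged rather than printed to the visitor, which is the same goal the answer reaches with `trigger_error()` instead of `die(mysql_error())`.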

