2017-07-27 142 views
0

I'm having trouble with my website's login page being insecure. Whenever I type a username or password on the login page in Firefox, I get a dialog box about web security saying:

This connection is not secure. Logins entered here could be compromised.

Should I try prepared statements, or is there another problem? Sorry, this is a broad question, but I'm not very familiar with web security.

Here is my login page code:

<?php
include("connect.php");
include('PHPMailer/PHPMailer-master/examples/gmail_xoauth.phps');

// Account creation: validate input, then insert a bcrypt hash of the password.
if (isset($_POST['createaccount'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    // connect::query returns an empty array (falsy) when no row matches.
    if (!connect::query('SELECT username FROM accounts WHERE username=:username', array(':username'=>$username))) {
        if (strlen($username) >= 3 && strlen($username) <= 32) {
            if (preg_match('/[a-zA-Z0-9_]+/', $username)) {
                if (strlen($password) >= 6 && strlen($password) <= 60) {
                    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
                        if (!connect::query('SELECT email FROM accounts WHERE email=:email', array(':email'=>$email))) {
                            connect::query('INSERT INTO accounts VALUES (null, :username, :password, :email, \'0\')', array(':username'=>$username, ':password'=>password_hash($password, PASSWORD_BCRYPT), ':email'=>$email));
                            gmail_xoauth::sendMail('Welcome to the Website!', 'Your account has been created!', $email);
                            echo "<h3 class = 'errmessage'>Success!</h3>";
                        } else {
                            echo '<h3 class = "errmessage">Email already in use!</h3>';
                        }
                    } else {
                        echo '<h3 class = "errmessage">Invalid email!</h3>';
                    }
                } else {
                    echo '<h3 class = "errmessage">Invalid password, at least 6 characters!</h3>';
                }
            } else {
                echo '<h3 class = "errmessage">Invalid username, at least 3 characters</h3>';
            }
        } else {
            echo '<h3 class = "errmessage">Invalid username</h3>';
        }
    } else {
        echo '<h3 class = "errmessage">User already exists!</h3>';
    }
}

// Login: verify the bcrypt hash, then issue a random session token.
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (connect::query('SELECT username FROM accounts WHERE username=:username', array(':username'=>$username))) {
        if (password_verify($password, connect::query('SELECT password FROM accounts WHERE username=:username', array(':username'=>$username))[0]['password'])) {
            $cstrong = True;
            // 64 random bytes, hex-encoded; the browser gets the raw token,
            // the database stores only its SHA-1.
            $token = bin2hex(openssl_random_pseudo_bytes(64, $cstrong));
            $user_id = connect::query('SELECT id FROM accounts WHERE username=:username', array(':username'=>$username))[0]['id'];
            connect::query('INSERT INTO users VALUES (null, :token, :user_id)', array(':token'=>sha1($token), ':user_id'=>$user_id));
            // 7-day session cookie, HttpOnly (last argument); secure flag left NULL.
            setcookie("SNID", $token, time() + 60 * 60 * 24 * 7, '/', NULL, NULL, TRUE);
            setcookie("SNID_", '1', time() + 60 * 60 * 24 * 3, '/', NULL, NULL, TRUE);
            setcookie("username", $username, time()+3600);
            header("Location: home.php");
        } else {
            echo '<h3 class = "errmessage">Incorrect Password!Try again</h3><br><br><br>';
        }
    } else {
        echo '<h3 class = "errmessage">User not registered!Try again</h3><br><br><br>';
    }
}
?>

Here is the connect.php file:

<?php
class connect
{
    private static function db()
    {
        // DSN options must not contain spaces around '=' or the charset is ignored.
        $pdo = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8', 'username', 'password');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $pdo;
    }

    // Runs a prepared statement with bound parameters; returns all rows for
    // SELECT queries and nothing for other statements.
    public static function query($query, $params = array())
    {
        $statement = self::db()->prepare($query);
        $statement->execute($params);
        if (explode(' ', $query)[0] == 'SELECT') {
            $data = $statement->fetchAll();
            return $data;
        }
    }
}
?>
+2

It's referring to not using https (SSL). It has nothing to do with your code – rtfm

+0

Okay, I'll look into that – Bubba

+1

Apart from the answer given, there are other factors to consider, such as file/script/image includes: if they are hard-coded 'http://' references they will also cause problems. Although it doesn't directly answer the question, it is relevant. –

Answer

2

This is because you have a password field on a non-SSL page, meaning your page is served over http rather than https. You can read more about the Firefox side here and Mozilla's note to developers here. This can be fixed by adding an SSL certificate to your server.

Some certificates cost money, but you can look at Let's Encrypt for free certificates. The main difference between paid certificates and Let's Encrypt certificates is the validity period. At the time of writing, they only last 3 months, but there are tools to renew them automatically.
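As an added illustration of both the answer above and the earlier comment about hard-coded http:// includes (this is example code written for this page, not code from the question or the answer), the following Python audit applies the same two checks a browser makes to a login page supplied as an HTML string: a password field on a page whose URL is not https, forms whose resolved action is not https, and sub-resources hard-coded as http://. The page URLs and HTML below are constructed for the example; the scheme rules are the ones the Firefox warning describes.

```python
"""Audit a login page for the conditions behind Firefox's
'This connection is not secure' warning and for mixed content.
Stdlib only; all sample input is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginPageScanner(HTMLParser):
    """Collects password inputs, form actions and sub-resource URLs."""

    # Tags whose referenced resource a browser fetches from the page.
    RESOURCE_TAGS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href"}

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.form_actions = []
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Missing action means "post back to the current URL".
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag in self.RESOURCE_TAGS:
            url = a.get(self.RESOURCE_TAGS[tag])
            if url:
                self.resources.append(url)


def audit_login_page(page_url, html):
    """Return the findings a defender would act on before and after enabling TLS."""
    scanner = _LoginPageScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = {
        # The exact condition the warning fires on: password input on non-https page.
        "password_field_over_http": page_scheme != "https" and scanner.password_fields > 0,
        # Where the credentials actually travel; relative actions inherit the page scheme.
        "forms_posting_over_http": [],
        # Includes that will become mixed content once the page moves to https.
        "hardcoded_http_resources": [],
    }
    for action in scanner.form_actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            findings["forms_posting_over_http"].append(target)
    for url in scanner.resources:
        if url.lower().startswith("http://"):
            findings["hardcoded_http_resources"].append(url)
    return findings


# Constructed sample: a login form like the one in the question, with one
# stylesheet referenced relatively and one script hard-coded over http.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/jquery.js"></script>
</head><body>
<form method="post" action="login.php">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="login" value="Login">
</form>
<img src="https://cdn.example.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://www.example.test/login.php",
                "https://www.example.test/login.php"):
        print(url, audit_login_page(url, SAMPLE_HTML))
```

Running it against the http:// URL reports the password field and the form post as insecure and lists the hard-coded script; against the https:// URL the first two findings clear, but the hard-coded http:// script remains, which is the mixed-content case the comment warns about and the reason to switch such includes to relative or https URLs when the certificate is installed.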