我做了一個登錄腳本爲我的網站,需要一些反饋,無論是安全與否和如何改善它+幾個問題:安全登錄腳本
<?php
session_start();
$user = "root";
$host = "localhost";
$pass = "";
$db = "test_db";
$cxn = mysqli_connect($host, $user, $pass, $db) or die ("Couldn't connect to the server. Please try again.");
if(isset($_POST['submit'])) {
$username = mysql_real_escape_string(strip_tags(trim($_POST['username'])));
$password = mysql_real_escape_string(strip_tags(trim($_POST['password'])));
$message = "";
$stmt = $cxn->prepare('SELECT * FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
if(password_verify($password, $row['password'])) {
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:index.php");
} else {
$message = "The username or password is incorrect.";
}
}
}
>
?另外,我只是學習有關會議,並有幾個問題:
- 在用戶登錄成功後,我需要他們的用戶名,以顯示任何其他頁面上。我如何使會話安全?
- 如何使「註銷」功能結束會話?
這已經不安全了。您沒有使用參數化查詢。 –
有幾個問題屬於這裏,但詢問如何改進這個屬於[代碼評論](http://codereview.stackexchange.com/)IMO –
@BrendanLong,爲什麼是1而不是's'? –