只是爲了知識的緣故,我想知道如何使用PHP登錄註銷認證的Dreamweaver內置功能?Dreamweaver PHP登錄註銷的安全性如何?
安全嗎?
我總是使用會話,文章和許多東西來構建登錄系統,但是當我使用Dreamweaver時,它非常簡單並且似乎很安全。仍然需要專家的意見,我應該開始使用它還是傳統的更好。我沒有發現任何限制,只是想知道天氣是否足夠安全。
這裏是一個Dreamweaver提供的代碼: -
這是我的登錄表單
<form action="<?php echo $loginFormAction; ?>" method="POST" target="_self">
<input name="ecsuser" class="form-login" title="Username" value="" size="30"
maxlength="2048" />
<input name="ecspass" type="password" class="form-login" title="Password"
value="" size="30" maxlength="2048" />
<?php if(!empty($ERRORMESSAGE)) echo '<div style="color:#FFF;
font-weight:bold;">'.$ERRORMESSAGE.'</div>'; ?>
<input name="" type="submit" value="" />
</form>
這是我的錯誤處理代碼。
<?php
if (isset($_GET['ERRORMESSAGE']))
{
if($_GET['ERRORMESSAGE'] == 1)
{
global $ERRORMESSAGE;
$ERRORMESSAGE = "Sorry! The username or password is incorrect,
Please try again.";
}
}
?>
這是我進一步的代碼
// Database Connection Include
<?php require_once('Connections/ecs.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['ecsuser'])) {
$loginUsername=$_POST['ecsuser'];
$password=md5($_POST['ecspass']);
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "index.php";
$MM_redirectLoginFailed = "login.php?ERRORMESSAGE=1";
$MM_redirecttoReferrer = false;
mysql_select_db($database_ecs, $ecs);
$LoginRS__query=sprintf("SELECT username, password FROM student WHERE username=%s AND password=%s",
GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
$LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
$loginStrGroup = "";
if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
//declare two session variables and assign them
$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;
if (isset($_SESSION['PrevUrl']) && false) {
$MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
}
header("Location: " . $MM_redirectLoginSuccess);
}
else {
header("Location: ". $MM_redirectLoginFailed);
}
}
?>
另外,我想知道,有什麼我們需要建立一個有效的登錄系統的所有其他安全措施並且上面的代碼是完美的,沒有任何安全問題。
如果鏈接和示例代碼提供這將是非常有幫助,在此先感謝:) – 2012-03-13 07:52:09
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Password_Storage – zuallauz 2012-03-13 08:10:26