这个php登录系统安全吗?
这个登录页面是否安全,正在研究 sql 注入,如果是的话,他们是否存在漏洞,我该如何管理它?
我之前将用户详细信息加密到一个文件中并存储在本地。我也用localhost,想着换个域。将用户详细信息存储在文件中是否存在任何问题?
请无视html
<?php
session_start();
?>
<html>
<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
<input type="text" name="Username"value="">
<?php if ($_SERVER["REQUEST_METHOD"] == "POST"){
$user = $_REQUEST['Username'];
} ?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
<input type="password" name="Password"value="">
<?php if ($_SERVER["REQUEST_METHOD"] == "POST"){
$password = $_REQUEST['Password'];
}
if (isset($_POST['submit'])) {
$file = $user.".txt";
if (file_exists($file)){
$contents = file_get_contents($file);
$ciphering = "AES-128-CTR";
$iv_length = openssl_cipher_iv_length($ciphering);
$options = 0;
$decryption_iv = '#secret#';
$decryption_key = "#key#";
$decryption= openssl_decrypt ($contents, $ciphering,
$decryption_key, $options, $decryption_iv);
if($decryption==$password){
echo("details match");
setcookie("username", $user,time()+2000);
$_SESSION["logged_in"] = true;
$_SESSION["username"] = $user;
header("Location:/login/new folder/findchat.php?username");
exit();
}
else{
echo('Complete im not a robot');
}
}
else{echo("pasword or username is not valid");}
}
?>
<input type="submit"value="submit"name="submit">
</body>
</html>
抱歉我的拼写错误,谢谢
慕斯王1回答
-
料青山看我应如是
哇,这太可怕了。有很多漏洞。乍一看,这些是让我眼前一亮的:<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">这很容易受到 XSS 攻击,就像这样:http://example.com/badlogin.php/"><script>alert("xss")</script>$file = $user.".txt";if (file_exists($file)){ $contents = file_get_contents($file);琐碎的目录遍历。$decryption= openssl_decrypt ($contents, $ciphering, $decryption_key, $options, $decryption_iv); if($decryption==$password){您应该散列密码,而不是加密它们。您唯一没有的漏洞是 SQL 注入,那是因为您没有使用任何 SQL。
随时随地看视频慕课网APP
PHP