PHP AJAX的登录，是这种方法安全吗？ [英] PHP AJAX login, is this method secure?

问题描述

我刚开始PHP和MySQL需要知道，如果这是安全的。登录信息被传递到下面的PHP文件通过AJAX（jQuery的）。

I have just started PHP and mySQL and need to know if this is "safe". The login information is passed into the following PHP file through AJAX (jQuery).

jQuery的AJAX

jQuery AJAX

$("#login_form").submit(function(){
    $.post("login.php",{user:$('#username').val(),pass:$('#password').val()} ,function(data)

PHP

ob_start();
mysql_connect("-", "-", "-") or die("ERROR. Could not connect to Database."); 
mysql_select_db("-")or die("ERROR. Could not select Database.");

//Get Username and Password, md5 the password then protect from injection.

$pass = md5($pass);
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);

//See if the Username exists.
$user_result=mysql_query("SELECT * FROM users WHERE username='$user'");
$user_count=mysql_num_rows($user_result);

if($user_count==1){
    if($pass_length==0){ echo "userVALID"; }
    else{       
        $pass_result=mysql_query("SELECT * FROM users WHERE username='$user' and password='$pass'");
        $pass_count=mysql_num_rows($pass_result);       
        if($pass_count==1){             
            session_register("user");
            session_register("pass"); 
            echo "passVALID";
        }
        else { echo "passERROR"; }      
    }
}
else { echo "userERROR"; }

ob_end_flush();

我知道这可能不是做事情的最好方法，但它是我认识路！我只是想知道是否有任何重大的安全漏洞。这是更适合我的一个概念，所以我不结合SSL的。

I know this may not be the best way to do things but, it is the way I know! I just want to know if it has any major security flaws. It is more of a concept for me and therefore I am not incorporating SSL.

推荐答案

您应该进行此更改，以防万一的人在他们的密码反斜杠：

You should make this change just in case people have a backslash in their password:

if(get_magic_quotes_gpc()){
   $user = stripslashes($user);
   $pass = stripslashes($pass);
}
$user = mysql_real_escape_string($user);
$pass = sha256($salt.$pass);

首先MD5是非常糟糕的。此外的md5（）和 mysql_real_escape_string（）是多余的。冲突已经在野外被生成。 SHA1（）虽然削弱了还是更加安全，无碰撞已经产生（还）。最好的选择是 SHA256在PHP ，或使用mhash库。

First and foremost md5 is very bad. Also md5() and mysql_real_escape_string() is redundant. Collisions have been generated in the wild. sha1() although weakened is still much more secure and no collisions have been generated (yet). The best choice would be sha256 in php, or using the mhash library.

$pass = md5($pass);

您还需要盐密码。

这篇关于PHP AJAX的登录，是这种方法安全吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！