使登录更安全 [英] Making login more secure

问题描述

我使用此代码进行管理员登录。只有当用户输入正确的用户名和密码时才应该打开loginhome.php。但之后，我意识到这根本不安全。任何人都可以直接进入mywebsite / loginhome.php而无需登录。注销后，可以使用后退按钮打开loginhome.php。

I have used this code for admin login. loginhome.php should be opened only when a user enter correct username and password. But then, i realized this is not secure at all. anybody could directly go to mywebsite/loginhome.php without logging in. and after logout, the loginhome.php can be opened using back button. How Can i make this more securely?

<?php

$submit=isset($_POST['submit']);
if($submit)
{
    $first=$_POST['first'];
    $password=$_POST['password'];
    $db = new mysqli("localhost", "root","","learndb");
    $sql = "select * from admin where username = '" . $first . "' and password = '". $password . "'";
    $result = $db->query($sql);
    $result=mysqli_num_rows($result);

  if($result>0)
{

     include_once "loginhome.php";

}
else
{
    include_once"errorlogin.php";
}   

如果需要，这里是html表单。

Here is the html form if required.

<form method="post" action="input.php">
Username:<input type="Text" name="first"><br>
password:<input type="password" name="password"><br>
<input type="submit" name="submit" value="LOGIN">
</form>

推荐答案

安全。
首先，在登录页面（例如 login.php ）将用户重定向到 loginhome.php 。

You can use a PHP Session instead to make it more secure. Firstly, redirect users to loginhome.php in the Login Page (eg. login.php).

session_start();
$_SESSION['logged_in'] = true;
header("Location: loginhome.php");

在 loginhome.php 文件中，你可以检查会话，如果没有设置，然后重定向用户回到登录页面。

And in the loginhome.php file, you can check for the session, if not set, then redirect users back to the Login Page.

<?php

 include "include.php";
 session_start();
 if(!$_SESSION['logged_in']){
 session_destroy();
 header("Location: login.php");
}

?>

要注销，请销毁Session。

To logout, destroy the Session.

<?php

session_start();
$_SESSION['logged_in'] = 0;
session_destroy();
header("Location: login.php");

?>

include.php 档案。

<?php
$link = mysqli_connect
("host", "user", "password", "database");
?>

只是提示，您应该加密用户的用户名和密码。希望这有助于！

Just a tip, you should encrypt the users' usernames and passwords. Hope this helps!

这篇关于使登录更安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！