Dreamweaver PHP登录注销的安全性如何? [英] How secure Dreamweaver PHP login logout is?

问题描述

仅出于知识方面的考虑，我想知道使用PHP登录注销身份验证的Dreamweaver内置功能有多好?

just for knowledge sake, i wanna know that how good is to use a Dreamweaver in-built feature of PHP login logout authentication?

安全吗?

我总是使用会话，帖子和许多其他东西来构建登录系统，但是当我使用Dreamweaver时，它非常简单，而且似乎很安全.仍然需要专家的建议，我应该开始使用它还是传统的更好.我没有发现任何限制，只是想知道天气是否足够安全.

I always use sessions, posts and so many things to build a login system, however when i used the Dreamweaver one, it was quite simple and seems to be secure. Still need expert advice, should i start using it or the traditional one is better. I don't find any limitation, just want to know that weather it is secure enough or not.

这是Dreamweaver提供的代码:-

Here is the code which Dreamweaver provides:-

这是我的登录表格

<form action="<?php echo $loginFormAction; ?>" method="POST" target="_self">
    <input name="ecsuser" class="form-login" title="Username" value="" size="30"
    maxlength="2048" />

    <input name="ecspass" type="password" class="form-login" title="Password" 
    value="" size="30" maxlength="2048" />

    <?php if(!empty($ERRORMESSAGE)) echo '<div style="color:#FFF; 
    font-weight:bold;">'.$ERRORMESSAGE.'</div>'; ?>

    <input name="" type="submit" value="" />
</form>

---

这是我的错误处理代码.

---

This is my Error Handling code.

<?php
if (isset($_GET['ERRORMESSAGE']))
{
    if($_GET['ERRORMESSAGE'] == 1)
    {
    global $ERRORMESSAGE;
    $ERRORMESSAGE = "Sorry! The username or password is incorrect, 
            Please try again.";
    }
}
?>

---

这是我的进一步代码

---

This is my further code

// Database Connection Include
<?php require_once('Connections/ecs.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['ecsuser'])) {
  $loginUsername=$_POST['ecsuser'];
  $password=md5($_POST['ecspass']);
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "login.php?ERRORMESSAGE=1";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_ecs, $ecs);

  $LoginRS__query=sprintf("SELECT username, password FROM student WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 

  $LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";

    if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;       

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];  
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

此外，我想知道，我们需要采取哪些其他安全措施来构建高效的登录系统，并且上面的代码是否100％完美，而且没有安全问题.

Also, i want to know, what all other security measures we need to take for building an efficient Login system and does the above code is 100% perfect with no security issue.

推荐答案

Is it secure?

不.我看到一些问题:

1)首先，存在一个XSS漏洞.当您像这样回显$_SERVER['PHP_SELF']时，需要使用htmlspecialchars()对其进行转义.如果您不这样做，则攻击者可以制作链接，单击该链接将窃取会话cookie，该会话cookie可用于在没有用户名和密码的情况下登录. 请参阅: PHP_SELF和XSS

1) First of all there is an XSS vulnerability. When you echo $_SERVER['PHP_SELF'] like that, it needs to be escaped with htmlspecialchars(). If you don't do this, an attacker can craft link which when clicked, will steal session cookies which can be used to become logged in without a username and password. See: PHP_SELF and XSS

2)GetSQLValueString有问题.如果mysql_real_escape_string()不存在，它将回退到mysql_escape_string().您永远不应退回到mysql_escape_string().如果mysql_real_escape_string()不可用，并且您依靠它来避免SQL注入，则您的应用程序应停止. 在知道数据类型之前，该函数还会对数据进行转义.如果您使用的是intval()，floatval()，doubleval()，则无需先执行mysql_real_escape_string().

2) GetSQLValueString has problems. It is falling back to mysql_escape_string() if mysql_real_escape_string() does not exist. You should never fall back to mysql_escape_string(). If mysql_real_escape_string() is not available and you're relying on it to avoid SQL Injection, your application should stop. This function is also doing an escape on the data, before it knows what datatype it is. If you're using intval(), floatval(), doubleval(), you don't need to do a mysql_real_escape_string() first.

我建议将其更改为使用MySQLi或PDO参数化查询，这些查询将自动为您处理转义.

I suggest changing this to use MySQLi or PDO parameterised queries which will automatically handle the escaping for you.

MySQLi: http://php.net/manual/en/mysqli.prepare .php PDO: http://us2.php.net/manual/en/book. pdo.php

MySQLi: http://php.net/manual/en/mysqli.prepare.php PDO: http://us2.php.net/manual/en/book.pdo.php

3)成功登录后，似乎正在尝试(但失败)重定向到上一页.除非您对URL进行了硬编码或已经验证了用户提供的URL，否则切勿重定向.如果不这样做，则很容易受到公开重定向/网络钓鱼的攻击. 看来有人可能试图通过在if处添加false来解决此问题:if (isset($_SESSION['PrevUrl']) && false) {，该语句永远不会评估为true，因此毫无意义地保留它.

3) It appears to be trying (and failing) to redirect to the previous page on successful login. You should never redirect unless you have hardcoded the URL or you have validated the user supplied URL, if you don't do this you could be vulnerable to open redirect/phishing attacks. It looks like someone might have tried to fix this by adding false to the if here: if (isset($_SESSION['PrevUrl']) && false) {, this statement will never evaluate to true and so it is pointless keeping it.

4).看看这一行:

$LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());

如果执行此查询时出现任何MySQL错误，则应用程序将打印出完整的MySQL错误，然后停止.这对尝试执行SQL Injection攻击的任何人都将非常有帮助.即使您已经确保使用SQL注入，这仍然会告诉您数据库结构的各个方面. 您应该使用trigger_error()或执行自己的错误日志记录，但切勿在生产/实时/公共系统中向用户显示该错误.

If there is any MySQL error when this query executes, the application is going to print out the full MySQL error and then stop. This will be extremely helpful to anyone trying to perform SQL Injection attacks. Even if you've secured for SQL Injection, this is still going to tell the world parts of your database structure. You should use trigger_error() or do your own error logging, but never show it to the user in a production/live/public system.

5).最后，可以在登录/注销表单上执行XSRF攻击.提交诸如登录/注销之类的操作时，应使用反XSRF令牌. 请参阅: http://en.wikipedia.org/wiki/Cross-site_request_forgery

5). Finally, it is possible to perform XSRF attacks on the login/out form. You should use an anti-XSRF token when submitting actions like login/logout. See: http://en.wikipedia.org/wiki/Cross-site_request_forgery

这篇关于Dreamweaver PHP登录注销的安全性如何?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！