PHP登录系统硬编码的用户名和密码 [英] PHP Login system hard coded username and password
问题描述
我必须做一个基本的登录系统来保护页面,而且我无权访问数据库,所以我将用户名和密码硬编码存储在php页面中.
I had to do a basic login system to protect a page, and I have no access to database so i store the username and password hard coded in php page.
我的问题是,此登录系统可以再次发起攻击吗?我需要保持大约1个月.
My question is, can this login system hold againts an attack? I need it to hold about 1 month.
任何改善的建议都会有所帮助.该代码不在laravel中,即使它看起来像这样.用户名和密码当然会更改为更强的名称.
Any sugestions to improve will be helpefull. The code is not in laravel, even if it might look like. The username and password, will be changed to something stronger of course.
谢谢.
<?php
class UserController {
private $username;
private $password;
private $isLoggedIn = false;
// Credentials
public function credentials() {
$credentials = array(
array(
"username" => "telekom",
"password" => "1234"
),
array(
"username" => "telekom2",
"password" => "1234"
)
);
return $credentials;
}
// Basic login
public function login() {
foreach ($this->credentials() as $credential) {
if ($this->username == $credential['username'] && $this->password == $credential['password']) {
Session::put('username', $this->username);
Session::put('password', $this->password);
$this->isLoggedIn = true;
}
}
}
// Get login status
public function isLoggedIn() {
return $this->isLoggedIn;
}
// Logout
public function logout() {
// Delete all sessions
Session::all();
redirect('/telekom/');
}
// Telekom
public function telekom() {
$form = new Form();
if (Input::get('logout') == 1) {
$this->logout();
}
// Post Data from login form
if (Input::has('username') || Input::has('password')) {
if (!$form->isCsrfValid()) {
$form->errors['CSRF'] = "CSRF Token";
} // CSRF protection is on, comment to disable
if (empty($form->errors)) {
$this->username = Input::get('username');
$this->password = Input::get('password');
// Check Login
$this->login();
if (!$this->isLoggedIn()) {
Session::put('login', 'Username and password do not match.');
} else {
redirect('/telekom/');
}
} else {
Session::put('login', '<p class="color-dark-red"><strong>Errors:</strong></p>
<p>' . $form->displayErrors($form->errors) . '</p>');
}
// Check if session has username and password
} elseif (Session::has('username') && Session::has('password')) {
$this->username = Session::get('username', false);
$this->password = Session::get('password', false);
// Check Login
$this->login();
}
}
}// EOF Class User
// Outside class
$user = new UserController();
// Outside class
if (!$user->isLoggedIn()) {
// display login form
} else {
// display protected content
}
?>
推荐答案
我的评论越来越冗长,因此我将其移至此处.我不建议您将用户名和密码放在同一文件中.如果PHP无法处理该页面,它将以纯文本格式转储给用户.即使对于数据库连接(un/pwd几乎必须以纯文本格式存储),大多数人也不会将信息放在同一文件中.
My comments are getting lengthy, so I'll just move them here. I would not recommend you put the username and password in the same file. If PHP ever fails to process the page, it will be dumped as plain text to the user. Even for database connections (where the un/pwd almost have to be stored plain text), most people don't put the information in the same file.
您有两种选择:
-
制作一个单独的PHP文件,该文件设置您的UN/PWD变量,将其放在无法从服务器外部访问的位置,并将其包含在index.php中.在这种情况下,直到您要比较变量并让本地范围尽快将其转储时,我才将文件包括在内.
Make a separate PHP file that sets your UN/PWD variables, put it somewhere that isn't accessible from outside your server, and include it in index.php. In this case, I wouldn't include the file until right when you're going to compare the variables and let the local scope dump it as soon as possible.
由于这是基本的身份验证,因此您可以使用 Apache的内置密码身份验证模块.
Since this is such basic authentication, you could use Apache's built in password authentication module.
这篇关于PHP登录系统硬编码的用户名和密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
