我正在尝试用登录系统建立一个网站。我在网上读过这些东西。但我发现很难把它们放在一起。我想我错过了很多重要的事情,比如安全。
- mysqli
- 验证电子邮件
- 准备好的语句(我不知道它是什么><)
- 除了在下面的代码中注入之外,还有其他安全风险吗
我是一个自学成才的程序员(刚开始编码几个月,拜托帮助><)
- 我不知道OOP和PDO,所以请使用程序格式T.T
- 对安全不太了解
- 这不是一个项目,我想发布它。所以必须有良好的安全性
- 请帮助改进它,非常感谢
我在问很多问题吗??
<?php
if(isset($_POST['signup-name']) and isset($_POST['signup-password-1']) and isset($_POST['signup-password-2']) and isset($_POST['signup-email-1']) and isset($_POST['signup-email-2']) and isset($_POST['signup-country']) and isset( $_POST['recaptcha_challenge_field']) and isset( $_POST['recaptcha_response_field'])){
if(!empty($_POST['signup-name']) and !empty($_POST['signup-password-1']) and !empty($_POST['signup-password-2']) and !empty($_POST['signup-email-1']) and !empty($_POST['signup-email-2']) and !empty($_POST['signup-country']) and !empty( $_POST['recaptcha_challenge_field']) and !empty( $_POST['recaptcha_response_field'])){
//echo"ok1";
$username = $_POST['signup-name'];
$email1 = $_POST['signup-password-1'];
$email2 = $_POST['signup-password-2'];
$password1 = $_POST['signup-email-1'];
$password2 = $_POST['signup-email-2'];
$country = $_POST['signup-country'];
$recaptcha_challenge_field = $_POST['recaptcha_challenge_field'];
$recaptcha_response_field = $_POST['recaptcha_response_field'];
if($email1==$email2 and $password1==$password2){
include 'db_info.php';
$connect = mysqli_connect("localhost", $db_uusseerrss, $db_ppwwdd) or die(mysql_error("Unable to select database"));
$username = mysqli_real_escape_string($connect, $username);
$email1 = mysqli_real_escape_string($connect, $email1);
$password1 = mysqli_real_escape_string($connect, $password1);
$country = mysqli_real_escape_string($connect, $username);
$bcrypt_option = array('cost'=>12);
$hashed_password = password_hash($password1, PASSWORD_BCRYPT,$bcrypt_option);
echo $hashed_password;
$query = "INSERT INTO user_info (`username`, `email`, `password`, 'country') VALUES( ?, ?, ?, ?)";
echo "ok3";
if ($stmt = mysqli_prepare($connect, $query) ) {
$stmt->bind_param("ssss", $username, $email1, $hashed_password, $country );
$stmt->execute();
echo "ok4";
//redirect to main page
headr(....)
}
}
}
}else{
}
?>
我认为一个简单的解决方案是使用准备好的语句,也是在将用户值插入数据库时应该始终使用的解决方案。准备好的语句允许您告诉数据库期望什么,并将其视为期望,即使恶意用户试图抛出sql注入。基础是一体的吗?每个参数,然后您必须用s、i或whatnot告诉它在bind_param中期望什么。希望这能有所帮助。
$query = "INSERT INTO users (`username`, `email`, `password`, 'country') VALUES( ?, ?, ?, ?)";
if ($stmt = mysqli_prepare($conn, $query) ) {
$stmt->bind_param("ssss", $username, $email1, $hashed_password, $country );
$stmt->execute();
} else {
//I always put some sort of error message here
ob_clean();
header("Location: ".$_SERVER['HTTP_REFERER']);
mysqli_close($conn);
exit();
}
您的代码中存在XSS漏洞。例如,如果访问者在username字段中输入JavaScript代码,当他的名字被显示时,代码就会被执行。您必须使用htmlentities('string message')
来防止页面中出现任何代码注入。
在你的所有用户条目上都这样使用它:
$username = htmlentities($username);