PHP登录脚本？

Question

我正在创建一个小型会员网站。我已经创建了一个登录脚本，并想知道这是否能够避免常见攻击，还有什么我可以做的更安全。没有信用卡信息存储在系统中，这是由一个单独的商人处理。

的login.php

<?php 
session_start(); 

$notifications = array(); 

if(!empty($_POST['login'])) { 

    if(empty($_POST['email']) || empty($_POST['password'])) { 
     $notifications[] = 'Login failed! Please provide a username and password.'; 
    } 

    if(count($notifications) == 0) { 
     try { 
      $dbh = new PDO('mysql:dbname=lf_database;host=127.0.0.1', 'root', 'root'); 

      $sql = "SELECT email, verified FROM users WHERE email = :email AND password = :password"; 
      $sth = $dbh->prepare($sql); 
      $sth->execute(array(
       ':email' => $_POST['email'], 
       ':password' => md5($_POST['password']) 
      )); 

      $result = $sth->fetch(PDO::FETCH_ASSOC); 

      if($result) { 
       // Set session details and redirect user to members page 
       session_regenerate_id(); 
       $_SESSION['logged_in'] = true; 
       $_SESSION['verified'] = $result['verified']; 
       $_SESSION['created'] = time(); 
       $_SESSION['ua'] = md5($_SERVER['HTTP_USER_AGENT']) . 'fable3'; 

       header('Location: members.php'); 
      } else { 
       $notifications[] = "Username or Password incorrect."; 
      } 
     } catch (PDOException $e) { 
      echo 'We\'re having database issues at the moment. Don\'t worry, we\'re getting it sorted!'; 
     } 
    } 

} elseif(!empty($_POST['forgot_password'])) { 
    // Not yet implemented 
} 

?> 


<!DOCTYPE html> 
<html lang="en"> 
<head> 
<meta charset="utf-8"> 
<title>Members Login</title> 
<link rel="stylesheet" type="text/css" href="css/reset.css"> 
<!--[if IE]> 
    <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script> 
<![endif]--> 
</head> 

<body id="home"> 

<h1>Members Login</h1> 

<?php if(count($notifications) > 0) : ?> 
    <ul> 
     <?php foreach($notifications as $notification) : ?> 
      <li><?php print $notification ?></li> 
     <?php endforeach; ?> 
    </ul> 
<?php endif; ?> 

<form method="POST" action=""> 
    <fieldset> 
     <legend>Login</legend> 
     <input type="email" name="email" placeholder="Email Address" required> 
     <input type="password" name="password" placeholder="Password" required> 
     <input type="submit" name="login" value="Login"> 
    </fieldset> 
</form> 
<a href="#">Need Account? Sign Up</a> 

<form method="POST" action=""> 
    <fieldset> 
     <legend>Forgot Your Password?</legend> 
     <input type="email" name="forgot_password_email" placeholder="Email Address" required> 
     <input type="submit" name="forgot_password" value="Request New Password"> 
    </fieldset> 
</form> 

</body> 
</html> 

Members.php

<?php 
session_start(); 

$verified = false; 

// Is the user logged in? 
if(!isset($_SESSION['logged_in'])) { 
    session_destroy(); 
    header('Location: login.php'); 
} 

// Is the previous session valid? 
if ($_SESSION['ua'] != md5($_SERVER['HTTP_USER_AGENT']) . 'fable3') { 
    session_destroy(); 
    header('Location: login.php'); 
} 

// Is the user verified? 
if(isset($_SESSION['verified'])) { 
    if($_SESSION['verified']) { 
     $verified = true; 
    } 
} 

    // Expire session here after 2 hours (user will be watching a movie, no point expiring before hand) 
?> 
<h1>Logged In!</h1> 

<h2>Debug:</h2> 
<pre><?php print_r($_SESSION); ?></pre> 

<a href="logout.php">Logout</a> 

Answer 1

error_reporting(0)，只是可以肯定，把register_globals关闭。并且session_destroy()不足以“销毁”会话。您必须使用$_SESSION = array()清空$_SESSION超全球，然后取消超全球$_COOKIE中的会话Cookie。