我做了一个登录脚本为我的网站,需要一些反馈,无论是安全与否和如何改善它+几个问题:安全登录脚本
<?php
session_start();
$user = "root";
$host = "localhost";
$pass = "";
$db = "test_db";
$cxn = mysqli_connect($host, $user, $pass, $db) or die ("Couldn't connect to the server. Please try again.");
if(isset($_POST['submit'])) {
$username = mysql_real_escape_string(strip_tags(trim($_POST['username'])));
$password = mysql_real_escape_string(strip_tags(trim($_POST['password'])));
$message = "";
$stmt = $cxn->prepare('SELECT * FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
if(password_verify($password, $row['password'])) {
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:index.php");
} else {
$message = "The username or password is incorrect.";
}
}
}
>
?另外,我只是学习有关会议,并有几个问题:
- 在用户登录成功后,我需要他们的用户名,以显示任何其他页面上。我如何使会话安全?
- 如何使“注销”功能结束会话?
这已经不安全了。您没有使用参数化查询。 –
有几个问题属于这里,但询问如何改进这个属于[代码评论](http://codereview.stackexchange.com/)IMO –
@BrendanLong,为什么是1而不是's'? –