2
我已经用PHP创建了一个应用程序。我不是OOP开发人员,我知道的一切都是我自己学到的。我有一个登录屏幕和一个文件,将其包含在所有文件的顶部。这些文件检查用户是否被授权,如果会话正常,然后授予访问权限,否则它会重定向到登录页面。Websecurify应该保护的访问页面
我认为这是安全的,但我使用Websecurify(铬附加),它给了我很多安全错误,我必须检查。这些错误来自于用户名/密码认证和会话cookie“保护”的php页面。
Websecurify访问表单,发布数据并为应该保护的页面做了很多事情。我怎样才能保护我的脚本免受抓取和漫游?
另外websecurify关于apache authentication =“应用程序使用了WWW身份验证,这种身份验证通常被认为是不安全的,容易受到一系列攻击。”
这是真的吗?真的,我需要你的意见如何保护我的PHP脚本免受未经授权的访问。
的文件,我包括所有PHP脚本的顶部是这个
session_start();
// set timeout period in seconds
$inactive = 3600;
// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']))
{
$session_life = time() - $_SESSION['timeout'];
if($session_life > $inactive)
{
session_destroy();
header("location:http://localhost/test/login.php");
}
}
$_SESSION['timeout'] = time();
if(!isset($_SESSION['client']))
{
header("location:http://localhost/test/login.php");
}
else
{
// authorize user and store some session vars
}
我的登录页是
<?php
session_start();
if($_GET['a']=="logout") {session_destroy();header("location:login.php");}
if(!isset($_SESSION['attempts'])) {$_SESSION['attempts'] = 0; session_commit();}
session_start();
?>
<?php
include_once("vars.php");
include ('mysql_connect.php');
$username=mysql_real_escape_string($_POST["username"]);
$password=mysql_real_escape_string($_POST["password"]);
if($_SESSION['attempts']==4){
echo "<div class=\"error\">You can try one more time.</div>";
}
if($_SESSION['attempts']>4){
// check if blocked username
$sql="SELECT * FROM isec_block WHERE username = '$username' and status=1";
$sql=mysql_query($sql);
$sql_row = mysql_fetch_array($sql);
$allrows = mysql_num_rows($sql);
$nowdate = strtotime(date('Y-m-d H:i:s'));
if($allrows>0){
$db_date = strtotime($sql_row['time_limit']);
if($db_date < $nowdate){
//unblock user
$sql="UPDATE isec_block SET status=0 WHERE username = '$username'";
$sql=mysql_query($sql);
echo "<div class=\"error\">Notice: Your account is open now.</div>";
$_SESSION['attempts'] = 0; session_commit();
session_start();
}else{
$error=1;
echo "<div class=\"error\">Multiple failed login attempts.</div>";
}
}
// eof check if blocked username
$error=1;
if($_SESSION['attempts']>0) echo "<div class=\"error\">ERROR: Ty again in 30 minutes please.</div>";
$ip = $_SERVER['REMOTE_ADDR'];
if($_SESSION['attempts']==5){
// store error login
$sql="INSERT INTO `isec_log` (username,ip,date,status) VALUES ('".$username."','$ip',NOW(),1)";
$result=mysql_query($sql);
// block username for x time
$timeToBuildStructure = 300; // seconds
$now = time(); // current time (seconds since 1/1/1970)
$finishedBuilding = $now + $timeToBuildStructure;
$newdate = date("Y-m-d H:i:s",$finishedBuilding);
$sql="INSERT INTO isec_block (username,time_limit,status) VALUES ('".$username."','$newdate',1)";
$result=mysql_query($sql);
}
$_SESSION['attempts']= $_SESSION['attempts'] + 1;
}
if($username!=="" && $password!=="" && $error<>1)
{
$sql="SELECT * FROM isec_usertable WHERE username='$username' AND password='$password'";
$result=mysql_query($sql);
$row_result= mysql_fetch_assoc($result);
$authenticated = $row_result['username'];
$authenticatedid = $row_result['id'];
$authenitcatedate = $row_result['Lastvisit'];
$authenticatedtype = $row_result['rights'];
$authenticatestatus = $row_result['status'];
$rows=mysql_num_rows($result);
if ($rows==1 and $authenticatestatus==1){
$_SESSION['client']=$authenticated;
$_SESSION['id']=$authenticatedid;
$_SESSION['ldate'] = $authenitcatedate;
$_SESSION['rights'] = $authenticatedtype;
$_SESSION['client_id'] = $row_result['client'];
$_SESSION['isLoggedIn'] = true;
$_SESSION['imagemanager.filesystem.rootpath'] = "../../../../../UserFiles/".$authenticatedid;
// add visit data
$ip = $_SERVER['REMOTE_ADDR'];
$visitdate="UPDATE `usertable` SET Lastvisit=NOW(), visits=visits+1 WHERE id='$authenticatedid'";
$result=mysql_query($visitdate);
// eof visit date
// store error login
$sql="INSERT INTO isec_log (username,ip,date,status) VALUES ('$username','$ip',NOW(),0)";
$result=mysql_query($sql);
header("location:index.php");
} else {
$_SESSION['attempts']= $_SESSION['attempts'] + 1;
//header("location:login.php?er=1");
echo "<div class=\"error\">ERROR: Wrong passoword or inactive account</div>";
$error=1; }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
<link href="general_css.css" rel="stylesheet" type="text/css" />
</head>
<body><?php if($_GET['er']==1) {echo "<div class=\"error\">ERROR: Wrong password or inactive account</div>";} ?>
<div id="container">
<div id="logo"><img src="template/isec-logogif.gif" width="285" height="64" /></div>
<?php include_once("header-icons.php");?>
<div id="main">
<div class="actionsblock">
<div class="actionheader">Login</div>
<form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tr>
<td width="17%" class="menublock"><div align="right"><a href="pages/clients-add.php"></a><a href="pages/clients.php"></a>Username</div></td>
<td width="17%" class="menublock"><label>
<input name="username" type="text" class="formfield_client" id="username" value="<?php echo $_POST['username'];?>" />
</label></td>
</tr>
<tr>
<td class="menublock"><div align="right">Password</div></td>
<td class="menublock"><input name="password" type="password" class="formfield_client" id="password" /></td>
</tr>
<tr>
<td class="menublock"><div align="right"><a href="myip.php?ip=<?php echo $_SERVER['REMOTE_ADDR'];?>" target="_blank"><img src="template/dot.gif" alt="ip" width="10" height="9" /></a></div></td>
<td class="menublock"><label>
<input type="submit" name="submit" id="submit" value="Connect" />
</label></td>
</tr>
</table>
</form>
</div>
</div>
</div>
</body>
</html>
<?php
mysql_close($dbc);
?>
您的登录脚本是什么样子的? – afuzzyllama 2012-03-13 13:28:06
我在哪里可以复制粘贴我的登录页面的php代码? – 2012-03-13 14:16:54
只需将其编辑到您的问题。 – afuzzyllama 2012-03-13 14:18:46