My little program, based on PHP, MySQL, jQuery and Ajax, provides login and shows data from a database. Login.html -> check-login.php -> success-login.php <-> show-data.php
My questions:
- Any security concerns I should worry about or improve in general.
- Regarding $_SESSION, is it possible that someone adds $_SESSION['mytime'] in a PHP file on a remote computer and pretends to be an authorized user?
- I saw a video on YouTube claiming 80% of logins can be broken (by proxy and password dictionary). Shall I set a maximum number of times a user can log in to prevent it, or do you have other suggestions?
- I can format data either in MySQL and PHP (server side) or in JavaScript (client side). Shall I always do it on the client side, or, for example, if I have 10 functions, put 8 on the client side and 2 on the server side, and so on?
My code is listed below:
login.html (calls check-login.php)
check-login.php
<?php
// connect to the database with PDO
// if the username and password (stored as md5) match a row in the users table:
session_start();
$_SESSION['mytime'] = time();
header('Location: success-login.php');
exit;
success-login.php
<?php
session_start();
if (!isset($_SESSION['mytime'])) {
    header('Location: login.html');
    exit;
}
// use jQuery and Ajax to fetch data from the database via show-data.php
show-data.php
<?php
session_start();
if (!isset($_SESSION['mytime'])) {
    header('Location: login.html');
    exit;
}
// PDO database operation; return the data as JSON
2 answers
#1
0
- There are many security concerns, like: Five common Web application vulnerabilities
- No, it's not possible for the user to set/change your $_SESSION variable by himself.
- You can prevent the user from choosing a simple password, or you can show a captcha after, for example, five wrong password entries (Yahoo! does it), and so on ...
- I didn't get what exactly you are looking for.
#2
0
There are a lot of things you should have in mind when you're developing such an application. Depending on the sensitivity of the data you're displaying from the database, you may want to start using HTTPS connections instead of plain HTTP. This is what I would usually do to boost the security:
- Create encrypted sessions - use mcrypt and store the key needed to decrypt the session on the client's side via a cookie. This way, even if somebody eventually gets some access to the path where the sessions are stored on the server, he won't be able to decode the sessions because the keys are stored on the client's side.
- Do not use any SQL in the URLs and ALWAYS check whether the submitted data is valid - i.e. whether the record id exists, whether the entered data is valid, and so on.
- Watch out for cross-site scripting.
- ALWAYS use password encryption and, if you have sensitive data, try encrypting that as well.
Regarding your other questions:
- I am not sure what your question is. $_SESSION is stored on the server side. It can be changed only by the scripts which run on that server, or manually (if you edit the $_SESSION file by hand).
- Use a captcha (reCaptcha) when the user fails to log in X times. If you'd like, you can add a lock - if the user fails to log in 5 times, the user will be locked and an email with unlock instructions will be sent to the user's email address.
- I don't know what exactly you mean by "format" (is it parsing, or styling?). If I were responding to AJAX requests, I would format the data and output only the data that needs to be displayed. For example, if I'm showing information about a user, I would output his username, first_name, last_name, email but not his password, password_salt, bank_account or any other sensitive data.
- As a follow-up to point 3 - when you format the data on the server side, it's up to you how to display it. You may do that via JavaScript, or you can directly output it as a response to the AJAX request. It's up to you.
The code you've provided us is something I wouldn't use because it doesn't check against a valid user. If the user has a session with a mytime variable, it assumes the user is valid. I would store user_id and password (encrypted) in the session and then check whether those values match in the database. This way, in case the user gets deleted or changes his password, all of his other sessions will become invalid.