Secure PHP authorization method
: -
: , , .. . , ( , - ). , , .
1. ()
— (a-z0-9)
—
—
—
Cookie
—
—
()
MySQL
users
user_id (int(11))
user_login (Varchar(30))
user_password (varchar(32))
user_hash (varchar(32))
user_ip (int(10)) 0
( md5 )
, , , , user_hash. IP ( , - Proxy, - IP … ). hash.
, ?
1. - , , , , . , , ( , , ) , IP .
2. , ( , IP ).
2.
register.php
login.php
check.php
, <a href=«captcha.ru target=»_blank">.
, cookies, , / .. .
: , , .. . , ( , - ). , , .
1. ()
— (a-z0-9)
—
—
—
Cookie
—
—
()
MySQL
users
user_id (int(11))
user_login (Varchar(30))
user_password (varchar(32))
user_hash (varchar(32))
user_ip (int(10)) 0
( md5 )
, , , , user_hash. IP ( , - Proxy, - IP … ). hash.
, ?
1. - , , , , . , , ( , , ) , IP .
2. , ( , IP ).
2.
-- <br>
-- `users` <br>
-- <br>
CREATE TABLE `users` ( <br>
`user_id` int(11) unsigned NOT NULL auto_increment, <br>
`user_login` varchar(30) NOT NULL, <br>
`user_password` varchar(32) NOT NULL, <br>
`user_hash` varchar(32) NOT NULL, <br>
`user_ip` int(10) unsigned NOT NULL default '0', <br>
PRIMARY KEY (`user_id`) <br>
) ENGINE=MyISAM DEFAULT CHARSET=cp1251 AUTO_INCREMENT=1 ; <br>
register.php
<?
//
#
mysql_connect("localhost", "myhost", "myhost");
mysql_select_db("testtable");
if(isset($_POST['submit']))
{
$err = array();
#
if(!preg_match("/^[a-zA-Z0-9]+$/",$_POST['login']))
{
$err[] = " ";
}
if(strlen($_POST['login']) < 3 or strlen($_POST['login']) > 30)
{
$err[] = " 3- 30";
}
# ,
$query = mysql_query("SELECT COUNT(user_id) FROM users WHERE user_login='".mysql_real_escape_string($_POST['login'])."'");
if(mysql_result($query, 0) > 0)
{
$err[] = " ";
}
# ,
if(count($err) == 0)
{
$login = $_POST['login'];
#
$password = md5(md5(trim($_POST['password'])));
mysql_query("INSERT INTO users SET user_login='".$login."', user_password='".$password."'");
header("Location: login.php"); exit();
}
else
{
print "<b> :</b><br>";
foreach($err AS $error)
{
print $error."<br>";
}
}
}
?>
<form method="POST">
<input name="login" type="text"><br>
<input name="password" type="password"><br>
<input name="submit" type="submit" value="">
</form>
login.php
<?
//
#
function generateCode($length=6) {
$chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHI JKLMNOPRQSTUVWXYZ0123456789";
$code = "";
$clen = strlen($chars) - 1;
while (strlen($code) < $length) {
$code .= $chars[mt_rand(0,$clen)];
}
return $code;
}
#
mysql_connect("localhost", "myhost", "myhost");
mysql_select_db("testtable");
if(isset($_POST['submit']))
{
# ,
$query = mysql_query("SELECT user_id, user_password FROM users WHERE user_login='".mysql_real_escape_string($_POST['login'])."' LIMIT 1");
$data = mysql_fetch_assoc($query);
#
if($data['user_password'] === md5(md5($_POST['password'])))
{
#
$hash = md5(generateCode(10));
if(!@$_POST['not_attach_ip'])
{
# IP
# IP
$insip = ", user_ip=INET_ATON('".$_SERVER['REMOTE_ADDR']."')";
}
# IP
mysql_query("UPDATE users SET user_hash='".$hash."' ".$insip." WHERE user_id='".$data['user_id']."'");
#
setcookie("id", $data['user_id'], time()+60*60*24*30);
setcookie("hash", $hash, time()+60*60*24*30);
#
header("Location: check.php"); exit();
}
else
{
print " /";
}
}
?>
<form method="POST">
<input name="login" type="text"><br>
<input name="password" type="password"><br>
IP( ) <input type="checkbox" name="not_attach_ip"><br>
<input name="submit" type="submit" value="">
</form>
check.php
<?
//
#
mysql_connect("localhost", "myhost", "myhost");
mysql_select_db("testtable");
if (isset($_COOKIE['id']) and isset($_COOKIE['hash']))
{
$query = mysql_query("SELECT *,INET_NTOA(user_ip) FROM users WHERE user_id = '".intval($_COOKIE['id'])."' LIMIT 1");
$userdata = mysql_fetch_assoc($query);
if(($userdata['user_hash'] !== $_COOKIE['hash']) or ($userdata['user_id'] !== $_COOKIE['id'])<br> or (($userdata['user_ip'] !== $_SERVER['REMOTE_ADDR']) and ($userdata['user_ip'] !== "0")))
{
setcookie("id", "", time() - 3600*24*30*12, "/");
setcookie("hash", "", time() - 3600*24*30*12, "/");
print ", - ";
}
else
{
print ", ".$userdata['user_login'].". !";
}
}
else
{
print " ";
}
?>
, <a href=«captcha.ru target=»_blank">.
, cookies, , / .. .
')
Source: https://habr.com/ru/post/13726/
All Articles