Я просто создаю скрипт для обработки процесса входа в систему. Я хотел бы провести хорошую дискуссию о том, как я могу улучшить свой сценарий, чтобы обезопасить, упростить и сохранить свое программирование СУХИМЫМ. Это не «тип ответа на вопрос, требующий ответа», а скорее обсуждение. Любое руководство и совет являются наиболее ценными.
Мой логин.php
<?php
class Login {
private $db = null;
private $ip = null;
private $uid = null;
private $date = null;
function Login() {
$this->db = db_connect();
$this->ip = $_SERVER['REMOTE_ADDR'];
$this->uid = 0;
$this->date = date('Y-m-d');
}
function checkLogin($username, $password) {
$username = sanitize($username, SQL);
$password = sha1($password);
if ($this->db) {
$query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);
$var = mysql_fetch_object($result);
if (is_object($var)) {
$this->storeSession($var, true, 'USER');
return true;
} else {
$this->sessionDefault();
return false;
}
}
}
function sessionDefault() {
$_SESSION['username'] = null;
$_SESSION['session'] = null;
$_SESSION['uid'] = 0;
$_SESSION['logged'] = false;
}
function storeSession(&$login, $init = true, $credit = 'USER') {
$_SESSION['username'] = $login->username;
$username = $login->username;
$_SESSION['uid'] = $login->id;
$uid = $login->uid;
$_SESSION['ip'] = $this->ip;
$ip = $this->ip;
$_SESSION['session'] = session_id();
$sid = session_id();
if ($this->db) {
$query = "INSERT INTO session VALUES ('$username','$sid','$ip','$this->date','USER')";
$result = mysql_query($query) or die(mysql_error());
}
}
function checkAuthorized($session, $ip, $admin = false) {
$session = sanitize($session, SQL);
$ip = fsanitize_ip($ip);
if ($this->db) {
$query = "SELECT * FROM session WHERE " .
"(session='$session') AND (ip='$ip') ";
$result = mysql_query($query);
$var = mysql_fetch_object($result);
if (is_object($var)) {
if ($var->credit == 'USER')
return 'USER';
else
return 'ADMIN';
} else
return false;
}
}
/*
*
* This function used to logout
* @param: $session will receive session_id()
* @return: Will return boolean
*
*/
function logout($session) {
$username = $_SESSION['username'];
unset($_SESSION);
session_destroy();
if ($this->db) {
$query = "DELETE FROM session WHERE session='$session'";
$result = mysql_query($query);
if ($result)
return true;
else
return false;
}
}
}
?>
Мой логинform.php
<?php
session_start();
include ('connection.php');
include ('sanitize.php');
include ('login.php');
/* Create object based on Login Class */
$auth = new Login();
/* Fetch session ID and insert into $session */
$session=session_id();
/* Fetch IP of client. This is repeated code */
$ip = $_SERVER['REMOTE_ADDR'];
/* Below will check session authentication */
$logincheck=$auth->checkAuthorized($session, $ip);
if ($logincheck) // Condition if session already there prevent viewing login form
{
header("Location:user.php"); // redirect to user page
}
?>
<!DOCTYPE html>
<head>
<script type="text/javascript">
function loginShow(show)
{
if(show==true)
{
document.getElementById(login-div).style.display = ""
}
else
{
document.getElementById(login-div).style.display = "none"
}
}
</script>
<style>
div#login
{
width : 400px;
height: 150px;
margin: 20% auto;
border:thin dotted gray;
}
input[type=text], input[type=password]
{
text-align: center;
width:250px;
}
input[type=submit]
{
width:80px;
}
div#login p
{
margin:5px auto;
text-align: center;
}
</style>
</head>
<html>
<body>
<div id="logindiv">
<div id="login">
<form method="POST" name="login" action="loginform.php" id="login">
<p>Username</p>
<p><input type="text" id="username" name="username"/></p>
<p>Password</p>
<p><input type="password" id="password" name="password"/></p>
<p><input type="submit" name="logged" id="logged" value="Login"/></p>
</form>
</div>
</div>
</body>
</html>
<?php
// Form processing engine goes here!
if ($_POST) {
extract($_POST);
$login = new Login();
$status = $login->checkLogin($username, $password);
if (!$status) {
echo "<script>loginShow('true')</script>";
} else {
header("Location:user.php");
exit();
}
} else {
echo "<script>loginShow(true)</script>";
}
?>
my authorize.php
<?php
session_start();
$session=session_id();
$ip = $_SERVER['REMOTE_ADDR'];
/* Create object based on Login Class */
$login = new Login();
/* Below will check and authenticate session and ip is valid */
$logincheck = $login->checkAuthorized($session, $ip);
if (!$logincheck) // Condition if login is not authentic or no session
{
header("Location:loginform.php"); // redirect to login form
}
else // Condition if session is valid and good
{
echo "<center>";
echo "<h1>Session already valid. No need to login</h1>";
echo "<a href='logout.php'>LOGOUT</a>";
echo "</center>";
}
?>
my logout.php
<?php
session_start();
$session=session_id();
$ip = $_SERVER['REMOTE_ADDR'];
include ('connection.php');
include ('sanitize.php');
require('login.php');
require('authorize.php');
$logout = new Login();
$logstatus = $logout->logout($session);
if ($logstatus)
{
echo "<center>";
echo "<h1>SESSION SUCCESSFULLY CLEARED</h1>";
echo "<a href='loginform.php'>LOGIN</a>";
echo "</center>";
}
else
{
echo "<center>";
echo "<h1>SESSION FAILED TO DELETE FROM DATABASE</h1>";
echo "<a href='logout.php'>RETRY</a>";
echo "</center>";
}
?>