Quantcast
Channel: Forum Pasja Informatyki - Najnowsze pytania bez odpowiedzi
Viewing all articles
Browse latest Browse all 21942

Opinia o skrypcie logowania

$
0
0

Witam prosze o opinie na temat skryptu logowania ... jak oceniacie jego bezpieczeństwo jako tylko i wyłącznie dostęp do pewnych danych na stronie przez jednego użytkownika powiedzmy admina bez ról itd ... Tylko nie bijcie :]

//Auth.php

<?php
class Auth {

    public function __construct() {
        $db = Db::getInstance();
        $this->_dbh = $db->getConnection();
    }

    public function getLogin($user, $pass) {

        if ((!empty($user)) && (!empty($pass))) {

            $sth = $this->_dbh->prepare('SELECT * FROM users WHERE user = :user');
            $sth->bindParam(':user', $user, PDO::PARAM_STR);
            $sth->execute();
            $result = $sth->fetch();
            if (password_verify($pass, $result['pass'])) {
                session_regenerate_id();
                $_SESSION['is_login'] = true;
                $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR'];
                $_SESSION['user_date'] = $_SERVER['HTTP_USER_AGENT'];

            } else {
                echo 'nie poprawne dane błąd!';
            }

        }

    }


    public function is_login() {
        if (isset($_SESSION['is_login']) && isset($_SESSION['is_login'])===true && isset($_SESSION['user_ip']) && isset($_SESSION['user_date'])) {

            if ($_SERVER['REMOTE_ADDR'] == $_SESSION['user_ip'] && $_SERVER['HTTP_USER_AGENT'] == $_SESSION['user_date']) {
                session_regenerate_id();
                // echo session_id().'<br>';
                return true;
            } else {
                return false;
            }
        } else {
            return false;
        }
    }

}
?>

//Db.php

<?php

class Db
{
    private $_connection;
    private static $_instance; //The single instance
    private $_host = 'localhost';
    private $_port = 8080;
    private $_username = 'root';
    private $_password = '';
    private $_database = 'testmilion';
    /*
    Get an instance of the Database
    @return Instance
    */
    public static function getInstance()
    {
        if (!self::$_instance) { // If no instance then make one
            self::$_instance = new self();
        }
        return self::$_instance;
    }
    // Constructor
    private function __construct()
    {
        try {
            $this->_connection  = new PDO("mysql:host=$this->_host;dbname=$this->_database", $this->_username, $this->_password);
            $this->_connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $this->_connection->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC );
            $this->_connection->query('SET CHARACTER SET utf8');
            $this->_connection->query('SET NAMES utf8');
            /*** echo a message saying we have connected ***/
            // echo 'Connected to database';
        } catch (PDOException $e) {
            $e->getMessage();
            die('<h1 style="color:red">Bład-przepraszmy za niedogodności </h1>');
        }
    }
    // Magic method clone is empty to prevent duplication of connection
    private function __clone()
    {
    }
    // Get mysql pdo connection
    public function getConnection()
    {
        return $this->_connection;
    }
}

 ?>

//index.php

<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Document</title><link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet"></head><body><?php
        session_start();

        require_once 'Db.php';
        require_once 'Auth.php';
        $auth = new Auth;
        if ((isset($_POST['user'])) && (isset($_POST['pass']))) {
            $auth->getLogin($_POST['user'], $_POST['pass']);
        }


        if ($auth::is_login()===true) {
        echo 'zalogowany!!!!!!!!!!!!!!!!';
        }else{
        echo 'nie zalogowany';
        }
        ?><div class="container-fluid ligh-bg2 table-1"><div class="container table-cell height-100"><div id="loginbox"  class="mainbox col-lg-4 col-lg-offset-4 col-md-6 col-md-offset-3 col-sm-6 col-sm-offset-3 pd-zero"><div class="panel panel-info "><div class="panel-heading"><div class="panel-title">Panel logowania</div></div><div style="padding-top:30px" class="panel-body"><form id="loginform" class="form-horizontal" role="form" method="post"><div style="margin-bottom: 25px" class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span><input id="login-username" type="text" class="form-control" name="user" value="" placeholder="username or email"></div><div style="margin-bottom: 25px" class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span><input id="login-password" type="password" class="form-control" name="pass" placeholder="password"></div><div style="margin-top:10px" class="form-group"><!-- Button --><div class="col-sm-12 controls"><input type="submit" class="blok-link line-height-20" value="zaloguj"></div></div></form></div></div></div></div></div><a class="blok-link" href="?action=logout" style="line-height: 100px">WYLOGUJ</a><?php
        if (isset($_GET['action'])=='logout') {
        session_unset();
        session_destroy();
        }
        ?></body></html>

w bazie wiadomo jest prosta tabela z kolumnami user i pass w postaci bcrypt


Viewing all articles
Browse latest Browse all 21942