Witam prosze o opinie na temat skryptu logowania ... jak oceniacie jego bezpieczeństwo jako tylko i wyłącznie dostęp do pewnych danych na stronie przez jednego użytkownika powiedzmy admina bez ról itd ... Tylko nie bijcie :]
//Auth.php
<?php class Auth { public function __construct() { $db = Db::getInstance(); $this->_dbh = $db->getConnection(); } public function getLogin($user, $pass) { if ((!empty($user)) && (!empty($pass))) { $sth = $this->_dbh->prepare('SELECT * FROM users WHERE user = :user'); $sth->bindParam(':user', $user, PDO::PARAM_STR); $sth->execute(); $result = $sth->fetch(); if (password_verify($pass, $result['pass'])) { session_regenerate_id(); $_SESSION['is_login'] = true; $_SESSION['user_ip'] = $_SERVER['REMOTE_ADDR']; $_SESSION['user_date'] = $_SERVER['HTTP_USER_AGENT']; } else { echo 'nie poprawne dane błąd!'; } } } public function is_login() { if (isset($_SESSION['is_login']) && isset($_SESSION['is_login'])===true && isset($_SESSION['user_ip']) && isset($_SESSION['user_date'])) { if ($_SERVER['REMOTE_ADDR'] == $_SESSION['user_ip'] && $_SERVER['HTTP_USER_AGENT'] == $_SESSION['user_date']) { session_regenerate_id(); // echo session_id().'<br>'; return true; } else { return false; } } else { return false; } } } ?>
//Db.php
<?php class Db { private $_connection; private static $_instance; //The single instance private $_host = 'localhost'; private $_port = 8080; private $_username = 'root'; private $_password = ''; private $_database = 'testmilion'; /* Get an instance of the Database @return Instance */ public static function getInstance() { if (!self::$_instance) { // If no instance then make one self::$_instance = new self(); } return self::$_instance; } // Constructor private function __construct() { try { $this->_connection = new PDO("mysql:host=$this->_host;dbname=$this->_database", $this->_username, $this->_password); $this->_connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $this->_connection->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC ); $this->_connection->query('SET CHARACTER SET utf8'); $this->_connection->query('SET NAMES utf8'); /*** echo a message saying we have connected ***/ // echo 'Connected to database'; } catch (PDOException $e) { $e->getMessage(); die('<h1 style="color:red">Bład-przepraszmy za niedogodności </h1>'); } } // Magic method clone is empty to prevent duplication of connection private function __clone() { } // Get mysql pdo connection public function getConnection() { return $this->_connection; } } ?>
//index.php
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><title>Document</title><link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet"></head><body><?php session_start(); require_once 'Db.php'; require_once 'Auth.php'; $auth = new Auth; if ((isset($_POST['user'])) && (isset($_POST['pass']))) { $auth->getLogin($_POST['user'], $_POST['pass']); } if ($auth::is_login()===true) { echo 'zalogowany!!!!!!!!!!!!!!!!'; }else{ echo 'nie zalogowany'; } ?><div class="container-fluid ligh-bg2 table-1"><div class="container table-cell height-100"><div id="loginbox" class="mainbox col-lg-4 col-lg-offset-4 col-md-6 col-md-offset-3 col-sm-6 col-sm-offset-3 pd-zero"><div class="panel panel-info "><div class="panel-heading"><div class="panel-title">Panel logowania</div></div><div style="padding-top:30px" class="panel-body"><form id="loginform" class="form-horizontal" role="form" method="post"><div style="margin-bottom: 25px" class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span><input id="login-username" type="text" class="form-control" name="user" value="" placeholder="username or email"></div><div style="margin-bottom: 25px" class="input-group"><span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span><input id="login-password" type="password" class="form-control" name="pass" placeholder="password"></div><div style="margin-top:10px" class="form-group"><!-- Button --><div class="col-sm-12 controls"><input type="submit" class="blok-link line-height-20" value="zaloguj"></div></div></form></div></div></div></div></div><a class="blok-link" href="?action=logout" style="line-height: 100px">WYLOGUJ</a><?php if (isset($_GET['action'])=='logout') { session_unset(); session_destroy(); } ?></body></html>
w bazie wiadomo jest prosta tabela z kolumnami user i pass w postaci bcrypt