PHP 로그인 스크립트?

Question

소규모 회원 사이트를 만들고 있습니다. 필자는 로그인 스크립트를 만들었고 일반적인 공격으로부터 보안을 유지하는 방법이 무엇인지, 그리고 더 안전하게하기 위해 할 수있는 다른 방법이 있는지 궁금해하고있었습니다. 별도의 판매자가 처리하는 신용 ​​카드 정보는 시스템에 저장되지 않습니다.

Login.php

<?php 
session_start(); 

$notifications = array(); 

if(!empty($_POST['login'])) { 

    if(empty($_POST['email']) || empty($_POST['password'])) { 
     $notifications[] = 'Login failed! Please provide a username and password.'; 
    } 

    if(count($notifications) == 0) { 
     try { 
      $dbh = new PDO('mysql:dbname=lf_database;host=127.0.0.1', 'root', 'root'); 

      $sql = "SELECT email, verified FROM users WHERE email = :email AND password = :password"; 
      $sth = $dbh->prepare($sql); 
      $sth->execute(array(
       ':email' => $_POST['email'], 
       ':password' => md5($_POST['password']) 
      )); 

      $result = $sth->fetch(PDO::FETCH_ASSOC); 

      if($result) { 
       // Set session details and redirect user to members page 
       session_regenerate_id(); 
       $_SESSION['logged_in'] = true; 
       $_SESSION['verified'] = $result['verified']; 
       $_SESSION['created'] = time(); 
       $_SESSION['ua'] = md5($_SERVER['HTTP_USER_AGENT']) . 'fable3'; 

       header('Location: members.php'); 
      } else { 
       $notifications[] = "Username or Password incorrect."; 
      } 
     } catch (PDOException $e) { 
      echo 'We\'re having database issues at the moment. Don\'t worry, we\'re getting it sorted!'; 
     } 
    } 

} elseif(!empty($_POST['forgot_password'])) { 
    // Not yet implemented 
} 

?> 


<!DOCTYPE html> 
<html lang="en"> 
<head> 
<meta charset="utf-8"> 
<title>Members Login</title> 
<link rel="stylesheet" type="text/css" href="css/reset.css"> 
<!--[if IE]> 
    <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script> 
<![endif]--> 
</head> 

<body id="home"> 

<h1>Members Login</h1> 

<?php if(count($notifications) > 0) : ?> 
    <ul> 
     <?php foreach($notifications as $notification) : ?> 
      <li><?php print $notification ?></li> 
     <?php endforeach; ?> 
    </ul> 
<?php endif; ?> 

<form method="POST" action=""> 
    <fieldset> 
     <legend>Login</legend> 
     <input type="email" name="email" placeholder="Email Address" required> 
     <input type="password" name="password" placeholder="Password" required> 
     <input type="submit" name="login" value="Login"> 
    </fieldset> 
</form> 
<a href="#">Need Account? Sign Up</a> 

<form method="POST" action=""> 
    <fieldset> 
     <legend>Forgot Your Password?</legend> 
     <input type="email" name="forgot_password_email" placeholder="Email Address" required> 
     <input type="submit" name="forgot_password" value="Request New Password"> 
    </fieldset> 
</form> 

</body> 
</html> 

Members.php

<?php 
session_start(); 

$verified = false; 

// Is the user logged in? 
if(!isset($_SESSION['logged_in'])) { 
    session_destroy(); 
    header('Location: login.php'); 
} 

// Is the previous session valid? 
if ($_SESSION['ua'] != md5($_SERVER['HTTP_USER_AGENT']) . 'fable3') { 
    session_destroy(); 
    header('Location: login.php'); 
} 

// Is the user verified? 
if(isset($_SESSION['verified'])) { 
    if($_SESSION['verified']) { 
     $verified = true; 
    } 
} 

    // Expire session here after 2 hours (user will be watching a movie, no point expiring before hand) 
?> 
<h1>Logged In!</h1> 

<h2>Debug:</h2> 
<pre><?php print_r($_SESSION); ?></pre> 

<a href="logout.php">Logout</a> 

Answer 1

error_reporting(0) 그냥 확실하게, register_globals 전원을 켜십시오. session_destroy()은 세션을 "파기"하기에 충분하지 않습니다. $_SESSION = array()을 사용하여 $_SESSION 수퍼 글로벌을 비운 다음 $_COOKIE 수퍼 글로벌에서 세션 쿠키를 설정 해제해야합니다.