php - Having trouble with web security


This question is an exact duplicate of:

The login web page of my website is not secure; whenever I type a username or password on the login page, Firefox shows a dialog box saying:

This connection is not secure. Logins entered here could be compromised.

Should I try prepared statements, or is there another issue? Sorry for the broad question, I'm not familiar with web security.

Here's the login page code:

<?php
include("connect.php");
include('phpmailer/phpmailer-master/examples/gmail_xoauth.phps');

if (isset($_POST['createaccount'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    // Only proceed if no account with this username exists yet
    if (!connect::query('select username from accounts where username=:username', array(':username' => $username))) {
        if (strlen($username) >= 3 && strlen($username) <= 32) {
            // Anchored so that the whole username must consist of letters, digits and underscores
            if (preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
                if (strlen($password) >= 6 && strlen($password) <= 60) {
                    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
                        if (!connect::query('select email from accounts where email=:email', array(':email' => $email))) {
                            // Store only the bcrypt hash of the password, never the plaintext
                            connect::query('insert into accounts values (null, :username, :password, :email, \'0\')',
                                array(':username' => $username, ':password' => password_hash($password, PASSWORD_BCRYPT), ':email' => $email));
                            gmail_xoauth::sendmail('Welcome to the website!', 'Your account has been created!', $email);
                            echo "<h3 class='errmessage'>Success!</h3>";
                        } else {
                            echo '<h3 class="errmessage">Email in use!</h3>';
                        }
                    } else {
                        echo '<h3 class="errmessage">Invalid email!</h3>';
                    }
                } else {
                    echo '<h3 class="errmessage">Invalid password, at least 6 characters!</h3>';
                }
            } else {
                echo '<h3 class="errmessage">Invalid username</h3>';
            }
        } else {
            echo '<h3 class="errmessage">Invalid username, at least 3 characters</h3>';
        }
    } else {
        echo '<h3 class="errmessage">User exists!</h3>';
    }
}

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (connect::query('select username from accounts where username=:username', array(':username' => $username))) {
        if (password_verify($password, connect::query('select password from accounts where username=:username', array(':username' => $username))[0]['password'])) {
            // Random session token; the browser gets the raw token, the database stores its SHA-1
            $cstrong = true;
            $token = bin2hex(openssl_random_pseudo_bytes(64, $cstrong));
            $user_id = connect::query('select id from accounts where username=:username', array(':username' => $username))[0]['id'];
            connect::query('insert into users values (null, :token, :user_id)', array(':token' => sha1($token), ':user_id' => $user_id));
            // path '/', no domain restriction, not Secure, HttpOnly
            setcookie("snid", $token, time() + 60 * 60 * 24 * 7, '/', '', false, true);
            setcookie("snid_", '1', time() + 60 * 60 * 24 * 3, '/', '', false, true);
            setcookie("username", $username, time() + 3600);
            header("Location: home.php");
            exit;
        } else {
            echo '<h3 class="errmessage">Incorrect password! Try again</h3><br><br><br>';
        }
    } else {
        echo '<h3 class="errmessage">User not registered! Try again</h3><br><br><br>';
    }
}
?>

Here's the connect.php file:

<?php
class connect
{
    private static function db()
    {
        $pdo = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8', 'username', 'password');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $pdo;
    }

    // Runs a prepared statement; returns the rows for SELECT queries, nothing otherwise
    public static function query($query, $params = array())
    {
        $statement = self::db()->prepare($query);
        $statement->execute($params);
        if (strtolower(explode(' ', $query)[0]) == 'select') {
            $data = $statement->fetchAll();
            return $data;
        }
    }
}
?>

This is due to having a password field on a non-SSL page, meaning the page is served over HTTP, not HTTPS. You can learn more about the Firefox side of this here, and Mozilla's note to developers here. It can be fixed by adding an SSL certificate to the server.

Some certificates cost money, but you can use Let's Encrypt for free certificates. The main difference between paid certs and Let's Encrypt certs is the length of validity. At the time of writing it is 3 months, but there are tools to automate renewal.
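Installing the certificate is only the server half of the fix. The login code above still reads the password from whatever request arrives and sets its cookies without the Secure flag, so they would still be sent over plain HTTP if a user ever lands on the http:// URL. The following is an added example, not code from the question or the answer, showing the application-side complement: refuse to run the login flow over HTTP and issue cookies that the browser will only send over HTTPS. The function names and the `X-Forwarded-Proto` proxy clause are assumptions; drop that clause if no trusted TLS-terminating proxy sits in front of the server.

```php
<?php
// Added example (not from the question or the answer). Function names are hypothetical.

// True when the request arrived over TLS. Also honours X-Forwarded-Proto, which a
// TLS-terminating reverse proxy sets; assumption: such a proxy is trusted and is the
// only thing able to set that header.
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Redirects plain-HTTP requests to the HTTPS equivalent and stops the script, so a
// password is never read out of an unencrypted request. On HTTPS it adds an HSTS
// header so the browser keeps using HTTPS for this host.
function require_https(): void
{
    if (request_is_https($_SERVER)) {
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// Sets a cookie that is only transmitted over HTTPS (Secure), is not readable from
// JavaScript (HttpOnly) and is not attached to cross-site requests (SameSite).
// Uses the options-array form of setcookie(), available since PHP 7.3.
function set_secure_cookie(string $name, string $value, int $ttl_seconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttl_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Usage: call at the top of the login page, before any POST data is touched.
require_https();
// ...and after a successful password_verify(), in place of the plain setcookie() calls:
// set_secure_cookie('snid', $token, 60 * 60 * 24 * 7);
```

With the certificate in place, the Firefox warning disappears because the form is served over HTTPS; the redirect and the Secure flag make sure that neither the submitted password nor the resulting session cookie can fall back to HTTP afterwards.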

