php - Having trouble with web security
The login web page of my website is not secure. Whenever I type a username or password on the login page, Firefox shows a dialog box saying:
The connection is not secure. Logins entered here could be compromised.
Should I try prepared statements, or is there another issue? Sorry for the broad question, I'm not familiar with web security.
Here's the login page code:
<?php
include("connect.php");
include('phpmailer/phpmailer-master/examples/gmail_xoauth.phps');

if (isset($_POST['createaccount'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    // Connect::query() returns the fetched rows for a SELECT, so an empty
    // array means no account with this username exists yet.
    if (!Connect::query('SELECT username FROM accounts WHERE username=:username', array(':username' => $username))) {
        if (strlen($username) >= 3 && strlen($username) <= 32) {
            // Anchored so the whole username must consist of letters, digits and underscores.
            if (preg_match('/^[a-zA-Z0-9_]+$/', $username)) {
                if (strlen($password) >= 6 && strlen($password) <= 60) {
                    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
                        if (!Connect::query('SELECT email FROM accounts WHERE email=:email', array(':email' => $email))) {
                            // Only the bcrypt hash of the password is stored.
                            Connect::query('INSERT INTO accounts VALUES (NULL, :username, :password, :email, \'0\')',
                                array(':username' => $username, ':password' => password_hash($password, PASSWORD_BCRYPT), ':email' => $email));
                            gmail_xoauth::sendmail('Welcome to the website!', 'Your account has been created!', $email);
                            echo "<h3 class='errmessage'>Success!</h3>";
                        } else {
                            echo '<h3 class="errmessage">Email in use!</h3>';
                        }
                    } else {
                        echo '<h3 class="errmessage">Invalid email!</h3>';
                    }
                } else {
                    echo '<h3 class="errmessage">Invalid password, at least 6 characters!</h3>';
                }
            } else {
                echo '<h3 class="errmessage">Invalid username, at least 3 characters</h3>';
            }
        } else {
            echo '<h3 class="errmessage">Invalid username</h3>';
        }
    } else {
        echo '<h3 class="errmessage">User exists!</h3>';
    }
}

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (Connect::query('SELECT username FROM accounts WHERE username=:username', array(':username' => $username))) {
        $row = Connect::query('SELECT password FROM accounts WHERE username=:username', array(':username' => $username))[0];
        if (password_verify($password, $row['password'])) {
            $cstrong = true;
            // 64 random bytes, hex-encoded; only the SHA-1 of the token is stored server-side.
            $token = bin2hex(openssl_random_pseudo_bytes(64, $cstrong));
            $user_id = Connect::query('SELECT id FROM accounts WHERE username=:username', array(':username' => $username))[0]['id'];
            Connect::query('INSERT INTO users VALUES (NULL, :token, :user_id)',
                array(':token' => sha1($token), ':user_id' => $user_id));
            // 6th argument (secure) is null, 7th (httponly) is true.
            setcookie("snid", $token, time() + 60 * 60 * 24 * 7, '/', null, null, true);
            setcookie("snid_", '1', time() + 60 * 60 * 24 * 3, '/', null, null, true);
            setcookie("username", $username, time() + 3600);
            header("Location: home.php");
        } else {
            echo '<h3 class="errmessage">Incorrect password! Try again</h3><br><br><br>';
        }
    } else {
        echo '<h3 class="errmessage">User not registered! Try again</h3><br><br><br>';
    }
}
?>
Here's the connect.php file:
<?php
class Connect {
    private static function db() {
        // Connection details as given in the question (no spaces allowed around '=' in the DSN).
        $pdo = new PDO('mysql:host=localhost;dbname=database_name;charset=utf8', 'username', 'password');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        return $pdo;
    }

    public static function query($query, $params = array()) {
        // Every query runs as a prepared statement with bound parameters.
        $statement = self::db()->prepare($query);
        $statement->execute($params);
        // Only SELECT statements return rows; the keyword is compared case-insensitively.
        if (strtolower(explode(' ', $query)[0]) == 'select') {
            $data = $statement->fetchAll();
            return $data;
        }
    }
}
?>
This is due to having a password field on a non-SSL page, meaning the page is served over HTTP, not HTTPS. You can learn more about the Firefox side of this here, and Mozilla's note to developers here. It can be fixed by adding an SSL certificate to the server.
Some certificates cost money, but you can use Let's Encrypt for free certificates. The main difference between paid certs and Let's Encrypt certs is the length of validity: at the time of writing it is 3 months, but there are tools to automate renewal.
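Once a certificate is installed, the login page should only ever be reached over HTTPS, and the cookies the question's login code sets should be marked Secure so the token is never sent over plain HTTP. This is an added example, not code from the question or the answer; it assumes SITE_HOST is the site's canonical hostname (a constructed placeholder) and that the redirect runs before any HTML is output.

```php
<?php
// Added example, not code from the question or the answer. SITE_HOST is a
// constructed placeholder for the hostname the site is actually served on.
const SITE_HOST = 'www.example.com';

// True when the current request arrived over TLS. HTTP_X_FORWARDED_PROTO is
// only honoured when $trustProxy is set, i.e. a reverse proxy terminates TLS
// and is the only thing that can reach PHP; otherwise any client could forge it.
function isHttps(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return $trustProxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// HTTPS URL to send an HTTP visitor to. The configured host is used rather
// than the Host request header so the redirect cannot be pointed elsewhere.
function httpsUrl(array $server): string
{
    return 'https://' . SITE_HOST . ($server['REQUEST_URI'] ?? '/');
}

// The same cookies as the question's login code, with the Secure flag set
// (6th argument) so the browser never sends the token over plain HTTP;
// HttpOnly stays on for the session cookies so page scripts cannot read them.
function setSessionCookies(string $token, string $username): void
{
    setcookie('snid', $token, time() + 60 * 60 * 24 * 7, '/', '', true, true);
    setcookie('snid_', '1', time() + 60 * 60 * 24 * 3, '/', '', true, true);
    // The username cookie is read by the pages, so it cannot be HttpOnly,
    // but it should still be Secure.
    setcookie('username', $username, time() + 3600, '/', '', true, false);
}

if (!isHttps($_SERVER)) {
    // Redirect before any form is rendered, so the password field is never
    // shown on an HTTP page (which is what triggers the Firefox warning).
    header('Location: ' . httpsUrl($_SERVER), true, 301);
    exit;
}
// Ask browsers to use HTTPS for this host for the next 180 days; send this
// only once the whole site works over HTTPS.
header('Strict-Transport-Security: max-age=15552000');
```

Place this at the top of the login page (before the login code) and call setSessionCookies($token, $username) in place of the three setcookie() calls after a successful password_verify().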