Nieuw loginsysteem, beveiliging?
Ik ben bezig met mijn eigen loginsysteem en wil deze vrij uitgebreid maar vooral zo veilig mogelijk maken.
Nu heb ik een aantal regeltjes code geschreven, nog niet bar veel, maar ik zou wel eens willen weten of er nog dingen zijn waar ik op moet letten of dingen die veiliger kunnen volgens jullie.
Vergeef me als ik dit hier niet hoor te plaatsen, ik ben in verband met ziekte een aantal jaren niet actief geweest hier en de hele website is anders sinds de laatste keer dat ik hier was ;) p.s. mijn PHP-kennis is ook zeer roestig.
Anyway, ik waardeer het zeer als jullie een blik willen werpen. Alvast bedankt.
index.php
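<?php
// Development-only settings: with display_errors on, warnings and fatals (which can
// contain file paths, query text or credentials) are printed straight to the browser.
// Turn this off before the script is reachable from outside.
ini_set('display_errors', 1);
error_reporting(E_ALL);
require_once("include/class.registration.php");

// Registers one sample account and prints the status string returned by
// Database::RegisterUser(). The literals are throwaway test values; in the real
// flow they come from validated form input, never from a hard-coded string.
$registration = new Registration;
echo $registration->NewRegistration('Serellyn', '[email protected]', 'randompass');
// No closing "?>": a trailing newline after it would be sent as output and can
// break later header()/session calls.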
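// Development-only settings: with display_errors on, warnings and fatals (which can
// contain file paths, query text or credentials) are printed straight to the browser.
// Turn this off before the script is reachable from outside.
ini_set('display_errors', 1);
error_reporting(E_ALL);
require_once("include/class.registration.php");

// Registers one sample account and prints the status string returned by
// Database::RegisterUser(). The literals are throwaway test values; in the real
// flow they come from validated form input, never from a hard-coded string.
$registration = new Registration;
echo $registration->NewRegistration('Serellyn', '[email protected]', 'randompass');
// No closing "?>": a trailing newline after it would be sent as output and can
// break later header()/session calls.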
class.registration.php
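<?php
error_reporting(E_ALL);
/*
 * The functions password_hash and password_verify were introduced in PHP version 5.5
 * and will not run on a lower version. This check looks at your PHP version; if it is
 * lower than PHP 5.5 it includes a compatibility script.
 *
 * version_compare() is used rather than `phpversion() < 5.5`: phpversion() returns a
 * string such as "5.4.45", and comparing that with a float depends on PHP's loose
 * string-to-number rules, which changed between PHP 7 and PHP 8.
 */
if (version_compare(PHP_VERSION, '5.5.0', '<')) {
    require_once("security/password.php");
}
// Development-only: error display must be off in production so that warnings
// (which may carry file paths or query text) never reach the browser.
ini_set('display_errors', 1);
require_once("class.database.php");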
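class Registration {
    private $username;
    private $email;
    // Holds the bcrypt hash once NewRegistration() has run; the plaintext is not kept.
    private $password;
    private $ipAddress;

    /**
     * Hashes the password, records the client IP address and stores the account
     * through Database::RegisterUser().
     *
     * @param string $username
     * @param string $email
     * @param string $password plaintext password as entered by the user
     * @return string status message returned by Database::RegisterUser()
     */
    public function NewRegistration($username, $email, $password) {
        $this->username = $username;
        $this->email = $email;
        $this->ipAddress = $this->GetIpAddress();
        // Only the hash is stored on the object; bcrypt embeds its own salt.
        $this->password = password_hash($password, PASSWORD_BCRYPT);
        $database = new Database;
        $database->OpenConnection();
        return $database->RegisterUser($this->username, $this->email, $this->password, $this->ipAddress);
    }

    /**
     * Returns the first candidate address that passes validation (well-formed IPv4/IPv6,
     * not in a private or reserved range), looking at the proxy headers first and
     * REMOTE_ADDR last.
     *
     * The HTTP_* entries are copied verbatim from request headers, so any client can
     * set them to an arbitrary value; the result is only as trustworthy as the proxy in
     * front of this server. Use it for logging, not for access decisions. REMOTE_ADDR is
     * the only entry filled in by the web server itself.
     *
     * @return string|null the address, or null when no candidate passes validation
     */
    private function GetIpAddress() {
        $keys = [
            'HTTP_CLIENT_IP',
            'HTTP_X_FORWARDED_FOR',
            'HTTP_X_FORWARDED',
            'HTTP_X_CLUSTER_CLIENT_IP',
            'HTTP_FORWARDED_FOR',
            'HTTP_FORWARDED',
            'REMOTE_ADDR',
        ];
        $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        foreach ($keys as $key) {
            if (!array_key_exists($key, $_SERVER)) {
                continue;
            }
            // Forwarded-for style headers carry a comma-separated chain of hops.
            foreach (explode(',', $_SERVER[$key]) as $candidate) {
                $candidate = trim($candidate);
                // Validate before returning; an unvalidated header value would otherwise
                // be written to the database as-is.
                if (filter_var($candidate, FILTER_VALIDATE_IP, $flags) !== false) {
                    return $candidate;
                }
            }
        }
        return null;
    }

    /**
     * Checks a plaintext password against the stored hash.
     *
     * @param string $plaintext defaults to the sample password DebugData() tests with
     * @return string 'Password correct' or 'Password incorrect'
     */
    private function ValidatePassword($plaintext = 'randompass') {
        return password_verify($plaintext, $this->password) ? 'Password correct' : 'Password incorrect';
    }

    /**
     * Prints the object's state, including the password hash. Debug aid only:
     * remove it (or the calls to it) before the code goes live.
     */
    public function DebugData() {
        echo 'Username: ' . $this->username . '<br/>';
        echo 'Password: ' . $this->password . '<br/>';
        echo 'IP: ' . $this->ipAddress . '<br/>';
        echo '::: ' . $this->ValidatePassword();
    }
}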
?>
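error_reporting(E_ALL);
/*
 * The functions password_hash and password_verify were introduced in PHP version 5.5
 * and will not run on a lower version. This check looks at your PHP version; if it is
 * lower than PHP 5.5 it includes a compatibility script.
 *
 * version_compare() is used rather than `phpversion() < 5.5`: phpversion() returns a
 * string such as "5.4.45", and comparing that with a float depends on PHP's loose
 * string-to-number rules, which changed between PHP 7 and PHP 8.
 */
if (version_compare(PHP_VERSION, '5.5.0', '<')) {
    require_once("security/password.php");
}
// Development-only: error display must be off in production so that warnings
// (which may carry file paths or query text) never reach the browser.
ini_set('display_errors', 1);
require_once("class.database.php");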
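class Registration {
    private $username;
    private $email;
    // Holds the bcrypt hash once NewRegistration() has run; the plaintext is not kept.
    private $password;
    private $ipAddress;

    /**
     * Hashes the password, records the client IP address and stores the account
     * through Database::RegisterUser().
     *
     * @param string $username
     * @param string $email
     * @param string $password plaintext password as entered by the user
     * @return string status message returned by Database::RegisterUser()
     */
    public function NewRegistration($username, $email, $password) {
        $this->username = $username;
        $this->email = $email;
        $this->ipAddress = $this->GetIpAddress();
        // Only the hash is stored on the object; bcrypt embeds its own salt.
        $this->password = password_hash($password, PASSWORD_BCRYPT);
        $database = new Database;
        $database->OpenConnection();
        return $database->RegisterUser($this->username, $this->email, $this->password, $this->ipAddress);
    }

    /**
     * Returns the first candidate address that passes validation (well-formed IPv4/IPv6,
     * not in a private or reserved range), looking at the proxy headers first and
     * REMOTE_ADDR last.
     *
     * The HTTP_* entries are copied verbatim from request headers, so any client can
     * set them to an arbitrary value; the result is only as trustworthy as the proxy in
     * front of this server. Use it for logging, not for access decisions. REMOTE_ADDR is
     * the only entry filled in by the web server itself.
     *
     * @return string|null the address, or null when no candidate passes validation
     */
    private function GetIpAddress() {
        $keys = [
            'HTTP_CLIENT_IP',
            'HTTP_X_FORWARDED_FOR',
            'HTTP_X_FORWARDED',
            'HTTP_X_CLUSTER_CLIENT_IP',
            'HTTP_FORWARDED_FOR',
            'HTTP_FORWARDED',
            'REMOTE_ADDR',
        ];
        $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        foreach ($keys as $key) {
            if (!array_key_exists($key, $_SERVER)) {
                continue;
            }
            // Forwarded-for style headers carry a comma-separated chain of hops.
            foreach (explode(',', $_SERVER[$key]) as $candidate) {
                $candidate = trim($candidate);
                // Validate before returning; an unvalidated header value would otherwise
                // be written to the database as-is.
                if (filter_var($candidate, FILTER_VALIDATE_IP, $flags) !== false) {
                    return $candidate;
                }
            }
        }
        return null;
    }

    /**
     * Checks a plaintext password against the stored hash.
     *
     * @param string $plaintext defaults to the sample password DebugData() tests with
     * @return string 'Password correct' or 'Password incorrect'
     */
    private function ValidatePassword($plaintext = 'randompass') {
        return password_verify($plaintext, $this->password) ? 'Password correct' : 'Password incorrect';
    }

    /**
     * Prints the object's state, including the password hash. Debug aid only:
     * remove it (or the calls to it) before the code goes live.
     */
    public function DebugData() {
        echo 'Username: ' . $this->username . '<br/>';
        echo 'Password: ' . $this->password . '<br/>';
        echo 'IP: ' . $this->ipAddress . '<br/>';
        echo '::: ' . $this->ValidatePassword();
    }
}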
?>
class.database.php
<?php
// Development-only error display; keep it off in production so that connection
// errors or query text are never shown to the browser.
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Expected to define the DB_* constants that Database::OpenConnection() uses.
// It contains credentials, so it belongs outside the web root or behind a
// web-server rule that refuses to serve it.
require_once("configuration/database_configuration.php");
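class Database {
    /** @var mysqli|null set by OpenConnection(), cleared again by CloseConnection() */
    protected $mysqli;

    /*
     * Open the connection with the database.
     * Stops the script on failure; on success prints a status line (debug output
     * while the front-end does not exist yet).
     */
    public function OpenConnection() {
        $this->mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        if ($this->mysqli->connect_error) {
            // connect_error can reveal host, user and network details: fine while
            // developing, but log it and show a generic message once this is live.
            die('Connection Error (' . $this->mysqli->connect_errno . ') ' . $this->mysqli->connect_error);
        }
        echo 'Connection Succeeded';
    }

    /*
     * Insert one user row.
     *
     * The values are bound as parameters of a prepared statement instead of being
     * escaped into the SQL text: they never become part of the query, so neither an
     * escaping mistake nor a connection-charset mismatch can turn them into SQL.
     *
     * @param string      $username
     * @param string      $email
     * @param string      $password  the bcrypt hash (Registration hashes before calling)
     * @param string|null $ipAddress stored as '' when null
     * @return string 'Register success' or 'Register failed: <driver error>'
     */
    public function RegisterUser($username, $email, $password, $ipAddress) {
        $query = 'INSERT INTO users (username, email, password, ip_address) VALUES (?, ?, ?, ?)';
        $statement = $this->mysqli->prepare($query);
        if ($statement === false) {
            // The statement text is not returned: it is an internal detail and the
            // caller echoes this string to the browser.
            return 'Register failed: ' . $this->mysqli->error;
        }
        // Keep the old semantics of storing an empty string when no IP was found.
        $ip = $ipAddress === null ? '' : (string) $ipAddress;
        $statement->bind_param('ssss', $username, $email, $password, $ip);
        $success = $statement->execute();
        $error = $statement->error;
        $statement->close();
        if ($success) {
            return 'Register success';
        }
        return 'Register failed: ' . $error;
    }

    /* Close the connection with the database */
    public function CloseConnection() {
        if ($this->mysqli) {
            $this->mysqli->close();
            // Drop the handle so a second call reports "does not exist" instead
            // of closing an already-closed link.
            $this->mysqli = null;
            echo 'Connection Closed';
        } else {
            echo 'Connection does not exist';
        }
    }
}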
?>
// Development-only error display; keep it off in production so that connection
// errors or query text are never shown to the browser.
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Expected to define the DB_* constants that Database::OpenConnection() uses.
// It contains credentials, so it belongs outside the web root or behind a
// web-server rule that refuses to serve it.
require_once("configuration/database_configuration.php");
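class Database {
    /** @var mysqli|null set by OpenConnection(), cleared again by CloseConnection() */
    protected $mysqli;

    /*
     * Open the connection with the database.
     * Stops the script on failure; on success prints a status line (debug output
     * while the front-end does not exist yet).
     */
    public function OpenConnection() {
        $this->mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        if ($this->mysqli->connect_error) {
            // connect_error can reveal host, user and network details: fine while
            // developing, but log it and show a generic message once this is live.
            die('Connection Error (' . $this->mysqli->connect_errno . ') ' . $this->mysqli->connect_error);
        }
        echo 'Connection Succeeded';
    }

    /*
     * Insert one user row.
     *
     * The values are bound as parameters of a prepared statement instead of being
     * escaped into the SQL text: they never become part of the query, so neither an
     * escaping mistake nor a connection-charset mismatch can turn them into SQL.
     *
     * @param string      $username
     * @param string      $email
     * @param string      $password  the bcrypt hash (Registration hashes before calling)
     * @param string|null $ipAddress stored as '' when null
     * @return string 'Register success' or 'Register failed: <driver error>'
     */
    public function RegisterUser($username, $email, $password, $ipAddress) {
        $query = 'INSERT INTO users (username, email, password, ip_address) VALUES (?, ?, ?, ?)';
        $statement = $this->mysqli->prepare($query);
        if ($statement === false) {
            // The statement text is not returned: it is an internal detail and the
            // caller echoes this string to the browser.
            return 'Register failed: ' . $this->mysqli->error;
        }
        // Keep the old semantics of storing an empty string when no IP was found.
        $ip = $ipAddress === null ? '' : (string) $ipAddress;
        $statement->bind_param('ssss', $username, $email, $password, $ip);
        $success = $statement->execute();
        $error = $statement->error;
        $statement->close();
        if ($success) {
            return 'Register success';
        }
        return 'Register failed: ' . $error;
    }

    /* Close the connection with the database */
    public function CloseConnection() {
        if ($this->mysqli) {
            $this->mysqli->close();
            // Drop the handle so a second call reports "does not exist" instead
            // of closing an already-closed link.
            $this->mysqli = null;
            echo 'Connection Closed';
        } else {
            echo 'Connection does not exist';
        }
    }
}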
?>
Gewijzigd op 20/12/2014 21:52:53 door Ernst Jacobs