我在php中编写了以下脚本的代码,因此android APP可以登录,获取信息并将数据保存在我们的网络托管中。 Android-App将Json发布到我的地址:
url:https://myserver123.com/api/login.php
脚本检查用户名和密码,该用户名和密码是SHA256哈希值,如果匹配,则将为用户将来在应用程序中的操作生成令牌。
问题
这是一种安全的方法吗?我是否缺少一些后门?还是我可以改善的东西?
login.php脚本:
<?php
$getJson = file_get_contents('php://input');
$j2 = json_decode($getJson, true);
if (count($j2)>0) {
if (isset($j2['user_name'])) {
$user_name=$j2['user_name'];
} else {
echo "MmMmMm... I think you're missing the user_name.";
exit();
}
if (isset($j2['pass'])) {
$pass=$j2['pass'];
} else {
echo "MmMmMm... I think you're missing the pass.";
exit();
}
require_once("../includes/db_connect.php");
$varDate =date("Y-m-d");
$varTime= date("H:i:s");
$link = mysqli_connect(DB_HOST, DB_USER, DB_PASS);
mysqli_select_db($link, DB_NAME);
mysqli_set_charset($link, "utf8");
$result = mysqli_query($link, 'SELECT user_id from users where active=1 and user_name="' .$user_name .'" and user_password="'.$pass.'"');
if ( mysqli_num_rows($result) > 0) {
while($row = mysqli_fetch_array($result)){
$user_id=$row[0];
}
$token = hash('sha256',$varTime);
$db_connection = new PDO('mysql:host='. DB_HOST .';dbname='. DB_NAME . ';charset=utf8', DB_USER, DB_PASS);
$query = $db_connection->prepare("UPDATE users
SET token = :user_token
WHERE user_id = :id");
$query->bindValue(":user_token", $token);
$query->bindValue(":id", $user_id);
$query->execute();
$response=[];
http_response_code(200);
$response['status']=200;
$response['status-msg']='OK.';
$response['token']=$token;
$response['user_id']=$user_id;
} else {
$response=[];
http_response_code(403);
$response['status']=403;
$response['status-msg']='Unmatching login data. Wrong or Inactive User.';
$response['data']='FAIL';
}
} else {
$response=[];
http_response_code(403);
$response['status']=403;
$response['status-msg']='No DATA.';
$response['data']='FAIL';
}
$json_response=json_encode($response, JSON_UNESCAPED_SLASHES);
echo $json_response;
是,使用bindValue方法足够安全但似乎您尝试连接数据库两次$link中的第一名$db_connection中的第二名祝你好运