Is Your PHP Verification Code (CAPTCHA) Secure? (PHP Tutorial)
CAPTCHAs mainly serve to prevent brute-force guessing, spam flooding and automated submission; I won't go into that here. They come in numeric and alphabetic types, and the fancier ones even use Chinese characters. But however strong your CAPTCHA is, if your form validation makes the following mistake, the CAPTCHA is as good as nonexistent.
The usual CAPTCHA design is this: every time the login page is loaded it requests a script that generates an image containing the code and writes that value into the session; when the form is submitted, the login-handling script checks whether the submitted code matches the one stored in the session.
The problem arises after a wrong password. If we do not request the image-generating script again and the code in the session has not been cleared, the expected code is still the same as last time, and the CAPTCHA mechanism you worked so hard to build is worthless.
Let's first look at some problematic code.
Login part (HTML form):
<tr>
<td>管理员姓名:</td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td>管理员密码:</td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td>验证码:</td>
<td><input type="text" name="captcha" onkeyup="pressCaptcha(this)" /></td>
</tr>
<tr>
<td colspan="2" align="right">
<img src="index.php?act=captcha&1628020115" width="145" height="20" alt="CAPTCHA" border="1" onclick="this.src='index.php?act=captcha&'+Math.random()" style="cursor: pointer;" title="看不清?点击更换另一个验证码。" />
</td>
</tr>
Verification part (PHP login handler):
<?php
/*------------------------------------------------------ */
//-- Verify login information
/*------------------------------------------------------ */
if ($_REQUEST['act'] == 'signin')
{
    include('../includes/cls_captcha.php');

    /* Check whether the verification code is correct */
    $validator = new captcha();
    if (!$validator->check_word($_POST['captcha']))
    {
        sys_msg($_LANG['captcha_error'], 1);
    }

    /* Check whether the password is correct */
    // NOTE: $_POST['username'] is interpolated into the SQL string as-is;
    // this code relies on the surrounding framework having escaped request
    // input before this point (an assumption, not something shown here).
    $sql = "SELECT user_id, user_name, password, action_list FROM " . $ecs->table('admin_user') .
           " WHERE user_name='$_POST[username]' AND password='" . md5($_POST['password']) . "'";
    $row = $db->GetRow($sql);

    if ($row)
    {
        // Login succeeded
        set_admin_session($row['user_id'], $row['user_name'], $row['action_list']);

        // Update last login time and IP
        $db->Execute("UPDATE " . $ecs->table('admin_user') .
                     " SET last_time='" . date('Y-m-d H:i:s', time()) . "', last_ip='" . real_ip() . "'" .
                     " WHERE user_id=$_SESSION[admin_id]") OR die($db->ErrorMsg());

        if (isset($_POST['remember']))
        {
            setcookie('ECSCP[admin_id]',   $row[0], time() + 3600 * 24 * 360);
            setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), time() + 3600 * 24 * 360);
        }

        header('location:./');
        exit;
    }
    else
    {
        // Wrong password: nothing here clears or regenerates the CAPTCHA
        // stored in the session, so the same code stays valid for the next
        // submission. This is the flaw the article is about.
        sys_msg($_LANG['login_faild'], 1);
    }
}
?>
The problem lies in the code above. After the password check fails, the verification code is not refreshed. So the login page can be loaded without its CAPTCHA image, the CAPTCHA page fetched once via its URL, and from then on only the username, the password and that single CAPTCHA value need to be submitted, which is exactly what brute-force guessing requires. The same mistake lets through spam flooding, vote rigging and so on. The screenshots below give a more intuitive picture.
[Figure: screenshot of the repeated login request reusing one CAPTCHA value; image not available]
Solution: refresh the verification code after a failed password check. For comment forms, message boards and similar pages, the code must also be refreshed after a successful submission. Security is like this: we always want our programs to be safer, but we usually stay inside conventional thinking and cannot step out of it, and that leaves many "unconventional" problems in our programs, call them "loopholes" or "defects"; in short, the program is not perfect. Beyond pointing out the problem above, I wrote this article hoping that everyone will act on it and re-examine their own programs from an "unconventional" angle. Post more of the small problems you had not noticed before, so that we can all improve together.
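The following is an added example, written for this page and not code from the original article or from ECShop, showing the fix the article recommends: the CAPTCHA value in the session is treated as single-use, so a submission that fails the password check (or any later step) cannot be retried with the code that was just solved. The session key `captcha_word`, the functions `captcha_new_word`, `captcha_check`, `find_admin` and `handle_signin`, and the constructed admin record are all assumptions made for this example; the check is done with `hash_equals` and passwords are compared with `password_verify`, both standard PHP functions.

```php
<?php
// Added example (not the article's or ECShop's code): consume-once CAPTCHA.
// Assumptions: session_start() has already been called; the image script
// stores the expected answer in $_SESSION['captcha_word'] (key assumed).

const CAPTCHA_SESSION_KEY = 'captcha_word';

// Called by the image script (index.php?act=captcha in the article): pick a
// fresh random word, store it in the session, and return it for rendering.
function captcha_new_word(int $length = 4): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O, 1/I confusion
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION[CAPTCHA_SESSION_KEY] = $word;
    return $word;
}

// Consume-once check: the stored value is removed BEFORE the comparison, so
// whatever happens afterwards (wrong password, exception, redirect) the same
// code can never be accepted a second time. The client must load a new image
// for every attempt.
function captcha_check(string $submitted): bool
{
    $expected = $_SESSION[CAPTCHA_SESSION_KEY] ?? null;
    unset($_SESSION[CAPTCHA_SESSION_KEY]);

    if ($expected === null || $submitted === '') {
        return false;
    }
    // Constant-time comparison; case-insensitive like most CAPTCHAs.
    return hash_equals(strtoupper($expected), strtoupper($submitted));
}

// Constructed stand-in for the admin_user table lookup (not a real table).
function find_admin(string $username, string $password): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'admin' => [
                'user_id' => 1,
                'hash'    => password_hash('correct horse battery', PASSWORD_DEFAULT),
            ],
        ];
    }
    $u = $users[$username] ?? null;
    return ($u !== null && password_verify($password, $u['hash'])) ? $u : null;
}

// Login handler in the same order as the article's code, returning a status
// string instead of calling sys_msg()/header() so it is easy to exercise.
function handle_signin(array $post): string
{
    if (!captcha_check($post['captcha'] ?? '')) {
        return 'captcha_error';
    }

    $row = find_admin($post['username'] ?? '', $post['password'] ?? '');
    if ($row === null) {
        // The CAPTCHA was already consumed above: a second POST carrying the
        // same captcha value is rejected at captcha_check() before the
        // password is even looked at.
        return 'login_failed';
    }

    $_SESSION['admin_id'] = $row['user_id'];
    return 'ok';
}

// Walk-through with the page flow described in the article.
session_start();
$word = captcha_new_word();
echo handle_signin(['username' => 'admin', 'password' => 'wrong', 'captcha' => $word]), "\n"; // login_failed
echo handle_signin(['username' => 'admin', 'password' => 'wrong', 'captcha' => $word]), "\n"; // captcha_error
$word = captcha_new_word();
echo handle_signin(['username' => 'admin', 'password' => 'correct horse battery', 'captcha' => $word]), "\n"; // ok
```

The same `captcha_check` serves a comment or message form: because the value is cleared on every check, a successful post also invalidates the code, which is the second case the article mentions. Generating a fresh word only when the image is requested, rather than inside the check, keeps the rule simple: every form submission costs one image load.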
Source: http://www.bkjia.com/PHPjc/317687.html