The login web page of my website is not secure, whenever typing a username or password on the login page in firefox I get a dialog box saying this : The connection is not secure. Logins entered here could be compromised. Should I try prepared statements, or is there another issue? Sorry this is a broad question, but I'm not all too familiar with web security.
Here's my login page code:
<?php
include("connect.php");
include('PHPMailer/PHPMailer-master/examples/gmail_xoauth.phps');
if (isset($_POST['createaccount'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
if (!connect::query('SELECT username FROM accounts WHERE username=:username', array(':username'=>$username))) {
if (strlen($username) >= 3 && strlen($username) <= 32) {
if (preg_match('/[a-zA-Z0-9_]+/', $username)) {
if (strlen($password) >= 6 && strlen($password) <= 60) {
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
if (!connect::query('SELECT email FROM accounts WHERE email=:email', array(':email'=>$email))) {
connect::query('INSERT INTO accounts VALUES (null, :username, :password, :email, \'0\')', array(':username'=>$username, ':password'=>password_hash($password, PASSWORD_BCRYPT), ':email'=>$email));
gmail_xoauth::sendMail('Welcome to the Website!', 'Your account has been created!', $email);
echo "<h3 class = 'errmessage'>Success!</h3>";
} else {
echo '<h3 class = "errmessage">Email already in use!</h3>';
}
} else {
echo '<h3 class = "errmessage">Invalid email!</h3>';
}
} else {
echo '<h3 class = "errmessage">Invalid password, at least 6 characters!</h3>';
}
} else {
echo '<h3 class = "errmessage">Invalid username, at least 3 characters</h3>';
}
} else {
echo '<h3 class = "errmessage">Invalid username</h3>';
}
} else {
echo '<h3 class = "errmessage">User already exists!</h3>';
}
}
if (isset($_POST['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
if (connect::query('SELECT username FROM accounts WHERE username=:username', array(':username'=>$username))) {
if (password_verify($password, connect::query('SELECT password FROM accounts WHERE username=:username', array(':username'=>$username))[0]['password'])) {
$cstrong = True;
$token = bin2hex(openssl_random_pseudo_bytes(64, $cstrong));
$user_id = connect::query('SELECT id FROM accounts WHERE username=:username', array(':username'=>$username))[0]['id'];
connect::query('INSERT INTO users VALUES (null, :token, :user_id)', array(':token'=>sha1($token), ':user_id'=>$user_id));
setcookie("SNID", $token, time() + 60 * 60 * 24 * 7, '/', NULL, NULL, TRUE);
setcookie("SNID_", '1', time() + 60 * 60 * 24 * 3, '/', NULL, NULL, TRUE);
setcookie("username", $username, time()+3600);
header("Location: home.php");
} else {
echo '<h3 class = "errmessage">Incorrect Password!Try again</h3><br><br><br>';
}
} else {
echo '<h3 class = "errmessage">User not registered!Try again</h3><br><br><br>';
}
}
?>
Here's the connect.php file:
<?php
class connect
{
private static function db()
{
$pdo = new PDO('mysql:host=localhost;dbname=database_name;charset = utf8','username','password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
return $pdo;
}
public static function query($query,$params = array())
{
$statement = self :: db()->prepare($query);
$statement->execute($params);
if(explode(' ',$query)[0] == 'SELECT')
{
$data = $statement->fetchAll();
return $data;
}
}
}
?>
Aucun commentaire:
Enregistrer un commentaire