# 2019/10/15

* Below is a login authentication page. Explain why it is insecure.

```php=
<?php
$user = "";
$pass = "";
if ($_POST['username']!=$user || $_POST['password']!=$pass) {
    header("Location: http://abc.com/login");
}
?>
<h1>歡迎來到管理員介面</h1>
```

1. The PHP code after `header()` is still executed, so an `exit` must follow the `header()` call.

```php=
<?php
$user = "";
$pass = "";
if ($_POST['username']!=$user || $_POST['password']!=$pass) {
    header("Location: http://abc.com/login");
    exit;
}
?>
<h1>歡迎來到管理員介面</h1>
```

2. There are ways to make the `header()` redirect fail, for example: a space between `Location` and the `:` (compare `header('Location:'.$url);`); any output sent before the header, including `echo`, error messages printed to the screen, and whatever output the `include`d files produce.

* Which line of code must be called before using sessions: `session_start()`
* Think about modifying __ so that the server creates the file `/tmp/sess_flag`

![](https://i.imgur.com/olivjVf.png)

* Screenshot proving completion: Cookies

![](https://i.imgur.com/1owKD8F.png)
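As an added example (not the note's own code), here is the login handler rewritten the way the points above ask for: the redirect is immediately followed by `exit`, `headers_sent()` is checked so that a failed redirect never serves the admin page, `session_start()` runs before `$_SESSION` is touched, and `session.use_strict_mode` stops PHP from creating a session file for an ID it did not issue itself (the mechanism behind the `/tmp/sess_flag` exercise, since session files are named `sess_<id>` under `session.save_path`). The account name `admin`, the relative `/login` redirect target and the demo password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Reject session IDs that PHP did not issue itself, so a client cannot decide
// which sess_* file is created under session.save_path (e.g. /tmp).
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
// session_start() must run before any read or write of $_SESSION, and before output.
session_start();

const ADMIN_USER = 'admin'; // hypothetical account name for this example

// Constructed demo value: a real application stores only the hash, never the password.
$adminPassHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

/**
 * Returns true only when both username and password match.
 * hash_equals() and password_verify() compare in constant time.
 */
function credentialsValid(array $post, string $user, string $passHash): bool
{
    $u = (string)($post['username'] ?? '');
    $p = (string)($post['password'] ?? '');
    $userOk = hash_equals($user, $u);
    $passOk = password_verify($p, $passHash);
    return $userOk && $passOk;
}

/**
 * Sends the redirect and stops the script. Without exit, everything after
 * header() still runs and the protected body is sent to the client together
 * with the Location header, which is the flaw in the original page.
 */
function redirectAndStop(string $url): void
{
    if (headers_sent()) {
        // Output (echo, a warning, whitespace before <?php) already went out, so
        // a Location header cannot be added. Stopping here still keeps the
        // protected body from being served.
        exit('Redirect failed');
    }
    header('Location: ' . $url, true, 302);
    exit;
}

if (empty($_SESSION['admin'])) {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !credentialsValid($_POST, ADMIN_USER, $adminPassHash)) {
        redirectAndStop('/login'); // assumed login page path
    }
    // Successful login: issue a fresh session ID so a pre-login ID is not reused.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
}
?>
<h1>歡迎來到管理員介面</h1>
```

The order matters: the `ini_set()` calls only take effect if they run before `session_start()`, and `session_start()` itself must run before any output, otherwise the session cookie header cannot be sent either.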