Is it secure?

不.我看到一些问题:

1)首先，存在一个XSS漏洞.当您像这样回显$_SERVER['PHP_SELF']时，需要使用htmlspecialchars()对其进行转义.如果您不这样做，则攻击者可以制作链接，单击该链接将窃取会话cookie，该会话cookie可用于在没有用户名和密码的情况下登录. 请参阅: PHP_SELF和XSS

1) First of all there is an XSS vulnerability. When you echo $_SERVER['PHP_SELF'] like that, it needs to be escaped with htmlspecialchars(). If you don't do this, an attacker can craft link which when clicked, will steal session cookies which can be used to become logged in without a username and password. See: PHP_SELF and XSS

2)GetSQLValueString有问题.如果mysql_real_escape_string()不存在，它将回退到mysql_escape_string().您永远不应退回到mysql_escape_string().如果mysql_real_escape_string()不可用，并且您依靠它来避免SQL注入，则您的应用程序应停止. 在知道数据类型之前，该函数还会对数据进行转义.如果您使用的是intval()，floatval()，doubleval()，则无需先执行mysql_real_escape_string().

2) GetSQLValueString has problems. It is falling back to mysql_escape_string() if mysql_real_escape_string() does not exist. You should never fall back to mysql_escape_string(). If mysql_real_escape_string() is not available and you're relying on it to avoid SQL Injection, your application should stop. This function is also doing an escape on the data, before it knows what datatype it is. If you're using intval(), floatval(), doubleval(), you don't need to do a mysql_real_escape_string() first.

我建议将其更改为使用MySQLi或PDO参数化查询，这些查询将自动为您处理转义.

I suggest changing this to use MySQLi or PDO parameterised queries which will automatically handle the escaping for you.

MySQLi: http://php.net/manual/en/mysqli.prepare .php PDO: http://us2.php.net/manual/en/book. pdo.php

MySQLi: http://php.net/manual/en/mysqli.prepare.php PDO: http://us2.php.net/manual/en/book.pdo.php

3)成功登录后，似乎正在尝试(但失败)重定向到上一页.除非您对URL进行了硬编码或已经验证了用户提供的URL，否则切勿重定向.如果不这样做，则很容易受到公开重定向/网络钓鱼的攻击. 看来有人可能试图通过在if处添加false来解决此问题:if (isset($_SESSION['PrevUrl']) && false) {，该语句永远不会评估为true，因此毫无意义地保留它.

3) It appears to be trying (and failing) to redirect to the previous page on successful login. You should never redirect unless you have hardcoded the URL or you have validated the user supplied URL, if you don't do this you could be vulnerable to open redirect/phishing attacks. It looks like someone might have tried to fix this by adding false to the if here: if (isset($_SESSION['PrevUrl']) && false) {, this statement will never evaluate to true and so it is pointless keeping it.

4).看看这一行:

$LoginRS = mysql_query($LoginRS__query, $ecs) or die(mysql_error());

如果执行此查询时出现任何MySQL错误，则应用程序将打印出完整的MySQL错误，然后停止.这对尝试执行SQL Injection攻击的任何人都将非常有帮助.即使您已经确保使用SQL注入，这仍然会告诉您数据库结构的各个方面. 您应该使用trigger_error()或执行自己的错误日志记录，但切勿在生产/实时/公共系统中向用户显示该错误.

If there is any MySQL error when this query executes, the application is going to print out the full MySQL error and then stop. This will be extremely helpful to anyone trying to perform SQL Injection attacks. Even if you've secured for SQL Injection, this is still going to tell the world parts of your database structure. You should use trigger_error() or do your own error logging, but never show it to the user in a production/live/public system.

5).最后，可以在登录/注销表单上执行XSRF攻击.提交诸如登录/注销之类的操作时，应使用反XSRF令牌. 请参阅: http://en.wikipedia.org/wiki/Cross-site_request_forgery

5). Finally, it is possible to perform XSRF attacks on the login/out form. You should use an anti-XSRF token when submitting actions like login/logout. See: http://en.wikipedia.org/wiki/Cross-site_request_forgery