Witam, chciałbym się dowiedzieć czy skrypt logowania jest odpowiednio bezpieczny. Proszę o Ewentualne uwagi co można byłoby poprawić lub zmienić.
<?php
session_start();
if (!isset($_POST['login']) && (!isset($_POST['password']))) {
header("Location: ../log-in");
exit();
} else {
require_once("connect.php");
mysqli_report(MYSQLI_REPORT_STRICT);
try {
$connect = @new mysqli($host, $db_user, $db_password, $db_name);
if ($connect->connect_errno) {
throw @new Exception($connect->error);
} else {
$login = $_POST['login'];
$login = filter_var($login, FILTER_SANITIZE_STRING);
$password = $_POST['password'];
$password = hash('sha512', $password);
if ($stmt = mysqli_prepare($connect, "SELECT id FROM users WHERE login=? AND password=?")) {
$params = array("$login","$password");
mysqli_stmt_bind_param($stmt, "ss", $login, $password);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id);
mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);
if (isset($id)) {
$_SESSION['log_in'] = true;
header("Location: ../user-acc");
} else {
$_SESSION['log_in_error'] = "błedne dane logowania";
header("Location: ../log-in");
}
} else {
throw @new Exception($connect->error);
}
mysqli_close($connect);
}
} catch(Exception $error) {
echo $error;
}
}
?>