这个php脚本是否可以安全地在我的网站中使用？

I want to protect some content in my site with a password and I am thinking in using this php script

Do you think is a good way to go?

Do you know something better for this task or a way to improve ( if needed) thin one ?

The code to load the content from the database is :

<?php


error_reporting(0);
include("config.php");


if (!isset($_REQUEST["p"])) {

    echo 'document.write("<div id=\"protected_'.intval($_REQUEST["id"]).'\">");';
    echo 'document.write("<form onsubmit=\'return LoadContent(\"'.intval($_REQUEST["id"]).'\",\"protected_'.intval($_REQUEST["id"]).'\",document.getElementById(\"pass_'.intval($_REQUEST["id"]).'\").value); return false;\'\"><input type=\'password\' size=\'30\' placeholder=\'Content is protected! Enter password.\' id=\"pass_'.intval($_REQUEST["id"]).'\"></form>");';
    echo 'document.write("</div>");';

} else {

    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE `id`='".intval($_REQUEST["id"])."' AND password='".mysql_real_escape_string($_REQUEST["p"])."'";
    $sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);

    if (mysql_num_rows($sql_result)==1) {
        $row = mysql_fetch_assoc($sql_result);
        echo $row["content"];
    } else {
        echo 'Wrong password';  
    }

}

?>   

As I said in comments, you shouldn't be spending anymore time with what you downloaded since it's old and not safe.

You may be saving passwords in plain text which is definitely not a good idea.

• It's time to step into the 21st century.

The mysql_ API is in deprecation and has been deleted from PHP 7.0 entirely.

You are best to use a prepared statement and password_hash() or the compatibility pack.

Here are a few references:

• http://php.net/manual/en/book.password.php
• http://php.net/manual/en/function.password-hash.php
• http://php.net/manual/en/pdo.prepared-statements.php
• http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

N.B. The use of mysql_real_escape_string() does not fully guarantee protection against a possible SQL injection.

Consult the following Q&A on the subject:

• SQL injection that gets around mysql_real_escape_string()

Here is a piece of code pulled from one or ircmaxell's answers which uses a (PDO) prepared statement and password_hash().

Pulled from: https://stackoverflow.com/a/29778421/1415724

Just use a library. Seriously. They exist for a reason.

• PHP 5.5+: use password_hash()
• PHP 5.3.7+: use password-compat (a compatibility pack for above)
• All others: use phpass

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}