我正在为我的网站开发一个PHP脚本,它自己的网站正在运行。我遇到的问题是网站上的注册是用于纯文本密码。显然这是非常弱的安全性。我希望有人可以帮助我转换它,以便我可以使用哈希密码。 我已经包含了我认为重要的部分注册码。我没有在页面上包含所有代码,因为我认为它不相关,但如果有人认为它会有所帮助,我会提供。
require 'include.inc';
if ($signup) {
if ($signup[repassword] != $signup[password]) {
$err_msg = "Your passwords do not match.";
error($err_msg);
}
if(!preg_match("^[_\.0-9a-z-]+$/i^", $str)) {
$msg = 'Invalid Username! Usernames can consist of letters and numbers only';
}
if(!preg_match("^[_\.0-9a-z-]+$^",$signup[password])) {
$err_msg = "Invalid Password! Passwords can consist of letters and numbers only.";
}
if(!$signup[password] || !$signup[username] || !$signup[email] || !$signup[username])
$err_msg = "Oops! You forgot some important fields!";
if (!$err_msg) {
$usercheck = @mysql_query("INSERT INTO user values(
'NULL','$signup[fname]','$signup[lname]',
'$signup[username]','$signup[password]','$signup[email]', 1, ".$pointInc.", '$signup[referral]', NOW(), 'n', 'y')");
// done, you are entered correctly, Now Enter the points and URL info
$sql = "Select id from user where username='$signup[username]'";
$result = mysql_query( $sql );
if ( $result != false )
{
while ( $data = mysql_fetch_assoc( $result ) )
{
$point_set = $data['id'];
}
} else {
echo mysql_error();
}
// add rerral points
if ($signup[referral]) {
$referralSql="UPDATE points SET points=points+ ".$refPoints . " WHERE userid=".$signup[referral];
$result = mysql_query( $referralSql );
if ( $result != false )
{
} else {
echo mysql_error();
}
}
// add URL
$sql="INSERT INTO url_table ( userid, website, active, datechanged) VALUES ($point_set,'".$signup[site_url]."','n', '".date("Ymd")."')";
$result = mysql_query( $sql );
if ( $result != false )
{
} else {
echo mysql_error();
}
// add points
$sql="INSERT INTO points (userid, username, points) VALUES ($point_set,' ',$signPoints)";
$result = mysql_query( $sql );
if ( $result != false )
{
} else {
echo mysql_error();
}
}
echo mysql_errno().": ".mysql_error()."<br>";
if (!$usercheck) {
$err_msg = "Database error:<br>There was an error entering your account.<br>It is possible that username or Email already exists, please try another one.<br>";
} else {
include ("reg.php");
exit;
}
}
if (!$err_msg) {
// done, you are entered correctly
}
pageHeader($title, $bgColor, $styleSheet);
?>
答案 0 :(得分:2)
基本原则很简单:
1。当用户注册时,不要存储明文密码,而是hash(password)
。
$query = $pdoObject->prepare('INSERT INTO users (UserName, Password) VALUES (:u, :p)');
$query->bindParam(':u', $_POST['username']);
$query->bindParam(':p', hash($_POST['password']));
// Note that we don't store the password, we store the hash of the password. Once this script is done executing, no one involved in the website (except for the original user) will know that the password is
$query->execute();
2。当用户尝试登录时,使用存储在用户数据库中的哈希计算输入密码的哈希值。如果两个哈希匹配,则密码正确。
$query = $pdoObject->prepare('SELECT * FROM users WHERE UserName = :u AND Password = :p');
$query->bindParam(':u', $_POST['username']);
$query->bindParam(':p', hash($_POST['password']));
// We locate the original user by searching for the hash of the password that they typed in
理论如此之多。您应该考虑的一些实际问题:
hash()
函数)是否有可用的散列算法。SQL Injection
的攻击。如果您不这样做,那么用户可以通过输入撇号('
)等字符来搞乱您的网站。答案 1 :(得分:0)
您可以使用md5函数为密码创建哈希,例如:
$password = '12345';
$password = md5($password);
您将此哈希值保存在数据库中,当您检查登录用户和密码时,请执行此操作
$post['password'] = md5($post['password']);
并检查是否等于数据库中保存的哈希值。 我知道md5不是最好的哈希,但很简单并具有良好的安全性
答案 2 :(得分:0)
使用crypt
进行散列密码。
答案 3 :(得分:-1)
将md5用于http://php.net/manual/en/function.md5.php
同时查找uniqid http://php.net/manual/en/function.uniqid.php
在数据库中以纯文本格式存储密码始终是一种不好的做法。检查另一个问题: What are the best practices to encrypt passwords stored in MySql using PhP?
答案 4 :(得分:-1)
有些意见认为md5或SHA-1不易破解,试着给它们加盐..搜索一下。