我想确保我的用户是安全的。我已经搜索了最近3个小时创建这个系统,但老实说我不确定。你能看一下这段代码,看看我是否在任何地方泄露了用户数据?回声用于调试目的。
class remember {
public static $cookieSeperator = ' | ';
public function generate() {
global $conn;
global $random;
$userID = $_SESSION['user_id'];
$bytes = 24; //192 bit
//Random generation code
$token = $random->generateId('users', 'user_rtoken'); //Same as $prehash, but checks if there is a token already like this in the database
$prehash = bin2hex(openssl_random_pseudo_bytes($bytes));
$hash = hash('sha256', $prehash);
echo $token . "<br />";
echo $prehash . "<br />";
echo $hash . "<br />";
if (isset($_COOKIE['user_remember'])) {
echo $_COOKIE['user_remember'];
}
//Cookie Code
setcookie('user_remember', $token . self::$cookieSeperator . $prehash, time()+(86400*30)); //86400 = 1
//DB code
$sql = "UPDATE users SET user_rtoken='$token', user_rhash='$hash' WHERE user_id='$userID';";
$result = mysqli_query($conn, $sql);
}
public function check() {
global $conn;
if (isset($_COOKIE['user_remember'])) {
$cookie = explode(self::$cookieSeperator, $_COOKIE['user_remember']);
$token = $cookie[0];
$validator = $cookie[1];
$sql = "SELECT user_rtoken,user_rhash FROM users WHERE user_rtoken='$token'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck > 0) {
if ($row = mysqli_fetch_assoc($result)) {
if (hash('sha256', $cookie[1]) === $row['user_rhash']) {
echo '0w0';
}
}
}
}
}
}