我有一个 Codeigniter 应用程序,它是我公司用来发送给员工的旧电话目录的扩展。因此,对于想要打印出来的人,他们让我创建了一种“打印”方法,它比简单的 HTML 到纸张更强大。该应用程序让用户下载 PDF。但是,他们也不希望 PDF 易于阅读,因此他们让我使用用户密码保护 PDF。这一切在可怕的安全世界中运行良好(将原始密码存储在数据库中)......
现在虽然我已经实现了 PHPass 来散列所有密码,但这破坏了 PDF 生成部分。在 Codeigniter 中使用$this->pdf->SetProtection时,我唯一可以传入的是哈希。这当然与下载 PDF 后用户尝试输入的内容不匹配。
在检查 PDF 中提供的内容之前,有没有人成功地修改了 PDF 处理密码的方式?到目前为止,我想出的唯一解决方案是要求他们在下载之前再次输入密码,但我真的很想避免这个额外的步骤。如果您需要更多继续,请告诉我。谢谢!
What you are trying to do is impossible. The purpose of hashing is to prevent exactly what you are doing. Hashes are a one-way algorithm meaning that once the password has been hashed by PHPass you can't obtain the original password without a dictionary attack or a hash table.
There are a few alternatives however to allow you to implement this, all with varying levels of security.
New Password
The most secure is as you said to have the user enter a new password when they download the PDF which is passed to TCPDF.
Cache the Password
Another alternative which is slightly less secure is to cache the user's plain-text password in the Codeigniter or PHP session on login. You can then use the password stored in the session later on when you need to add a password to the PDF. Personally I would use the PHP session and not Codeigniter because Codeigniter stores its session userdata in a plain-text json array in the sessions table of the database while PHP does not.
function loginHasCompleted() { $_SESSION['password'] = $_POST['password']; }
Encrypt the Password
You can also encrypt the password in the database instead of hashing it. By encrypting it with something like AES-256, you can decrypt the password again to use it in the PDF generation. This does pose some security concerns however because if an attacker obtained the AES key used to encrypt the passwords said attacker would be able to decrypt all of the passwords as if they were plain text. It's more secure than plain-text passwords as the attacker would need to obtain both the database and the hard coded key in the source code, but it is still a concern.