0

我有这段 html 代码:

<form action="register.php" method="post">
       Email: <input type="text" name="email" /><br />
       Username: <input type="text" name="username" /><br />
       Password: <input type="password" name="p" id="password" /><br />
       <input type="button" value="Register" onclick="formhash(this.form, this.form.password);" />
</form>

按下注册按钮后,将调用加密并立即加密密码。我认为这将是一种非常好的和安全的方法,但是我似乎无法检查名为“p”的 passworld 字段是否为空,因为如果用户在注册时将该字段留空,则加密会加密空字段,因此它不再是空的。我需要一种方法来检查用户是否将“p”字段留空,因为不可能使用 0 个字符创建密码。

我知道这个问题可以通过 javascript 解决,但是我需要一种安全的方法来检查该字段是否为空,因此我想获得一个 PHP 解决方案。

register.php:

<script type="text/javascript" src="sha512.js"></script>
<script type="text/javascript" src="forms.js"></script>

<?php
include 'db_connect.php';

//Just to check that the p field is encrypted already at this point. 
echo $_POST['p'];

// The username
$username = $_POST['username'];
// The email
$email = $_POST['email'];
// The hashed password from the form
$password = $_POST['p']; 
// Create a random salt
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password (Careful not to over season)
$password = hash('sha512', $password.$random_salt);

// Add your insert to database script here. 
// Make sure you use prepared statements!
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt) VALUES (?, ?, ?, ?)")) {    
   $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); 
   // Execute the prepared query.
   $insert_stmt->execute();
}
?>
4

2 回答 2

3

如果有人监控您的流量,他们仍然可以获得该密码。它只是从原始字符串更改为哈希。这不是安全功能!

如果您担心有人截取数据,请使用 https。

删除您的客户端哈希:

<form action="register.php" method="post">
       Email: <input type="text" name="email" /><br />
       Username: <input type="text" name="username" /><br />
       Password: <input type="password" name="p" id="password" /><br />
       <input type="submit" name="submit" value="Register" />
</form>

注意:password_hash 是 PHP 5.5 中的新功能,如果您的版本较旧,请尝试此用户空间实现

将您的 PHP 代码更改为:

<?php
include 'db_connect.php';

if (!isset($_POST['p']) || (10 > strlen($_POST['p']))) {
    //password too short!
}

if (!isset($_POST['username']) || (3 > strlen($_POST['username']))) {
    //username too short!
}

// The username
$username = $_POST['username'];
// The email
$email = $_POST['email']
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    //not a valid email (mostly)
}
// The unaltered password from the form
$password = $_POST['p']; 

// Create salted password (Careful not to over season)
$password = password_hash($password, PASSWORD_BCRYPT);

// Add your insert to database script here. 
// Make sure you use prepared statements!
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password) VALUES (?, ?, ?)")) {    
   $insert_stmt->bind_param('sss', $username, $email, $password); 
   // Execute the prepared query.
   $insert_stmt->execute();
}

使用它来验证登录/身份验证的密码:

password_verify($password, $passwordFromDb)
于 2013-09-30T18:20:57.437 回答
0

有一个javascript函数在点击注册按钮时验证表单:

使用它来检查密码字段是否有任何输入:

if (document.getElementById('Password').value.length!=0) {
   //encrypt and submit form
} else {
   //return to form and display error to user
}

旁注,始终使用 SSL 提交密码,强制用户在发送之前对其密码进行哈希处理,然后再次对其进行哈希处理可能会过度,并且不会阻止任何人在攻击中重用密码或哈希值。

于 2013-09-30T18:20:22.087 回答