0

我正在寻找一种简单(或尽可能简单)但安全的方法,用于在将用户密码提交到数据库然后从数据库中检索时对其进行散列和加盐处理。在过去 3 个小时的研究中,实际上有数百种不同的方法,每个人都会说是最好的方法。

我正在寻找一种相对简单的方法来保证用户帐户的安全。显然,安全一词可以有不同的解释,但我只是希望它至少对于潜在的黑客(或任何你称之为悲伤的人)来说很难获得对用户帐户的访问权限。

我很感激我至少应该尝试一些事情,但对于我的目的来说,它们似乎都如此复杂且过于安全。

我尝试使用password_hash(),但似乎我正在运行比 5.5 更早的 PHP 版本。我知道下面的代码存在问题,但这只是我正在从事的个人项目的起点,以便更好地学习 PHP。

目前的登记表

$username = $_POST['username'];
$password = $_POST['password'];

try {   

    $result = $db->prepare("INSERT INTO 
                            user_info 
                            SET 
                            username = :user,
                            pass = :pass
                            ");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $password);
    $result->execute();
}

catch (Exception $e) {
    echo "Could not create username";
}

if (isset($_POST['submit'])) { 
    foreach ($_POST as $field) {
        if (empty($field)) {
            $fail = true;
        }
        else {
            $continue = false;
        }
    }
    if ($field == $fail) {
        echo "You must enter a username and/or password";
    }
    else {
        echo "Your account has been successfully created.";
    }
     }

登录逻辑

$username = $_POST['username'];          
$password = $_POST['password'];

try {   

    $result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $password);
    $result->execute();
    $rows = $result->fetch(PDO::FETCH_NUM);
}

catch (Exception $e) {
    echo "Could not retrieve data from database";
    exit();
}

if ($password = $rows) {
    session_start();
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['loggedin'] = true;
    include("inc/redirect.php");

} else {
    if (isset($_POST['login'])) {
        echo "Username or password incorrect (passwords are case sensitive)";
    }
}
4

4 回答 4

1

Use sha1 function http://www.php.net/manual/en/function.sha1.php

It's really simple. Pass the password in input parameter then save it in the database.

When you want to check if password is correct you just have to compare the sha1(password) with the stored value.

Example :

$passwordEncrypted = sha1($password)

save $passwordEncrypted in your database

When the user want to login :

check this condition :

if (sha1($password) ==$passwordEncrypted )

Here is the complete code :

$username = $_POST['username'];

$password = $_POST['password'];
$passwordEncrypted = sha1($password) 

    try {   

        $result = $db->prepare("INSERT INTO 
                                user_info 
                                SET 
                                username = :user,
                                pass = :pass
                                ");
        $result->bindParam(':user', $username);
        $result->bindParam(':pass', $passwordEncrypted);
        $result->execute();
    }

    catch (Exception $e) {
        echo "Could not create username";
    }

    if (isset($_POST['submit'])) { 
        foreach ($_POST as $field) {
            if (empty($field)) {
                $fail = true;
            }
            else {
                $continue = false;
            }
        }
        if ($field == $fail) {
            echo "You must enter a username and/or password";
        }
        else {
            echo "Your account has been successfully created.";
        }
         }
于 2014-06-25T22:34:59.160 回答
0

使用password_hash()您走在正确的轨道上。对于 PHP 版本 5.3.7 - 5.5,您可以使用兼容性包,稍后当您切换到较新的 PHP 版本时,您只需从项目中删除此 php 文件,代码仍将运行。

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

即使对于低于 5.3.7 的 PHP 版本,您也可以使用兼容包‌​。您只需编辑第 55 行并将算法从 更改sprintf("$2y$%02d$", $cost);sprintf("$2a$%02d$", $cost);。这当然不是最佳的,但对于 5.3 和 5.3.7 之间的 PHP,这是您可以做的最好的。

SHA* 或 MD5 等其他算法的问题在于,它们的速度太快了。使用普通硬件可以每秒计算大约3 Giga SHA-1 ,这使得暴力破解太容易了。要测试整个英语词典,您只需要几分之一毫秒。这就是为什么人们应该使用像 BCrypt 或 PBKDF2 这样具有成本因子的哈希算法,它们允许控制计算单个哈希的必要时间。

于 2014-06-26T07:11:11.463 回答
0

看这个问题:

https://stackoverflow.com/questions/3897434/password-security-sha1-sha256-or-sha512

您可以使用hash函数 http://www.php.net/manual/en/function.hash.php

于 2014-06-25T22:29:19.420 回答
0

使用 salt 和 sha256 加密算法

<?php
// create user
$password = $_POST['password'];
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$pass = hash("sha256", $salt.$password.$salt);
// save salt and password hash into database

// to validate user
// 1 - get salt and password hash from database
// 2 - prepend and append salt to the posted password
// 3 - encrypt with the same algorithm
// 4 - compare with stored password hash.
于 2014-06-25T22:33:47.213 回答