PDO registration and login password matching

Time: 2014-03-07 13:58:15

Tags: php login passwords salt crypt

OK.. so to start, I only have PHP 5.3, so I can't use bcrypt. I'm not familiar with salts, but if someone can help me I'm completely willing to do it that way. I also want to know whether this script is bad for SQL injection or not. My biggest problem is that when I use something like crypt and try to get my passwords to match, they don't. I've been working on this for several days and can't seem to find the right way to solve my problem. The code isn't finished yet, but it runs. I'm just doing this on WAMP, so I don't know if that's a problem? But I can't imagine it is.

Register.php

            if ((strlen($username)) < 6 || (preg_match("/[^\w-.]/", $username)) ) {
                header('Location: Register.php?fail=1');
                die();
            }
            if ((strlen($password)) < 8) {
                header('Location: Register.php?fail=2');
                die();
            }
            if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                header('Location: Register.php?fail=3');
                die();
            }

            /*
            TRIED METHODS
        $salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
        $salt = base64_encode($salt);
        $salt = str_replace('+', '.', $salt);
        $hash = crypt('rasmuslerdorf', '$2y$10$'.$salt.'$');

        $password = $hash;
        echo "<script>alert('$password');</script>";



            $salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
            $digest = crypt($password, $salt);

            if (crypt($password, $digest) == $digest){
                    echo "<script>alert('logged in');</script>";
            }else{
                header('Location: Login.php?fail=3');
                die();
            }


        */

        //PDO CONNECTION
        function pdo_connect() {
            try {
                $db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
                return $db;
            } catch (PDOException $e) {
                //echo $e->getMessage();
                //return false;
                header('Location: Register.php?fail=6');
            }
        }

        //CHECK IF USERNAME EXISTS
        function usernameCheck($username) {
            $con = pdo_connect();
            $ustmt = $con->prepare("SELECT u_users FROM users WHERE u_users = :name");
            $ustmt->bindParam(':name', $username);
            $ustmt->execute();
            if($ustmt->rowCount() > 0){
                header('Location: Register.php?fail=4');
                die();
            } 
            $con = null;    
        }
        echo usernameCheck($username);

        //CHECK IF EMAIL EXISTS
        function emailCheck($email) {
            $con = pdo_connect();
            $estmt = $con->prepare("SELECT u_email FROM users WHERE u_email = :name");
            $estmt->bindParam(':name', $email);
            $estmt->execute();

            if($estmt->rowCount() > 0){
                header('Location: Register.php?fail=5');
                die();
            } 
            $con = null;
        }
        echo emailCheck($email);

        //INSERT EMAIL TO NEWSLETTER
        function emailnewsletterCheck($email) {
            $con = pdo_connect();
            $nstmt = $con->prepare("SELECT n_email FROM newsletter WHERE n_email = :email");
            $nstmt->bindParam(':email', $email);
            $nstmt->execute();

            if($nstmt->rowCount() < 1){
                $addstmt = $con->prepare('INSERT INTO newsletter (n_email) VALUES (:email)');
                $addstmt->bindParam(':email', $email);
                $addstmt->execute();
            } 
            $con = null;
        }
        echo emailnewsletterCheck($email);

        //INSERT
        function insert($username,$password,$email,$type) {  
            $con = pdo_connect();
            $password = md5($password);
            $istmt = $con->prepare('INSERT INTO users (u_users, u_private, u_email, u_type) VALUES (:username, :password, :email, :type)');
            $istmt->execute(array(
                ':username' => $username,
                ':password' => $password,
                ':email' => $email,
                ':type' => $type
                ));
            $con = null;
            header('Location: Login.php?success=1');
        }   
        echo insert($username,$password,$email,$type);

        }//end submit               
        ?>

        <?php
        $page_title = "NS : Web Development : Register";
        $page_desc = "Register with us for great deals on website development.";
        $services = 0;
        include_once 'header.php';
        ?>

        <script type="text/javascript">
        // This function checks if the username field is at least 6 characters long.
        function checkUsernameForLength(whatYouTyped) {
            var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
            var txt = whatYouTyped.value;
            if (txt.length > 5) {
                $("span.hint").hide();
            }
        }
        // This function checks if the password field is at least 8 characters long.
        function checkPassword(whatYouTyped) {
            var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
            var txt = whatYouTyped.value;
            if (txt.length > 7) {
                $("span.hint").hide();
            }
        }
        // This function checks the email address blah@blah.blah
        function checkEmail(whatYouTyped) {
            var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
            var txt = whatYouTyped.value;
            if (/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(txt)) {
                $("span.hint").hide();
            } 
        }
        // this part is for the form field hints to display
        // only on the condition that the text input has focus.otherwise, it stays hidden.
        function addLoadEvent(func) {
          var oldonload = window.onload;
          if (typeof window.onload != 'function') {
            window.onload = func;
          } else {
            window.onload = function() {
              oldonload();
              func();
            }
          }
        }
        function prepareInputsForHints() {
          var inputs = document.getElementsByTagName("input");
          for (var i=0; i<inputs.length; i++){
            inputs[i].onfocus = function () {
              this.parentNode.getElementsByTagName("span")[0].style.display = "inline";
            }
            inputs[i].onblur = function () {
              this.parentNode.getElementsByTagName("span")[0].style.display = "none";
            }
          }
        }
        addLoadEvent(prepareInputsForHints);
        </script>


        <div class="jumbotron">
        <div class="container">

        <h1>Register for <font color="fb1576">great</font> opportunities</h1>
        <p>Get full quotes, package <font color="fb1576">deals</font>, news and updates on the latest themes and scripts, and even <font color="fb1576">win</font> free prizes<font color="fb1576">!</font>

        </div>
        </div>
        <div class="container">

        <!-- row of columns -->
        <div class="row">

        <?php
        if ( isset($_GET['fail']) && $_GET['fail'] == 1 ){
            echo "<div class='alert alert-danger'>Username must be at least 6 characters in length and can only contain characters matching (a-z) (A-Z) (0-9) and '_' Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 2 ){
            echo "<div class='alert alert-danger'>Password must be at least 8 characters in length and cannot exceed 25.  Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 3 ){
            echo "<div class='alert alert-danger'>E-mail is not valid. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 4 ){
            echo "<div class='alert alert-danger'>Username you chose already exists. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 5 ){
            echo "<div class='alert alert-danger'>E-mail you entered is already in use. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 6 ){
            echo "<div class='alert alert-danger'>Something went wrong, we couldn't submit your registration. Please try again later. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        ?>

        <form name="basicform" id="basicform" method="POST">

        <fieldset>
        <div class="input-group">
            <label for="username">Choose a Username:</label><br>
            <input type="text" id="username" name="username" onkeyup="checkUsernameForLength(this);" required class="form-control" maxlength="25" pattern=".{6,}"/>
            <span class="hint">Usernames must be a least 6 characters in length and cannot exceed 25. Characters must match (a-z) (A-Z) (0-9) and '_'</span>
        </div>
        </fieldset>

        <fieldset>
        <div class="input-group">
            <label for="password">Enter a password:</label><br>
            <input type="password" id="password" name="password" onkeyup="checkPassword(this);" required class="form-control" maxlength="25" pattern=".{7,}"/>
            <span class="hint">The password can be any combination of <strong>characters</strong>, and must be at least 8 characters in length and cannot exceed 25.</span>
        </div>
        </fieldset>

        <fieldset>
        <div class="input-group">
            <label for="email">Enter your email address:</label><br>
            <input type="text" id="email" name="email" onkeyup="checkEmail(this);" required class="form-control" maxlength="30" />
            <span class="hint">Please enter your real email address (ie: you@emailprovider.com)</span>
        </div>
        </fieldset>

        <fieldset>
        <label for="type">Pick your position of registration:</label><br>
        <select name="type">
        <option name="type" value="Client">I am a client looking for work to be done</option>
        <option name="type" value="Employer">I am an employer looking for a potential hire</option>
        <option name="type" value="Employee">I am an employee looking to be hired</option>
        </select>
        </fieldset>

        <fieldset>
        <button type="submit" class="btn btn-primary" name="submit" value="submit">Register Now</button>
        </fieldset>

        </form>

        </div>
        <!-- //row of columns -->
        <?php
        include_once 'footer.php';
        ?>

Login.php

            $username = $_POST['username'];
            $password = $_POST['password'];

            //before we even bother connecting to the db start validating
            if ( (empty($username)) || (empty($password)) ) {
                header('Location: Login.php?fail=1');
                die();
            }
            if ( ((strlen($username)) >25) || ((strlen($password)) >25) ) {
                header('Location: Login.php?fail=2');
                die();
            }
            if ( (preg_match("/[^\w-.]/", $username)) ) {
                header('Location: Login.php?fail=3');
                die();
            }

            /*

            TRIED METHODS
        $salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
        $salt = base64_encode($salt);
        $salt = str_replace('+', '.', $salt);
        $hash = crypt('rasmuslerdorf', '$2y$10$'.$salt.'$');

        $password = $hash;
        echo "<script>alert('$password');</script>";



            $salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
            $digest = crypt($password, $salt);

            if (crypt($password, $digest) == $digest){
                    echo "<script>alert('logged in');</script>";
            }else{
                header('Location: Login.php?fail=3');
                die();
            }


        */


        //PDO CONNECTION
        function pdo_connect() {
            try {
                $db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
                return $db;
            } catch (PDOException $e) {
                //echo $e->getMessage();
                //return false;
                header('Location: Register.php?fail=6');
            }
        }

        //CHECK IF USERNAME EXISTS
        function checkLogin($username,$password) {
            $con = pdo_connect();
                //$getlogin = $con->query
                $getlogin = $con->prepare("SELECT u_users,u_private FROM users WHERE u_users = :username AND u_private = :password");
                $getlogin->bindValue(':username', $username, PDO::PARAM_STR);
                $getlogin->bindValue(':password', $password, PDO::PARAM_STR);
                $getlogin->execute();

            if($getlogin->rowCount() > 0){
            echo "<script>alert('yes');</script>";
            } 
            $con = null;    
        }
        echo checkLogin($username,$password);
        echo "<script>alert('success');</script>";
        }


        ?>

        <?php
        $page_title = "NS : Web Development : Register";
        $page_desc = "Register with us for great deals on website development.";
        $services = 0;
        include_once 'header.php';
        ?>

        <div class="jumbotron">
        <div class="container">

        <h1><font color="fb1576">Members</font> log in</h1>
        <p> Not yet a member? <a href="Register.php"><font color="fb1576">Sign up today!</font></a>

        </div>
        </div>
        <div class="container">


        <?php
        if ( isset($_GET['success']) && $_GET['success'] == 1 ){
            echo "<div class='alert alert-success'>Registration successful. Please log in.</div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 1 ){
            echo "<div class='alert alert-danger'>Username or Password cannot be left blank.</div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 2 ){
            echo "<div class='alert alert-danger'>Sorry, this is not a valid Username or Password.</div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 3 ){
            echo "<div class='alert alert-danger'>Username or Password incorrect, please try again.</div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 5 ){
            echo "<div class='alert alert-danger'>E-mail you entered is already in use. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
        }
        if ( isset($_GET['fail']) && $_GET['fail'] == 6 ){
            echo "<div class='alert alert-danger'>Something went wrong. Please try again later. </div>";
        }
        ?>

        <form class="form-signin" role="form" method="POST">
        <h2 class="form-signin-heading">Please sign in</h2>

        <p>
        <input type="text" class="form-control" placeholder="Username" name="username" required autofocus>
        </p>
        <br>
        <p>
        <input type="password" class="form-control" placeholder="Password" name="password" required>
        </p>

        <label class="checkbox">
        <input type="checkbox" value="remember-me"> Remember me
        </label>

        <button class="btn btn-lg btn-primary btn-block" type="submit" name="submit" value="submit">Sign in</button>

        </form>



        <?php
        include_once 'footer.php';
        ?>

I really need to get this working so that it's secure for my server when it launches and can log users in safely.

1 answer:

Answer 0: (score: 0)

With PHP version 5.3 you can, and should, use BCrypt.

For PHP 5.5 and above, the new password functions password_hash() and password_verify() are recommended:

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

For PHP 5.3.7 and above there is a compatibility pack, so you can use the functions above in exactly the same way.

For PHP versions earlier than 5.3.7 you can use the compatibility pack and change the crypt parameter from "$2y$%02d$" to "$2a$%02d$"; this also produces BCrypt hashes. This is the best you can do with older versions, and when you update to a newer PHP version the hashes remain compatible.


If you want to verify a password, you cannot do this directly in the SQL statement. In a first step you have to fetch the stored password hash from the database (using the username); then you can use this hash in the function password_verify(). The password_verify() function needs to extract the salt from the stored hash.
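The two-step flow the answer describes (store a bcrypt hash at registration, fetch the stored hash by username at login, then compare in PHP), written out against the asker's table layout. This is an added example, not the asker's or the answerer's code; it assumes PHP 5.5+, or 5.3.7+ with the password_compat pack loaded, and the placeholder DSN and credentials shown.

```php
<?php
// Added example: bcrypt registration and login with PDO.
// Assumes users(u_users, u_private, u_email, u_type) as in the question,
// with u_private widened to at least VARCHAR(60): a bcrypt hash is 60 chars,
// so an md5-sized CHAR(32) column would silently truncate it.

function pdo_connect() {
    // Placeholder DSN/credentials; exceptions let callers decide how to fail.
    $db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Registration: hash once, store the whole hash string. The salt and cost
// factor are embedded in it, so no separate salt column is needed.
function registerUser(PDO $con, $username, $password, $email, $type) {
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    $stmt = $con->prepare('INSERT INTO users (u_users, u_private, u_email, u_type)
                           VALUES (:u, :p, :e, :t)');
    $stmt->execute(array(':u' => $username, ':p' => $hash,
                         ':e' => $email, ':t' => $type));
}

// Login: select by username only, then verify in PHP. The password must not
// appear in the WHERE clause, because every user's hash has a different salt
// and the same password never hashes to the same string twice.
function checkLogin(PDO $con, $username, $password) {
    $stmt = $con->prepare('SELECT u_private FROM users WHERE u_users = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a constructed dummy hash so the
        // response time does not reveal which usernames exist.
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return false;
    }
    return password_verify($password, $row['u_private']);
}

// Usage from the form handler: redirect on failure instead of echoing alerts.
if (isset($_POST['submit'], $_POST['username'], $_POST['password'])) {
    $con = pdo_connect();
    if (!checkLogin($con, $_POST['username'], $_POST['password'])) {
        header('Location: Login.php?fail=3');
        die();
    }
    // Authenticated: start the session here.
}
```

With the compatibility pack on PHP 5.3.7+, password_hash() and password_verify() are drop-in, so nothing above changes; only the stored hash prefix ($2y$ versus $2a$) differs on the older crypt path the answer mentions.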