Question

我还在学习php，而且我遇到了一个我找不到的错误。所以我有一个简单的表格，上面有电子邮件和密码。我使用随机盐键和sha512对密码进行哈希处理，并且密码位于变量“p”后面。

这是html代码：

    <form action="includes/process_login.php" method="post" name="login_form">
        <input placeholder="Email address" type="text" name="email" id="email">
        <input placeholder="Password" type="password" name="password" id="password">
        <button class="button" onclick="formhash(this.form, this.form.password);">Login</button>
    </form>

好的，这是带有函数的js文件：

function formhash(form, password) {
// Create a new element input, this will be our hashed password field. 
var p = document.createElement("input");

// Add the new element to our form. 
form.appendChild(p);
p.name = "p";
p.type = "hidden";
p.value = hex_sha512(password.value);

// Make sure the plaintext password doesn't get sent. 
password.value = "";

// Finally submit the form. 
form.submit();
}

我在这里有查询：

function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible. 
if ($stmt = $mysqli->prepare("SELECT id, password, salt 
    FROM users
   WHERE email = ?
    LIMIT 1")) {
    $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
    $stmt->execute();    // Execute the prepared query.
    $stmt->store_result();

    // get variables from result.
    $stmt->bind_result($user_id, $db_password, $salt);
    $stmt->fetch();

    // hash the password with the unique salt.
    $password = hash('sha512', $password . $salt);

process_login.php文件：

if (isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p']; // The hashed password.

    if (login($email, $password, $mysqli) == false) {
        // Login success 
        header('Location: ../desk.php');
    } else {
        // Login failed 
        header('Location: ../index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page. 
    echo 'Invalid Request';
}

我认为错误是在process_login.php文件中的某个地方，但我找不到它。对我来说一切似乎都很好，但当我尝试使用一些现有凭证登录时，我看到：“无效请求”，这意味着变量没有发送，这对我来说是一个谜......为什么......

Answer 1

我建议不要使用javascript哈希密码，因为javascript正在客户端执行。因此用户可以操纵输入！

我建议用php（服务器端）散列密码。也许使用md5或其他内容。删除表单中的onClick事件：

<form action="includes/process_login.php" method="post" name="login_form">
    <input placeholder="Email address" type="text" name="email" id="email">
    <input placeholder="Password" type="password" name="password" id="password">
    <button class="button" type="submit">Login</button>
</form>

之后，您只需删除javascript函数formhash即可。然后你必须改变PHP脚本：

<强> process_login.php

if (isset($_POST['email'], $_POST['password'])) {
    $email = $_POST['email'];
    $password = hash('sha512', $_POST['password']); // The hashed password (sha512)

    if (login($email, $password, $mysqli) == false) {
        // Login success 
        header('Location: ../desk.php');
    } else {
        // Login failed 
        header('Location: ../index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page. 
    echo 'Invalid Request';
}

Answer 2

您严重滥用哈希函数。当您的函数发送密码哈希时，此哈希有效地成为密码。这是你通过在传输之前散列密码来实现 nothing 。

如果您需要安全登录表单，则应使用TLS（HTTPS）加密与站点的通信。

另一种选择是Secure remote password，但这实在太复杂了。

登录页面，无法正常工作

2 个答案: