我还在学习php,而且我遇到了一个我找不到的错误。 所以我有一个简单的表格,上面有电子邮件和密码。我使用随机盐键和sha512对密码进行哈希处理,并且密码位于变量“p”后面。
这是html代码:
<form action="includes/process_login.php" method="post" name="login_form">
<input placeholder="Email address" type="text" name="email" id="email">
<input placeholder="Password" type="password" name="password" id="password">
<button class="button" onclick="formhash(this.form, this.form.password);">Login</button>
</form>
好的,这是带有函数的js文件:
function formhash(form, password) {
// Create a new element input, this will be our hashed password field.
var p = document.createElement("input");
// Add the new element to our form.
form.appendChild(p);
p.name = "p";
p.type = "hidden";
p.value = hex_sha512(password.value);
// Make sure the plaintext password doesn't get sent.
password.value = "";
// Finally submit the form.
form.submit();
}
我在这里有查询:
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, password, salt
FROM users
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
process_login.php文件:
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == false) {
// Login success
header('Location: ../desk.php');
} else {
// Login failed
header('Location: ../index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
我认为错误是在process_login.php文件中的某个地方,但我找不到它。对我来说一切似乎都很好,但当我尝试使用一些现有凭证登录时,我看到:“无效请求”,这意味着变量没有发送,这对我来说是一个谜......为什么......
答案 0 :(得分:0)
我建议不要使用javascript哈希密码,因为javascript正在客户端执行。因此用户可以操纵输入!
我建议用php(服务器端)散列密码。也许使用md5
或其他内容。
删除表单中的onClick
事件:
<form action="includes/process_login.php" method="post" name="login_form">
<input placeholder="Email address" type="text" name="email" id="email">
<input placeholder="Password" type="password" name="password" id="password">
<button class="button" type="submit">Login</button>
</form>
之后,您只需删除javascript函数formhash
即可。
然后你必须改变PHP脚本:
<强> process_login.php 强>
if (isset($_POST['email'], $_POST['password'])) {
$email = $_POST['email'];
$password = hash('sha512', $_POST['password']); // The hashed password (sha512)
if (login($email, $password, $mysqli) == false) {
// Login success
header('Location: ../desk.php');
} else {
// Login failed
header('Location: ../index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
答案 1 :(得分:0)
您严重滥用哈希函数。当您的函数发送密码哈希时,此哈希有效地成为密码。这是你通过在传输之前散列密码来实现 nothing 。
如果您需要安全登录表单,则应使用TLS(HTTPS)加密与站点的通信。
另一种选择是Secure remote password,但这实在太复杂了。