I want to encrypt the password and confirm-password fields on the client side, and once they have travelled over the network to the server side they should be decrypted back into their original form.
Below is the code of the JavaScript file (enc.js) I wrote, which encrypts the data on the client side. I am unable to decrypt it on the server side.
$(document).ready(function()
{
    $("#login_submit").click(
        function()
        {
            var password = $("#password").val();
            // first hash of the plaintext password
            var pass = CryptoJS.MD5(password).toString();
            // per-page salt from the hidden #salt field of register.php
            var q = $("#salt").val();
            var encp = CryptoJS.MD5(q + pass).toString();
            // overwrite the field, so md5(salt + md5(password)) is what gets posted
            $("#password").attr('value', encp);
        });
});
The code above works fine, but I need some help decrypting, on the server side, the data that was encrypted on the client side with CryptoJS.MD5().
Below is the client-side webpage code (register.php)
<?PHP
session_start();
session_regenerate_id(true);
if(!isset($_SESSION['user']))
{
header("location:../login/log.php");
}
else if(($_SESSION['user']) != "admin")
{
echo "<br><br>";
header( "refresh:3; url=nopage.php" );
echo "<center>Access Denied</center>";
echo "<center><a href='nopage.php'>Back</a></center>";
}
else
{
require_once("./include/membersite_config.php");
include_once "../validation/Validator.php";
require("../connection123.php");
$protocol = strpos(strtolower($_SERVER['SERVER_PROTOCOL']),'https') === FALSE ? 'http' : 'https';
$host = $_SERVER['HTTP_HOST'];
$script = $_SERVER['SCRIPT_NAME'];
$params = $_SERVER['QUERY_STRING'];
$currentUrl = $protocol . '://' . $host . $script . '?' . $params;
$v = new Validator(); // must be instantiated before valHeader() is called
$head = $v->valHeader($currentUrl);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<meta http-equiv="Cache-Control" content="no-store"/>
<meta http-equiv="Cache-Control" content="must-revalidate"/>
<meta http-equiv="Cache-Control" content="private"/>
<meta http-equiv="Cache-Control" content="pre-check=0"/>
<meta http-equiv="Cache-Control" content="post-check=0"/>
<meta http-equiv="Cache-Control" content="max-stale=0"/>
<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Expires" content="Mon, 26 Jul 1997 05:00:00 GMT"/>
<link rel="STYLESHEET" type="text/css" href="style/fg_membersite.css" />
<script type='text/javascript' src='scripts/gen_validatorv31.js'></script>
<link rel="STYLESHEET" type="text/css" href="style/pwdwidget.css" />
<script src="scripts/pwdwidget.js" type="text/javascript"></script>
<script type="text/javascript">
window.history.forward();
function noBack(){window.history.forward()}
noBack();
window.onload=noBack;
window.onpageshow=function(evt){if(evt.persisted)noBack()}
window.onunload=function(){void(0)}
</script>
<script type="text/javascript" language="javascript" src="../js/jquery-1.8.3.js"></script>
<script type="text/javascript" language="javascript" src="../js/jquery_md5.js"></script>
<script type="text/javascript" language="javascript" src="../js/md5.js"></script>
<script type="text/javascript" language="javascript" src="../js/enc.js"></script>
</head>
<body bgcolor="#FFFFCC">
<?php
$current_url = $_SERVER['REMOTE_ADDR'].$_SERVER['PHP_SELF'];
$v=new validator();
error_reporting(0);
$url=$_SERVER['HTTP_REFERER'];
$headerAdd=$v->valHeader($url);
$salt = substr(md5(uniqid(rand(), true)), 0, 32);
?>
<div align="left">
<table width="1214" border="0">
<tr>
<td width="867"><a href='login-home.php'>Back</a></td>
<?php
// make a random id
$_SESSION["token"] = md5(uniqid(mt_rand(), true));
echo '<td width="331"><a href="logout.php?csrf=' . $_SESSION["token"] . '">Logout</a></td>';
?>
</tr>
</table>
</div>
<?php
$token= md5(uniqid());
$_SESSION['delete_customer_token']= $token;
session_write_close();
?>
<br /><br />
<!-- Form Code Start -->
<div id='fg_membersite'>
<form id='register' name='register' action='afterregister.php' method='post' accept-charset='UTF-8'>
<fieldset >
<legend>Register New Account Here</legend>
<div class='short_explanation'>* Required fields</div>
<div><span class='error'><?php echo $fgmembersite->GetErrorMessage(); ?>
</span></div>
<div class='container'>
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="hidden" name="registeracct" value="Register Account" />
<label for='name' >Your Full Name*: </label><br/>
<input type='text' name='name' id='name' value='' maxlength="30" autocomplete="off" /><br/>
<span id='register_name_errorloc' class='error'></span>
</div>
<div class='container'>
<label for='username' >UserName*:</label><br/>
<input type='text' name='username' id='username' value='' maxlength="30" autocomplete="off"/><font color='#FF0000'>[Only letters without space]</font>
<input id="salt" type="hidden" name="salt" maxlength="50" value="<?php echo $salt; ?>"/>
<br/>
<span id='register_username_errorloc' class='error'></span>
</div>
<div class='container' style='height:80px;'>
<label for='email' >Email id*:</label><br/>
<input type='text' name='email' id='email' value='' maxlength="300" autocomplete="off"/><br/>
<label for='password' >Password*:</label><br/>
<div class='pwdwidgetdiv' id='thepwddiv' ></div>
<noscript>
<input type='password' name='password' id='password' maxlength="30" autocomplete="off" />
</noscript>
<div id='register_password_errorloc' class='error' style='clear:both'></div>
<label for='cnpwd' >Confirm Password*:</label><br/>
<div class='pwdwidgetdiv' id='cnfpwddiv' ></div>
<noscript>
<input type='password' name='cnpwd' id='cnpwd' maxlength="30" autocomplete="off" />
</noscript>
<div id='register_cnpwd_errorloc' class='error' style='clear:both'></div>
<br/>
</div><br/>
<br/>
<br/>
<br/>
<div class='container'>
<input type="submit" id="login_submit" name="Submit" value="Submit" />
</div>
</fieldset>
</form>
<script type='text/javascript'>
// <![CDATA[
var pwdwidget = new PasswordWidget('thepwddiv','password');
pwdwidget.MakePWDWidget();
var pwdwidget = new PasswordWidget('cnfpwddiv','cnpwd');
pwdwidget.enableGenerate = false;
pwdwidget.MakePWDWidget();
var frmvalidator = new Validator("register");
frmvalidator.EnableOnPageErrorDisplay();
frmvalidator.EnableMsgsTogether();
frmvalidator.addValidation("name","req","Please provide your name");
frmvalidator.addValidation("username","req","Please provide a username");
frmvalidator.addValidation("email","req","Please provide a email-id");
frmvalidator.addValidation("password","req","Please provide a password");
frmvalidator.addValidation("cnpwd","req","Please re-enter password");
// ]]>
</script>
</body>
</html>
<?php
}
?>
Below is the server-side code (afterregister.php)
<?php
session_start();
session_regenerate_id(true);
$s_id=session_id();//PHPSESSID
error_reporting(0);
require("../connection123.php");
include_once "../validation/Validator.php";
include_once "../validation/val.php";
$v=new Validator();
if(mysqli_connect_errno())
{
echo "Connection Failed: " . mysqli_connect_errno();
exit();
}
$array=array('token','registeracct','name','username','salt','email','password','cnpwd','Submit');
$n=$v->array_equal($_POST,$array);
if($n!=0){
$redirect="../nopage.php";
die('<script type="text/javascript">window.location.href="' . $redirect . '";</script>');
}
$ip="";
if (!empty($_SERVER['HTTP_CLIENT_IP'])) { // ip from shared internet (client-supplied header, can be spoofed)
    $ip1 = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { // ip passed from a proxy (also client-supplied)
    $ip1 = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip1 = $_SERVER['REMOTE_ADDR'];
}
// validate whichever value was picked, not only REMOTE_ADDR, and stop after redirecting
if (filter_var($ip1, FILTER_VALIDATE_IP)) {
    $ip = $ip1;
} else {
    header("location:../nopage.php");
    exit();
}
$formname="";
if(isset($_POST['registeracct']))
{
$formname= $_POST['registeracct'];
}
$token = $_SESSION['delete_customer_token'];
unset($_SESSION['delete_customer_token']);
session_write_close();
//echo $formname;
$stmt = $mysqli -> prepare("SELECT logindt FROM tblaudit ORDER BY logindt DESC LIMIT 1");
$stmt-> execute();
$stmt->store_result();
$stmt-> bind_result($result1);
$login="";
if($stmt->fetch())
{
$login=$result1;
}
//echo $login;
//echo $ip;
$name1=$v->validateSQLInjectionlogin($_POST['name']);
$name2=$v->xss_protect($name1);
$name=$v->validf_name($name2);
//echo $name;
/** if($name==""){
$redirect="../nopage.php";
die('<script type="text/javascript">window.location.href="' . $redirect . '";</script>');
}**/
$name1=$v->validateSQLInjectionlogin($_POST['username']);
$usernamee=$v->xss_protect($name1);
$username=$v->validf_name($usernamee);
//echo $username;
$salt1=$v->validateSQLInjectionlogin($_POST['salt']);
$salt=$v->xss_protect($salt1);
$email="";
if(isset($_POST['email']))
{
$email= $_POST['email'];
}
//echo $email;
$name1=$v->validateSQLInjection($_POST['password']);
$password=$v->xss_protect($name1);
//$pass=md5($salt . md5($password));
// $_POST['password'] already arrives as md5($salt . md5(password)) from enc.js,
// so this stores a hash of that value; MD5 is one-way and cannot be reversed here.
$pass=md5($password);
//echo $pass;
$cnfpwd1=$v->validateSQLInjection($_POST['cnpwd']);
$cnfpwd=$v->xss_protect($cnfpwd1);
//echo $cnfpwd;
$no='no';
$confirmcode = 'y';
$stmt1 = $mysqli -> prepare("SELECT distinct username FROM users WHERE username=?");
$stmt1->bind_param("s", $username);
$stmt1->execute();
$stmt1->store_result();
$stmt1-> bind_result($result2);
$stmt5 = $mysqli -> prepare("SELECT distinct email FROM users WHERE email=?");
$stmt5->bind_param("s", $email);
$stmt5-> execute();
$stmt5->store_result();
$stmt5->bind_result($result3);
/** if($formname=="" or $name=="" or $username=="" or $salt=="" or $password=="" or $cnfpwd=="" )
{
$redirect="../nopage.php";
die('<script type="text/javascript">window.location.href="' . $redirect . '";</script>');
}**/
if ($token && isset($_POST['token']) && $_POST['token'] === $token)
{
if($stmt1->fetch())
{
echo "<br><br>";
echo "<center>Username already exists. Please provide a unique username</center>";
echo "<center><a href='register.php'>Back</a></center>";
$stmt1->close();
}
else if (strlen($username) < 5 OR strlen($username) > 20)
{
echo "<br><br>";
echo "<center>Username should be within 5-20 characters long.</center>";
echo "<center><a href='register.php'>Back</a></center>";
}
elseif(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i", $email))
{
echo "<br><br>";
echo "<center>Enter a valid Email-id.</center>";
echo "<center><a href='register.php'>Back</a></center>";
}
elseif($stmt5->fetch())
{
echo "<br><br>";
echo "<center>Email-id already exists. Please provide a unique email-id</center>";
echo "<center><a href='register.php'>Back</a></center>";
$stmt5->close();
}
else if (!preg_match('/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[0-9a-zA-Z]{8,}$/', $password))
{
echo "<br><br>";
echo "<center>Password should contain minimum 8 characters, atleast an uppercase letter, a lowercase letter and a number.</center>";
echo "<center><a href='register.php'>Back</a></center>";
}
else if($password != $cnfpwd)
{
echo "<br><br>";
echo "<center>Confirm password not matched!</center>";
echo "<center><a href='register.php'>Back</a></center>";
}
else
{
$stmt2 = $mysqli->prepare("insert into users(name,username,email,password,confirmcode,locked) values(?,?,?,?,?,?)");
$stmt2->bind_param('ssssss',$name,$username,$email,$pass,$confirmcode,$no);
$stmt2->execute();
$stmt3=$mysqli->prepare("insert into session(id,username,salt,session_id) values(?,?,?,?)");
$stmt3->bind_param('ssss',$ip,$username,$salt,$s_id);
$stmt3->execute();
// create the audit trail
//$stmt4 = $mysqli->prepare("insert into tblaudit (uID,editor,formname,whenpost,ip) values(?,?,?,NOW(),?)");
//$stmt4->bind_param('ssss',$userid,$editor,$formname,$ip);
//$stmt4->execute();
$stmt4=$mysqli->prepare("update tblaudit set formname=?, whenpost= NOW() where logindt=?");
$stmt4->bind_param('ss',$formname,$login);
$stmt4->execute();
include "thank-you-regd.html";
$stmt2->close();
$stmt3->close();
$stmt4->close();
$mysqli->close();
}
}
else
{
echo "unable to register a new account";
}
?>
Answer 0 (score: 0)
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and intact.
However, you can create your own (useless) encryption, but I recommend you use SSL.
Encryption types: https://support.microsoft.com/en-us/kb/246071
Asymmetric encryption - Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
Symmetric encryption - This is two related keys - a key pair. A public key is made freely available to anyone who might want to send you a message. The second, private key is kept secret, so that only you know it.
Asymmetric and symmetric encryption work together to create SSL encryption so that the client can communicate with the server.
It is strongly recommended that you do not try to reinvent the wheel; use SSL. Any encryption you write on the client side is easily broken, because JavaScript is readable.
MD5 (Message-Digest Algorithm) - a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications and is also commonly used to verify data integrity.
Hashing & encryption are completely different terms. Hashing is one-way; there may be several alternative patterns that match. Encryption can be decrypted with the key. Read more here: http://www.securityinnovationeurope.com/blog/whats-the-difference-between-hashing-and-encrypting
Javascript - is a high-level, dynamic, untyped and interpreted programming language. It has been standardized in the ECMAScript language specification.
JavaScript is not meant to manage security. JavaScript is mainly used for DOM (Document Object Model) manipulation & some other related operations. Although, there are indeed some features beyond the scope of the DOM.
Answer 1 (score: 0)
Unfortunately, client-side JavaScript source code is wide open for everyone to view and inspect. You just right-click and press "View Source..." or use Firebug or something.
Also, every insecure http request (over http rather than https = ssl) is sent as a readable, unencrypted string that can be monitored from other devices in the network.
The above two mean you actually shouldn't MD5 your user + pass in client JS before sending them to the server, because it really doesn't matter: the user can view your JS source anyway and deduce your salt and the arrangement of the string to be hashed. So it doesn't matter if you send user + password without any encryption.
For easy encryption, I suggest you buy an SSL plan from a hosting company (such as godaddy) and make sure it is installed for you. Then all it takes is navigating to your site over https.