I'm looking for some help or advice on best practices for updating a password system. I previously built a login system in PHP (before I really knew what I was doing), and all it does is encrypt the password with sha1, which I know is neither secure nor good practice.
So basically, on a successful login, all it does is
$password = sha1($password1);
I would like to use another method I used recently, which uses the CRYPT_BLOWFISH function, like so:
function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
        //echo "WE HAVE CRYPT BLOWFISH YAYA";
        //bcrypt salt: the $2y$ prefix, cost 11, then 22 characters from the ./A-Za-z0-9 alphabet
        //(the hex digits that md5() returns are all in that alphabet, so this is a valid salt)
        $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password_1, $salt);
    }//End If
    //Without bcrypt there is nothing safe to fall back to, so fail loudly instead of returning null
    throw new RuntimeException('CRYPT_BLOWFISH is not available on this PHP build');
}//End Function generateHash
When registering, I encrypt the password:
$password_1 = $_POST['password_1'];
//Hash the password
$password = generateHash($password_1);
Then at login I use
//$entered_password is the bcrypt hash stored for this user; it carries its own salt,
//so crypt() re-hashes the submitted password with that salt
$hashed_password = crypt($password_1, $entered_password);
if(!hash_equals($entered_password, $hashed_password)){
    $error['password'] = 'The password or username you entered is incorrect.';
}else{
    //Your Good to Go!
}
I have a lot of users and would like to make the change seamlessly, or at least with very little impact on them. Is that even possible without them noticing the change? Any help or advice is greatly appreciated.
Thanks
Answer 0 (score: 1)
You could create a new column in your users table, e.g. password, newPassword
When a user logs in, you hash the password with the new algorithm and save it in the newPassword column
After a few days, rename the column newPassword to password
Answer 1 (score: 0)
Thanks Cvetomir for the idea. So what I did was create a new column in the table called encrypted_password; basically, all new registrations will be encrypted with CRYPT_BLOWFISH.
So basically my solution (not sure how elegant it is, but it works) looks at each password. If the entered password matches the SHA1 password, it takes that posted password, encrypts it in the new format and adds it to the database.
Once the encrypted_password column is updated, I will delete the old password column. Anyway, happy to hear ideas/suggestions to make it better, but for now it works, after a lot of trial and error on this one.
if(!$errors && $username == $teacher_row['username']){
    if($_POST['password1'] != ''){
        $old_password = filter_var($_POST['password1']);
        $old_password = sha1($old_password);
        //If the old SHA1 Password does not match anything in the database then try and match it with our new method
        if(!hash_equals((string)$teacher_row['password1'], $old_password)){
            //New Password will be the $_POST Password
            $new_password = $_POST['password1'];
            //Grab the new column (the stored bcrypt hash, which also carries the salt; empty if this user was never migrated)
            $user_password = (string)$teacher_row['encrypted_password'];
            //Re-hash the entered password with the stored salt to see if they match
            $hashed_password = crypt($new_password, $user_password);
            //If it doesn't match throw an error
            if(!hash_equals($user_password, $hashed_password)){
                $errors['username'] = 'The username or password you entered is incorrect.';
            }//If Hashed Password != User password
            else{
                //The New Password does match and gain your session
                session_regenerate_id();
                //Create our session on session_id and hash it as well ($dhl_id is set earlier, not shown here)
                $session_id = generateHash($dhl_id);
                $_SESSION['DHL'] = $session_id;
                $_SESSION['TIMEOUT'] = time();
                $_SESSION['TEACHER_ID'] = $teacher_username;
                session_write_close();
            }
        }
        else{ //The Old Passwords Must Match: re-hash in the new format and store it
            $password = generateHash($_POST['password1']);
            //$errors['username'] = 'Password Correct '.$_POST['password1'].' and '.$password.'';
            //Build our query
            $sql = "UPDATE members_teachers SET encrypted_password = ? WHERE username = ?";
            //Prepare our query; can not proceed if we can not prepare it
            $stmt = $db_connection->prepare($sql);
            if(false === $stmt){
                die('prepare() failed: ' . htmlspecialchars($db_connection->error));
            }
            //Bind the fields and their parameters to our query in our testing variable $next_step
            $next_step = $stmt->bind_param('ss', $password, $teacher_username);
            //If next_step is false then it didn't work and there is no sense in proceeding
            if(false === $next_step){
                die('bind_param() failed: ' . htmlspecialchars($stmt->error));
            }
            //Place the Execute into a variable and test if it executed or not
            $next_step = $stmt->execute();
            //If next_step is false then it didn't work and there is no sense in proceeding
            if(false === $next_step){
                die('execute() failed: ' . htmlspecialchars($stmt->error));
            }
            //The New Hashed password is stored, we are good
            session_regenerate_id();
            //Create our session on session_id
            $session_id = generateHash($dhl_id);
            $_SESSION['DHL'] = $session_id;
            $_SESSION['TIMEOUT'] = time();
            $_SESSION['TEACHER_ID'] = $teacher_username;
            session_write_close();
        }//End the old Passwords do match
    }//If password is not Blank
    else{
        $errors['username'] = 'You must enter a password';
    }
}
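As an added example (not code from the question or either answer), here is the login-time migration that both answers describe, written against PHP's password_hash()/password_verify() API, which produces the same $2y$ bcrypt hashes as the crypt()/CRYPT_BLOWFISH call in generateHash(). The column names password (legacy SHA1 hex) and encrypted_password (bcrypt) are taken from the answer; an in-memory array stands in for the members_teachers row, and the sample users and passwords are constructed.

```php
<?php
// Added example: transparent SHA1 -> bcrypt migration at login. password_hash()
// with PASSWORD_BCRYPT yields the same $2y$ hashes as the question's crypt() call.
// Assumed columns: password (legacy SHA1 hex), encrypted_password (bcrypt or null).
const BCRYPT_OPTS = ['cost' => 11];

// Returns true on success. On a correct legacy password the row is upgraded in
// place: bcrypt hash stored, SHA1 value cleared (the caller persists the row).
function loginAndMigrate(array &$row, string $plaintext): bool
{
    if (!empty($row['encrypted_password'])) {
        // Already migrated: bcrypt check, plus a cost bump if the policy changed.
        if (!password_verify($plaintext, $row['encrypted_password'])) {
            return false;
        }
        if (password_needs_rehash($row['encrypted_password'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
            $row['encrypted_password'] = password_hash($plaintext, PASSWORD_BCRYPT, BCRYPT_OPTS);
        }
        return true;
    }
    // Legacy path: constant-time compare against the stored SHA1 hex digest.
    if (empty($row['password']) || !hash_equals($row['password'], sha1($plaintext))) {
        return false;
    }
    // Correct legacy password: upgrade now, so the weak hash is never consulted again.
    $row['encrypted_password'] = password_hash($plaintext, PASSWORD_BCRYPT, BCRYPT_OPTS);
    $row['password'] = null;
    return true;
}
function must(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}
// Constructed sample rows: alice still has only a SHA1 hash, bob is already on bcrypt.
$users = [
    'alice' => ['password' => sha1('correct horse'), 'encrypted_password' => null],
    'bob'   => ['password' => null,
                'encrypted_password' => password_hash('battery staple', PASSWORD_BCRYPT, BCRYPT_OPTS)],
];
must(loginAndMigrate($users['alice'], 'wrong') === false, 'legacy reject');
must($users['alice']['encrypted_password'] === null, 'no upgrade on failed login');
must(loginAndMigrate($users['alice'], 'correct horse') === true, 'legacy accept');
must(strncmp($users['alice']['encrypted_password'], '$2y$11$', 7) === 0, 'bcrypt stored');
must($users['alice']['password'] === null, 'SHA1 cleared');
must(loginAndMigrate($users['alice'], 'correct horse') === true, 'bcrypt accept after upgrade');
must(loginAndMigrate($users['bob'], 'battery staple') === true, 'migrated user');
echo "migration demo ok\n";
```

Once every active user has logged in at least once, the rows with a non-empty password column are the ones that were never migrated, which is the set to review before dropping that column as the answer proposes.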