是否可以清除密码输入?

时间:2017-08-07 01:10:11

标签: php security pdo

我按如下方式清理用户名输入:

function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

我正在使用PDO格式的预准备语句并对密码进行哈希处理,所以是否仍然建议清除密码输入?

以下是代码。要注意,从现在开始它还没有完成,也非常混乱。

<?php
  // start session
  session_start();
?>
<!DOCTYPE html>
<head>
  <link href='css/verify-id.css' rel='stylesheet'>
</head>
<body>
<?php
function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {

  // set or enter password
  if (isset($_POST['password']) && empty($_POST['password'])) {

    $error    = 'A password is required.';
    $identity = '';
    $tip      = '';
    $prompt   = '';

  } else if (isset($_POST['password']) && !empty($_POST['password'])) {
    //echo '<br>SESSION idPersist<br>'.$_SESSION['idPersist'];
    //echo '<br><br>POST password<br>'.$_POST['password'];

    $password = $_SESSION['password'];
    $idPersist = $_SESSION['idPersist'];

    include 'include/database-connection.php';

    if ($_SESSION['prompt'] === 'Enter Password') {
      //echo '<br><br>SESSION prompt is Enter Password';

      // compare password
      $sql  = 'SELECT pass FROM guests WHERE id = :id';
      $stmt = $conn->prepare($sql);
      $stmt->bindParam(':id', $idPersist);
      $conn->exec($sql);

    } else if ($_SESSION['prompt'] === 'Set Password') {
      echo '<br><br>SESSION prompt is Set Password';
    /*
      // set password
      $sql  = 'INSERT INTO guests (pass)
        VALUES (:password)';
      $stmt = $conn->prepare($sql);
      $stmt->bindParam(':password', $password);
      //$conn->exec($sql);
    */
    }

    $conn = null;

    /*
    $error    = '';
    $identity = '';
    $tip      = '';
    $prompt   = '';
    */
  }

  // enter id
  if (!isset($_POST['password']) && empty($_POST['id'])) {
    $error  = 'An ID is required.';
  } else if (!isset($_POST['password']) && !empty($_POST['id'])) {
    include 'include/database-connection.php';
    $id     = clean($_POST['id']);
    $sql    = 'SELECT id, pass FROM guests WHERE id = :id';
    $stmt   = $conn->prepare($sql);
    $stmt->bindParam(':id', $id);
    $stmt->execute();
    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($result) {
      $_SESSION['idPersist'] = $id;
      $identity              = 'password';
      $tip                   = 'Password';
      $error                 = '';
      if (is_null($result['pass'])) {
        $prompt             = 'Set Password';
        $_SESSION['prompt'] = 'Set Password';
      } else {
        $prompt             = 'Enter Password';
        $_SESSION['prompt'] = 'Enter Password';
      }
    } else {
      $prompt = 'Enter Valid ID';
    }
    $conn = null;
  }

}
?>
  <form
    accept-charset ='UTF-8'
    action         ='<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>'
    autocomplete   ='off'
    enctype        ='application/x-www-form-urlencoded'
    method         ='post'
    target         ='_self'>
      <input
        autofocus
        id          ='<?php
          if (empty($identity)) {
            echo 'id';
          } else {
            echo $identity;
          }
        ?>'
        name        ='<?php
          if (empty($identity)) {
            echo 'id';
          } else {
            echo $identity;
          }
        ?>'
        placeholder ='<?php
          if (empty($tip)) {
            echo 'ID';
          } else {
            echo $tip;
          }
        ?>'
        required
        size        ='25'
        title       ='<?php
          if (empty($tip)) {
            echo 'ID';
          } else {
            echo $tip;
          }
        ?>'
        type        ='text'>
      <span><?php echo $error; ?></span>
      <input
        id    ='submit'
        name  ='submit'
        type  ='submit'
        value ='<?php
        if (empty($prompt)) {
          echo 'Enter ID';
        } else {
          echo $prompt;
        }
        ?>'>
  </form>
</body>
</html>

1 个答案:

答案 0 :(得分:5)

不要乱用用户密码。无需清理和清理用户密码。

它不会造成任何伤害,因为密码应始终进行哈希处理。它永远不应该以原始形式存储。

$2y$10$36PQzf67DtRPrn3ViqNFS.iswIU9AyIPRWV23KzmSXWD66RD7frIm这样的哈希密码不会造成任何伤害。