Php 这是一个密码,我只是不注册。允许用户使用他们想要的密码。和。在散列之前,请确保您在它们上安装或使用任何其他清理机制。这样做会更改密码并导致不必要的额外编码。^-他说的。要回答您的问题,您的正则表达式会检查长度是否在8到12之间,而不是6到12之间。@Jay
Php 这是一个密码,我只是不注册。允许用户使用他们想要的密码。和。在散列之前,请确保您在它们上安装或使用任何其他清理机制。这样做会更改密码并导致不必要的额外编码。^-他说的。要回答您的问题,您的正则表达式会检查长度是否在8到12之间,而不是6到12之间。@Jay,php,Php,这是一个密码,我只是不注册。允许用户使用他们想要的密码。和。在散列之前,请确保您在它们上安装或使用任何其他清理机制。这样做会更改密码并导致不必要的额外编码。^-他说的。要回答您的问题,您的正则表达式会检查长度是否在8到12之间,而不是6到12之间。@JayBlanchard实际上,有一个最大长度是一件好事,但最大长度应该很高,比如1024个字符或更多。当前的散列算法是故意慢下来的。通过一个已知的“慢”页面,通过DoS发送大密码是将服务器绑定起来的一种简单方法@具有讽刺意味的是,强制执行一套特殊的
这是一个密码,我只是不注册。允许用户使用他们想要的密码。和。在散列之前,请确保您在它们上安装或使用任何其他清理机制。这样做会更改密码并导致不必要的额外编码。^-他说的。要回答您的问题,您的正则表达式会检查长度是否在8到12之间,而不是6到12之间。@JayBlanchard实际上,有一个最大长度是一件好事,但最大长度应该很高,比如1024个字符或更多。当前的散列算法是故意慢下来的。通过一个已知的“慢”页面,通过DoS发送大密码是将服务器绑定起来的一种简单方法@具有讽刺意味的是,强制执行一套特殊的规则实际上限制了密码的随机性。我宁愿加入2fa,比如google authenticator。@Mike我相信我们的工作是指导他们,而不是限制他们。我认为,我们应该进行教育,而不是裁决,鉴于所有关于黑客账户的报道,我希望在线用户在保护其信息方面变得更加精明。我总是建议在我创建或修改的任何帐户注册中使用密码短语。最大密码长度表明密码以明文形式存储。
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
// include function files for this application
require_once('bookmark_fns.php');
//create short variable names
$email=$_POST['email'];
$username=$_POST['username'];
$passwd=$_POST['passwd'];
$passwd2=$_POST['passwd2'];
// start session which may be needed later
// start it now because it must go before headers
session_start();
try {
// check forms filled in
if (!filled_out($_POST)) {
throw new Exception('You have not filled the form out correctly. Please go back and try again.');
}
// email address not valid
if (!valid_email($email)) {
throw new Exception('That is not a valid email address. Please go back and try again.');
}
// passwords not the same
if ($passwd != $passwd2) {
throw new Exception('The passwords you entered do not match. Please go back and try again.');
}
// check password length is ok
// ok if username truncates, but passwords will get
// munged if they are too long.
if (!preg_match('/^(?=.*\d)(?=.*[A-Za-z])[0-9A-Za-z]{6,12}$/', $passwd)) {
throw new Exception('Your password must be between 6 and 12 characters inclusive. Please go back and try again.');
}
// attempt to register
// this function can also throw an exception
register($username, $email, $passwd);
// register session variable
$_SESSION['valid_user'] = $username;
// provide link to members page
do_html_header('Registration successful');
echo "Welcome " . $_POST["username"];
echo 'Your registration was successful. Go to the members page to start setting up your bookmarks!';
do_html_url('member.php', 'Go to members page');
// end page
do_html_footer();
}
catch (Exception $e) {
do_html_header('Warning:');
echo $e->getMessage();
do_html_footer();
exit;
}
?>
<?php
function db_connect() {
$result = new mysqli('localhost', 'bm_user', 'password', 'bookmarks');
if (!$result) {
throw new Exception('Could not connect to database server');
} else {
return $result;
}
}
?>
require_once('db_fns.php');
function register($username, $email, $password) {
// register new person with db
// return true or error message
// connect to db
$conn = db_connect();
// check if username is unique
$result = $conn->query("select * from user where username='".$username."'");
if (!$result) {
throw new Exception('Could not execute query');
}
if ($result->num_rows>0) {
throw new Exception('That username is taken - go back and choose another one.');
}
// if ok, put in db
$result = $conn->query("insert into user values
('".$username."', sha1('".$password."'), '".$email."')");
if (!$result) {
throw new Exception('Could not register you in database - please try again later.');
}
return true;
}
function login($username, $password) {
// check username and password with db
// if yes, return true
// else throw exception
// connect to db
$conn = db_connect();
// check if username is unique
$result = $conn->query("select * from user
where username='".$username."'
and passwd = sha1('".$password."')");
if (!$result) {
throw new Exception('Could not log you in.');
}
if ($result->num_rows>0) {
return true;
} else {
throw new Exception('Could not log you in.');
}
}
function check_valid_user() {
// see if somebody is logged in and notify them if not
if (isset($_SESSION['valid_user'])) {
echo "Logged in as ".$_SESSION['valid_user'].".<br />";
} else {
// they are not logged in
do_html_heading('Warning:');
echo 'You have not filled the form out correctly.
Please go back and try again.<br />';
do_html_url('login.php', 'Login');
do_html_footer();
exit;
}
}
function change_password($username, $old_password, $new_password) {
// change password for username/old_password to new_password
// return true or false
// if the old password is right
// change their password to new_password and return true
// else throw an exception
login($username, $old_password);
$conn = db_connect();
$result = $conn->query("update user
set passwd = sha1('".$new_password."')
where username = '".$username."'");
if (!$result) {
throw new Exception('Password could not be changed.');
} else {
return true; // changed successfully
}
}
function get_random_word($min_length, $max_length) {
// grab a random word from dictionary between the two lengths
// and return it
// generate a random word
$word = '';
// remember to change this path to suit your system
$dictionary = '/usr/dict/words'; // the ispell dictionary
$fp = @fopen($dictionary, 'r');
if(!$fp) {
return false;
}
$size = filesize($dictionary);
// go to a random location in dictionary
$rand_location = rand(0, $size);
fseek($fp, $rand_location);
// get the next whole word of the right length in the file
while ((strlen($word) < $min_length) || (strlen($word)>$max_length) || (strstr($word, "'"))) {
if (feof($fp)) {
fseek($fp, 0); // if at end, go to start
}
$word = fgets($fp, 80); // skip first word as it could be partial
$word = fgets($fp, 80); // the potential password
}
$word = trim($word); // trim the trailing \n from fgets
return $word;
}
function reset_password($username) {
// set password for username to a random value
// return the new password or false on failure
// get a random dictionary word b/w 6 and 13 chars in length
$new_password = get_random_word(6, 13);
if($new_password == false) {
throw new Exception('Could not generate new password.');
}
// add a number between 0 and 999 to it
// to make it a slightly better password
$rand_number = rand(0, 999);
$new_password .= $rand_number;
// set user's password to this in database or return false
$conn = db_connect();
$result = $conn->query("update user
set passwd = sha1('".$new_password."')
where username = '".$username."'");
if (!$result) {
throw new Exception('Could not change password.'); // not changed
} else {
return $new_password; // changed successfully
}
}
function notify_password($username, $password) {
// notify the user that their password has been changed
$conn = db_connect();
$result = $conn->query("select email from user
where username='".$username."'");
if (!$result) {
throw new Exception('Could not find email address.');
} else if ($result->num_rows == 0) {
throw new Exception('Could not find email address.');
// username not in db
} else {
$row = $result->fetch_object();
$email = $row->email;
$from = "From: support@phpbookmark \r\n";
$mesg = "Your PHPBookmark password has been changed to ".$password."\r\n"
."Please change it next time you log in.\r\n";
if (mail($email, 'PHPBookmark login information', $mesg, $from)) {
return true;
} else {
throw new Exception('Could not send email.');
}
}
}
?>