Php 安全双向散列技术
我目前正在开发一个文档身份验证系统,我希望对用户的密码进行哈希或加密Php 安全双向散列技术,php,sql,password-encryption,Php,Sql,Password Encryption,我目前正在开发一个文档身份验证系统,我希望对用户的密码进行哈希或加密 所以我的问题是,我将使用的最佳和最安全的双向哈希或加密方法是什么 正如上面评论中所建议的,最好且简单的方法是使用password_hash()和密码验证()更多信息可以在php.net网站上找到,在我的基本用户注册中,我使用了mysqli或pdo,也可以使用准备好的语句 请注意,这只是如何使用密码\u散列和密码\u验证()的一个基本示例 我们将在注册时使用password\u hash(),登录时使用password\u ve
所以我的问题是,我将使用的最佳和最安全的双向哈希或加密方法是什么 正如上面评论中所建议的,最好且简单的方法是使用
password_hash()和密码验证()更多信息可以在php.net网站上找到,在我的基本用户注册中,我使用了mysqli或pdo,也可以使用准备好的语句
请注意,这只是如何使用密码\u散列和密码\u验证()的一个基本示例
我们将在注册时使用password\u hash()
,登录时使用password\u verify()
db.php
<?php
$server="localhost";
$username="root";
$password="";
try{
$dbh = new PDO("mysql:host=$server;dbname=sytemDb",$username,$password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $exc){
error_log($exc);
}
?>
<?php
include 'db.php';
$errors="";
if (isset($_POST['register'])) {
//check if values are not empty
if(empty($_POST['email'])){
die("please enter email");
$errors++;
}else{
$email = $_POST['email'];
//then check for valid email
}
}
if(empty($_POST['upass'])){
die("enter password");
$errors++;
}else{
$password = $_POST['upass'];
$hash = password_hash($password,PASSWORD_DEFAULT);//hashing password
}
if($errors <=0){
//no errors save to db
$stmt= $dbh->prepare("INSERT INTO users (username,password) VALUES(?,?)");
$stmt->execute(array($username,$hash));
echo "User registered";
}
?>
<!DOCTYPE html>
<html>
<head>
<title>User Registration</title>
</head>
<body>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<input type="email" name="email" placeholder="Ente Username">
<input type="password" name="upass" placeholder="Enter Password">
<button type="submit" name="register">Register</button>
</form>
</body>
</html>
<?php
ob_start();
session_start();
include 'db.php';
if(isset($_POST['login'])){
if(empty($_POST['username']) || empty($_POST['pass'])){
die("enter password or username");
}else{
$uname = $_POST['username'];
$password = $_POST['pass'];
}
try {
$stmt = $dbh->prepare("SELECT userid,password,username from users where username = ?");
$stmt->bindValue(1,$uname);
$stmt->execute();
$results = $stmt->fetchall(PDO::FETCH_ASSOC);
if(count($results) > 0){
//if username is correct continue check entered password against saved hash
foreach ($results as $row) {
if(password_verify($password,$row['password'])){
//password and saved hash match go to dashboard
echo "login success";
$_SESSION['user']= $row['userid'];
header("refresh:5;url=dashboard");
}else{
echo "username and password does not match";
}
}
}else{
echo "username and password does not match";
}
} catch (PDOException $e) {
error_log($e);
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<form method="POST" action="">
<input type="text" name="username" placeholder="Enter username">
<input type="password" name="pass" placeholder="Enter password">
<button type="submit" name="login">Login</button>
</form>
</body>
</html>
上面的脚本连接到我们的数据库
register.php
<?php
$server="localhost";
$username="root";
$password="";
try{
$dbh = new PDO("mysql:host=$server;dbname=sytemDb",$username,$password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}catch(PDOException $exc){
error_log($exc);
}
?>
<?php
include 'db.php';
$errors="";
if (isset($_POST['register'])) {
//check if values are not empty
if(empty($_POST['email'])){
die("please enter email");
$errors++;
}else{
$email = $_POST['email'];
//then check for valid email
}
}
if(empty($_POST['upass'])){
die("enter password");
$errors++;
}else{
$password = $_POST['upass'];
$hash = password_hash($password,PASSWORD_DEFAULT);//hashing password
}
if($errors <=0){
//no errors save to db
$stmt= $dbh->prepare("INSERT INTO users (username,password) VALUES(?,?)");
$stmt->execute(array($username,$hash));
echo "User registered";
}
?>
<!DOCTYPE html>
<html>
<head>
<title>User Registration</title>
</head>
<body>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<input type="email" name="email" placeholder="Ente Username">
<input type="password" name="upass" placeholder="Enter Password">
<button type="submit" name="register">Register</button>
</form>
</body>
</html>
<?php
ob_start();
session_start();
include 'db.php';
if(isset($_POST['login'])){
if(empty($_POST['username']) || empty($_POST['pass'])){
die("enter password or username");
}else{
$uname = $_POST['username'];
$password = $_POST['pass'];
}
try {
$stmt = $dbh->prepare("SELECT userid,password,username from users where username = ?");
$stmt->bindValue(1,$uname);
$stmt->execute();
$results = $stmt->fetchall(PDO::FETCH_ASSOC);
if(count($results) > 0){
//if username is correct continue check entered password against saved hash
foreach ($results as $row) {
if(password_verify($password,$row['password'])){
//password and saved hash match go to dashboard
echo "login success";
$_SESSION['user']= $row['userid'];
header("refresh:5;url=dashboard");
}else{
echo "username and password does not match";
}
}
}else{
echo "username and password does not match";
}
} catch (PDOException $e) {
error_log($e);
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<form method="POST" action="">
<input type="text" name="username" placeholder="Enter username">
<input type="password" name="pass" placeholder="Enter password">
<button type="submit" name="login">Login</button>
</form>
</body>
</html>
用户注册
登录
登录
这应该做它的非常基本的密码哈希在手册和
密码\u verify()也可用
请使用PHP5.6或更高版本,你应该已经使用了
就这样。希望这将为您指明正确的方向
注意:始终验证用户的输入,不要忘记过滤和
清理输入,然后准备一条语句保存到数据库
如果用户忘记了密码,那么有很多方法可以重置用户密码,一个基本的方法是在URDB上有一个autho令牌列
下面的方法对于初学者来说是非常基本的,只是为了开始你的职业生涯lol;)
然后重置密码页
<?php
function resetPassword()
{
if (isset($_GET['code']) && isset($_GET['token'])) {
$code = base64_decode($_GET['code']);
$token = $_GET['token'];
if (isset($_POST['resetpassword'])) {
//check empty fields
if (empty($_POST['newpassword'])) {
$errorMessage = "enter password";
$errors++;
return $errorMessage;
} else {
$password = $_POST['newpassword'];
$hash = password_hash($password, PASSWORD_DEFAULT); //password encryption
}
if (!empty($_POST['newpassword']) && empty($_POST['confirmpassword'])) {
$errorMessage = "Please confirm your password";
$errors++;
return $errorMessage();
}
if (!empty($_POST['confirmpassword']) && $_POST['confirmpassword'] !== $_POST['newpassword']) {
return "Passwords does not match";
$errors++;
}
}
if ($errors <= 0) {
try {
$stmt = $dbh->prepare("Update users set password = ? where userID = ? AND auth_token = ?");
$stmt->execute(array(
$hash,
$code,
$token
));
return "Password successfully changed.. Redirecting to login page";
$update = $dbh->prepare("UPDATE users set aut_token = NULL where userID = ? ");
$update->bindValue(1, $code);
$update->execute();
header("refresh=3:url;login");
}
catch (PDOException $e) {
error_log($e->getMessage());
}
}
} else {
//token code error
return "The link have expired, please go back and request a new one";
}
}
?>
你说的“双向”是什么意思?如果它是一个散列,那么根据定义它肯定是单向的。使用。哈希是唯一的方法。加密是双向的。密码只能进行哈希运算。对于php,使用两种方式通常是不安全的,最好使用一种方式,即password_hash();'和
password_verify()`不,这是错误的,为什么你会让管理员查看用户的密码,如果用户忘记了他们的密码,你应该有一个恢复/重置密码的方法。。。。记住,大多数黑客都是admins@toomelette你根本不应该让任何人看到密码。这些话是不应该被收回的。如果有人忘记了他的密码,给他一个新的。哦,最好的密码散列方法已经提到:password\u hash()
你能给我看一下如何验证的代码吗?@Toomellette答案更新了。非常感谢你的帮助,先生,我真的很感激..酷,如果答案对你有帮助,你可以标记它并投票。先生,还有一个问题。。这种方法最安全吗。。我听到了一些像上面提到的那样的杂音。。使用这些alogarithms是否更安全,或者我将坚持使用密码\u hash()方法?