使用php和mysql的登录/注册系统 [英] Login/Registration System with php and mysql

问题描述

我想使用PHP和mysql创建一个简单的用户登录/注册系统.除了用户登录和注销所需的信息之外，我不需要获取任何信息.我想确保系统是安全的.

I would like to make a simple user login/registration system using PHP and mysql. I don't need to get any information beyond what is necessary for the user to log in and out. I want to make sure that the system is secure.

我目前了解它应该如何工作的方式是:

The way that I currently understand how it should work is:

注册

用户输入其电子邮件地址和密码以及确认密码.

User enters their email address and password and confirmation password.

PHP脚本确保密码匹配，并且电子邮件是有效地址，并且不在数据库中.

The PHP script makes sure the passwords match and that the email is a valid address and is not already in the database.

它将散列密码和随机盐一起散列，并将盐和生成的哈希密码存储在数据库中. (php的md5函数是否适合此功能?我不太确定这部分的工作原理.)

It hashes the password along with a random salt and stores the salt and resulting hashed password in the database. (Is php's md5 function suitable for this? I am not quite sure how this part works.)

将电子邮件确认代码存储在数据库中，然后将给定的电子邮件地址的链接发送回包含该代码以进行验证的网站吗?

Store an email confirmation code in the database and send the given email address a link back to the website that contains that code for verification?

登录

用户输入其电子邮件地址和密码.

User input their email address and password.

服务器在数据库中查找电子邮件并检索盐.然后使用用户刚刚提供的密码对盐进行哈希处理，以查看其是否与数据库中的密码匹配.

The server looks up the email in the database and retrieves the salt. Then hashes the salt with the password the user just provided to see if it matches the one in the database.

如何使会话在登录后仍然存在.使用PHP会话?一块饼干?应当在Cookie中存储哪些内容，以便在两次访问之间记住用户?

How do I make the session persist after login. With a PHP session? A cookie? What should get stored in the cookie for remembering the user between visits?

我基本上只想验证一下我描述的过程是进行用户注册/登录的准确和安全的方法.此外，还有哪些很好的教程，提供了更多信息.

I basically would just like some verification that the process I am describing is an accurate and secure way of doing user registration/login. Also, what are some good tutorials with more information.

推荐答案

php的md5功能是否适合此功能?

Is php's md5 function suitable for this?

MD5不再被认为是安全的；考虑将PHP的较新的内置密码哈希与bcrypt算法结合使用，该算法具有可变的计算复杂性: PHP password_hash() 和 password_verify() .

MD5 is no longer considered secure; consider using PHP's newer built-in password hashing with the bcrypt algorithm which has variable computational complexity: PHP password_hash() and password_verify().

如何使会话在登录后仍然存在.用PHP会话?一块饼干?应当在Cookie中存储哪些内容，以便在两次访问之间记住用户?

How do I make the session persist after login. With a php session? A cookie? What should get stored in the cookie for remembering the user between visits?

理想情况下，您将使用PHP会话来维护一次访问期间的状态，并且如果您希望使用记住我的登录名"选项，则可以使用包含足够信息的cookie来验证返回的用户并重新启动一个新的会话. 2004年有一篇很好的文章介绍了有关登录Cookie的最佳做法:永久性登录Cookie最佳做法.您可能还会对.

Ideally, you would use a PHP session to maintain state during a single visit, and if you would like to have a "remember my login" option, you would use a cookie that contains enough information to authenticate a returning user and restart a new session. There's a good article from 2004 on best practices regarding login cookies here: Persistent Login Cookie Best Practice. You might also be interested in a more modern (2015) solution to securely implementing "remember me" checkboxes.

除了这些，我认为您所描述的都很好.

Apart from these, I think whatever you have described is fine.

这篇关于使用php和mysql的登录/注册系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！