PDO注册和登录密码匹配 [英] PDO Register and Login Password Matching
本文介绍了PDO注册和登录密码匹配的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
好的..所以我一开始只有php 5.3,所以我不能使用bcrypt,我对salt不熟悉,但是如果有人可以帮助我,我完全愿意这么做.我也想知道此脚本对sql注入是不好还是好.我最大的问题是,当我使用诸如crypt之类的方法并尝试使密码匹配时,密码不会匹配.我已经为此工作了好几天,似乎无法找到解决我问题的正确方法.该代码尚未完成,但可以运行.我只是在沼泽上这样做,所以我不知道这是否是个问题?但我无法想象.
Okay.. so to start off I only have Php 5.3 so I can't use bcrypt, I am not familiar with salt but an completely willing to do it if someone can help me out. I also would like to know if this script is bad or good for sql injections. My biggest problems is when I use something like crypt and try to get my passwords to match, it won't. I've been working on this for days and can't seem to find the right solution to my problem. the code is not done yet, but its able to run. I'm just doing this on wamp so i dunno if thats a problem? but i cant imagine it is.
注册.的PHP
REGISTER . PHP
if ((strlen($username)) < 6 || (preg_match("/[^\w-.]/", $username)) ) {
header('Location: Register.php?fail=1');
die();
}
if ((strlen($password)) < 8) {
header('Location: Register.php?fail=2');
die();
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header('Location: Register.php?fail=3');
die();
}
/*
TRIED METHODS
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$salt = base64_encode($salt);
$salt = str_replace('+', '.', $salt);
$hash = crypt('rasmuslerdorf', '$2y$10$'.$salt.'$');
$password = $hash;
echo "<script>alert('$password');</script>";
$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt($password, $salt);
if (crypt($password, $digest) == $digest){
echo "<script>alert('logged in');</script>";
}else{
header('Location: Login.php?fail=3');
die();
}
*/
//PDO CONNECTION
function pdo_connect() {
try {
$db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
return $db;
} catch (PDOException $e) {
//echo $e->getMessage();
//return false;
header('Location: Register.php?fail=6');
}
}
//CHECK IF USERNAME EXISTS
function usernameCheck($username) {
$con = pdo_connect();
$ustmt = $con->prepare("SELECT u_users FROM users WHERE u_users = :name");
$ustmt->bindParam(':name', $username);
$ustmt->execute();
if($ustmt->rowCount() > 0){
header('Location: Register.php?fail=4');
die();
}
$con = null;
}
echo usernameCheck($username);
//CHECK IF EMAIL EXISTS
function emailCheck($email) {
$con = pdo_connect();
$estmt = $con->prepare("SELECT u_email FROM users WHERE u_email = :name");
$estmt->bindParam(':name', $email);
$estmt->execute();
if($estmt->rowCount() > 0){
header('Location: Register.php?fail=5');
die();
}
$con = null;
}
echo emailCheck($email);
//INSERT EMAIL TO NEWSLETTER
function emailnewsletterCheck($email) {
$con = pdo_connect();
$nstmt = $con->prepare("SELECT n_email FROM newsletter WHERE n_email = :email");
$nstmt->bindParam(':email', $email);
$nstmt->execute();
if($nstmt->rowCount() < 1){
$addstmt = $con->prepare('INSERT INTO newsletter (n_email) VALUES (:email)');
$addstmt->bindParam(':email', $email);
$addstmt->execute();
}
$con = null;
}
echo emailnewsletterCheck($email);
//INSERT
function insert($username,$password,$email,$type) {
$con = pdo_connect();
$password = md5($password);
$istmt = $con->prepare('INSERT INTO users (u_users, u_private, u_email, u_type) VALUES (:username, :password, :email, :type)');
$istmt->execute(array(
':username' => $username,
':password' => $password,
':email' => $email,
':type' => $type
));
$con = null;
header('Location: Login.php?success=1');
}
echo insert($username,$password,$email,$type);
}//end submit
?>
<?php
$page_title = "NS : Web Development : Register";
$page_desc = "Register with us for great deals on website development.";
$services = 0;
include_once 'header.php';
?>
<script type="text/javascript">
// This function checks if the username field is at least 6 characters long.
function checkUsernameForLength(whatYouTyped) {
var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
var txt = whatYouTyped.value;
if (txt.length > 5) {
$("span.hint").hide();
}
}
// If the password is at least 4 characters long
function checkPassword(whatYouTyped) {
var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
var txt = whatYouTyped.value;
if (txt.length > 7) {
$("span.hint").hide();
}
}
// This function checks the email address blah@blah.blah
function checkEmail(whatYouTyped) {
var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
var txt = whatYouTyped.value;
if (/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(txt)) {
$("span.hint").hide();
}
}
// this part is for the form field hints to display
// only on the condition that the text input has focus.otherwise, it stays hidden.
function addLoadEvent(func) {
var oldonload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
oldonload();
func();
}
}
}
function prepareInputsForHints() {
var inputs = document.getElementsByTagName("input");
for (var i=0; i<inputs.length; i++){
inputs[i].onfocus = function () {
this.parentNode.getElementsByTagName("span")[0].style.display = "inline";
}
inputs[i].onblur = function () {
this.parentNode.getElementsByTagName("span")[0].style.display = "none";
}
}
}
addLoadEvent(prepareInputsForHints);
</script>
<div class="jumbotron">
<div class="container">
<h1>Register for <font color="fb1576">great</font> opportunities</h1>
<p>Get full quotes, package <font color="fb1576">deals</font>, news and updates on the latest themes and scripts, and even <font color="fb1576">win</font> free prizes<font color="fb1576">!</font>
</div>
</div>
<div class="container">
<!-- row of columns -->
<div class="row">
<?php
if ( isset($_GET['fail']) && $_GET['fail'] == 1 ){
echo "<div class='alert alert-danger'>Username must be at least 6 characters in length and can only contain characters matching (a-z) (A-Z) (0-9) and '_' Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 2 ){
echo "<div class='alert alert-danger'>Password must be at least 8 characters in length and cannot exceed 25. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 3 ){
echo "<div class='alert alert-danger'>E-mail is not valid. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 4 ){
echo "<div class='alert alert-danger'>Username you chose already exists. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 5 ){
echo "<div class='alert alert-danger'>E-mail you entered is already in use. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 6 ){
echo "<div class='alert alert-danger'>Something went wrong, we couldn't submit your registration. Please try again later. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
?>
<form name="basicform" id="basicform" method="POST">
<fieldset>
<div class="input-group">
<label for="username">Choose a Username:</label><br>
<input type="text" id="username" name="username" onkeyup="checkUsernameForLength(this);" required class="form-control" maxlength="25" pattern=".{6,}"/>
<span class="hint">Usernames must be a least 6 characters in length and cannot exceed 25. Characters must match (a-z) (A-Z) (0-9) and '_'</span>
</div>
</fieldset>
<fieldset>
<div class="input-group">
<label for="password">Enter a password:</label><br>
<input type="password" id="password" name="password" onkeyup="checkPassword(this);" required class="form-control" maxlength="25" pattern=".{7,}"/>
<span class="hint">The password can be any combination of <strong>characters</strong>, and must be at least 8 characters in length and cannot exceed 25.</span>
</div>
</fieldset>
<fieldset>
<div class="input-group">
<label for="email">Enter your email address:</label><br>
<input type="text" id="email" name="email" onkeyup="checkEmail(this);" required class="form-control" maxlength="30" />
<span class="hint">Please enter your real email address (ie: you@emailprovider.com)</span>
</div>
</fieldset>
<fieldset>
<label for="type">Pick your position of registration:</label><br>
<select name="type">
<option name="type" value="Client">I am a client looking for work to be done</option>
<option name="type" value="Employer">I am an employer looking for a potential hire</option>
<option name="type" value="Employee">I am an employee looking to be hired</option>
</select>
</fieldset>
<fieldset>
<button type="submit" class="btn btn-primary" name="submit" value="submit">Register Now</button>
</fieldset>
</form>
</div>
<!-- //row of columns -->
<?php
include_once 'footer.php';
?>
登录.的PHP
LOGIN . PHP
$username = $_POST['username'];
$password = $_POST['password'];
//before we even bother connecting to the db start validating
if ( (empty($username)) || (empty($password)) ) {
header('Location: Login.php?fail=1');
die();
}
if ( ((strlen($username)) >25) || ((strlen($password)) >25) ) {
header('Location: Login.php?fail=2');
die();
}
if ( (preg_match("/[^\w-.]/", $username)) ) {
header('Location: Login.php?fail=3');
die();
}
/*
TRIED METHODS
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$salt = base64_encode($salt);
$salt = str_replace('+', '.', $salt);
$hash = crypt('rasmuslerdorf', '$2y$10$'.$salt.'$');
$password = $hash;
echo "<script>alert('$password');</script>";
$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt($password, $salt);
if (crypt($password, $digest) == $digest){
echo "<script>alert('logged in');</script>";
}else{
header('Location: Login.php?fail=3');
die();
}
*/
//PDO CONNECTION
function pdo_connect() {
try {
$db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
return $db;
} catch (PDOException $e) {
//echo $e->getMessage();
//return false;
header('Location: Register.php?fail=6');
}
}
//CHECK IF USERNAME EXISTS
function checkLogin($username,$password) {
$con = pdo_connect();
//$getlogin = $con->query
$getlogin = $con->prepare("SELECT u_users,u_private FROM users WHERE u_users = :username AND u_private = :password");
$getlogin->bindValue(':username', $username, PDO::PARAM_STR);
$getlogin->bindValue(':password', $password, PDO::PARAM_STR);
$getlogin->execute();
if($getlogin->rowCount() > 0){
echo "<script>alert('yes');</script>";
}
$con = null;
}
echo checkLogin($username,$password);
echo "<script>alert('success');</script>";
}
?>
<?php
$page_title = "NS : Web Development : Register";
$page_desc = "Register with us for great deals on website development.";
$services = 0;
include_once 'header.php';
?>
<div class="jumbotron">
<div class="container">
<h1><font color="fb1576">Members</font> log in</h1>
<p> Not yet a member? <a href="Register.php"><font color="fb1576">Sign up today!</font></a>
</div>
</div>
<div class="container">
<?php
if ( isset($_GET['success']) && $_GET['success'] == 1 ){
echo "<div class='alert alert-success'>Registration successful. Please log in.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 1 ){
echo "<div class='alert alert-danger'>Username or Password cannot be left blank.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 2 ){
echo "<div class='alert alert-danger'>Sorry, this is not a valid Username or Password.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 3 ){
echo "<div class='alert alert-danger'>Username or Password incorrect, please try again.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 5 ){
echo "<div class='alert alert-danger'>E-mail you entered is already in use. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 6 ){
echo "<div class='alert alert-danger'>Something went wrong. Please try again later. </div>";
}
?>
<form class="form-signin" role="form" method="POST">
<h2 class="form-signin-heading">Please sign in</h2>
<p>
<input type="text" class="form-control" placeholder="Username" name="username" required autofocus>
</p>
<br>
<p>
<input type="password" class="form-control" placeholder="Password" name="password" required>
</p>
<label class="checkbox">
<input type="checkbox" value="remember-me"> Remember me
</label>
<button class="btn btn-lg btn-primary btn-block" type="submit" name="submit" value="submit">Sign in</button>
</form>
<?php
include_once 'footer.php';
?>
我REALLLLLYY需要获取它,因此它对于我的服务器在启动时是安全的,并且可以安全地登录用户.
I REALLLLLYY need to get it so it is secure for my server on launch and can login a user safely.
推荐答案
使用PHP 5.3版,您可以,并且应使用BCrypt.
With PHP version 5.3 you can and should use BCrypt.
对于PHP 5.5及更高版本,建议使用新的密码功能 password_hash()和 password_verify():
For PHP version 5.5 and higher it is recommended to use the new password functions password_hash() and password_verify():
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
对于PHP 5.3.7及更高版本,存在一个兼容性包,因此您可以以完全相同的方式使用上面的功能.
For PHP version 5.3.7 and higher there exists a compatibility pack, so you can use the functions above in exactly the same way.
对于低于5.3.7的PHP版本,您可以使用兼容性包并将crypt参数从"$2y$%02d$"更改为"$2a$%02d$",这也会生成BCrypt哈希.使用旧版本是最好的选择,当您更新到更新的PHP版本时,散列将兼容.
For PHP versions earlier than 5.3.7 you could use the compatibility pack and change the crypt parameter from "$2y$%02d$" to "$2a$%02d$", this generates a BCrypt hash as well. It is the best you can do with older versions, the hashes will be compatible when you update to a newer PHP version.
要验证密码时,不能直接在SQL语句中执行此操作.第一步,您必须从数据库(使用用户名)获取存储的密码哈希,然后可以在函数password_verify()中使用此哈希. password_verify()函数需要从存储的哈希中提取盐.
When you want to verify the password, you cannot do this in the SQL statement directly. In a first step you have to get the stored password-hash from the database (with the username), then you can use this hash in the function password_verify(). The password_verify() function needs to extract the salt from the stored hash.
这篇关于PDO注册和登录密码匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
