在没有HTTPS的情况下在PHP和MySQL中创建安全的登录脚本 [英] Creating a secure login script in PHP and MySQL without HTTPS
问题描述
是 WikiHow上的这篇文章是在PHP和MySQL中创建安全登录脚本的一个很好的参考?在警告部分,作者强调该代码只能与HTTPS一起使用。我无法使用HTTPS,但需要在PHP和MySQL中实现相对安全的登录脚本,因此想知道该脚本是否也可以用于HTTP连接。
Is this post on WikiHow a good reference to create a secure login script in PHP and MySQL? In the warnings section, the author(s) emphasizes that the code only can be used with HTTPS. I am not able to use HTTPS, but need to implement a relatively secure login script in PHP and MySQL, and was therefore wondering if the script could be implemented for an HTTP connection as well.
第三方解决方案是在PHP和MySQL中创建安全登录脚本的最佳解决方案。通过使用PHP框架(例如Symfony,uLogin)或外部各方(例如Facebook,Google),可以避免创建全新的工作登录脚本和授权( Remember-Me 功能)的需要。如果其他人已经进行了彻底的研究并获得了创建登录功能的经验,那么使用他们的工作会更加安全和容易。
A third party solution is the best solution to create a secure login script in PHP and MySQL. By utilizing a PHP framework (e.g. Symfony, uLogin) or external parties (e.g. Facebook, Google), the need to create an entirely new working login script plus authorization (the Remember-Me functionality) can be avoided. If others have done thorough research and gained experience to create login functionalities, it is much safer and easier to use their work.
推荐答案
虽然您可以自己创建一个登录系统,但强烈建议让外部人员为您完成。
Although you could create a login system yourself, it is strongly recommended to let external parties do it for you.
要想做到这一点需要很多经验,而且经常做错了。
It takes a lot of experience to get it right, and it is so often done wrong.
虽然教程对我来说没问题,但是有很多因素要考虑,而且它似乎也是半岁的。 PHP 5.5提供 password_hash 和 password_verify ,我推荐你的网页建议。
Although the tutorial looks okay to me, there are just so many factors that to consider, and it also seems to be semi-old. PHP 5.5 offers password_hash and password_verify, which I would recommend over what your page suggests.
所以如果你必须制作自己的系统;考虑使用上述功能,如果你只限于较低的PHP版本,有向后移植到版本5.3.7可用。
So if you have to make your own system; consider making use of the above-mentioned functions, if you're restricted to lower php versions, there are backports up to version 5.3.7 available.
如果您 没有制作自己的系统,利用外部各方(Google,Facebook)为您处理登录,或使用具有身份验证支持。
If you don't have to make your own system, make use of external parties (Google, Facebook) to handle the logging in for you, or make use of a framework that has authentication support.
所以在它的一般要点中:不要试图自己动手,利用什么其他人提供了多年的经验。因为要做到这一点非常困难。
So in the general gist of it: Don't try to do it yourself, make use of what other people offer which years of experience in it. As it is incredibly difficult to get it right.
这篇关于在没有HTTPS的情况下在PHP和MySQL中创建安全的登录脚本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
