[英]Getting username and password exposed in POST parameters when created a new user
I need to hash and store a password from user input in login form in Yii. 我需要在Yii中以登录形式哈希并存储来自用户输入的密码。 If I get them thru POST parameters like this: 如果我通过这样的POST参数得到它们:
$model->username=$_POST['User']['username'];
$model->password=crypt($_POST['User']['username']);// salt might be added
if($model->save())
$this->redirect(array('view','id'=>$model->id));
this way I expose the uncrypted password in POST request. 这样,我在POST请求中公开了未加密的密码。 Other way is to them directly from login form like this: 另一种方法是直接从登录表单访问他们,如下所示:
public function actionCreate2()
{
$model=new User;
$model->username = $form->username;
$model->password = crypt($form->password);
if($model->save())
$this->redirect(array('view','id'=>$model->id));
$this->render('create',array(
'model'=>$model,
));
}
but this does not work in my case with authenticating a saved user. 但这在我的情况下无法验证已保存的用户。 The auth function: auth函数:
public function authenticate()
{
$users = User::model()->findByAttributes(array('username'=>$this->username));
if($users == null)
$this->errorCode=self::ERROR_USERNAME_INVALID;
elseif ($users->password !== crypt($this->password, $users->password))
//elseif($users->password !== $this->password)
$this->errorCode=self::ERROR_PASSWORD_INVALID;
else
$this->errorCode=self::ERROR_NONE;
return !$this->errorCode;
}
How to do it in a proper way? 如何以适当的方式做到这一点?
The more troubles appeared as i followed suggest of Samuel - the validating alarm message even before i enter anything, along with hashed password in input field.(see the picture): 当我遵循塞缪尔的建议时出现了更多的麻烦-甚至在我输入任何内容之前都会验证警报消息,以及输入字段中的哈希密码。(参见图片):
When I still enter my username and my password instead of 'proposed' and press 'Create' the form is being sent with not crypted values (from POST request sniffing): 当我仍然输入我的用户名和密码而不是“ proposed”并按“ Create”时,该表单将以未加密的值发送(通过POST请求嗅探):
Form Data view source view URL encoded
YII_CSRF_TOKEN:9758c50299b9d4b96b6ac6a2e5f0c939eae46abe
User[username]:igor23
User[password]:igor23
yt0:Create
but nothing is actually stored in db, nor crypted not uncrypted... 但实际上什么都没有存储在db中,也没有加密而不是未加密...
Change your create method to: 将您的创建方法更改为:
/**
* Creates a new model.
* If creation is successful, the browser will be redirected to the 'view' page.
*/
public function actionCreate() {
$model = new User;
if (isset($_POST['User'])) {
$model->attributes = $_POST['User'];
$model->password = crypt($model->password, 'mysalt123');
if ($model->save())
$this->redirect(array('view', 'id' => $model->primaryKey));
}
// Reset password field
$model->password = "";
$this->render('create', array(
'model' => $model,
));
}
Change that elseif from this: 从此更改elseif:
elseif ($users->password !== crypt($this->password, $users->password))
To this: 对此:
elseif (strcmp(crypt($this->password, 'mysalt123'), $users->password))
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.