如何让我的PHP文件正确地从数据库中调用密码?
[英]How to make my PHP files call the password from the database properly?
问题描述
I am currently working on a website, it has a sign up PHP file that sends data to a database. 
我目前正在一个网站上工作,它有一个注册PHP文件,可以将数据发送到数据库。 For security measures, I set up a password encryption file that encrypts the password that the user enters, so that it is impossible to find in the database. 为了安全措施,我设置了一个密码加密文件,用于加密用户输入的密码,因此无法在数据库中找到。 Unfortunately, when the user tries to connect to the database from the log in PHP file, it denies them access to log in because the code connects to the database passwords, but it doesn't "sanitize" the password from it's encryption code, and the password isn't recognized by the server. 不幸的是,当用户尝试从登录PHP文件连接到数据库时,它拒绝他们访问登录,因为代码连接到数据库密码,但它没有从其加密代码“清理”密码,并且服务器无法识别密码。 I will provide my codes below: 我将在下面提供我的代码:
Signup.php Signup.php
$p = $_POST['p'];
$cryptpass = crypt($p);
include_once ("php_includes/randStrGen.php");
$p_hash = randStrGen(20)."$cryptpass".randStrGen(20);
Login.PHP 的login.php
$p = md5($_POST['p']);
How do I change the Login.PHP line provided above so that it sanitizes the password from it's encryption value to the password the user actually knows and entered in the first place? 如何更改上面提供的Login.PHP行,以便将密码从其加密值清除为用户实际知道并首先输入的密码?
ps $p= The Password that the user enters ps $ p =用户输入的密码
3 个解决方案
解决方案1
1 2014-02-08 02:36:17
Ok, so once you get the password from the user you will want to encrypt it when inserting into your database. 好的,所以一旦你从用户那里得到密码,你就会在插入数据库时加密它。 This requires an extra piece of data that is called "salt". 这需要一个称为“盐”的额外数据。 Salt is unique and you decide what you want it to be. 盐是独一无二的,你决定你想要它。 But you will need it to encrypt and decrypt so it's important you do not lose it! 但是你需要它来加密和解密所以重要的是你不要失去它! I keep it in its own file and use an include whenever I need it. 我将它保存在自己的文件中,并在需要时使用包含。 The following is PHP 以下是PHP
$key_salt = 'lettersandnumbers';
Now for the password encrypting Say you have the username and password in variables like so... 现在用于密码加密假设您在变量中有用户名和密码,如此...
$user_id = "usersId";
$password = "usersPassword";
This is the way to put them into the database... Create a variable with the following data 这是将它们放入数据库的方法...使用以下数据创建变量
$insertdata = sprintf("INSERT INTO $table (user_id, password,) VALUES ('%s', AES_ENCRYPT('%s', '$key_salt'))", $user_id, $password);
mysql_query($insertdata);
Notice the AES_ENCRYPT('%s', '$key_salt') This is what is making the encryption and see how it uses the $key_salt along with the '%s' (which is the $password ) 注意AES_ENCRYPT('%s', '$key_salt')这是加密的原因,看看它如何使用$key_salt以及'%s' (这是$password )
The combination of these makes it nearly impossible to crack 这些组合使得几乎不可能破解
This will decrypt the password and put it into a variable then you can do what you want with it after that.... 这将解密密码并将其放入变量中,然后你可以用它做你想要的事情....
$results = mysql_query("
SELECT AES_DECRYPT(password, '$key_salt') as password FROM $table where AES_DECRYPT(password, '$key_salt')='$password'");
$row = mysql_fetch_array($results);
$decryptedpassword = $row['password'];
解决方案2
1 已采纳 2014-02-08 03:34:02
I'm going to add a second answer here, which is more of a safe guard when it comes to any user input you get that will be inserted or drawn from a database. 我将在这里添加第二个答案,当涉及到您将从数据库插入或绘制的任何用户输入时,这更加安全。 When you MySql you want to sanitize any user input to prevent database injection which is the easiest way to break into a database. 当您使用MySql您希望清理任何用户输入以防止数据库注入,这是进入数据库的最简单方法。
Here is a great sanitation script. 这是一个伟大的卫生脚本。 Start by making a separate PHP file and copy/paste this code into it. 首先制作一个单独的PHP文件,然后将此代码复制/粘贴到其中。
<?php
// Sanitize User Input
function sanitize($data){
// apply stripslashes if magic_quotes_gpc is enabled
if(get_magic_quotes_gpc()){
$data = stripslashes($data);
}
// a mySQL connection is required before using this function
$data = mysql_real_escape_string($data);
return $data;
}
?>
Now include this page on any page that you will be interacting with the db 现在,将此页面包含在您将与db交互的任何页面上
<?php require("sanitize.php"); ?>
Note: Before calling the function you must already be connected to your db IE: mysql_connect("mysql",$mysqlusername,$mysqlpassword); 注意:在调用函数之前,您必须已经连接到db IE: mysql_connect("mysql",$mysqlusername,$mysqlpassword);
From here on out it is very simple. 从现在开始,它非常简单。 Say you assign a variable from a post like so 假设您从帖子中分配变量,就像这样
$password = $_POST["password"];
To sanitize this input you would do this 要清理此输入,您可以执行此操作
$password = sanitize($password);
This helps prevent MySql injections by removing certain characters relevant to modifying or revealing database information. 这有助于通过删除与修改或显示数据库信息相关的某些字符来防止MySql注入。
Hope this helps! 希望这可以帮助!
解决方案3
0 2014-02-08 02:16:29
Do not concatenate crypted password with random characters unless you save them also in database, otherwise - you will never be able to compare user input with saved encrypted password. 除非您将加密密码保存在数据库中,否则不要将加密密码与随机字符连接,否则 - 您永远无法将用户输入与保存的加密密码进行比较。 Just use: 只需使用:
$p_hash = $cryptpass;
and in Login.php script do not use md5($_POST['p']); 并且在Login.php脚本中不使用md5($_POST['p']); which is different hashing method, but use also crypt() function: 这是不同的散列方法,但也使用crypt()函数:
$p = crypt($_POST['p']);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.