防止对php登录系统的恶意攻击
[英]Prevent malicious attacks on php login system
问题描述
I'm developing a C# application that allows the user to register and login. 
我正在开发一个允许用户注册和登录的C#应用程序。 I'm planning to use MySQL database and PHP on server side code. 我打算在服务器端代码上使用MySQL数据库和PHP。 Here is the server-side code that I plan to use. 这是我计划使用的服务器端代码。 This code copied from the below two articles. 这段代码是从下面的两篇文章中复制的。
(Secure) PHP Login System (Protected Against SQL-Injections) (安全)PHP登录系统(防止SQL注入)
Login System with PHP 用PHP登录系统
register.php register.php
<?php
$conn = new mysqli("db4free.net", "csharptricks", "12345678", "csharptricks");
$username = $_POST["username"];
$password = $_POST["password"];
$hashedpw = md5($password);
$stmt = $conn->prepare("SELECT username FROM Users WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows > 0) {
echo "Existing";
}
else {
$stmt = $conn->prepare("INSERT INTO Users (username, password) VALUES (?, ?);");
$stmt->bind_param("ss", $username, $hashedpw);
$stmt->execute();
echo "Success";
}
?>
login.php login.php
<?php
session_start();
$conn = new mysqli("db4free.net", "csharptricks", "12345678", "csharptricks");
$username = $_POST["username"];
$password = $_POST["password"];
$hashedpw = md5($password);
$stmt = $conn->prepare("SELECT username, password FROM Users WHERE username = ? LIMIT 1");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($output1, $output2);
$row = $stmt->fetch();
if($output2 == $hashedpw) {
$_SESSION["username"] = $username;
echo "LoginGood";
}
else {
echo "LoginBad";
}
?>
I'm new to PHP, so I would like to know from experts is there any risk at this code. 我是PHP的新手,所以我想从专家那里了解此代码是否存在任何风险。 Any advice and suggestions are highly appreciated. 任何意见和建议都受到高度赞赏。
Thanks in advance. 提前致谢。
1 个解决方案
解决方案1
2 已采纳 2018-09-08 05:46:04
If you're using PHP 5.5.0 or above, it is preferable if you can use in-built password_hash() function in order to generate hashed passwords. 如果您使用的是PHP 5.5.0或更高版本,则最好使用内置的password_hash()函数来生成哈希密码。 password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash()使用强大的单向哈希算法创建新的密码哈希。
string password_hash ( string $password , int $algo [, array $options ] )
The following algorithms are currently supported: 当前支持以下算法:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0).
PASSWORD_DEFAULT-使用bcrypt算法(自PHP 5.5.0起为默认值)。 Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. 请注意,此常数旨在随着时间的推移而变化,因为新的和更强大的算法已添加到PHP中。 For that reason, the length of the result from using this identifier can change over time. 因此,使用此标识符的结果的长度会随时间变化。 Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice). 因此,建议将结果存储在可以扩展到超过60个字符的数据库列中(255个字符将是一个不错的选择)。 PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash.
PASSWORD_BCRYPT-使用CRYPT_BLOWFISH算法创建哈希。 This will produce a standard crypt() compatible hash using the "$2y$" identifier. 这将使用“ $ 2y $”标识符生成标准的crypt()兼容哈希。 The result will always be a 60 character string, or FALSE on failure. 结果将始终为60个字符串,否则为FALSE。 PASSWORD_ARGON2I - Use the Argon2 hashing algorithm to create the hash.
PASSWORD_ARGON2I-使用Argon2哈希算法创建哈希。
To verify password hashed using password_hash() , you need to use password_verify() function. 要验证使用password_hash()散列的password_hash() ,您需要使用password_verify()函数。
bool password_verify ( string $password , string $hash )
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.