
What is the best practice for submitting passwords?

Updated: 2022-04-06 01:39:36

Why are you trying to re-invent the wheel?

PHP already has built-in password encryption functions, so why use SHA-256 + salt?

Again, there are two types of authentication: 1.) session-based login, 2.) token-based login.

From your write-up you are combining session login with token login. You will need to decide which one you want to apply.

Consequently, there are a lot of PHP validation or sanitization functions that you need to know to keep your code more secure.

1.) Use strip_tags()

This strips out all HTML elements from form inputs or variables, e.g.

$email = strip_tags($_POST['email']);

2.) Use htmlentities or htmlspecialchars to prevent XSS attacks.

This converts HTML tags to their respective entities. It is only used when printing or echoing a result to an HTML page. You will see how I used it in the welcome.php page. See application:

$email = htmlentities($_POST['email']);

3.) Escape variables to prevent SQL injection attacks

If you are using MySQLi, the best SQL method to use is a prepared statement. Alternatively, you can still escape variables using the mysqli_real_escape_string() function. See application:

// escape variables Against sql injections
$email = mysqli_real_escape_string($conn, $_POST['email']);

4.) If you are using session-based login, you need to use the session ID regenerate method. This will help regenerate a new session ID as the user logs in, thus preventing session fixation attacks. Do not worry, you will see how to use it in the login.php code below. See application:

// first you will need to initialize sessions
session_start();
session_regenerate_id();

These are just a few among other security measures.

Let's have a look at session-based login using the PHP password verify functions.

Suppose this is your registration.php:

<?php
$conn = mysqli_connect("localhost","root","","demo");

if(!$conn){
    die("Connection error: " . mysqli_connect_error());
}

if(isset($_POST['submit'])){
    $firstName = mysqli_real_escape_string($conn,$_POST['first_name']);
    $surName = mysqli_real_escape_string($conn,$_POST['surname']);
    $email  = mysqli_real_escape_string($conn,$_POST['email']);
    // hash the raw password: escaping it would alter it, and the bcrypt
    // hash that is stored contains no characters that need escaping
    $password = $_POST['password'];

    $options = array("cost"=>4);
    $hashPassword = password_hash($password,PASSWORD_BCRYPT,$options);

    $sql = "insert into users (first_name, last_name, email, password) values('".$firstName."', '".$surName."', '".$email."','".$hashPassword."')";
    $result = mysqli_query($conn, $sql);
    if($result)
    {
        echo "Registration successful";
    }
}
?>

This is what your login.php code looks like:

<?php
// start the session before any output, otherwise the session cookie
// and the redirect header below cannot be sent
session_start();

$conn = mysqli_connect("localhost","root","","demo");

if(!$conn){
    die("Connection error: " . mysqli_connect_error());
}
if(isset($_POST['submit'])){
    $email = mysqli_real_escape_string($conn,$_POST['email']);
    // the raw password only goes to password_verify(), never into SQL,
    // so it must not be escaped (escaping would change it)
    $password = $_POST['password'];

    $sql = "select * from users where email = '".$email."'";
    $rs = mysqli_query($conn,$sql);
    $numRows = mysqli_num_rows($rs);

    if($numRows  == 1){
        $row = mysqli_fetch_assoc($rs);
        if(password_verify($password,$row['password'])){
            // initialize session if things were ok:
            // regenerate the id so a pre-set (fixated) id is not kept
            session_regenerate_id(true);

            // column names match the insert in registration.php
            $_SESSION['surname'] = $row['last_name'];
            $_SESSION['first_name'] = $row['first_name'];
            $_SESSION['email'] = $row['email'];

            // take me to welcome.php page (nothing may be echoed before this header)
            header('Location: welcome.php');
            exit;
        }
        else{
            echo "Wrong Password details";
        }
    }
    else{
        echo "User does not exist";
    }
}
?>

Welcome.php will now look like the code below to show the authenticated user's session info.

<?php
// the session must be started before $_SESSION can be read
session_start();
// use htmlentities or htmlspecialchars to prevent XSS Attack
?>
<?php echo htmlentities($_SESSION['surname'], ENT_QUOTES, "UTF-8"); ?>

<?php echo htmlspecialchars($_SESSION['first_name'], ENT_QUOTES, "UTF-8"); ?>
<?php echo htmlentities($_SESSION['email'], ENT_QUOTES, "UTF-8"); ?>

Now in your post I saw where you wrote about sending a generated token with every HTTP request. In this case I guess you are trying to mitigate CSRF attacks.

Here is the best and most secure way to do it once you are logged in.

To prevent CSRF you'll want to validate a one-time token, POSTed and associated with the current session. Something like the following...

On the page where the user requests, e.g., to insert a record for payments:

payment.php

<?php
 session_start();
 // a CSPRNG token is hard to guess; md5(uniqid()) is time-based and predictable
 $token = bin2hex(random_bytes(32));
 $_SESSION['payment_token'] = $token;
 session_write_close();
?>
<html>
<body>
<form method="post" action="payment_save.php">
 <input type="hidden" name="token" value="<?php echo $token; ?>" />
 Amount: <input type="text" name="amount" value="100 usd" />
 <input type="submit" value="submit" />
</form>
</body>
</html>

Then when it comes to actually inserting the record:

payment_save.php

<?php
 session_start();
 $token = $_SESSION['payment_token'] ?? null;
 unset($_SESSION['payment_token']);   // one-time use: consumed whether or not it matches
 session_write_close();
 // accept the token from $_POST only and compare it in constant time
 if ($token && is_string($_POST['token'] ?? null) && hash_equals($token, $_POST['token'])) {
   // Insert the record for payment
 } else {
   // log message. You are vulnerable to CSRF attack.
 }
?>

The token should be hard to guess, unique for each insert request, accepted via $_POST only, and expire after a few minutes (expiration not shown in this illustration).
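As an added example that is not part of the original answer, the pieces above are combined into one hardened login handler: a prepared statement instead of mysqli_real_escape_string(), password_hash() with PASSWORD_DEFAULT plus password_needs_rehash() to upgrade older hashes, session_regenerate_id(true) on login, and a CSRF token that is random, bound to the session, single-use and expiring (the part the answer says it left out). Everything it assumes is a choice of this example, not of the answer: a `users` table with columns id, first_name, last_name, email and password (bcrypt hash), the mysqlnd driver so that get_result() is available, placeholder database credentials, and a 10-minute token lifetime.

```php
<?php
// Added example, not the answer's code. Assumptions: a `users` table with columns
// id, first_name, last_name, email, password (bcrypt hash); the mysqlnd driver
// (needed for get_result()); placeholder DB credentials; a 10-minute token lifetime.
declare(strict_types=1);

const CSRF_TTL_SECONDS = 600; // assumed lifetime; the answer leaves the expiry unspecified

// Issue a per-form token: 32 bytes from the CSPRNG, stored in the session with an expiry.
function csrf_issue(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$form] = ['token' => $token, 'expires' => time() + CSRF_TTL_SECONDS];
    return $token;
}

// Consume and check a token. It is removed on every call (single use), must not have
// expired, and is compared in constant time with hash_equals().
function csrf_check(string $form, $submitted): bool
{
    $stored = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);
    if ($stored === null || !is_string($submitted)) {
        return false;
    }
    if (time() > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['token'], $submitted);
}

// Authenticate with a prepared statement and password_verify(); on success start a
// fresh session id. Returns true only when the email exists and the password matches.
function login(mysqli $conn, string $email, string $password): bool
{
    // bind_param keeps the value out of the SQL text, so no escaping is needed
    $stmt = $conn->prepare('SELECT id, first_name, last_name, email, password FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy hash for unknown emails so the response time does not
    // reveal which addresses are registered.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $storedHash = $row['password'] ?? $dummyHash;
    if (!password_verify($password, $storedHash) || $row === null) {
        return false;
    }

    // Upgrade hashes made with a weaker cost (the answer uses cost 4) to the current default.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $conn->prepare('UPDATE users SET password = ? WHERE id = ?');
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd->bind_param('si', $newHash, $row['id']);
        $upd->execute();
        $upd->close();
    }

    session_regenerate_id(true); // new id, old session data deleted: defeats fixation
    $_SESSION['user_id'] = $row['id'];
    $_SESSION['first_name'] = $row['first_name'];
    $_SESSION['surname'] = $row['last_name'];
    $_SESSION['email'] = $row['email'];
    return true;
}

// ---- request handling for login.php ----
session_start(); // before any output, or the Set-Cookie and Location headers are lost

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('login', $_POST['token'] ?? null)) {
        http_response_code(403);
        error_log('CSRF token missing, expired or invalid'); // log it, as the answer suggests
        exit('Invalid request');
    }
    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'demo'); // placeholder credentials
    if (login($conn, (string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''))) {
        header('Location: welcome.php');
        exit;
    }
    http_response_code(401);
    exit('Invalid email or password'); // one message for unknown user and wrong password
}

$token = csrf_issue('login');
?>
<form method="post" action="login.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  Email: <input type="email" name="email">
  Password: <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
```

The login failure path deliberately returns the same message and does roughly the same work for an unknown email and for a wrong password, so the response does not tell an attacker which addresses are registered; the token is keyed by form name so a token issued for one form cannot be replayed against another.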