doubenggua9430 2016-03-27 21:34
浏览 68
已采纳

在android上加密密码并存储在DB中

i've made a complete - working register/login system for android, everything is over the air and server sided database, the problem is that right now my password is being saved directly into the DB ( with no ecnryption ) and i've searched tons of websites and SoF posts and threads but nothing actually helped me.

i read about md5 and sha1 , blowfish and bcrypt but couldn't understand the proper implementation of such crytography..

the connection is made using php requests. the register code is below :

if($_SERVER['REQUEST_METHOD']=='POST'){
$username = $_POST['username'];
 $password = $_POST['password'];
 $email = $_POST['email'];
 $Firstname = $_POST['fname'];
 $Lastname = $_POST['lname'];
 $Date = $_POST['Date'];

 require_once('db_config.php');




    $check_username_email = "SELECT * FROM Users WHERE Username ='$username' AND Email = '$email'";

 $check_u_e = mysqli_fetch_array(mysqli_query($db,$check_username_email));

 $check_username = "SELECT * FROM Users WHERE Username ='$username'";

 $check_u = mysqli_fetch_array(mysqli_query($db,$check_username));

 $check_email = "SELECT * FROM Users WHERE Email ='$email'";

 $check_e = mysqli_fetch_array(mysqli_query($db,$check_email));

 if(isset($check_u_e)){

 echo 'Username AND Email already exist, please change them Both.';

 } 

 else if(isset($check_u)){

 echo 'Username already exists, please change it.';

 } 

 else if (isset($check_e)){

 echo 'Email already exists, please change it.';

 }  else{

 $sql = "INSERT INTO Users(Email,Username,Bio,Password,Fname,Lname,Regiser_Date) VALUES ('$email','$username',NULL,'$password','$Firstname','$Lastname','$Date')";

 if(mysqli_query($db,$sql)){

 echo "You have been successfully Registered";

 }   else{

 echo "Sorry, something went wrong - Try again.";

 }
 }
}else{

echo 'Server error - Please try again later.';
mysqli_close($db);
}

and my login is here : 

    if($_SERVER['REQUEST_METHOD']=='POST'){
 $username = $_POST['username'];
 $password = $_POST['password'];

 require_once('db_config.php');


 $sql = "SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'";

 $result = mysqli_query($db,$sql);

 $check = mysqli_fetch_array($result);

 if(isset($check)){
 echo 'Logged In';
 }
  else{
 echo 'Failed to login';
 }
 }

everything is fine except the encrytion. Can someone guide me through this ? i read that it needs 2 sides, one from client ( android app ) and one from php server side

  • 写回答

2条回答 默认 最新

  • dongwaner1367 2016-03-27 22:33
    关注

    To encrypt the password you can use password_hash function. In your registration code add the following before the insert query:

    $options = [
'cost' => 12,
];
$password = password_hash($password, PASSWORD_BCRYPT, $options);

    this will encrypt the password recived throught POST array on registration using BCRYPT algorithm. BCRYPT algorithm generate 60 chars hashes(cutting input strings to 70 chars), so, in your database, you will need to have a CHAR(60) password field to store the hashed password.

    You can also add your own salt in $options however, as wrote in php documentation

    It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one. As noted above, providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.

    Now that you have your crypted password in the database, in the login script you'll need to retrive the hashed password from the database and then, compare it to the entered password with password_verify() function:

    $sql = "SELECT password FROM Users WHERE Username = '$username'";
$result = mysqli_query($db,$sql);
if(!$row = mysqli_fetch_assoc($result)){
echo "failed to login(invalid username)";
die();
//login failed->add code to redirect to login page
}
if(password_verify($password, $row['password'])){
//password match the stored hash
echo "logged in";
//sucessfully logged->retrive all additional data you need, save session, redirect to homepage etc...
}
else echo "failed to log in(invalid password)";

    You will find all informations about password_hash() and password_verify() here but consider that:

    1. Password is still vulnerable on login and registration when is sended to the server through POST array. For this reason you should install a certificate in order to use HTTPS protocol to crypt the data that flow from the server to the client and viceversa (take a look here for configure ssl under apache)
    2. You'r not taking any precaution on the inputs so, your code, is vulnerable to injections. I suggest using mysqli or PDO prepared statements for query the database when you have untrasted data.
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 对于相关问题的求解与代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
  • ¥15 保护模式-系统加载-段寄存器
  • ¥15 电脑桌面设定一个区域禁止鼠标操作
  • ¥15 求NPF226060磁芯的详细资料