douduo2407 2012-10-29 01:21
浏览 11
已采纳

检查空密码字段而不发布未加密的密码

Say I have a simple form:

<form action="register.php" method="post">
<label>Password:</label>
<?php if (isset($errors[1])) echo $errors[1]; ?> <- Displays error message if there is one
<input type="password" name="user_pass" />
<label>Confirm Password:</label>
<input type="password" name="user_pass_confirm" />

<input type="submit" />
</form>

$user_pass = $security->encrypt($_POST['user_pass']);
$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);

$registration->form($user_pass, $user_pass_confirm);

And a class:

if (empty($user_pass)) {
$errors[1] = 'Passwords  required';
} else if ($user_pass != $user_pass_confirm) {
$errors[1] = 'Passwords don't match';
}

//if error array empty, create member

What I'm trying to do is validate the password to make it required, make sure they match and I would also add in a preg_match regular expression to ensure that it was at least 8 characters long or whatever.

My problem is, I've already encrypted the password before I submit it (which I believe unencrypted passwords shouldn't be posted, correct me if I'm wrong).

And then when my class gets the encoded string I can't do anything to validate it. I could check for empty by comparing the fields to the encrypted/salted version of nothing but I'm certain that's not the way to do it.

Can anyone point me to the standard procedure for validating passwords or whatever your suggestions are on the solution.

Many thanks

  • 写回答

1条回答 默认 最新

  • dongrong7267 2012-10-29 01:39
    关注

    PHP cannot be executed on the client side. You cannot encrypt a plain password using PHP without sending it to the server in plain as PHP is a server side language. The password has to be sent to the server before you can access it. You can make use of mechanisms like SSL/TLS over https but this does not affect your PHP-Code.

    That means: You cannot encrypt a password using PHP before the form is submitted. This can be done by client-side programming languages like JavaScript. You could implement a JavaScript function checking if the password is OK (not empty and long/secure enough) and afterwards have JavaScript encrypt it and then send it to the server so that the encrypted password is transferred to the server.

    <form action="register.php" method="post">
...
</form>
<?php
//$user_pass = $security->encrypt($_POST['user_pass']);
//$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
//$registration->form($user_pass, $user_pass_confirm);
//YOUR PASSWORD HAS NOT BEEN SENT TO YOUR SERVER YET. YOU CANNOT ACCESS IT USING PHP.
//YOU WOULD NORMALLY DO SOMETHING LIKE THIS (IN REGISTER.PHP)
if(isset($_POST["name_of_your_submit_field"])) //WHICH MEANS THAT YOUR FORM HAS BEEN SUBMITTED NOW
{
    //This checks whether the POST-variable of your submit field is set.
    //If it is, you know that the client has submitted the form and sent the form data to your server.
    //Only here you can access the form data.
    $user_pass=$_POST['user_pass'];
    if(strlen($user_pass) > 8)
    {
        $user_pass = $security->encrypt($user_pass);
        $user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
        $registration->form($user_pass, $user_pass_confirm);
    }
}
?>
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 请问为什么我配置IPsec后PC1 ping不通 PC2,抓包出来数据包也并没有被加密
  • ¥200 求博主教我搞定neo4j简易问答系统,有偿
  • ¥15 nginx的使用与作用
  • ¥100 关于#VijeoCitect#的问题,如何解决?(标签-ar|关键词-数据类型)
  • ¥15 一个矿井排水监控系统的plc梯形图,求各程序段都是什么意思
  • ¥50 安卓10如何在没有root权限的情况下设置开机自动启动指定app?
  • ¥15 ats2837 spi2从机的代码
  • ¥200 wsl2 vllm qwen1.5部署问题
  • ¥100 有偿求数字经济对经贸的影响机制的一个数学模型,弄不出来已经快要碎掉了
  • ¥15 数学建模数学建模需要