doubenggua9430 2016-03-27 21:34
浏览 68
已采纳

在android上加密密码并存储在DB中

i've made a complete - working register/login system for android, everything is over the air and server sided database, the problem is that right now my password is being saved directly into the DB ( with no ecnryption ) and i've searched tons of websites and SoF posts and threads but nothing actually helped me.

i read about md5 and sha1 , blowfish and bcrypt but couldn't understand the proper implementation of such crytography..

the connection is made using php requests. the register code is below :

if($_SERVER['REQUEST_METHOD']=='POST'){
$username = $_POST['username'];
 $password = $_POST['password'];
 $email = $_POST['email'];
 $Firstname = $_POST['fname'];
 $Lastname = $_POST['lname'];
 $Date = $_POST['Date'];

 require_once('db_config.php');




    $check_username_email = "SELECT * FROM Users WHERE Username ='$username' AND Email = '$email'";

 $check_u_e = mysqli_fetch_array(mysqli_query($db,$check_username_email));

 $check_username = "SELECT * FROM Users WHERE Username ='$username'";

 $check_u = mysqli_fetch_array(mysqli_query($db,$check_username));

 $check_email = "SELECT * FROM Users WHERE Email ='$email'";

 $check_e = mysqli_fetch_array(mysqli_query($db,$check_email));

 if(isset($check_u_e)){

 echo 'Username AND Email already exist, please change them Both.';

 } 

 else if(isset($check_u)){

 echo 'Username already exists, please change it.';

 } 

 else if (isset($check_e)){

 echo 'Email already exists, please change it.';

 }  else{

 $sql = "INSERT INTO Users(Email,Username,Bio,Password,Fname,Lname,Regiser_Date) VALUES ('$email','$username',NULL,'$password','$Firstname','$Lastname','$Date')";

 if(mysqli_query($db,$sql)){

 echo "You have been successfully Registered";

 }   else{

 echo "Sorry, something went wrong - Try again.";

 }
 }
}else{

echo 'Server error - Please try again later.';
mysqli_close($db);
}

and my login is here : 

    if($_SERVER['REQUEST_METHOD']=='POST'){
 $username = $_POST['username'];
 $password = $_POST['password'];

 require_once('db_config.php');


 $sql = "SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'";

 $result = mysqli_query($db,$sql);

 $check = mysqli_fetch_array($result);

 if(isset($check)){
 echo 'Logged In';
 }
  else{
 echo 'Failed to login';
 }
 }

everything is fine except the encrytion. Can someone guide me through this ? i read that it needs 2 sides, one from client ( android app ) and one from php server side

  • 写回答

2条回答 默认 最新

  • dongwaner1367 2016-03-27 22:33
    关注

    To encrypt the password you can use password_hash function. In your registration code add the following before the insert query:

    $options = [
'cost' => 12,
];
$password = password_hash($password, PASSWORD_BCRYPT, $options);

    this will encrypt the password recived throught POST array on registration using BCRYPT algorithm. BCRYPT algorithm generate 60 chars hashes(cutting input strings to 70 chars), so, in your database, you will need to have a CHAR(60) password field to store the hashed password.

    You can also add your own salt in $options however, as wrote in php documentation

    It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one. As noted above, providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.

    Now that you have your crypted password in the database, in the login script you'll need to retrive the hashed password from the database and then, compare it to the entered password with password_verify() function:

    $sql = "SELECT password FROM Users WHERE Username = '$username'";
$result = mysqli_query($db,$sql);
if(!$row = mysqli_fetch_assoc($result)){
echo "failed to login(invalid username)";
die();
//login failed->add code to redirect to login page
}
if(password_verify($password, $row['password'])){
//password match the stored hash
echo "logged in";
//sucessfully logged->retrive all additional data you need, save session, redirect to homepage etc...
}
else echo "failed to log in(invalid password)";

    You will find all informations about password_hash() and password_verify() here but consider that:

    1. Password is still vulnerable on login and registration when is sended to the server through POST array. For this reason you should install a certificate in order to use HTTPS protocol to crypt the data that flow from the server to the client and viceversa (take a look here for configure ssl under apache)
    2. You'r not taking any precaution on the inputs so, your code, is vulnerable to injections. I suggest using mysqli or PDO prepared statements for query the database when you have untrasted data.
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 LiBeAs的带隙等于0.997eV,计算阴离子的N和P
  • ¥15 关于#windows#的问题:怎么用WIN 11系统的电脑 克隆WIN NT3.51-4.0系统的硬盘
  • ¥15 matlab有关常微分方程的问题求解决
  • ¥15 perl MISA分析p3_in脚本出错
  • ¥15 k8s部署jupyterlab,jupyterlab保存不了文件
  • ¥15 ubuntu虚拟机打包apk错误
  • ¥199 rust编程架构设计的方案 有偿
  • ¥15 回答4f系统的像差计算
  • ¥15 java如何提取出pdf里的文字?
  • ¥100 求三轴之间相互配合画圆以及直线的算法