doubenggua9430
doubenggua9430
2016-03-27 21:34

在android上加密密码并存储在DB中

已采纳

i've made a complete - working register/login system for android, everything is over the air and server sided database, the problem is that right now my password is being saved directly into the DB ( with no ecnryption ) and i've searched tons of websites and SoF posts and threads but nothing actually helped me.

i read about md5 and sha1 , blowfish and bcrypt but couldn't understand the proper implementation of such crytography..

the connection is made using php requests. the register code is below :

if($_SERVER['REQUEST_METHOD']=='POST'){
$username = $_POST['username'];
 $password = $_POST['password'];
 $email = $_POST['email'];
 $Firstname = $_POST['fname'];
 $Lastname = $_POST['lname'];
 $Date = $_POST['Date'];

 require_once('db_config.php');




    $check_username_email = "SELECT * FROM Users WHERE Username ='$username' AND Email = '$email'";

 $check_u_e = mysqli_fetch_array(mysqli_query($db,$check_username_email));

 $check_username = "SELECT * FROM Users WHERE Username ='$username'";

 $check_u = mysqli_fetch_array(mysqli_query($db,$check_username));

 $check_email = "SELECT * FROM Users WHERE Email ='$email'";

 $check_e = mysqli_fetch_array(mysqli_query($db,$check_email));

 if(isset($check_u_e)){

 echo 'Username AND Email already exist, please change them Both.';

 } 

 else if(isset($check_u)){

 echo 'Username already exists, please change it.';

 } 

 else if (isset($check_e)){

 echo 'Email already exists, please change it.';

 }  else{

 $sql = "INSERT INTO Users(Email,Username,Bio,Password,Fname,Lname,Regiser_Date) VALUES ('$email','$username',NULL,'$password','$Firstname','$Lastname','$Date')";

 if(mysqli_query($db,$sql)){

 echo "You have been successfully Registered";

 }   else{

 echo "Sorry, something went wrong - Try again.";

 }
 }
}else{

echo 'Server error - Please try again later.';
mysqli_close($db);
}

and my login is here :

    if($_SERVER['REQUEST_METHOD']=='POST'){
 $username = $_POST['username'];
 $password = $_POST['password'];

 require_once('db_config.php');


 $sql = "SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'";

 $result = mysqli_query($db,$sql);

 $check = mysqli_fetch_array($result);

 if(isset($check)){
 echo 'Logged In';
 }
  else{
 echo 'Failed to login';
 }
 }

everything is fine except the encrytion. Can someone guide me through this ? i read that it needs 2 sides, one from client ( android app ) and one from php server side

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

2条回答

  • dongwaner1367 dongwaner1367 5年前

    To encrypt the password you can use password_hash function. In your registration code add the following before the insert query:

    $options = [
    'cost' => 12,
    ];
    $password = password_hash($password, PASSWORD_BCRYPT, $options);
    

    this will encrypt the password recived throught POST array on registration using BCRYPT algorithm. BCRYPT algorithm generate 60 chars hashes(cutting input strings to 70 chars), so, in your database, you will need to have a CHAR(60) password field to store the hashed password.

    You can also add your own salt in $options however, as wrote in php documentation

    It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one. As noted above, providing the salt option in PHP 7.0 will generate a deprecation warning. Support for providing a salt manually may be removed in a future PHP release.

    Now that you have your crypted password in the database, in the login script you'll need to retrive the hashed password from the database and then, compare it to the entered password with password_verify() function:

    $sql = "SELECT password FROM Users WHERE Username = '$username'";
    $result = mysqli_query($db,$sql);
    if(!$row = mysqli_fetch_assoc($result)){
    echo "failed to login(invalid username)";
    die();
    //login failed->add code to redirect to login page
    }
    if(password_verify($password, $row['password'])){
    //password match the stored hash
    echo "logged in";
    //sucessfully logged->retrive all additional data you need, save session, redirect to homepage etc...
    }
    else echo "failed to log in(invalid password)";
    

    You will find all informations about password_hash() and password_verify() here but consider that:

    1. Password is still vulnerable on login and registration when is sended to the server through POST array. For this reason you should install a certificate in order to use HTTPS protocol to crypt the data that flow from the server to the client and viceversa (take a look here for configure ssl under apache)
    2. You'r not taking any precaution on the inputs so, your code, is vulnerable to injections. I suggest using mysqli or PDO prepared statements for query the database when you have untrasted data.
    点赞 评论 复制链接分享
  • douqiong8412 douqiong8412 5年前

    So it would be like this, while storing password in DB, Using any hashing or encrption like bcrypt,md5,sha1 and store it in Database. When user wants to login, again using the same hashing or encrytion mechanism compare it the value stored in DB matches with the one passed by user . If yes,then sucessful login.

    so now,

    your query for insert will chnage something like this,

     $sql = "INSERT INTO Users(Email,Username,Bio,Password,Fname,Lname,Regiser_Date) VALUES ('$email','$username',NULL,'md5($password)','$Firstname','$Lastname','$Date')";
    

    And

    $sql = "SELECT * FROM Users WHERE Username = '$username' AND Password = 'md5($password)'";
    

    Then Use Bcrypt,

    An example is shown in

    $options = [
        'cost' => 12,
    ];
    echo password_hash("password", PASSWORD_BCRYPT, $options)."
    ";
    

    http://php.net/manual/en/function.password-hash.php

    点赞 评论 复制链接分享

为你推荐