douduo2407 2012-10-29 01:21
浏览 11
已采纳

检查空密码字段而不发布未加密的密码

Say I have a simple form:

<form action="register.php" method="post">
<label>Password:</label>
<?php if (isset($errors[1])) echo $errors[1]; ?> <- Displays error message if there is one
<input type="password" name="user_pass" />
<label>Confirm Password:</label>
<input type="password" name="user_pass_confirm" />

<input type="submit" />
</form>

$user_pass = $security->encrypt($_POST['user_pass']);
$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);

$registration->form($user_pass, $user_pass_confirm);

And a class:

if (empty($user_pass)) {
$errors[1] = 'Passwords  required';
} else if ($user_pass != $user_pass_confirm) {
$errors[1] = 'Passwords don't match';
}

//if error array empty, create member

What I'm trying to do is validate the password to make it required, make sure they match and I would also add in a preg_match regular expression to ensure that it was at least 8 characters long or whatever.

My problem is, I've already encrypted the password before I submit it (which I believe unencrypted passwords shouldn't be posted, correct me if I'm wrong).

And then when my class gets the encoded string I can't do anything to validate it. I could check for empty by comparing the fields to the encrypted/salted version of nothing but I'm certain that's not the way to do it.

Can anyone point me to the standard procedure for validating passwords or whatever your suggestions are on the solution.

Many thanks

  • 写回答

1条回答 默认 最新

  • dongrong7267 2012-10-29 01:39
    关注

    PHP cannot be executed on the client side. You cannot encrypt a plain password using PHP without sending it to the server in plain as PHP is a server side language. The password has to be sent to the server before you can access it. You can make use of mechanisms like SSL/TLS over https but this does not affect your PHP-Code.

    That means: You cannot encrypt a password using PHP before the form is submitted. This can be done by client-side programming languages like JavaScript. You could implement a JavaScript function checking if the password is OK (not empty and long/secure enough) and afterwards have JavaScript encrypt it and then send it to the server so that the encrypted password is transferred to the server.

    <form action="register.php" method="post">
...
</form>
<?php
//$user_pass = $security->encrypt($_POST['user_pass']);
//$user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
//$registration->form($user_pass, $user_pass_confirm);
//YOUR PASSWORD HAS NOT BEEN SENT TO YOUR SERVER YET. YOU CANNOT ACCESS IT USING PHP.
//YOU WOULD NORMALLY DO SOMETHING LIKE THIS (IN REGISTER.PHP)
if(isset($_POST["name_of_your_submit_field"])) //WHICH MEANS THAT YOUR FORM HAS BEEN SUBMITTED NOW
{
    //This checks whether the POST-variable of your submit field is set.
    //If it is, you know that the client has submitted the form and sent the form data to your server.
    //Only here you can access the form data.
    $user_pass=$_POST['user_pass'];
    if(strlen($user_pass) > 8)
    {
        $user_pass = $security->encrypt($user_pass);
        $user_pass_confirm = $security->encrypt($_POST['user_pass_confirm']);
        $registration->form($user_pass, $user_pass_confirm);
    }
}
?>
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 数学建模招标中位数问题
  • ¥15 phython路径名过长报错 不知道什么问题
  • ¥15 深度学习中模型转换该怎么实现
  • ¥15 HLs设计手写数字识别程序编译通不过
  • ¥15 Stata外部命令安装问题求帮助!
  • ¥15 从键盘随机输入A-H中的一串字符串,用七段数码管方法进行绘制。提交代码及运行截图。
  • ¥15 TYPCE母转母,插入认方向
  • ¥15 如何用python向钉钉机器人发送可以放大的图片?
  • ¥15 matlab(相关搜索:紧聚焦)
  • ¥15 基于51单片机的厨房煤气泄露检测报警系统设计