drnmslpz42661 2010-12-15 19:03
浏览 55
已采纳

这是否正确使用PDO和准备好的语句进行安全登录?

Once again looking for some help with PHP security and a login system. Wondering if i did this correctly here. If i wasn't specific enough anywhere please ask, Any help is greatly appreciated. I am trying to create a secure login system, just for purposes of learning. here is the code:

require("constants.php");
$DBH = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

function createSalt() {
    $length = mt_rand(64, 128);
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(mt_rand(33, 255));
    }
    return $salt;
}
//Salt function created by ircmaxell

function registerNewUser() {
    //Check to see if     Username Is In Use//
    $q = $DBH->prepare("SELECT id FROM users WHERE username = ?"); 
    $username = filter_var($username, FILTER_SANITIZE_STRING);
    $data = array($username);
    $q->execute($data);
    $row = $q->fetch();

    if ($row === false) { 
        //If Username Is Not Already In Use Insert Data//
        $hash = hash('sha256', $pass);
        $salt = createSalt();
        $hash = hash('sha256', $salt . $hash . $pass);  //UPDATED
        $data = array($username, $hash, $salt);
        $qInsert = $DBH->prepare(
            "INSERT INTO users (username, password, salt) values (?, ?, ?)"
        );
        $qInsert->execute($data); //Inserts User Data Into Table//  
    }
}
  • 写回答

2条回答 默认 最新

  • dongpa2000 2010-12-15 19:07
    关注

    That looks good so far. I have three suggestions, though:

    1. Choose a longer salt
    2. Don't store salt and password digest separately
    3. If your database connection is not to localhost use a different database connector: PDO doesn't (yet) support SSL connections

    EDIT: Also, validate the input a client provides as a "username". But since your code sample is just an excerpt I guess you're doing that.

    EDIT #2: When I said, "don't store salt and password separately" I meant incorporating the salt into the stored password hash. Since the hash algorithm of your choice produces quite a long string (64 character) composed of [0-9a-f] you might want to contemplate generating a salt of random length (credits to ircmaxell here) and either concatenate that to the beginning or end of the password hash. So you'll end up storing variable length values (96 - 128 characters) worth of meaninglessness (to outsiders):

    $hash = hash('sha256', $pass);
$salt = substr(hash('sha256', mt_rand(0, 1337)), mt_rand(0, 31), 32);
$hash = $salt . hash('sha256', $salt . $hash . $pass);
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 完全没有学习过GAN,看了CSDN的一篇文章,里面有代码但是完全不知道如何操作
  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等
  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 qt6.6.3 基于百度云的语音识别 不会改
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行