2017-08-07 78 views
0

I clean username input like this. Is it also recommended to clean the password input?

function clean($data) { 
    $data = trim($data); 
    $data = stripslashes($data); 
    $data = htmlspecialchars($data); 
    return $data; 
} 

I am using PDO prepared statements and hashed passwords, so is it still advisable to also clean the password input?

Here is the code. Be warned, it is unfinished at the moment and also very messy.

<?php 
    // start session 
    session_start(); 
?> 
<!DOCTYPE html> 
<html> 
<head> 
    <meta charset='utf-8'> 
    <link href='css/verify-id.css' rel='stylesheet'> 
</head> 
<body> 
<?php 
function clean($data) { 
    $data = trim($data); 
    $data = stripslashes($data); 
    $data = htmlspecialchars($data); 
    return $data; 
} 

// defaults so the form below never reads an undefined variable on a GET 
$error  = ''; 
$identity = ''; 
$tip   = ''; 
$prompt = ''; 

if ($_SERVER['REQUEST_METHOD'] === 'POST') { 

    // set or enter password 
    if (isset($_POST['password']) && empty($_POST['password'])) { 

    $error = 'A password is required.'; 
    $identity = ''; 
    $tip  = ''; 
    $prompt = ''; 

    } else if (isset($_POST['password']) && !empty($_POST['password'])) { 

    // the password as typed: it is only ever hashed or verified, never echoed 
    // and never interpolated into SQL, so it is not passed through clean() 
    $password = $_POST['password']; 
    $idPersist = $_SESSION['idPersist'] ?? null; 

    include 'include/database-connection.php'; 

    if (($_SESSION['prompt'] ?? '') === 'Enter Password') { 

     // compare password: fetch the stored hash and let password_verify compare it 
     $sql = 'SELECT pass FROM guests WHERE id = :id'; 
     $stmt = $conn->prepare($sql); 
     $stmt->bindParam(':id', $idPersist); 
     $stmt->execute(); 
     $row = $stmt->fetch(PDO::FETCH_ASSOC); 

     if ($row && password_verify($password, $row['pass'])) { 
      $error = ''; 
     } else { 
      // stay on the password prompt and report the failure 
      $error = 'Incorrect password.'; 
      $identity = 'password'; 
      $tip  = 'Password'; 
      $prompt = 'Enter Password'; 
     } 

    } else if (($_SESSION['prompt'] ?? '') === 'Set Password') { 

     // set password: store a hash of the password, never the password itself; 
     // the guest row already exists (it was found by id), so UPDATE rather than INSERT 
     $sql = 'UPDATE guests SET pass = :password WHERE id = :id'; 
     $stmt = $conn->prepare($sql); 
     $stmt->bindValue(':password', password_hash($password, PASSWORD_DEFAULT)); 
     $stmt->bindParam(':id', $idPersist); 
     $stmt->execute(); 
    } 

    $conn = null; 
    } 

    // enter id 
    if (!isset($_POST['password']) && empty($_POST['id'])) { 
    $error = 'An ID is required.'; 
    } else if (!isset($_POST['password']) && !empty($_POST['id'])) { 
    include 'include/database-connection.php'; 
    $id  = clean($_POST['id']); 
    $sql = 'SELECT id, pass FROM guests WHERE id = :id'; 
    $stmt = $conn->prepare($sql); 
    $stmt->bindParam(':id', $id); 
    $stmt->execute(); 
    $result = $stmt->fetch(PDO::FETCH_ASSOC); 

    if ($result) { 
     $_SESSION['idPersist'] = $id; 
     $identity    = 'password'; 
     $tip     = 'Password'; 
     $error     = ''; 
     if (is_null($result['pass'])) { 
     $prompt    = 'Set Password'; 
     $_SESSION['prompt'] = 'Set Password'; 
     } else { 
     $prompt    = 'Enter Password'; 
     $_SESSION['prompt'] = 'Enter Password'; 
     } 
    } else { 
     $prompt = 'Enter Valid ID'; 
    } 
    $conn = null; 
    } 

} 
?> 
    <form 
    accept-charset ='UTF-8' 
    action   ='<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>' 
    autocomplete ='off' 
    enctype  ='application/x-www-form-urlencoded' 
    method   ='post' 
    target   ='_self'> 
     <input 
     autofocus 
     id   ='<?php 
      if (empty($identity)) { 
      echo 'id'; 
      } else { 
      echo $identity; 
      } 
     ?>' 
     name  ='<?php 
      if (empty($identity)) { 
      echo 'id'; 
      } else { 
      echo $identity; 
      } 
     ?>' 
     placeholder ='<?php 
      if (empty($tip)) { 
      echo 'ID'; 
      } else { 
      echo $tip; 
      } 
     ?>' 
     required 
     size  ='25' 
     title  ='<?php 
      if (empty($tip)) { 
      echo 'ID'; 
      } else { 
      echo $tip; 
      } 
     ?>' 
     type  ='text'> 
     <span><?php echo $error; ?></span> 
     <input 
     id ='submit' 
     name ='submit' 
     type ='submit' 
     value ='<?php 
     if (empty($prompt)) { 
      echo 'Enter ID'; 
     } else { 
      echo $prompt; 
     } 
     ?>'> 
    </form> 
</body> 
</html> 
+1

No, don't do that. Also, that function is generally misused, so be careful. – chris85

+0

What do you gain by applying that to passwords that are only used for hashing? –

+0

@HubertGrzeskowiak I'm not sure what you mean? I plan to hash the password, but I'm not sure whether the hashing of the password takes place before the cleaning? – Anthony
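As an added example (not the asker's code, and not from any answer on this page), the following script shows what happens when the question's clean() is applied to a password before hashing, and the flow that needs no cleaning at all: hash the raw input with password_hash, store the hash through a prepared statement, and compare with password_verify. It reuses the guests(id, pass) table from the question but runs against an in-memory SQLite database through PDO, which assumes the pdo_sqlite extension is available; the guest id, the password and the setPassword/checkPassword function names are constructed for the example.

```php
<?php
// Added example, not the asker's or the answerer's code. It reuses the
// question's clean() and its guests(id, pass) table, but runs against an
// in-memory SQLite database through PDO (assumes the pdo_sqlite extension)
// so it can be executed stand-alone. The guest id and the password are
// constructed sample values; setPassword/checkPassword are names chosen here.

function clean(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// "Set Password": hash the password exactly as typed and store only the hash.
// The bound parameter carries the value; nothing is interpolated into the SQL.
function setPassword(PDO $conn, string $id, string $rawPassword): void
{
    $hash = password_hash($rawPassword, PASSWORD_DEFAULT); // bcrypt, e.g. $2y$10$...
    $stmt = $conn->prepare('UPDATE guests SET pass = :pass WHERE id = :id');
    $stmt->bindValue(':pass', $hash);
    $stmt->bindValue(':id', $id);
    $stmt->execute();
}

// "Enter Password": fetch the stored hash and let password_verify compare it
// against the raw input. The raw password never reaches SQL or HTML.
function checkPassword(PDO $conn, string $id, string $rawPassword): bool
{
    $stmt = $conn->prepare('SELECT pass FROM guests WHERE id = :id');
    $stmt->bindValue(':id', $id);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['pass'] === null) {
        return false; // unknown id, or password not set yet
    }
    return password_verify($rawPassword, $row['pass']);
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE guests (id TEXT PRIMARY KEY, pass TEXT NULL)');
$conn->exec("INSERT INTO guests (id, pass) VALUES ('guest-42', NULL)"); // pass is NULL until set

// Constructed password with characters that clean() rewrites:
// leading/trailing spaces, an ampersand, a less-than sign and a backslash.
$typed = "  Rock & Roll <3 \\o/  ";

// Raw password in, raw password verified: the only flow that is needed.
setPassword($conn, 'guest-42', $typed);
printf("raw hash, raw verify:     %s\n",
    checkPassword($conn, 'guest-42', $typed) ? 'accepted' : 'rejected');

// Run the password through clean() first, as the question's id handling does,
// and the stored hash is of a different string: the password the user
// actually types no longer verifies.
printf("clean() turns it into:    [%s]\n", clean($typed));
setPassword($conn, 'guest-42', clean($typed));
printf("cleaned hash, raw verify: %s\n",
    checkPassword($conn, 'guest-42', $typed) ? 'accepted' : 'rejected');

// What ends up in the database is the hash, which uses only [A-Za-z0-9./$]
// and so needs no escaping for SQL or HTML; the prepared statement already
// protects the query, and htmlspecialchars belongs at output time, not on input.
```

Running it with `php` prints one accepted and one rejected check: the cleaned variant fails because trim, stripslashes and htmlspecialchars each changed the string before it was hashed, so the user would have to reproduce the cleaned form to log in. Prepared statements are what stop SQL injection here; cleaning the password adds nothing to that and silently breaks passwords containing `&`, `<`, `>`, quotes, backslashes or surrounding whitespace.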

Answer

4

NO

Don't mess with user passwords. There is no need to clean or sanitize user passwords.

It does no harm, because the password should always be hashed. It should never be stored in raw form.

A hashed password such as $2y$10$36PQzf67DtRPrn3ViqNFS.iswIU9AyIPRWV23KzmSXWD66RD7frIm cannot cause any harm.

+0

Does this mean the hashing happens before the input is posted? So that some input (i.e. '