1. 首頁
  2. 問答
  3. sha256加密的PHP註冊腳本

sha256加密的PHP註冊腳本

2012-05-06 87 views
-2

我正在製作一個註冊腳本,讓用戶在網站上註冊一個帳戶。我決定使用sha256來加密密碼。sha256加密的PHP註冊腳本

這裏是我的代碼:

// Set error message as blank upon arrival to page 
$errorMsg = ""; 
// First we check to see if the form has been submitted 
if (isset($_POST['Submit'])){ 
    //Connect to the database through our include 
    require_once ('includes/connect.inc.php'); 
    // Filter the posted variables 
    $forename = $_POST['forename']; 
    $surname = $_POST['surname']; 
    $email = stripslashes($_POST['email']); 
    $password = preg_replace("[^A-Za-z0-9]", "", $_POST['password']); // filter everything but numbers and letters 
    $email = strip_tags($email); 
    $town = preg_replace("[^A-Z a-z0-9]", "", $_POST['town']); // filter everything but spaces, numbers, and letters 

    // Check to see if the user filled all fields with 
    // the "Required"(*) symbol next to them in the join form 
    // and print out to them what they have forgotten to put in 
    if((!$forename) || (!$surname) || (!$email) || (!$password) || (!$town)){ 

     $errorMsg = "You did not submit the following required information!<br /><br />"; 
     if(!$forename){ 
      $errorMsg .= "--- Forename"; 
     } else if(!$surname){ 
      $errorMsg .= "--- Surname"; 
     } else if(!$email){ 
      $errorMsg .= "--- email"; 
     } else if(!$password){ 
      $errorMsg .= "--- password"; 
     } else if(!$town){ 
      $errorMsg .= "--- town"; 
     } 
    } else { 

      $hash = hash("sha256", $password); 

      $sql = "INSERT INTO customers (forename, surname, email, password, town, registeredDate, active) 
      VALUES('$forename','$surname','$email', '$hash', '$town', GETDATE(), 'True')" ; 
      $stmt2 = sqlsrv_query($conn,$sql); 


    } // Close else after missing vars check 
} //Close if $_POST 
?> 

<form action="join_form.php" method="post" enctype="multipart/form-data"> 
    <tr> 
     <td colspan="2"><font color="#FF0000"><?php echo "$errorMsg"; ?></font></td> 
    </tr> 

    <tr> 
     <td width="163"><div align="right">Forename:</div></td> 
     <td width="409"><input name="forename" type="text"/></td> 
    </tr> 

    <tr> 
     <td width="163"><div align="right">Surname:</div></td> 
     <td width="409"><input name="surname" type="text"/></td> 
    </tr> 

    <tr> 
     <td><div align="right">Email: </div></td> 
     <td><input name="email" type="text" /></td> 
    </tr> 

    <tr> 
     <td><div align="right"> Password: </div></td> 
     <td><input name="password" type="password" /> 
     <font size="-2" color="#006600">(letters or numbers only, no spaces no symbols)</font></td> 
    </tr> 

    <tr> 
     <td><div align="right">Town: </div></td> 
     <td> 
     <input name="town" type="text" /> 
     </td> 
    </tr> 

    <tr> 
     <td><div align="right"></div></td> 
     <td><input type="submit" name="Submit" value="Submit Form" /></td> 
    </tr> 
    </form>

當我按下提交按鈕沒有任何反應。我沒有收到錯誤消息,但該記錄也沒有添加到數據庫中。

我知道它是與我使用

$hash = hash("sha256", $password);

也許我把它放錯了地方的東西? 我對PHP很陌生。

來源

2012-05-06 Alex

+3

不會再...不要使用SHA對密碼。 http://stackoverflow.com/a/10471744/34397 – SLaks

+3

和**從來沒有_restrict密碼允許在密碼_!**尤其是從來沒有這樣做的默默。 – SLaks

+1

您有一個SQL注入漏洞。 – SLaks

回答

1

我完全改變了我的代碼,並使用PARAMS爲了記錄添加到數據庫

<?php 
require_once ('includes/connect.inc.php'); 

if ($_POST['Register'] == "register") 
{ 

$params = array($_POST['email']); 

$sql= "SELECT * FROM customers WHERE Email=?"; 
$stmt = sqlsrv_query($conn,$sql,$params); 

if(sqlsrv_has_rows($stmt)) 
{ 
// echo"<h2>You have already signed up with this email </h2>"; 
    header('Location: register_login_forms.php?error=2'); 
    die(); 
} else if($_POST['password'] != $_POST['password2']) 
{ 
// echo"<h2>Wrong Passwod</h2>"; 
    header('Location: register_login_forms.php?error=3'); 
    die(); 
} 

$pass = hash("sha256", $_POST['password']); 

$params = array($_POST['forename'],$_POST['surname'],$_POST['email'],$pass, $_POST['phone'], $_POST['question'], 
$_POST['answer']); 

$sql="INSERT INTO customers (forename,surname,email,password,phone,secret_question, secret_answer,active,registeredDate) 
VALUES (?,?,?,?,?,?,?,'True',GETDATE())"; 
    $stmt=sqlsrv_query($conn,$sql,$params); 
header('Location: registerSuccess.php');  

} 

?>

這裏是形式

<Form name = "Register" action="register.php" method="POST" > 

        <label>Forename</label><br /> 
        <input required title="Please only use Letters" type="text" pattern="\s*[A-z]+\s*" name="forename" /><br/> 
        <label>Surname</label><br /> 
        <input required title="Please only use Letters" type="text" pattern="\s*[A-z]+\s*" name="surname" /><br/> 
        <label>Email</label><br /> 
        <input required title="Please enter a Valid Email Address" type="email" name="email" /></br> 
        <label>Password</label><br /> 
        <input required title="Please have a Password of Minimum of 6 Characters with Numbers" type="password" pattern="[A-z0-9]{6,20}" name="password" /></br> 
        <label>Confirm Password</label><br /> 
        <input required title="Confirm Password" type="password" pattern="[A-z0-9]{6,20}" name="password2" /></br> 
        <label>Secret Question</label><br /> 
        <input required type="text" name="question" /></br> 
        <label>Secret Answer</label><br /> 
        <input required type="text" name="answer" /></br> 
        <label>Phone Number</label><br /> 
        <input required title="Please only use numbers" type="text" pattern="\d+" name="phone" /></br> 

        <input type="hidden" name="Register" value="register"> 
        <input class="button" type = "submit"/> 

      </Form>

來源

2012-05-07 23:50:46 Alex

+0

你不應該使用普通的SHA-256作爲密碼哈希。使用慢密鑰派生函數,如bcrypt和salt一起使用。查看http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html獲取背景信息。 – CodesInChaos

相關問題

 相關問題