-1
我有一个登录/注册应用程序,它以加密的形式在MySQL服务器数据库上存储密码。我想在用户密码中没有加密以备将来恢复。这个PHP不是由我制作的,我也没有这方面的专业知识来编辑它。如果你们可以帮助解决这个问题,那么我可以在数据库中看到用户的密码。新手在这里。
P.S-我不希望任何滥用用户凭据。我尝试了很多为用户提供密码恢复系统的方法,但都没有成功。所以我想保持密码在数据库中可见,这样如果有人要求他/她的密码,我应该能够提供他们。使用保存记录的数据库 你可以看到这行
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt
如果你不想保存加密的密码只需要修改
$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$password', '$number', '$salt', NOW())");
P/S
<?php
class DB_Functions
{
private $db;
//put your code here
// constructor
function __construct() {
require_once 'DB_Connect.php';
// connecting to database
$this->db = new DB_Connect();
$this->db->connect();
}
// destructor
function __destruct() {
}
/**
* Storing new user
* returns user details
*/
public function storeUser($name, $email, $password, $number) {
$uuid = uniqid('', true);
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt
$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$encrypted_password', '$number', '$salt', NOW())");
// check for successful store
if ($result) {
// get user details
$uid = mysql_insert_id(); // last inserted id
$result = mysql_query("SELECT * FROM users WHERE uid = $uid");
// return user details
return mysql_fetch_array($result);
} else {
return false;
}
}
/**
* Get user by email and password
*/
public function getUserByEmailAndPassword($email, $password) {
$result = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
// check for result
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
$result = mysql_fetch_array($result);
$salt = $result['salt'];
$encrypted_password = $result['encrypted_password'];
$hash = $this->checkhashSSHA($salt, $password);
// check for password equality
if ($encrypted_password == $hash) {
// user authentication details are correct
return $result;
}
} else {
// user not found
return false;
}
}
/**
* Check user is existed or not
*/
public function isUserExisted($email) {
$result = mysql_query("SELECT email from users WHERE email = '$email'");
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
// user existed
return true;
} else {
// user not existed
return false;
}
}
/**
* Encrypting password
* @param password
* returns salt and encrypted password
*/
public function hashSSHA($password) {
$salt = sha1(rand());
$salt = substr($salt, 0, 10);
$encrypted = base64_encode(sha1($password . $salt, true) . $salt);
$hash = array("salt" => $salt, "encrypted" => $encrypted);
return $hash;
}
/**
* Decrypting password
* @param salt, password
* returns hash string
*/
public function checkhashSSHA($salt, $password) {
$hash = base64_encode(sha1($password . $salt, true) . $salt);
return $hash;
}} ?>
不要删除密码加密,用PHP提供['password_hash()'](http://php.net/manual/en/function.password-hash.php) 和['password_verify()'] (http://php.net/manual/en/function.password-verify.php)请使用它们,我可能想使用您的网站有一天 这里有一些[关于密码的好主意](https:// www.owasp.org/index.php/Password_Storage_Cheat_Sheet) 如果您使用的是5.5以前的PHP版本[此处提供兼容包](https://github.com/ircmaxell/password_compat) – RiggsFolly
您的脚本位于[SQL注入攻击]的风险(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) 看看发生了什么[小鲍比表]( http://bobby-tables.com/)甚至 [如果你是逃避投入,它不安全!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) 使用[准备好的声明和参数化语句](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly
请不要使用[mysql_'数据库扩展](http://stackoverflow.com/questions/12859942 /为什么 - 我应该使用mysql-functions-in-php),它不推荐使用(在PHP7中永远不用)特别是如果你只是学习PHP,花费你的精力学习'PDO'数据库扩展。 [开始](http://php.net/manual/en/book.pdo.php)其真的很容易 – RiggsFolly