Change Password Structure without affecting current users

I'm looking for help or advice on best practices for updating a password system. A while ago I built a login system in PHP (before I really knew what I was doing), and all it does is encrypt the password with sha1, which I know is not secure or good to use.

So basically, on a successful login all it does is

$password = sha1($password1);

I want to use a different method that I have been using recently, which uses the CRYPT_BLOWFISH function like this:

 function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
         //echo "WE HAVE CRYPT BLOWFISH YAYA";
         //'$2y$' selects bcrypt, 11 is the cost; the 22 salt characters are taken from the md5 hex output
         $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
         return crypt($password_1, $salt);
    }//End If
    return false; //No Blowfish support: the caller must not store this result
 }//End Function generateHash

At registration I encrypt the password:

$password_1 = $_POST['password_1'];
//Hash the password
$password = generateHash($password_1);

Then at login I use

//$stored_hash is the hash saved at registration; crypt() reads the salt out of it,
//so it reproduces the same hash only if the password is right
$hashed_password = crypt($password_1, $stored_hash);
if($hashed_password != $stored_hash){
    $error['password'] = 'The password or username you entered is incorrect.';
}else{
    echo "You're good to go!";
}

I have a lot of users and would like to make the change seamlessly, or at least with minimal impact on them. Is it even possible to do this without them noticing the change? Any help or advice would be much appreciated.

Thanks

You can create new columns in the user table, e.g. password, newPassword.
When a user logs in, you hash the password with the new algorithm and save it in the newPassword column.
After a few days, rename the column newPassword to password.

Thanks for the idea, Cvetomir. So what I did was create a new column in the table called encrypted_password; basically, all new registrations will be encrypted with CRYPT_BLOWFISH.

So basically my solution (not sure how elegant it is, but it works) looks at each password. If the entered password matches the SHA1 password, it takes that posted password, encrypts it into the new format and adds it to the database.

After the encrypted password column has been updated I will remove the old password column. Anyway, happy to hear thoughts/suggestions to make it better, but for now it works; a lot of trial and error went into this one.

//The UPDATE and the session setup were duplicated in both branches; they live in two helpers now
function store_encrypted_password($db_connection, $hash, $username){
    //Build our query
    $sql = "UPDATE members_teachers SET encrypted_password = ? WHERE username = ?";
    //Prepare our query; can not proceed if we can not prepare it
    $stmt = $db_connection->prepare($sql);
    if(false === $stmt){ die('prepare() failed: ' . htmlspecialchars($db_connection->error)); }
    //Bind the hash (never the posted plaintext) and the username
    if(false === $stmt->bind_param('ss', $hash, $username)){ die('bind_param() failed: ' . htmlspecialchars($stmt->error)); }
    //Execute and test whether it worked
    if(false === $stmt->execute()){ die('execute() failed: ' . htmlspecialchars($stmt->error)); }
    $stmt->close();
}

function start_teacher_session($dhl_id, $username){
    session_regenerate_id();
    //Create our session on session_id and hash it as well ($dhl_id is set earlier in the script)
    $_SESSION['DHL'] = generateHash($dhl_id);
    $_SESSION['TIMEOUT'] = time();
    $_SESSION['TEACHER_ID'] = $username;
    session_write_close();
}

if(!$errors && $username == $teacher_row['username']){
    if($_POST['password1'] != ''){
        $posted_password = $_POST['password1'];
        $old_password = sha1($posted_password);
        //If the old SHA1 password does not match, try to match it with our new method
        if($old_password != $teacher_row['password1']){
            //Grab the new column; the stored hash doubles as the salt for crypt()
            $user_password = $teacher_row['encrypted_password'];
            $hashed_password = crypt($posted_password, $user_password);
            //An empty column means this user has not been migrated yet, so it can never match
            if($user_password == '' || $hashed_password != $user_password){
                //Neither the old nor the new hash matched: throw an error
                $errors['username'] = 'The username or password you entered is incorrect.';
            }else{
                //The new password does match: grant the session
                start_teacher_session($dhl_id, $teacher_row['username']);
            }
        }
        else{ //The old SHA1 password matched: rehash it into the new format and store that
            $password = generateHash($posted_password);
            store_encrypted_password($db_connection, $password, $teacher_row['username']);
            //The new hashed password is stored; we are good
            start_teacher_session($dhl_id, $teacher_row['username']);
        }
    }//If password is not blank
    else{
        $errors['username'] = 'You must enter a password';
    }
}
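The migration Cvetomir describes and the poster's implementation of it, as an added PHP example that is not code from the thread. It uses password_hash()/password_verify() (PHP's built-in bcrypt wrapper, which draws its own salt) instead of the hand-built '$2y$11$' salt and crypt(), and it goes beyond the thread in one respect: an eager pass that wraps every existing sha1 digest in bcrypt, so accounts that never log in again are protected too and the raw sha1 column can be dropped immediately rather than "after a few days". The column names password and encrypted_password come from the posts; the function names, the 'sha1-bcrypt$' marker and the sample rows are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not code from the question or the answers). Assumes PHP >= 7.1.
// Column names password / encrypted_password are from the thread; the function
// names, the 'sha1-bcrypt$' marker and the sample rows are assumptions.

const BCRYPT_COST = 11;              // same cost as the '$2y$11$' salt in the question
const WRAP_PREFIX = 'sha1-bcrypt$';  // assumed marker: the value after it is bcrypt(sha1hex)

function bcrypt_hash(string $password): string
{
    // password_hash() draws its own CSPRNG salt; no md5(uniqid(rand())) construction needed.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Eager step, run once over every row that still holds a raw sha1 digest. It
// needs no plaintext, so inactive accounts are covered immediately.
function wrap_legacy_sha1(string $sha1Hex): string
{
    if (!preg_match('/^[0-9a-f]{40}$/i', $sha1Hex)) {
        throw new InvalidArgumentException('not a sha1 hex digest');
    }
    return WRAP_PREFIX . bcrypt_hash(strtolower($sha1Hex));
}

// Check one login against a user row. Returns [ok, newHash]: newHash is a fresh
// bcrypt hash to store when the row should be upgraded, null when the stored
// value is already in its final form or the password was wrong.
function verify_and_migrate(array $row, string $password): array
{
    $stored = (string)($row['encrypted_password'] ?? '');
    $legacy = (string)($row['password'] ?? '');

    if (strpos($stored, WRAP_PREFIX) === 0) {
        // bcrypt(sha1(pw)) wrapper: verify the inner digest, then move to plain bcrypt
        $inner = substr($stored, strlen(WRAP_PREFIX));
        return password_verify(sha1($password), $inner)
            ? [true, bcrypt_hash($password)]
            : [false, null];
    }

    if ($stored !== '') {
        // Already migrated; rehash only if the cost has been raised since.
        if (!password_verify($password, $stored)) {
            return [false, null];
        }
        $stale = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return [true, $stale ? bcrypt_hash($password) : null];
    }

    if ($legacy !== '') {
        // Untouched sha1 row: constant-time compare, then upgrade on success.
        return hash_equals(strtolower($legacy), sha1($password))
            ? [true, bcrypt_hash($password)]
            : [false, null];
    }

    return [false, null];   // no credential on file at all
}

// Stands in for the UPDATE members_teachers SET encrypted_password = ? query in
// the thread. Once a bcrypt hash is stored the sha1 column is cleared so the weak
// digest does not linger next to the strong one.
function apply_migration(array $row, ?string $newHash): array
{
    if ($newHash !== null) {
        $row['encrypted_password'] = $newHash;
        $row['password'] = '';
    }
    return $row;
}

// Constructed sample rows, not real accounts.
$rows = [
    'alice' => ['password' => sha1('correct horse'),  'encrypted_password' => ''],
    'bob'   => ['password' => sha1('battery staple'), 'encrypted_password' => ''],
];
// Offline pass: bob is wrapped without knowing his password; alice is left on
// raw sha1 to show the lazy, rehash-on-login path.
$rows['bob'] = apply_migration($rows['bob'], wrap_legacy_sha1($rows['bob']['password']));

$attempts = [['alice', 'wrong'], ['alice', 'correct horse'],
             ['bob', 'battery staple'], ['bob', 'battery staple']];
foreach ($attempts as [$user, $pw]) {
    [$ok, $newHash] = verify_and_migrate($rows[$user], $pw);
    $rows[$user] = apply_migration($rows[$user], $newHash);
    printf("%-5s %-15s ok=%-3s stored=%s\n", $user, $pw, $ok ? 'yes' : 'no',
        substr($rows[$user]['encrypted_password'], 0, 11) ?: '(sha1 only)');
}
```

Running it shows the four states a row passes through: alice's wrong password is rejected and her row stays on sha1; her correct password is accepted and the row is upgraded to a '$2y$11$' hash; bob's first login is accepted through the wrapper and converted to a plain bcrypt hash; his second login is accepted with no further rehash. The one thing the lazy scheme in the thread cannot do is protect users who never return, which is what the wrap step is for; whichever variant you use, the UPDATE must bind the hash, never the posted plaintext.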