usuario sesiones sesion registro multiusuario inicio descargar control contraseña con administrar administrador php login passwords salt crypt

php - sesiones - Registro de PDO y coincidencia de contraseña de inicio de sesión



sesiones multiusuario php (1)

Está bien ... así que para comenzar solo tengo Php 5.3 así que no puedo usar bcrypt, no estoy familiarizado con la sal pero estoy completamente dispuesto a hacerlo si alguien puede ayudarme. También me gustaría saber si este script es malo o bueno para las inyecciones sql. Mi mayor problema es cuando uso algo como crypt y trato de hacer que mis contraseñas coincidan, pero no es así. He estado trabajando en esto durante días y parece que no puedo encontrar la solución adecuada a mi problema. el código aún no está hecho, pero es capaz de ejecutarse. Solo estoy haciendo esto en Wamp entonces no sé si eso es un problema? pero no puedo imaginarlo.

REGISTRARSE. PHP

if ((strlen($username)) < 6 || (preg_match("/[^/w-.]/", $username)) ) { header(''Location: Register.php?fail=1''); die(); } if ((strlen($password)) < 8) { header(''Location: Register.php?fail=2''); die(); } if(!filter_var($email, FILTER_VALIDATE_EMAIL)) { header(''Location: Register.php?fail=3''); die(); } /* TRIED METHODS $salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM); $salt = base64_encode($salt); $salt = str_replace(''+'', ''.'', $salt); $hash = crypt(''rasmuslerdorf'', ''$2y$10$''.$salt.''$''); $password = $hash; echo "<script>alert(''$password'');</script>"; $salt = ''$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors''; $digest = crypt($password, $salt); if (crypt($password, $digest) == $digest){ echo "<script>alert(''logged in'');</script>"; }else{ header(''Location: Login.php?fail=3''); die(); } */ //PDO CONNECTION function pdo_connect() { try { $db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX"); return $db; } catch (PDOException $e) { //echo $e->getMessage(); //return false; header(''Location: Register.php?fail=6''); } } //CHECK IF USERNAME EXISTS function usernameCheck($username) { $con = pdo_connect(); $ustmt = $con->prepare("SELECT u_users FROM users WHERE u_users = :name"); $ustmt->bindParam('':name'', $username); $ustmt->execute(); if($ustmt->rowCount() > 0){ header(''Location: Register.php?fail=4''); die(); } $con = null; } echo usernameCheck($username); //CHECK IF EMAIL EXISTS function emailCheck($email) { $con = pdo_connect(); $estmt = $con->prepare("SELECT u_email FROM users WHERE u_email = :name"); $estmt->bindParam('':name'', $email); $estmt->execute(); if($estmt->rowCount() > 0){ header(''Location: Register.php?fail=5''); die(); } $con = null; } echo emailCheck($email); //INSERT EMAIL TO NEWSLETTER function emailnewsletterCheck($email) { $con = pdo_connect(); $nstmt = $con->prepare("SELECT n_email FROM newsletter WHERE n_email = :email"); $nstmt->bindParam('':email'', $email); $nstmt->execute(); if($nstmt->rowCount() < 1){ $addstmt = $con->prepare(''INSERT INTO newsletter (n_email) VALUES (:email)''); $addstmt->bindParam('':email'', $email); $addstmt->execute(); } $con = null; } echo emailnewsletterCheck($email); //INSERT function insert($username,$password,$email,$type) { $con = pdo_connect(); $password = md5($password); $istmt = $con->prepare(''INSERT INTO users (u_users, u_private, u_email, u_type) VALUES (:username, :password, :email, :type)''); $istmt->execute(array( '':username'' => $username, '':password'' => $password, '':email'' => $email, '':type'' => $type )); $con = null; header(''Location: Login.php?success=1''); } echo insert($username,$password,$email,$type); }//end submit ?> <?php $page_title = "NS : Web Development : Register"; $page_desc = "Register with us for great deals on website development."; $services = 0; include_once ''header.php''; ?> <script type="text/javascript"> // This function checks if the username field is at least 6 characters long. function checkUsernameForLength(whatYouTyped) { var fieldset = whatYouTyped.parentNode.parentNode.parentNode; var txt = whatYouTyped.value; if (txt.length > 5) { $("span.hint").hide(); } } // If the password is at least 4 characters long function checkPassword(whatYouTyped) { var fieldset = whatYouTyped.parentNode.parentNode.parentNode; var txt = whatYouTyped.value; if (txt.length > 7) { $("span.hint").hide(); } } // This function checks the email address [email protected] function checkEmail(whatYouTyped) { var fieldset = whatYouTyped.parentNode.parentNode.parentNode; var txt = whatYouTyped.value; if (/^/w+([/.-]?/w+)*@/w+([/.-]?/w+)*(/./w{2,3})+$/.test(txt)) { $("span.hint").hide(); } } // this part is for the form field hints to display // only on the condition that the text input has focus.otherwise, it stays hidden. function addLoadEvent(func) { var oldonload = window.onload; if (typeof window.onload != ''function'') { window.onload = func; } else { window.onload = function() { oldonload(); func(); } } } function prepareInputsForHints() { var inputs = document.getElementsByTagName("input"); for (var i=0; i<inputs.length; i++){ inputs[i].onfocus = function () { this.parentNode.getElementsByTagName("span")[0].style.display = "inline"; } inputs[i].onblur = function () { this.parentNode.getElementsByTagName("span")[0].style.display = "none"; } } } addLoadEvent(prepareInputsForHints); </script> <div class="jumbotron"> <div class="container"> <h1>Register for <font color="fb1576">great</font> opportunities</h1> <p>Get full quotes, package <font color="fb1576">deals</font>, news and updates on the latest themes and scripts, and even <font color="fb1576">win</font> free prizes<font color="fb1576">!</font> </div> </div> <div class="container"> <!-- row of columns --> <div class="row"> <?php if ( isset($_GET[''fail'']) && $_GET[''fail''] == 1 ){ echo "<div class=''alert alert-danger''>Username must be at least 6 characters in length and can only contain characters matching (a-z) (A-Z) (0-9) and ''_'' Please try again. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 2 ){ echo "<div class=''alert alert-danger''>Password must be at least 8 characters in length and cannot exceed 25. Please try again. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 3 ){ echo "<div class=''alert alert-danger''>E-mail is not valid. Please try again. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 4 ){ echo "<div class=''alert alert-danger''>Username you chose already exists. Please try again. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 5 ){ echo "<div class=''alert alert-danger''>E-mail you entered is already in use. Please try again. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 6 ){ echo "<div class=''alert alert-danger''>Something went wrong, we couldn''t submit your registration. Please try again later. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } ?> <form name="basicform" id="basicform" method="POST"> <fieldset> <div class="input-group"> <label for="username">Choose a Username:</label><br> <input type="text" id="username" name="username" onkeyup="checkUsernameForLength(this);" required class="form-control" maxlength="25" pattern=".{6,}"/> <span class="hint">Usernames must be a least 6 characters in length and cannot exceed 25. Characters must match (a-z) (A-Z) (0-9) and ''_''</span> </div> </fieldset> <fieldset> <div class="input-group"> <label for="password">Enter a password:</label><br> <input type="password" id="password" name="password" onkeyup="checkPassword(this);" required class="form-control" maxlength="25" pattern=".{7,}"/> <span class="hint">The password can be any combination of <strong>characters</strong>, and must be at least 8 characters in length and cannot exceed 25.</span> </div> </fieldset> <fieldset> <div class="input-group"> <label for="email">Enter your email address:</label><br> <input type="text" id="email" name="email" onkeyup="checkEmail(this);" required class="form-control" maxlength="30" /> <span class="hint">Please enter your real email address (ie: [email protected])</span> </div> </fieldset> <fieldset> <label for="type">Pick your position of registration:</label><br> <select name="type"> <option name="type" value="Client">I am a client looking for work to be done</option> <option name="type" value="Employer">I am an employer looking for a potential hire</option> <option name="type" value="Employee">I am an employee looking to be hired</option> </select> </fieldset> <fieldset> <button type="submit" class="btn btn-primary" name="submit" value="submit">Register Now</button> </fieldset> </form> </div> <!-- //row of columns --> <?php include_once ''footer.php''; ?>

INICIAR SESIÓN . PHP

$username = $_POST[''username'']; $password = $_POST[''password'']; //before we even bother connecting to the db start validating if ( (empty($username)) || (empty($password)) ) { header(''Location: Login.php?fail=1''); die(); } if ( ((strlen($username)) >25) || ((strlen($password)) >25) ) { header(''Location: Login.php?fail=2''); die(); } if ( (preg_match("/[^/w-.]/", $username)) ) { header(''Location: Login.php?fail=3''); die(); } /* TRIED METHODS $salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM); $salt = base64_encode($salt); $salt = str_replace(''+'', ''.'', $salt); $hash = crypt(''rasmuslerdorf'', ''$2y$10$''.$salt.''$''); $password = $hash; echo "<script>alert(''$password'');</script>"; $salt = ''$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors''; $digest = crypt($password, $salt); if (crypt($password, $digest) == $digest){ echo "<script>alert(''logged in'');</script>"; }else{ header(''Location: Login.php?fail=3''); die(); } */ //PDO CONNECTION function pdo_connect() { try { $db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX"); return $db; } catch (PDOException $e) { //echo $e->getMessage(); //return false; header(''Location: Register.php?fail=6''); } } //CHECK IF USERNAME EXISTS function checkLogin($username,$password) { $con = pdo_connect(); //$getlogin = $con->query $getlogin = $con->prepare("SELECT u_users,u_private FROM users WHERE u_users = :username AND u_private = :password"); $getlogin->bindValue('':username'', $username, PDO::PARAM_STR); $getlogin->bindValue('':password'', $password, PDO::PARAM_STR); $getlogin->execute(); if($getlogin->rowCount() > 0){ echo "<script>alert(''yes'');</script>"; } $con = null; } echo checkLogin($username,$password); echo "<script>alert(''success'');</script>"; } ?> <?php $page_title = "NS : Web Development : Register"; $page_desc = "Register with us for great deals on website development."; $services = 0; include_once ''header.php''; ?> <div class="jumbotron"> <div class="container"> <h1><font color="fb1576">Members</font> log in</h1> <p> Not yet a member? <a href="Register.php"><font color="fb1576">Sign up today!</font></a> </div> </div> <div class="container"> <?php if ( isset($_GET[''success'']) && $_GET[''success''] == 1 ){ echo "<div class=''alert alert-success''>Registration successful. Please log in.</div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 1 ){ echo "<div class=''alert alert-danger''>Username or Password cannot be left blank.</div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 2 ){ echo "<div class=''alert alert-danger''>Sorry, this is not a valid Username or Password.</div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 3 ){ echo "<div class=''alert alert-danger''>Username or Password incorrect, please try again.</div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 5 ){ echo "<div class=''alert alert-danger''>E-mail you entered is already in use. Please try again. <a href=''Register.php''><span class=''glyphicon glyphicon-remove''></span> Close</a></div>"; } if ( isset($_GET[''fail'']) && $_GET[''fail''] == 6 ){ echo "<div class=''alert alert-danger''>Something went wrong. Please try again later. </div>"; } ?> <form class="form-signin" role="form" method="POST"> <h2 class="form-signin-heading">Please sign in</h2> <p> <input type="text" class="form-control" placeholder="Username" name="username" required autofocus> </p> <br> <p> <input type="password" class="form-control" placeholder="Password" name="password" required> </p> <label class="checkbox"> <input type="checkbox" value="remember-me"> Remember me </label> <button class="btn btn-lg btn-primary btn-block" type="submit" name="submit" value="submit">Sign in</button> </form> <?php include_once ''footer.php''; ?>

REALMENTE necesito obtenerlo para que sea seguro para mi servidor en el lanzamiento y pueda iniciar sesión de forma segura.


Con PHP versión 5.3 puede y debe usar BCrypt.

Para PHP versión 5.5 y superior, se recomienda utilizar las nuevas funciones de contraseña password_hash () y password_verify () :

// Hash a new password for storing in the database. // The function automatically generates a cryptographically safe salt. $hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT); // Check if the hash of the entered login password, matches the stored hash. // The salt and the cost factor will be extracted from $existingHashFromDb. $isPasswordCorrect = password_verify($password, $existingHashFromDb);

Para PHP versión 5.3.7 y superior existe un paquete de compatibilidad , por lo que puede usar las funciones anteriores exactamente de la misma manera.

Para las versiones de PHP anteriores a la 5.3.7, puede usar el paquete de compatibilidad y cambiar el parámetro crypt de "$2y$%02d$" a "$2a$%02d$" , esto también genera un hash BCrypt. Es lo mejor que puede hacer con versiones anteriores, los hash serán compatibles cuando actualice a una versión PHP más nueva.

Cuando quiera verificar la contraseña, no puede hacer esto en la declaración SQL directamente. En un primer paso, debe obtener el hash de contraseña almacenado de la base de datos (con el nombre de usuario), luego puede usar este hash en la función password_verify (). La función password_verify () necesita extraer la sal del hash almacenado.