-1
我有一個登錄/註冊應用程序,它以加密的形式在MySQL服務器數據庫上存儲密碼。我想在用戶密碼中沒有加密以備將來恢復。這個PHP不是由我製作的,我也沒有這方面的專業知識來編輯它。如果你們可以幫助解決這個問題,那麼我可以在數據庫中看到用戶的密碼。新手在這裏。
P.S-我不希望任何濫用用戶憑據。我嘗試了很多爲用戶提供密碼恢復系統的方法,但都沒有成功。所以我想保持密碼在數據庫中可見,這樣如果有人要求他/她的密碼,我應該能夠提供他們。使用保存記錄的數據庫 你可以看到這行
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt
如果你不想保存加密的密碼只需要修改
$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$password', '$number', '$salt', NOW())");
P/S
<?php
class DB_Functions
{
private $db;
//put your code here
// constructor
function __construct() {
require_once 'DB_Connect.php';
// connecting to database
$this->db = new DB_Connect();
$this->db->connect();
}
// destructor
function __destruct() {
}
/**
* Storing new user
* returns user details
*/
public function storeUser($name, $email, $password, $number) {
$uuid = uniqid('', true);
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt
$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$encrypted_password', '$number', '$salt', NOW())");
// check for successful store
if ($result) {
// get user details
$uid = mysql_insert_id(); // last inserted id
$result = mysql_query("SELECT * FROM users WHERE uid = $uid");
// return user details
return mysql_fetch_array($result);
} else {
return false;
}
}
/**
* Get user by email and password
*/
public function getUserByEmailAndPassword($email, $password) {
$result = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
// check for result
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
$result = mysql_fetch_array($result);
$salt = $result['salt'];
$encrypted_password = $result['encrypted_password'];
$hash = $this->checkhashSSHA($salt, $password);
// check for password equality
if ($encrypted_password == $hash) {
// user authentication details are correct
return $result;
}
} else {
// user not found
return false;
}
}
/**
* Check user is existed or not
*/
public function isUserExisted($email) {
$result = mysql_query("SELECT email from users WHERE email = '$email'");
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
// user existed
return true;
} else {
// user not existed
return false;
}
}
/**
* Encrypting password
* @param password
* returns salt and encrypted password
*/
public function hashSSHA($password) {
$salt = sha1(rand());
$salt = substr($salt, 0, 10);
$encrypted = base64_encode(sha1($password . $salt, true) . $salt);
$hash = array("salt" => $salt, "encrypted" => $encrypted);
return $hash;
}
/**
* Decrypting password
* @param salt, password
* returns hash string
*/
public function checkhashSSHA($salt, $password) {
$hash = base64_encode(sha1($password . $salt, true) . $salt);
return $hash;
}} ?>
不要刪除密碼加密,用PHP提供['password_hash()'](http://php.net/manual/en/function.password-hash.php) 和['password_verify()'] (http://php.net/manual/en/function.password-verify.php)請使用它們,我可能想使用您的網站有一天 這裏有一些[關於密碼的好主意](https:// www.owasp.org/index.php/Password_Storage_Cheat_Sheet) 如果您使用的是5.5以前的PHP版本[此處提供兼容包](https://github.com/ircmaxell/password_compat) – RiggsFolly
您的腳本位於[SQL注入攻擊]的風險(http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) 看看發生了什麼[小鮑比表]( http://bobby-tables.com/)甚至 [如果你是逃避投入,它不安全!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) 使用[準備好的聲明和參數化語句](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly
請不要使用[mysql_'數據庫擴展](http://stackoverflow.com/questions/12859942 /爲什麼 - 我應該使用mysql-functions-in-php),它不推薦使用(在PHP7中永遠不用)特別是如果你只是學習PHP,花費你的精力學習'PDO'數據庫擴展。 [開始](http://php.net/manual/en/book.pdo.php)其真的很容易 – RiggsFolly