How can I turn this into a secure login?

This question already has an answer here:

  • The definitive guide to form-based website authentication

  • As you've noticed, you need to store your passwords securely. If you don't, you could be embarrassed the same way Adobe Systems recently was.

    There are two steps to this:

    First, when a user creates or updates the password, encode it and store the encoded value.

    Second, when a user attempts to log in, encode the password and compare it to the stored encoded value. Only if the encoded values match should you let the user have access.

    A good way to do this is using a difficult-to-reverse hashing algorithm with a random salt. See here for some excellent information on doing this:

    Best way to encode passwords in PHP

    Good for you for asking this question. Security programming is hard to get right. Many people attempt to re-invent the wheel and succeed in re-inventing the flat tire.
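    The two steps above, as an added example that is not part of the original answer: an in-memory array stands in for the users table so the script runs without a database, and the function names `store_password()` and `check_password()` are this example's own. It also makes visible the "random salt" point, since hashing the same password twice produces two different stored values that both still verify.

    ```php
    <?php
    // Added example, not code from the original answer. $users is a constructed
    // stand-in for the users table: username => stored password hash.
    $users = [];

    // Step 1: when a password is created or updated, hash it and keep only the hash.
    // password_hash() draws a random salt and embeds salt, algorithm and cost in the
    // returned string, so no separate salt column is needed.
    function store_password(array &$users, $username, $password)
    {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }

    // Step 2: on login, check the submitted password against the stored hash.
    // password_verify() reads the salt and cost out of the stored value and
    // compares in constant time; the plaintext is never stored or compared directly.
    function check_password(array $users, $username, $password)
    {
        static $dummy_hash = null;
        if (!isset($users[$username])) {
            // Verify against a throwaway hash so an unknown username costs the
            // same time as a wrong password; otherwise response time reveals
            // which usernames exist.
            if ($dummy_hash === null) {
                $dummy_hash = password_hash('dummy', PASSWORD_DEFAULT);
            }
            password_verify($password, $dummy_hash);
            return false;
        }
        return password_verify($password, $users[$username]);
    }

    // Constructed sample credentials for the demonstration.
    store_password($users, 'alice', 'correct horse battery staple');
    $first_hash = $users['alice'];
    store_password($users, 'alice', 'correct horse battery staple');
    $second_hash = $users['alice'];

    // Stored value is in bcrypt format: "$2y$", the cost, "$", then salt and digest.
    echo 'stored value: ', $second_hash, PHP_EOL;
    echo 'same password, different hashes (random salt): ',
         var_export($first_hash !== $second_hash, true), PHP_EOL;
    echo 'old hash still verifies: ',
         var_export(password_verify('correct horse battery staple', $first_hash), true), PHP_EOL;
    echo 'correct password accepted: ',
         var_export(check_password($users, 'alice', 'correct horse battery staple'), true), PHP_EOL;
    echo 'wrong password rejected: ',
         var_export(!check_password($users, 'alice', 'Tr0ub4dor&3'), true), PHP_EOL;
    echo 'unknown user rejected: ',
         var_export(!check_password($users, 'bob', 'anything'), true), PHP_EOL;
    ```

    Run it with `php example.php` on PHP 5.5 or later. The dummy-hash branch is the one addition beyond the answer's two steps; it keeps the "user does not exist" and "wrong password" paths indistinguishable by timing, which is what you want from a login endpoint.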


    session_start();
    ob_start();
    
    // db connect; $db_name, $dbusername, $dbpassword and $tbl_name come from your config
    $dbh = new PDO("mysql:host=localhost;dbname={$db_name}", $dbusername, $dbpassword);
    // prepared statement: the submitted username is bound as a parameter, never interpolated into the SQL
    $stmt = $dbh->prepare("SELECT password FROM {$tbl_name} WHERE username = :username");
    $stmt->bindParam(':username', $_POST['username']);
    $stmt->execute();
    $password = $stmt->fetchColumn(); // the stored hash, or false if there is no such user
    
    if($password !== false && password_verify($_POST['password'], $password)){
        session_regenerate_id(true); // new session id on login, so a pre-login id cannot be reused
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['password'] = $password;
        header('location:login_success.php');
        exit; // stop here so nothing after the redirect is executed or sent
    }else {
        include("top.php");
        include("style.css");
        echo '<p align=center><font size=2>Login Failed. <a href="http://www.sentuamessage.com/login.php">Please Try Again</a></font></p>';
        include("bottom.php");
    }
    ob_end_flush();
    

    And to save password hashes to the database, use this to generate the password hash:

    // Assuming that password you want to store is in $_POST['password']
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
    

    If your PHP version is >= 5.5 you are good to go; otherwise take a look at @Mark Baker's comment for a userland implementation. If your version is lower than 5.3.7, then maybe you should think of some other way of hashing passwords.

    Also, to convert all passwords in the database to hashed passwords: PASSWORDS HAVE TO BE PLAINTEXT FOR THIS TO WORK CORRECTLY. Otherwise you would have to use something like password_verify(md5($_POST['password']), $password) to verify the password.

    You should also make the password field in the database VARCHAR(255) to be safe in the future.

    $dbHost = 'localhost';
    $dbUser = 'Database username here';
    $dbPass = 'Database password here';
    $dbBase = 'Database name here';
    
    $usersTable = 'users';
    $userIdColumn = 'username';
    $userPasswordColumn = 'password';
    
    // One-off migration: read every user's plaintext password and replace it with a hash.
    // Run it once, then switch the login code over to password_verify().
    if (function_exists('password_hash') && function_exists('password_verify')){
        $dbh = new PDO("mysql:host={$dbHost};dbname={$dbBase}", $dbUser, $dbPass);
        $users = $dbh->prepare("SELECT {$userIdColumn} as id, {$userPasswordColumn} as password FROM {$usersTable}");
        $users->execute();
        // bindParam binds by reference, so the statement picks up the current
        // values of $userId and $passwordHash on each execute() below
        $userUpdate = $dbh->prepare("UPDATE `{$usersTable}` SET `{$userPasswordColumn}` = :password WHERE `{$userIdColumn}` = :id");
        $userUpdate->bindParam(':id', $userId);
        $userUpdate->bindParam(':password', $passwordHash);
        foreach($users->fetchAll() as $row){
            $userId = $row['id'];
            $passwordHash = password_hash($row['password'], PASSWORD_DEFAULT);
            $userUpdate->execute();
        }
    }
    
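    The "otherwise" case the answer mentions, worked through as an added example that is not part of the original answer: when the existing rows hold md5 digests rather than plaintext, the plaintext is gone and cannot be rehashed directly, so the digest itself is wrapped with password_hash(), login verifies with password_verify(md5(...)) as the answer suggests, and each user's row is rewritten as a direct hash the first time they log in successfully. An in-memory array stands in for the table, and `wrap_legacy_md5()`, `login()` and the sample credentials are this example's own.

    ```php
    <?php
    // Added example, not code from the original answer. $users is a constructed
    // stand-in for the users table: username => stored credential. One row still
    // holds a bare md5 digest, as an older version of a site would have left it.
    $users = [
        'legacy_user' => md5('hunter2'),
    ];

    // One-off migration for md5 rows (the counterpart of the answer's plaintext
    // loop): wrap each 32-hex-digit digest in a salted bcrypt hash so a dump of
    // the table no longer exposes directly crackable md5 values.
    function wrap_legacy_md5(array &$users)
    {
        foreach ($users as $name => $stored) {
            if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
                $users[$name] = password_hash($stored, PASSWORD_DEFAULT);
            }
        }
    }

    // Login check that accepts both direct hashes and wrapped md5 rows, and
    // upgrades a wrapped row once the plaintext is known.
    function login(array &$users, $username, $password)
    {
        if (!isset($users[$username])) {
            return false;
        }
        $stored = $users[$username];

        if (password_verify($password, $stored)) {
            // Direct hash. Re-hash if PASSWORD_DEFAULT's cost or algorithm has
            // moved on since this row was written.
            if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
                $users[$username] = password_hash($password, PASSWORD_DEFAULT);
            }
            return true;
        }

        if (password_verify(md5($password), $stored)) {
            // Wrapped legacy row: the user just supplied the plaintext, so replace
            // the md5-in-bcrypt value with a direct bcrypt hash of the password.
            $users[$username] = password_hash($password, PASSWORD_DEFAULT);
            return true;
        }

        return false;
    }

    wrap_legacy_md5($users);
    echo 'row is bcrypt after wrapping: ',
         var_export(strpos($users['legacy_user'], '$2y$') === 0, true), PHP_EOL;
    echo 'wrong password rejected: ',
         var_export(!login($users, 'legacy_user', 'wrong'), true), PHP_EOL;
    echo 'correct password accepted via md5 path: ',
         var_export(login($users, 'legacy_user', 'hunter2'), true), PHP_EOL;
    echo 'row upgraded to a direct hash: ',
         var_export(password_verify('hunter2', $users['legacy_user']), true), PHP_EOL;
    echo 'md5 wrapper no longer matches: ',
         var_export(!password_verify(md5('hunter2'), $users['legacy_user']), true), PHP_EOL;
    ```

    Against a real table, `login()` would issue the same UPDATE the answer's migration script uses instead of assigning into the array. The direct-hash check runs first so that fully migrated users never touch the md5 path, and once every user has logged in once the md5 branch can be deleted.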