2016-09-28 9 views
-1

パスワードとユーザー名をPDOで最小限の長さにするにはどうすればよいですか? 私はPHPを使用して簡単な入力フィールドで自分自身を行うことができますが、このPDO登録システムでは、どのように手がかりを取るのか、またはどこで行うべきかわかりません。 PHPではうまくいかず、PDOではさらに悪いです。パスワードとユーザー名のフォームの最小文字数を登録する

登録フォーム:

だから、
<?php 
ob_start(); 
    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    if(!empty($_POST)) { 
     // Ensure that the user has entered a non-empty username 
     if(empty($_POST['username'])) 
     { 
      // Note that die() is generally a terrible way of handling user errors 
      // like this. It is much better to display the error with the form 
      // and allow the user to correct their mistake. However, that is an 
      // exercise for you to implement yourself. ; 
      die(' 
         <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please enter a username 
        </div> 
       </div><br /> 
       '); 
     } 

     // Ensure that the user has entered a non-empty password 
     if(empty($_POST['password'])) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please enter a password 
        </div> 
       </div><br /> 
       '); 
     } 

     // Make sure the user entered a valid E-Mail address 
     // filter_var is a useful PHP function for validating form input, see: 
     // http://us.php.net/manual/en/function.filter-var.php 
     // http://us.php.net/manual/en/filter.filters.php 
     if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Invalid E-mail address. 
        </div> 
       </div><br /> 
       '); 
     } 

     // We will use this SQL query to see whether the username entered by the 
     // user is already in use. A SELECT query is used to retrieve data from the database. 
     // :username is a special token, we will substitute a real value in its place when 
     // we execute the query. 
     $query = " 
      SELECT 
       1 
      FROM users 
      WHERE 
       username = :username 
     "; 

     // This contains the definitions for any special tokens that we place in 
     // our SQL query. In this case, we are defining a value for the token 
     // :username. It is possible to insert $_POST['username'] directly into 
     // your $query string; however doing so is very insecure and opens your 
     // code up to SQL injection exploits. Using tokens prevents this. 
     // For more information on SQL injections, see Wikipedia: 
     // http://en.wikipedia.org/wiki/SQL_Injection 
     $query_params = array( 
      ':username' => $_POST['username'] 
     ); 

     try 
     { 
      // These two statements run the query against your database table. 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please try agian. 
        </div> 
       </div><br /> 
       ' . $ex->getMessage()); 
     } 

     // The fetch() method returns an array representing the "next" row from 
     // the selected results, or false if there are no more rows to fetch. 
     $row = $stmt->fetch(); 

     // If a row was returned, then we know a matching username was found in 
     // the database already and we should not allow the user to continue. 
     if($row) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Username is already taken. 
        </div> 
       </div><br /> 
       '); 
     } 

     // Now we perform the same type of check for the email address, in order 
     // to ensure that it is unique. 
     $query = " 
      SELECT 
       1 
      FROM users 
      WHERE 
       email = :email 
     "; 

     $query_params = array( 
      ':email' => $_POST['email'] 
     ); 

     try 
     { 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please try again. 
        </div> 
       </div><br /> 
       ' . $ex->getMessage()); 
     } 

     $row = $stmt->fetch(); 

     if($row) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         This E-mail is already in use by someone ells. 
        </div> 
       </div><br /> 
       '); 
     } 

     // An INSERT query is used to add new rows to a database table. 
     // Again, we are using special tokens (technically called parameters) to 
     // protect against SQL injection attacks. 
     $query = " 
      INSERT INTO users ( 
       username, 
       password, 
       salt, 
       email 
      ) VALUES ( 
       :username, 
       :password, 
       :salt, 
       :email 
      ) 
     "; 

     // A salt is randomly generated here to protect again brute force attacks 
     // and rainbow table attacks. The following statement generates a hex 
     // representation of an 8 byte salt. Representing this in hex provides 
     // no additional security, but makes it easier for humans to read. 
     // For more information: 
     // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
     // http://en.wikipedia.org/wiki/Brute-force_attack 
     // http://en.wikipedia.org/wiki/Rainbow_table 
     $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

     // This hashes the password with the salt so that it can be stored securely 
     // in your database. The output of this next statement is a 64 byte hex 
     // string representing the 32 byte sha256 hash of the password. The original 
     // password cannot be recovered from the hash. For more information: 
     // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
     $password = hash('sha256', $_POST['password'] . $salt); 

     // Next we hash the hash value 65536 more times. The purpose of this is to 
     // protect against brute force attacks. Now an attacker must compute the hash 65537 
     // times for each guess they make against a password, whereas if the password 
     // were hashed only once the attacker would have been able to make 65537 different 
     // guesses in the same amount of time instead of only one. 
     for($round = 0; $round < 65536; $round++) 
     { 
      $password = hash('sha256', $password . $salt); 
     } 

     // Here we prepare our tokens for insertion into the SQL query. We do not 
     // store the original password; only the hashed version of it. We do store 
     // the salt (in its plaintext form; this is not a security risk). 
     $query_params = array( 
      ':username' => $_POST['username'], 
      ':password' => $password, 
      ':salt' => $salt, 
      ':email' => $_POST['email'] 
     ); 

     try 
     { 
      // Execute the query to create the user 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die(' 
         <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please try again. 
        </div> 
       </div><br /> 
       ' . $ex->getMessage()); 
     } 

     ob_clean(); 
     // This redirects the user back to the login page after they register 
     header("Location: /signin/"); 

     // Calling die or exit after performing a redirect using the header function 
     // is critical. The rest of your PHP script will continue to execute and 
     // will be sent to the user if you do not die or exit. 
     die(); 

    } 


//session to store input after die() function 
?> 
+3

あなたはあなたが、PDOでそれを行ういけませんそれはHTMLまたはjavascriptで、次にPHPコードではデータベースとPDOまで取得します – RiggsFolly

+2

あなた自身の_パスワードハッシュを__rollしないでください。 PHPは['password_hash()'](http://php.net/manual/en/function.password-hash.php) と['password_verify()'](http://php.net/manual/ en/function.password-verify.php)それらを使用してください。 ここにいくつかの[パスワードに関する良いアイデア]があります(https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) 5.5より前のバージョンのPHPを使用している場合は、[互換パックがあります](https ://github.com/ircmaxell/password_compat) – RiggsFolly

+0

少なくとも2つのクエリを 'WHERE username =:username or email =:email'を使ってマージすることができます – RiggsFolly

答えて

0

、右のあなたの確認後、フォームがsubmiitedれた場合、どのように長いものを見ることができます...

if(!empty($_POST)) { 
// check length of $_POST['username'] 

    if (strlen($_POST['username']) <5){ 
      die(' 
        <div class="notice fail"> 
       <div class="notice-p"> 
       Usernames need to be 5 characters or longer 
       </div> 
      </div><br /> 
      '); 
    } 

    // check length of $_POST['password'] 

    if (strlen($_POST['password']) <5){ 
      die(' 
        <div class="notice fail"> 
       <div class="notice-p"> 
       Passwords need to be 5 characters or longer 
       </div> 
      </div><br /> 
      '); 
    } 
関連する問題