2016-09-28 2 views
-1

Register form: minimum characters for username and password

How can I force the password and username to have a minimum length in PDO? I could do it myself in a simple input field with PHP, but with this PDO register system I have no idea how to do it, or where to do it. I'm not good with PHP and even worse with PDO.

Register Form:

<?php
// $db is the PDO connection object, created earlier (in an included config file)
ob_start();
    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    if(!empty($_POST)) { 
     // Ensure that the user has entered a non-empty username 
     if(empty($_POST['username'])) 
     { 
      // Note that die() is generally a terrible way of handling user errors 
      // like this. It is much better to display the error with the form 
      // and allow the user to correct their mistake. However, that is an 
      // exercise for you to implement yourself. ; 
      die('
       <div class="notice fail">
        <div class="notice-p">
         Something went wrong!<br /> 
         Please enter a username 
        </div> 
       </div><br /> 
       '); 
     } 

     // Ensure that the user has entered a non-empty password 
     if(empty($_POST['password'])) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please enter a password 
        </div> 
       </div><br /> 
       '); 
     } 

     // Make sure the user entered a valid E-Mail address 
     // filter_var is a useful PHP function for validating form input, see: 
     // http://us.php.net/manual/en/function.filter-var.php 
     // http://us.php.net/manual/en/filter.filters.php 
     if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Invalid E-mail address. 
        </div> 
       </div><br /> 
       '); 
     } 

     // We will use this SQL query to see whether the username entered by the 
     // user is already in use. A SELECT query is used to retrieve data from the database. 
     // :username is a special token, we will substitute a real value in its place when 
     // we execute the query. 
     $query = " 
      SELECT 
       1 
      FROM users 
      WHERE 
       username = :username 
     "; 

     // This contains the definitions for any special tokens that we place in 
     // our SQL query. In this case, we are defining a value for the token 
     // :username. It is possible to insert $_POST['username'] directly into 
     // your $query string; however doing so is very insecure and opens your 
     // code up to SQL injection exploits. Using tokens prevents this. 
     // For more information on SQL injections, see Wikipedia: 
     // http://en.wikipedia.org/wiki/SQL_Injection 
     $query_params = array( 
      ':username' => $_POST['username'] 
     ); 

     try 
     { 
      // These two statements run the query against your database table. 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please try again.
        </div> 
       </div><br /> 
       ' . $ex->getMessage()); 
     } 

     // The fetch() method returns an array representing the "next" row from 
     // the selected results, or false if there are no more rows to fetch. 
     $row = $stmt->fetch(); 

     // If a row was returned, then we know a matching username was found in 
     // the database already and we should not allow the user to continue. 
     if($row) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Username is already taken. 
        </div> 
       </div><br /> 
       '); 
     } 

     // Now we perform the same type of check for the email address, in order 
     // to ensure that it is unique. 
     $query = " 
      SELECT 
       1 
      FROM users 
      WHERE 
       email = :email 
     "; 

     $query_params = array( 
      ':email' => $_POST['email'] 
     ); 

     try 
     { 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         Please try again. 
        </div> 
       </div><br /> 
       ' . $ex->getMessage()); 
     } 

     $row = $stmt->fetch(); 

     if($row) 
     { 
      die(' 
       <div class="notice fail"> 
        <div class="notice-p"> 
         Something went wrong!<br /> 
         This E-mail is already in use by someone else.
        </div> 
       </div><br /> 
       '); 
     } 

     // An INSERT query is used to add new rows to a database table. 
     // Again, we are using special tokens (technically called parameters) to 
     // protect against SQL injection attacks. 
     $query = " 
      INSERT INTO users ( 
       username, 
       password, 
       salt, 
       email 
      ) VALUES ( 
       :username, 
       :password, 
       :salt, 
       :email 
      ) 
     "; 

     // A salt is randomly generated here to protect against brute force attacks
     // and rainbow table attacks. The following statement generates a hex 
     // representation of an 8 byte salt. Representing this in hex provides 
     // no additional security, but makes it easier for humans to read. 
     // For more information: 
     // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
     // http://en.wikipedia.org/wiki/Brute-force_attack 
     // http://en.wikipedia.org/wiki/Rainbow_table 
     $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

     // This hashes the password with the salt so that it can be stored securely 
     // in your database. The output of this next statement is a 64 byte hex 
     // string representing the 32 byte sha256 hash of the password. The original 
     // password cannot be recovered from the hash. For more information: 
     // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
     $password = hash('sha256', $_POST['password'] . $salt); 

     // Next we hash the hash value 65536 more times. The purpose of this is to 
     // protect against brute force attacks. Now an attacker must compute the hash 65537 
     // times for each guess they make against a password, whereas if the password 
     // were hashed only once the attacker would have been able to make 65537 different 
     // guesses in the same amount of time instead of only one. 
     for($round = 0; $round < 65536; $round++) 
     { 
      $password = hash('sha256', $password . $salt); 
     } 

     // Here we prepare our tokens for insertion into the SQL query. We do not 
     // store the original password; only the hashed version of it. We do store 
     // the salt (in its plaintext form; this is not a security risk). 
     $query_params = array( 
      ':username' => $_POST['username'], 
      ':password' => $password, 
      ':salt' => $salt, 
      ':email' => $_POST['email'] 
     ); 

     try 
     { 
      // Execute the query to create the user 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die('
       <div class="notice fail">
        <div class="notice-p">
         Something went wrong!<br /> 
         Please try again. 
        </div> 
       </div><br /> 
       ' . $ex->getMessage()); 
     } 

     ob_clean(); 
     // This redirects the user back to the login page after they register 
     header("Location: /signin/"); 

     // Calling die or exit after performing a redirect using the header function 
     // is critical. The rest of your PHP script will continue to execute and 
     // will be sent to the user if you do not die or exit. 
     die(); 

    } 


//session to store input after die() function 
?> 
+3

You don't do that in PDO, you do it in the HTML or JavaScript and then again in the PHP code before you get as far as the database and PDO – RiggsFolly

+2

Please do not __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version before 5.5 [there is a compatibility package here](https://github.com/ircmaxell/password_compat) – RiggsFolly

+0

You could at least merge 2 of your queries by using `WHERE username = :username OR email = :email` – RiggsFolly

Answer

0

So directly after the check whether the form was submitted, let's see how long these are ...

if(!empty($_POST)) {
    // check length of $_POST['username']
    if (strlen($_POST['username']) < 5) {
      die('
        <div class="notice fail">
         <div class="notice-p">
          Usernames need to be 5 characters or longer
         </div>
        </div><br />
      ');
    }

    // check length of $_POST['password']
    if (strlen($_POST['password']) < 5) {
      die('
        <div class="notice fail">
         <div class="notice-p">
          Passwords need to be 5 characters or longer
         </div>
        </div><br />
      ');
    }

    // ... the rest of the existing registration code follows here
}
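Putting the answer's length checks together with the two comments (merged uniqueness query, `password_hash()` instead of a hand-rolled salted SHA-256 loop), here is an added example that is not the question's or the answer's code. It assumes PHP 7.1 or newer with the mbstring extension, an existing PDO connection in `$db`, and a `users` table with columns `username`, `email` and `password`; the `MIN_*` constants and the function names are my own.

```php
<?php
// Added example, not the question's or the answer's code: returns all validation
// failures instead of die()-ing on the first one, checks both uniqueness
// conditions in one query and stores the password with password_hash(),
// as the comments suggest. Assumes $db is an existing PDO connection and a
// users table with columns username, email and password (no salt column:
// password_hash() embeds its own random salt in the hash it returns).

const MIN_USERNAME_LEN = 5;
const MIN_PASSWORD_LEN = 5;

// Returns a list of error messages; an empty list means the input is acceptable.
function validate_registration(array $post): array
{
    $errors   = [];
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';   // passwords are never trimmed
    $email    = $post['email'] ?? '';
    // mb_strlen counts characters; strlen counts bytes, so "ä" would count as 2.
    if (mb_strlen($username) < MIN_USERNAME_LEN) {
        $errors[] = 'Usernames need to be ' . MIN_USERNAME_LEN . ' characters or longer';
    }
    if (mb_strlen($password) < MIN_PASSWORD_LEN) {
        $errors[] = 'Passwords need to be ' . MIN_PASSWORD_LEN . ' characters or longer';
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Invalid E-mail address';
    }
    return $errors;
}

// One prepared query covers both uniqueness checks (the merged WHERE from the comments).
function is_taken(PDO $db, string $username, string $email): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :username OR email = :email');
    $stmt->execute([':username' => $username, ':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

// password_hash() chooses the algorithm, a random salt and the work factor;
// check a login later with password_verify($input, $storedHash).
function create_user(PDO $db, string $username, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
}
```

Call `validate_registration($_POST)` right after the `!empty($_POST)` check and display the returned messages next to the form; only when the list is empty and `is_taken()` returns false, call `create_user()` and redirect to the sign-in page.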