建议您清理密码输入吗?
问题描述:
我清理用户名输入像这样:建议您清理密码输入吗?
function clean($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
我正在使用PDO格式准备的语句和散列密码,所以它仍然是可取的也是干净的密码输入?
以下是代码。要小心,它是未完成的这一刻,也非常混乱。
<?php
// start session
session_start();
?>
<!DOCTYPE html>
<head>
<link href='css/verify-id.css' rel='stylesheet'>
</head>
<body>
<?php
function clean($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// set or enter password
if (isset($_POST['password']) && empty($_POST['password'])) {
$error = 'A password is required.';
$identity = '';
$tip = '';
$prompt = '';
} else if (isset($_POST['password']) && !empty($_POST['password'])) {
//echo '<br>SESSION idPersist<br>'.$_SESSION['idPersist'];
//echo '<br><br>POST password<br>'.$_POST['password'];
$password = $_SESSION['password'];
$idPersist = $_SESSION['idPersist'];
include 'include/database-connection.php';
if ($_SESSION['prompt'] === 'Enter Password') {
//echo '<br><br>SESSION prompt is Enter Password';
// compare password
$sql = 'SELECT pass FROM guests WHERE id = :id';
$stmt = $conn->prepare($sql);
$stmt->bindParam(':id', $idPersist);
$conn->exec($sql);
} else if ($_SESSION['prompt'] === 'Set Password') {
echo '<br><br>SESSION prompt is Set Password';
/*
// set password
$sql = 'INSERT INTO guests (pass)
VALUES (:password)';
$stmt = $conn->prepare($sql);
$stmt->bindParam(':password', $password);
//$conn->exec($sql);
*/
}
$conn = null;
/*
$error = '';
$identity = '';
$tip = '';
$prompt = '';
*/
}
// enter id
if (!isset($_POST['password']) && empty($_POST['id'])) {
$error = 'An ID is required.';
} else if (!isset($_POST['password']) && !empty($_POST['id'])) {
include 'include/database-connection.php';
$id = clean($_POST['id']);
$sql = 'SELECT id, pass FROM guests WHERE id = :id';
$stmt = $conn->prepare($sql);
$stmt->bindParam(':id', $id);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result) {
$_SESSION['idPersist'] = $id;
$identity = 'password';
$tip = 'Password';
$error = '';
if (is_null($result['pass'])) {
$prompt = 'Set Password';
$_SESSION['prompt'] = 'Set Password';
} else {
$prompt = 'Enter Password';
$_SESSION['prompt'] = 'Enter Password';
}
} else {
$prompt = 'Enter Valid ID';
}
$conn = null;
}
}
?>
<form
accept-charset ='UTF-8'
action ='<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>'
autocomplete ='off'
enctype ='application/x-www-form-urlencoded'
method ='post'
target ='_self'>
<input
autofocus
id ='<?php
if (empty($identity)) {
echo 'id';
} else {
echo $identity;
}
?>'
name ='<?php
if (empty($identity)) {
echo 'id';
} else {
echo $identity;
}
?>'
placeholder ='<?php
if (empty($tip)) {
echo 'ID';
} else {
echo $tip;
}
?>'
required
size ='25'
title ='<?php
if (empty($tip)) {
echo 'ID';
} else {
echo $tip;
}
?>'
type ='text'>
<span><?php echo $error; ?></span>
<input
id ='submit'
name ='submit'
type ='submit'
value ='<?php
if (empty($prompt)) {
echo 'Enter ID';
} else {
echo $prompt;
}
?>'>
</form>
</body>
</html>
不,不这样做。此外,该功能通常被错误地使用,请小心。 – chris85
将您使用的密码应用于只用于散列的密码,您会获得什么? –
@HubertGrzeskowiak我不确定你的意思?我计划对密码进行哈希处理,但是我不确定是否在破坏之前进行了密码哈希处理? – Anthony