php - Login system with Client Hash
问题描述
I am trying to make a simple login system that allows users to register/login, but want to hash the password on the client side before sending it over to the server. I know this isn't standard practice but trying to get it to work. Was hoping I could get some insight of where I am going wrong.
Here is my code so far:
<?php
include_once('connect.php');
$username = $_POST['username'];
$sql = "SELECT salt FROM users WHERE username = '$username';";
$result = $conn->query($sql);
$row = mysqli_fetch_assoc($result);
echo $row['salt'];
$variable = $_GET['tmp'];
$getPass = "SELECT passwordhash FROM users WHERE username = '$username' AND passwordhash = '$variable ';";
//Run the sql and either set tmp variable of isValid to 1 or 0 and then echo it below or see how many rows are returned?
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<link rel="stylesheet" href="style.css">
<script src="sha256.js"> </script>
<script>
function changeFormLogin() {
var pass = document.getElementById('getPass').value;
var username = document.getElementById('username').value;
var getSalt = <?php echo $row['salt']; ?>
var hashpass = SHA256(pass+pass);
var tmp = validateLogin(hashpass);
if(tmp ==1){
//Welcome the user back, and load new form
}
else{
//Tell them to try again, notify them.
}
document.getElementById("demo").innerHTML = getSalt; //Used for testing
return true;
}
function validateLogin(hashPass){
}
</script>
</head>
<body>
<div class="loginBox">
<img src="user.png" class="user">
<h2>Log In Here</h2>
<form action="#" onsubmit ="return changeFormLogin()">
<p>Email</p>
<input id="username" type="email" name="username" placeholder="Enter Email" required>
<p>Password</p>
<input id="getPass" type="password" name="password" placeholder="••••••" required>
<input type="submit" name="login" value="Sign In">
<p id="demo"></p>
</form>
<a href="index.php"><input type="submit" name="login" value="Return home"></a>
</div>
Or if there is a way to simplify this I am all for it!
解决方案
您允许表单提交到服务器,它会阻止 javascript 执行。
我不确定您是否使用https://cdnjs.com/libraries/js-sha256库或类似的库,但是它需要小写的 sha256 而不是您输入的大写。
这是工作代码,
function changeFormLogin() {
var pass = document.getElementById('getPass').value;
var username = document.getElementById('username').value;
var getSalt = 123566 //your salt
var hashpass = sha256(pass+pass);
console.log(hashpass);
var tmp = validateLogin(hashpass);
if(tmp ==1){
//Welcome the user back, and load new form
}
else{
//Tell them to try again, notify them.
}
document.getElementById("demo").innerHTML = getSalt; //Used for testing
return true;
}
function validateLogin(hashPass){
}<!doctype html>
<html>
<head>
<meta charset="utf-8">
<link rel="stylesheet" href="style.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha256/0.9.0/sha256.min.js" ></script>
</head>
<body>
<div class="loginBox">
<img src="user.png" class="user">
<h2>Log In Here</h2>
<form action="javascript:;" onsubmit="return changeFormLogin()">
<p>Email</p>
<input id="username" type="email" name="username" placeholder="Enter Email" required>
<p>Password</p>
<input id="getPass" type="password" name="password" placeholder="••••••" required>
<input type="submit" name="login" value="Sign In">
<p id="demo"></p>
</form>
<a href="index.php"><input type="submit" name="login" value="Return home"></a>
</div>
</body>
</html>您可以做的事情,并不意味着您应该做,您正在使用 GET 来获取散列字符串,这是不好的做法。此外,您永远不应该在客户端执行应该在服务器端完成的操作,例如散列密码。
永远不要将这样的东西用于生产目的,就像其他人在评论中所说的那样,请看看 SQL 注入是什么,永远不要相信您的用户在输入字段中键入的内容。
推荐阅读
- css - 为什么 Safari 中的 CSS Grid 行高不同?
- ios - 在 Swift 中列出使用 External Accessory 连接的配件数量
- dataweave - 如何根据特定条件过滤 dataweave 中的响应?
- string - 强制用户输入一个特定的数值(帕斯卡)
- css - 如何在 component.ts 文件中引用 css 类
- python - 在 Python 中将 keras 模型作为参数发送给外部函数
- c# - 在 C# 中使用 AMO 连接时,角色从 Azure 分析服务数据库返回为空
- python - 如何修复重叠的 matplotlib y 轴刻度标签或自动缩放绘图?
- python - 在 SQLAlchemy 中使用装饰器创建引擎
- python - 根据正则表达式条件在数据框中设置列