问题描述
因此,我正在寻求设计一个高度安全的php用户系统.我决定从登录/会话结束开始.我希望有人看看我的计划,并告知我漏洞和安全漏洞.
So I am looking to design a high security php user system. I have decided to begin at the login/session end. I would like someone to take a look at my plan and inform me of loopholes and security flaws.
这是我第一次尝试在这样的级别上创建系统,如果您发现问题,可以向我发送资源来帮助我修复它.
This is my first time attempting to create a system on such a level, if you find a problem could you send me resources to help me fix it.
连接到数据库*我将使用MYSQL,因此它是您的标准数据库连接,存储在站点根目录之外的文件中.
Connecting to the database*I will be using MYSQL so it's your standard database connect stored in a file outside of the sites root.
注册*注册将是一种简单的形式,我正在使用存储在外部文件中的函数来清理输入并防止SQL注入
Registration*The registration will be a simple form, I am using a function stored in a external file to sanitize the input and protect from SQL Injection
// A function to sanitize input for data being input into a database
function sanitizeinput($rawinput) {
$sanitizedinput = mysql_real_escape_string($rawinput);
return $sanitizedinput;
}
此功能上需要我进一步保护吗?
Is there anything I need on this function to secure it up any more?
密码是使用SHA-512或BCrypyt进行哈希处理的密码,我进行了一些研究,并看到很多人说MD5不再足够安全,我想确保最好的安全性,那么应该怎么做?我使用哈希密码.
The password is the to be hashed using either SHA-512 or BCrypyt, I have done a little research and have seen a lot of people saying MD5 is no longer secure enough, I want to ensure the best security possible so what should I use to hash the passwords.
我还使用以下代码段添加了随机生成的盐,并将其附加到哈希密码的前面,然后重新进行哈希处理.然后将盐以纯文本格式存储在数据库中,我是否应该考虑对其进行加密以提高安全性?
I have also added a randomly generated salt using the following snippet, which this appended to the front of the hashed password and then rehashed. The salt is then stored in the database in plain text format should I be thinking of encrypting this for extra security?
当用户登录时,将对输入的密码进行哈希处理,然后添加并重新哈希数据库中的盐,然后将其与数据库中存储的密码进行比较.
When a user goes to log in their entered password will be hashed, the salt from the database added and rehashed and then compared to the password stored in the database.
如果密码匹配,将创建一个会话,然后将其锁定到单个IP地址和用户代理.该会话将在短时间后过期.该会话将仅用于存储登录令牌,用户名和密码当然不会存储在会话中.
If the password matches a session will be created that will then be locked to a single IP address and user agent. The session will then expire after a short time. The session will only be used to store a login token, the username and password will of course not be store in the session.
当用户登录时,令牌将使用分配给它的用户名存储到数据库中,以便我们可以安全地使用令牌从数据库中提取用户详细信息,而无需将其存储在会话中.
When the user logs in the token will be stored into the database with a username assigned to it, so that we can safely pull the users details from the database using the token, without the risk storing it in the session.
如果密码不正确,用户将无法登录... duh,我也将对此实施强制暴力保护,在三次尝试之后,用户IP和用户代理将被锁定15分钟,而十次之后失败的尝试在防火墙中被阻止.
If the password is incorrect the user will not be logged in... duh, I will enforce a brute force protection on this too, after three attempts the users IP and User Agent will be locked out for 15 mins and after ten failed attempts blocked in the firewall.
我觉得我忘记了一些东西,但是我不能直接将手指放在上面.
I feel like I am forgetting something, but I can't put my finger directly upon it.
任何帮助或建议将不胜感激.
Any help or advice would be much appreciated.
推荐答案
我绝不是专家,而是首先切换到PDO以连接到mySQL.似乎有点困难,但是如果使用得当,可以保护您100%免受尝试进行sql注入的任何人的侵害.对于加密,我使用它来为每个用户生成随机盐:
I am by no means an expert on this but first off switch to PDO for connecting to mySQL. It seems a little more difficult but protects you 100% from anyone trying to do sql injections IF USED PROPERLY. For encryption I used this to generate a random salt per user:
function generateSalt($length, $chars)
{
$randString = '';
$charLength = strlen($chars);
for($count = 0; $count < $length; $count++)
{
$randString .= substr($chars, mt_Rand(0, ($charLength-1)), 1);
}
return $randString;
}
如果您给它输入一个字符串,它将从该字符串中的字符中喷出给定长度的盐.然后我相信我用河豚鱼是因为它不容易裂开.
If you feed it a string it spits out a given length salt from the characters in that string. Then I believe I used blowfish due to the fact that it is not easy to crack.
您是否考虑过XSS漏洞?我还没有,需要继续做下去.确保用户没有将html或javascript代码注入您的数据库中,后者稍后可能会显示在页面上.
Did you consider XSS vulnerabilities? I have not yet and need to get on that. Make sure users aren't injecting html or javascript code into your database that might be displayed somewhere on the page later.
祝你好运.
这是我用来散列"的
$cryptOptions = '$2y$10$' . $salt . '$';
$hashedPassword = crypt($password1, $cryptOptions);
这篇关于设计一个PHP用户登录系统的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!